In the aftermath of IBM’s announced acquisition of ISS, market analysts and pundits have speculated that HP should and might acquire a security company of its own.
For example, Cowen Co. research analyst Walter Pritchard wrote the following in a research report issued yesterday:
Larger systems software companies have been aggressively acquiring security software vendors and point technology . . . and HP has been notably absent.
Pritchard thinks HP should be considering an acquisition of Symantec or McAfee. I think don’t think HP will buy either vendor, each of which relies too much, even today, on revenue from antivirus products that are facing a growing competitive threat from Microsoft, a key HP partner.
HP is Microsoft’s number-one reseller of Exchange. Does it really want to get into competition with Microsoft, knowing that the software giant already is moving to provide inbound messaging hygiene, including antivirus, for Exchange business users as well as for users of its consumer products? I don’t think so.
To the extent that HP might buy its way into the security market at all, I am more inclined to agree with the assessment of Momin Khan, an analyst at Technology Business Research:
They might have to go smaller. We think they’re in the market to spend another billion dollars with two or three acquisitions [total] over the course of the year.
Let’s say that’s true, and let’s assume they won’t want to acquire a vendor that derives a large share of its revenue from sales of antivirus software. HP could opt to buy a couple private security companies in areas such as intrusion prevention and data leakage prevention (DLP), sometimes known as outbound content control (OCC).
If HP pursues that course of action, then Sourcefire would make an excellent IPS candidate, bringing a solid set of services, a good installed base of customers, and stellar security credentials. In the DLP/OCC space, Vontu is an early market leader in a market that is growing and drawing the attention of the major players.
Perhaps HP would consider buying Check Point, but I think the price there is too rich. Check Point is reeling, though, and it must infuse itself with new growth prospects and vitality through acquisitions or it must agree to an acquisition by a bigger industry player.
Maintaining the status quo is not an alternative for Check Point, which is being pummeled on one side by larger vendors with greater marketing power, stronger brands, and more extensive market coverage, and has been beaten on the other side by smaller, nimbler upstarts that have been quicker to innovate.
HP and Check Point have been longtime partners, and it’s possible, though not probable, that HP might decide it should own Check Point, which has been weakened in recent years, as Luc Hatlestad of VARBusiness has written, by poorly and slowly integrated acquisitions, micromanagement by CEO Gil Shwed, poor field operations, and an executive exodus that has made it difficult for Check Point’s business partners to identify the company’s main players without a regularly updated program.
It’s not a given that HP will make security acquisitions, but, if it does, I would be surprised to see it turn in the direction of either Symantec or McAfee. Given the remaining roster of vendors available, current and future market dynamics, and HP’s particular circumstances and criteria, the company would be more likely to make smaller, targeted acquisitions — which would offer more compelling returns on investment — than to make a huge acquisition of a company with a significant antivirus overhang.