Intel Acquires McAfee, IBM Acquires BigFix – What Does It Mean to You?

Intel acquired McAfee yesterday and there were numerous shockwaves throughout the IT security industry.  The announcement was unexpected and there was no pre-brief on the move, so writers and analysts were left to speculation and conjecture.  Most struggled to see the logic in the deal, and most had a negative impression of its long-term outcome.  For what it is worth, I can provide you my impressions.

I was on the phone with a gentleman the other day who is a 30+ year veteran of IT, mostly in security.  He was lamenting about a favorite product that had been purchased by one of the very large AV vendors and noted that “<insert AV company name here> is the place where good products go to die”.  Now one of those large vendors (McAfee) has been acquired by an even larger vendor (Intel) that has no real pedigree in security.  One might ask if companies like  Intel (or IBM) is the place where companies where good product go to die, go to die. (Even I had to read that twice)

Some smart people have said that this acquisition, as well as the acquisition of BigFix by IBM, won’t change anything.  I have been acquired before and I can assure you it will change everything.  No matter how much the acquiring company says it will not change things, trust me, things will change.  BigFix was moved into IBM’s Software Group, specifically the Tivoli division.  Operations and security are converging, but the fact that BigFix is now in an operations oriented division would cause me concern if I were a security oriented customer of BigFix.  Speculation is that Intel acquired McAfee as a play to protect mobile devices and embedded chips.  How does that make me feel if I am a McAfee customer and my concentration is on endpoint security?  Will I become a second class citizen?  Will they continue to innovate as the threats evolve?  This is not FUD, folks – history has proven me right more times than anyone can count and examples abound.  And everyone deep down knows it to be true.

Both McAfee and BigFix are one bad quarter by their acquiring company and operational division from a re-org that begins to strip away their identity.  Cultures between the acquiring company and the smaller organizations will inevitably clash.  Plenty of smart people in the acquired companies will chafe under the slower moving, more political climate.  They will simply cash out and leave.

I have full confidence that time will prove me right.  If you have not been on my side of the business you may not know that smaller companies normally rejoice when a competitor is acquired because it tends to distract them for at least 12 months and creates enormous opportunity.

So what does this mean to you?  I would submit that choosing a large security company as a perceived hedge against risk may be futile.  The McAfee acquisition proves that everyone can get bought, and in fact the rumors about Symantec are now rampant.  So choosing the “one throat to choke” path and taking the monolithic offerings from McAfee or Symantec or IBM may not buy you any risk reduction, and in fact force you to compromise your security with products that don’t deliver to your needs.

Unlike any other segment of IT, security people must be pragmatic and make hard decisions.  I understand that there is personal, professional risk in choosing smaller companies, but in most cases they are where the real innovation happens.  That is why small companies get acquired, because larger companies tend to stop innovating.

My advice?  Don’t compromise and blindly buy into the suites.  Evaluate your security threats and needs and don’t fear innovative products just because the company can’t afford a booth the size of an airplane hangar at RSA.  Don’t ring your hands over companies being acquired, as that is the nature of the business and it will either happen or it won’t, but the bad guys will persist.  And even the large companies perceived as “safe bets” are every bit as much in play as a company with under $100M in revenue.  Yesterday’s acquisition proved that.  Don’t saddle yourself with bloated agents and monolithic product suites full of “me-too” stuff that do not effectively address your security risks.

Remember that the bad guys thrive when organizations delay important decisions or make “safe” decisions.  I would submit that yesterday’s acquisition proves there is no such thing as a safe decision.  So free yourself of that worry and choose the products that help you win the battle.