Foiling the Wily Hacker

The computer-security industry is rushing through its formative years and heading rapidly toward a shakeout, say industry officials and observers.

"The industry has expanded rather rapidly... [and] it is heading toward consolidation," said Kermit Beseke, chief of Roseville, Minn.-based Secure Computing Corp.

Industry officials estimate there are almost 500 computer-security companies throughout the nation, including roughly 75 companies trying to sell the firewalls needed to protect a company's network from being raided by hackers lurking on the worldwide data networks.

Many of these 500-odd companies are small start-ups lacking capital and customers but are brimming with ideas. Their future is dim unless they develop spectacular technology or quickly ally with other security firms, industry executives said.

In a second tier are companies with established products, customers and reputation. These include Secure Computing Corp.; Security Dynamics Inc., Cambridge, Mass.; Trusted Information Systems Inc., Glenwood, Md.; Open Vision, Pleasanton, Calif.; and Checkpoint Software. Some of these second-tier companies are trying to provide a broad range of products, but most work in a narrow sector of the computer-security business. For example, McAffee Associates Inc., Santa Clara, Calif., has two-thirds of the market for virus-protection software, while Braintree Technology Inc., Norwell, Mass., builds security software for relational databases.

Beyond this tier lie industry giants such as IBM, AT&ampT, Basking Ridge, N.J.; Digital Equipment Corp., Maynard, Mass.; and Computer Associates International Inc., Islandia, N.Y. These companies develop some security products, but most frequently package other companies' security products with their hardware and software offerings. These large companies -- along with Hewlett-Packard Co., Palo Alto, Calif., Microsoft and Netscape -- are expected to use their financial clout to buy the computer-security technologies, products and expertise they want over the next few years.

For example, Computer Associates earned more than $3.5 billion in 1995 from worldwide sales of its mainframe and server software, including the CA-Unicenter software designed to help manage data processing systems. In 1995, the company sold $600 million worth of the CA-Unicenter products, which includes some security tools, said Michael Miller, Computer Associates' senior vice president for federal sales. Computer Associates is also selling Unicenter/ICE, intended to alleviate the security problem posed by electronic commerce over the Internet.

"Over time, [computer security] will get sucked into the operating system. It is the natural evolution," said Brian O'Higgins, who is heading Nashville, Tenn.-based Northern Telecom's effort to sell its Entrust product. Entrust is intended to help companies use sophisticated data-scrambling technology.

"The bigger companies are watching to see what happens [to the computer security business]. When someone breaks into the lead... [the big companies] will select their partners," said Secure Computing's Beseke. Early this year, Hewlett-Packard bought SecureWare Inc., a small security company in Atlanta.

To stay ahead of the pack, Beseke offered his company's stock for sale on Wall Street last November. The public offering gained the company $32 million. The stock increased from its initial price of $16 per share to a high of $48 per share on the first day. The money will be spent on research, marketing and buyout of companies, he said. Last month, it acquired Webster Network Strategies, Naples, Fla., whose product can be used by companies or parents to block employees or children from viewing undesirable Internet sites. Webster cost Secure Computing $3 million. Secure Computing also swapped 6.5 million shares of stock -- then worth $200 million -- for Border Network Technologies, Toronto, cementing its No. 2 position in the market for Internet firewalls.

Waltham, Mass.-based Raptor Systems raised $45 million from its February public offering, said Mike Grandinetti, the company's marketing chief. Raptor's shares now sell for roughly $31 each, up from $13 on opening day.

AXENT Technologies, Rockville, Md., gained $33 million from its recent public offering, boosting its role in the client/server security market, said Pete Privateer, the company's vice president for operations.

Security Dynamics sold its first shares in 1994, raising $23 million for investment. Last November, it raised another $55 million from stock sales, helping it buy RSA Data Security, a Redwood, Calif.-based company that holds several critical patents for data-protection encryption technology.

These stock surges were bolstered by Wall Street's great interest in Internet-related stocks, such as Netscape. And like Netscape, some of the computer-security companies have relatively little revenue to justify their high stock prices. But executives in the computer-security industry say their stock prices are justified by fast-growing revenues and their vital role in the protection of electronic commerce.

For example, projections by market analysts show AXENT's 1996 revenue growing to $21 million, up from $15 million in 1995. Other projections show Security Dynamics growing to $60 million in 1996, up from $40 million in the 12 months prior to April 1996. Trusted Information Systems' non-government revenue will climb to $12 million in 1996, up from $3.5 million in 1995.

The projections are partially based on growing demand by customers for security products. A recent survey of 400 security professionals indicated that companies spent 25 percent more on security in 1995 than in 1994. Projections call for even greater spending in 1996. The survey was completed in March by The Yankee Group and InfoSecurity News, a trade publication based in Framingham, Mass.

Infusions of Wall Street capital will not be enough to keep these computer-security companies alive, analysts say. "The key is making good partners," said Computer Associates' Miller, allowing a security company to piggyback its products on more famous brand names, and to offer an easy-to-use, complete security package tailored for each customer.

This advice has already been followed by several companies. For example, 5 percent of Raptor is owned by PC maker Compaq Computer Corp., Houston, giving Raptor easy access to almost 40,000 Compaq resellers, Grandinetti said. Security Dynamics already has marketing and technology deals with companies such as IBM, Trusted Information Systems and Raptor, said company president Charles Stuckey.

These multicompany deals allow some executives to claim they offer -- almost -- a full suite of security technologies and services, including encryption, consulting, firewalls, authentication, auditing, security management, training and even trusted operating systems. But analysts don't see any single security company today that can provide a complete answer to a corporation seeking to protect its data.

Building a good brand name will also help a security company because it helps convince potential customers that the company's products are safe and reliable.

However, creating a good reputation won't be easy, partially because customers don't want to advertise what security technologies they are using. And a carefully cultivated brand name may turn sour if the company's security products fail to protect a customer.

Sooner or later, a few surviving companies will be able to provide a complete solution, predicted executives. That complete capability will allow some security companies to survive the shakeout and the Microsofts and IBMs, said Fred Avolio, marketing vice president at Trusted Information Systems.

The security companies will always find some customers who need specialized security services not offered by Computer Associates or AT&ampT, he said. The security companies can develop new and innovative security products better than larger companies.