More security OEM deals to come

Licensing agreements are seen as the best way to increase marketability amidst increased enterprise demands

With enterprises demanding more tightly integrated security products than ever before and pressure increasing on vendors in the space to offer as many tools as possible to win deals, experts say that an increasing number of technology providers will turn to licensing agreements to help increase their marketability.

OEM (original equipment manufacturer) pacts have long been a staple of the technology world, as companies have inked partnerships with firms in other market segments to package and resell their products.

Tying products together in the factory and selling them to customers as a package saves end users from doing that legwork themselves and gives them a single point of contact for multiple tools, advocates of the agreements maintain.

As IT security has grown into a major headache for enterprises, demanding that they employ reams of technologies to ward off attacks and meet the demands of compliance regulations, businesses have demanded broader sets of integrated products to help them meet the challenge.

And although massive security vendors such as Symantec and McAfee have gone on acquisition sprees in the name of building integrated packages of technologies to address the call for fewer individual products and vendors, market watchers contend that a growing number of smaller firms will look to OEM pacts to gain similar capabilities.

There is already a plethora of high-profile OEM arrangements in the security space, including partnerships such as IBM's Internet Security Systems division's deal to provide Arbor Networks' Peakflow X network monitoring appliances to customers. Even anti-virus market leader Symantec has carved out a relationship with Juniper Networks whereby the infrastructure specialist is providing customized security hardware to Symantec clients.

In the coming months, analysts believe, midsized and smaller security vendors will begin signing more deals to increase their footprints and remain relevant with enterprises.

"Size really matters these days in the security market, and with the mergers and acquisitions activity we've seen among larger players in the last six-to-nine months, it really points in the direction of OEM deals for smaller and midsized vendors," said Andrew Braunberg, analyst at Current Analysis, based in Sterling, Va. "These companies are looking to provide an integrated suite, and to do so quickly, and the OEM channel is one of the best options for them to do that."

Braunberg specifically believes that security vendors will look to add technologies including DLP (data leakage prevention) and NAC (network access control), which are currently in hot demand from enterprises.

"Participants in these deals also gain new exposure to their partners' installed base, which is an attractive new channel," Braunberg said. "There's also the issue of speed to market. Building technology yourself is almost out of the question from that angle, and to a degree so are acquisitions, which can move very slowly."

One of the best examples of security companies pursuing the OEM strategy to increase their coffers is Webroot Software, a long-time anti-spyware specialist that has signed licensing deals both to add to its own product lines, and to market its products via new avenues.

While some industry watchers have predicted that Webroot would be acquired or disappear as a result of its niche status, the company has undertaken an aggressive OEM strategy to widen its presence and make itself more attractive to customers.

In Oct. 2006, the company announced that it would begin licensing anti-virus technology from Sophos, a vendor with which it has historically competed for enterprise dollars. During the same month, the company entered an OEM pact with security gateway specialist IronPort Systems, which has since been acquired by Cisco Systems, to provide its anti-spyware tools in IronPort's Web security appliances.

The deals not only allow Webroot to drive more revenue, but also give the company a foot in the door with customers who already eschew individual point products, said Chief Executive Peter Watkins. Surviving as a provider of a single breed of security tool has become a challenging prospect, he admits.

"We're seeing somewhat schizophrenic behavior from customers, who tell you that they want a best-of-breed answer to a problem but want it integrated together with other technologies and designed to be simple to use and implement," Watkins said. "We've made our mark in best-of-breed anti-spyware but customers are telling us they wanted integration with anti-virus so we added Sophos. With IronPort, both partners get to be in a market they otherwise wouldn't be in, which is very beneficial to both companies."

The challenges of striking out with the OEM strategy are multiple, but can be managed through careful partnering, the CEO said. Along with attempting to synchronize product release schedules and keep partners on the same page, vendors must make sure that they are not "cannibalizing" their own market, or potentially cutting demand for their stand-alone products via the deals.

Companies embarking on OEM deals must also ensure that their partners haven't over-extended themselves with too many relationships, and that they agree on certain issues regarding technological road maps.

"This trend will continue as the security market matures, because with so many product categories, there's really no way for one single company to provide on a level of excellence in all of the areas of the market," Watkins said. "There will be more OEM partnering to meet customer demands for best-of-breed and simplicity, and there may also be a nascent trend toward suppliers who operate primarily around an OEM business model."

Companies such as online storage back-up specialist Mozy, which primarily go to market via partners to eliminate expensive customer marketing costs, could create an opportunity for businesses that do not create their own security technologies but instead merely piece together and customize products from other vendors, Watkins said.

In a sense, major IT consulting companies have been doing the same thing for years.

For its part, Sophos said it will continue to seek out more OEM deals with providers such as Webroot and with appliance vendors. In addition to Webroot, the AV specialist has OEM deals in place with companies including Akonix, Finjan, IronPort, and WebWasher, among others.

"There has always been a desire among partners to use our technology in a way that it can be integrated into their operations, so we've always had a customer base that's been asking for this," said Ron O'Brien, senior security analyst at Sophos. "It makes sense because they see the efficacy of our products and realize that partnering is a smarter move when they weigh the cost of licensing versus trying to develop something similar."

Some experts believe that the security market is on the cusp of a wave of OEM partnership activity as vendors struggle to meet customer demands for integration and "fewer throats to choke" in regard to vendors.

The strategy, however, does have its risks, analysts observed.

"In order to compete in this market you have to offer more than what your solution does, and if you don't have the cash for an acquisition, OEM is a good way to go," said Paul Stamp, analyst with Forrester Research. "In some ways, it is less risky than doing acquisitions because you don't have the upfront cost, but in other ways it can be more risky when the company you're partnered with is competing for the same budget, or if they're acquired by someone else."

For instance, Stamp said he believes that since Sophos launched its own line of security appliances, its deal with IronPort has "soured."

"When you start to expand your product line, internally or via partnerships, you need to be careful not to tread on existing partners," Stamp said. "Nonetheless, we believe that this is a business model that will become more common in the security market."