Over the past few months there has been a flurry of activity in the security space. Since the summer many of the major players in the enterprise content management arena appear to be buying all around them.

Risk and Monitoring

And companies are at risk. Earlier this month a report by HP TippingPoint's Digital Vaccine Labs (DVLabs) indicated that more than 80% of network attacks targeted web-based systems.

Two risk elements were identified: websites and web clients. The report shows websites are constantly at risk of being taken offline or defaced from SQL injections, PHP File Include or other attacks, and that these types of attacks have doubled in the last six months.

According to different research carried out by security and compliance auditing vendor nCircle, the vast majority of organizations have the ability to deploy continuous monitoring, but just don’t.

In fact, 60% are not scanning for configuration compliance, says nCercle, and continuous monitoring is a key component of upcoming changes to Federal Information Security Management Act (FISMA) regulations.

FISMA and Security

But if enterprises themselves are not carrying out security checks, then upcoming changes in regulations might force them to.

There are plans at the moment to change the Federal Information Security Management Act of 2002 (FISMA). The act provides a framework for ensuring the security of federal data stored in networks.

The proposed changes will  implement more stringent measures that will require not just compliance with federal security protocols, but also evidence that systems are being consistently monitored -- from vendors wishing to do business with public bodies.

In order to keep security compliant, checklists of IT requirements for vendors have been developed. While they differ in some respects, many of the requirements are common across all regulatory standards. With FISMA changes on the way, the list of security requirements includes:

  • An information systems inventory
  • Categorization of information and information systems according to risk level
  • Definition of minimum security controls
  • Risk assessment which identifies potential threats
  • System security plan as the major input to the security certification and accreditation process for the system
  • Certification and accreditation
  • Continuous monitoring rather than just compliance
  • Security and convergence

To protect themselves, but also to cut themselves a piece of a rapidly growing market, the major players have been either buying or developing the security items  they don’t have. It is impossible to list and categorize all the deals that have played out even since the beginning of this summer, but here are some of the major ones.

IBM, Security and Compliance

Open Pages

Big Blue (news, site)  in mid-September announced that it is to buy Open Pages, a MA-based company that develops risk and compliance software for businesses

Added to IBM’s business analytics division, the software highlights any inconsistencies in risk and performance goals, giving enterprises a comprehensive view of the business opportunities and risks associated with new business interests.

Big Fix

IBM reportedly paid US$ 400 million for security firm BigFix and closed the deal on July 20. Already they have announced the general availability of the new BigFix Unified Management Software (UMS), which identifies all enterprises PCs, laptops, servers and virtualized devices as well as everything contained on those devices.

Intel and Mobile Security

Intel (news, site) paid a US$ 7.7 billion for McAfee (news, site ). Intel said it would be using current McAfee products to enhance Intel’s mobile chip technologies and that the first combined products could be announced as early as next year.

Whether Intel will be able to sell the concept of mobile security to the business community has yet to be see but with many mobile users looking to manage their content remotely it would be a real game of Russian Roulette with business information to assume that it is going to be secure on smartphones.

HP, ArcSight and Fortify


HP (news , site) bought ArcSight earlier this month for $1.50bn firm with an eye on integrating security into its software stack. That it also offers enhanced compliance, audit and intellectual property protection is no harm either. There is still no timeline for the integration of the two.


The deal for an undisclosed price is no real surprise as they have collaborated before on a number of projects including the release of the advanced security analysis software Hybrid 2.0 in February.

With Fortify, HP can build enterprise application security programs from the ground up rather than adding them as an afterthought and in doing so create far more robust security systems across application lifecycles.

EMC and Cloud Security

While it hasn't  bought any security vendors recently, EMC (news, site) continues to develop its cloud security software through RSA. Recently it unveiled its RSA Solution for Cloud Security and Compliance at the VMworld 2010 conference. The solution aims to reassure companies that the cloud is a safe place to be.

The RSA solution uses a dashboard-based platform that centrally manages security across both VMware virtual infrastructures, as well as physical infrastructures.

On the security side, the solution integrates with the RSA enVision security information and event management platform, providing a comprehensive assessment of security events from across the enterprise.

Security Market Growth

And this only since May. While it is just about certain that the introduction of the new FISMA regulations will be put on hold until after the mid-term elections later this year, the added time has provided companies that have holes in their platforms the opportunity to fill them in.

But even if they do feel compliant, it seems unlikely that the buying spree is going to stop anytime soon. Gartner  (news, site)  suggests that worldwide security software revenue is forecast to surpass US$ 16.5 billion in 2010, an 11.3% increase from 2009 revenues of US$ 14.8 billion.

With these kinds of figures, and more importantly this kind of growth rate, there are still a lot of companies to buy out there. How long they remain independent of a few major players is impossible to say, but not very long is probably a good guess.