IBM legitimizes managed security

US$1.3 billion is a lot of money. If traveling is your thing, you could buy 38 Gulfstream V jets to fly in style and even have a little left over for gas money, or 7,900 Bentley Continental GTs to make sure you (and all your friends) are comfortable at ground level.

IBM, however, hopes you'll take some of that coin, buy one Bentley and hire 10,000 IBM-ers to drive you around. Why drive yourself when they can do it for you?

That's what IBM's acquisition of ISS is all about: services. Sure, services were only 15 percent of ISS' revenue stream, but they were where most of its efforts have been. Never mind that those efforts were devoted to services because ISS was becoming less competitive in the product space. Never mind that its vaunted X-Force research team had been marginalized by more aggressive, more timely and better-marketed competitors, such as eEye, F-Secure and SiteAdvisor.

Never mind that ISS had missed revenue projections for three quarters running and it wasn't looking good for the rest of the year. Never mind those pesky details. ISS was drowning in a competitive sea of larger security players with bigger and better products and channels. Then IBM threw it a $1.3 billion life jacket. You'd figure with that much money stashed in the life jacket, it would sink like a stone - but I digress.

The fact is that IBM paid a tremendous amount of money, based on any kind of economic measure, especially when you consider the uncertain future of ISS' products. But the services opportunity is compelling.

I can paint a picture where users of all sizes look to someone else to do the grungy work of protecting their networks, data centers and applications. Of course, no user in his right mind should be outsourcing his security strategy, compliance reporting or communicating the security value proposition to the powers that be. That's always an inside job.

It's perfectly legitimate, however, to get someone else to manage the boxes that protect you from the bad guys. Why? In my best British accent: "It's economics, dear Watson. Economics." Managed security is all about economies of scale. For most users, making significant investments in all sorts of security management hasn't paid off. They don't have the scale to gain the leverage that makes sense.

Large managed-security companies would have that leverage. Given the scale of all the networks they manage, they can cost-effectively deploy technologies such as security information management and anomaly detection.

Because security events happen fairly infrequently (if you have your defenses up to snuff), you don't need your own dedicated band of merry men and women sitting around the table 24/7 waiting for something bad to happen. A big service provider can do that for you, and it can do it cheaper than you can.

It's also a maturity thing. Outsourcing disciplines usually take 10 to 15 years to become accepted. Yes, that long. Remember mainframe outsourcing? That took even longer, but now you are hard-pressed to find an enterprise that still manages its own Big Iron.

Networks have been the same way. Networks in the early '90s were all about private lines and multiplexers managed by the internal network people. Now we use frame relay and managed IP services. If something breaks, you call the service provider and yell at it.

I believe we'll see the same thing in network security: Someone else will manage those firewalls, intrusion-detection systems, antispam gateways and their brethren. Not today, and not tomorrow, but within a couple of years.

So, IBM made a long-term bet that managed security will be big, and it wanted to have a leadership position early. It's probably right. $1.3 billion is a big number, but when you amortize it over 10 years, it seems pretty manageable.

Rothman is president and principal analyst of Security Incite, an analyst firm focusing on information security. Read his blog at or send e-mail to

