When it comes to initial public offerings, the security software sector has had an unusually long dry spell. Its last IPO was in 2001, when NetScreen stepped up to the public trough. Three years later, the company was acquired by Juniper Networks (JNPR). And those that have come close to going public -- antispam company Brightmail in 2004 and enterprise security firm Sybari in 2005, for instance -- were snapped up by Symantec (SYMC) and Microsoft (MSFT), respectively, at the last minute.
Industry observers say the money needed to go public, the demands of the market, competition and the trend toward working with fewer vendors have all helped steer many private companies to stay private -- or take an easier exit by getting acquired.
"The IPO market is weak, and I don't really see that changing," says Deborah Magid, director of strategic alliances and software strategy for IBM's (IBM) venture capital group. Mergers and acquisitions in security, on the other hand, are "a very vibrant market."
Big players like McAfee (MFE) and Symantec certainly aren't shy about paying big bucks to acquire fledgling startups, as the larger companies look to fill gaps in their own businesses and add to revenue. And it's not just security-software makers doing the buying, Magid says. Technology companies are pairing security with their other offerings. Just a few weeks ago, EMC (EMC) picked up RSA Security (RSAS). In October, IBM bought a security firm called DataPower.
The offers are generally pretty rich. "These companies are getting paid attractive enough valuations," Peter Kuper, an analyst at Morgan Stanley, says. "The decision makers say, 'This is a great payout, so let's take the money and go.'"
Yet despite the significant hurdles, some privately-held firms are building their companies with a firm goal of going public. Security watchers say there are a handful of contenders who may try to go for an IPO in the next 12 to 18 months.
However, the public-offering bar has gotten a lot higher over the past several years, and regulatory costs are among the main concerns. "Regulatory compliance makes being a small public company difficult," says Peter Christy, co-founder of the Internet Research Group. It "makes it less attractive to go public."
Companies now have to show they are Sarbanes-Oxley-ready, meaning they have gone through a financial audit and have sufficient internal controls, procedures and governance in place. The cost to become compliant typically runs in the millions, experts say.
Enrique Salem, former CEO of Brightmail and now head of Symantec's consumer business, says Sarbanes-Oxley was one of the factors in the company's decision to be acquired rather than go public. "You definitely think about the new scrutiny that SOX puts on a business," he says.
Because of the law, public companies spend more time, more resources and more money on their own governance, Magid says.
"Part of the appeal for a private vendor is that if the original investors can get a payout from their investments in a clean transaction -- without having to deal with all the regulatory burdens and having to deal with Sarbanes-Oxley -- it certainly requires a lot less ongoing maintenance," says Ed Maguire, an analyst with Merrill Lynch. Merrill Lynch does and seeks to do business with the companies it covers.
Another cost-saving factor driving startups toward choosing mergers is the ease of distribution. Salem says this was the case with Brightmail. "When these companies buy the smaller companies, they can just put them into their existing channels," says Ken Allen, an investment analyst with T. Rowe Price. Smaller companies don't have to build up their infrastructure, scale and overall capability by themselves.
"It's kind of hard for a smaller guy to build up and compete against these broadly diversified companies," Allen says.
In addition, smaller security software makers considering an IPO also face the uphill battle of building a significant brand name. "Over time, it's hard to get the market share required to be successful," Salem says. "While we had a good brand, it doesn't compare to the big security companies."
Meanwhile, the market of publicly-owned security is consolidating, a trend that observers expect to continue. It mirrors a similar development among its enterprise customers, who are consolidating the number of vendors they work with to manage security.
Security is now receiving a larger chunk of technology budgets and more scrutiny from management, IRG's Christy says. Executives want to improve cost efficiency and are choosing a smaller number of vendors over time. That's a change from several years ago, when it was common for companies to use one antivirus vendor for desktops and a different one for servers, for instance. Christy says firms are finding that "maybe the differentiation we get is not as great as we hoped for (and) the cost of multiple vendors is not justified."
Still, some have spent those IPO-free years building more mature companies that will perhaps take the path of a public bid. Messaging, intrusion prevention and unified threat management are areas where companies are approaching more than $100 million in sales, according to Asheem Chandna, a principal at Greylock Partners.
"It's a high-risk environment and you have to be a broader-focused company. You can't go out as a one-trick pony," says Craig Collins, chief financial officer with IronPort Systems, a private company that "definitely" plans to go public. "We're building a quality company, and we're going to have a quality infrastructure before we're in a position where we're going to file."
For companies like IronPort and others, the Street will be looking for long-term, double-digit revenue growth, a clear path to profitability and solid management teams that have compliance issues in order. "You want to stay private to get enough legs under the stool, to make sure you're going to be a high performer and consistent," Collins said.
At this point, of the 700 privately-held security firms, there are perhaps four or five that have a promising shot at going public, Morgan Stanley's Kuper says. (Most of those 700 firms, it should be noted, intend to stay private.) One such candidate, CipherTrust, was just picked up by Secure Computing (SCUR) on Tuesday. Sourcefire, Webroot and Postini, among others, are also considered possibilities for going public.
"Consolidation will continue in security, but I also think the threat landscape evolves quickly enough that there will be other opportunities," Allen said.
"As new technology is rolled out it will create new problems," Kuper says. His firm does and seeks to do business with the companies it covers.