IBM's (IBM) - Get Report $1.3 billion splurge for Internet Security Systems (ISSX) has had tongues wagging about which security software makers could be snapped up next.

EMC

(EMC)

kicked off the buying binge in June with its acquisition of

RSA Security

(RSAS)

for $2.1 billion, noting at the time that security was "a missing piece in our information infrastructure puzzle."

Data infrastructure companies represent the latest sector to focus on security, mimicking networking firms' security spree a few years back, according to a Thursday note from Robert Breza of RBC Capital Markets.

"You're seeing a move from securing data, to figuring out who has access to the data

and that application, and how to secure that application ... that tends to be more of an infrastructure play than a networking play," Breza said in an interview.

The emphasis on application security and access has created a dynamic climate for infrastructure, networking and pure-play security firms.

"We recognize that many of the broad solution providers face pressure to have a security product that is difficult to develop organically, leaving M&A as the only real option," Breza wrote.

It's also not surprising that IT firms are looking at the security market. According to Gartner numbers, overall IT spending is growing 5% a year, and security spending is growing 10% a year.

"If you're an IT vendor and you want to increase your growth, you look at security," says John Pescatore, who follows security for Gartner. "That's behind a lot of this."

Analysts speculated the next tech firm to go shopping could be

Hewlett-Packard

(HPQ) - Get Report

, which stands out for its lack of security pick-ups.

"It's the one that leaps out at you. H-P has really shown no great vision for security overall," says Pescatore. He does not own any stock in the companies he covers and his firm doesn't do banking.

He speculated that H-P might eye

Sourcefire

or

CheckPoint

(CHKP) - Get Report

for network security products or

Cybertrust

for its managed security services.

"EMC,

CA

(CA) - Get Report

and now IBM have a meaningful presence in the market, but H-P is notably absent," wrote Walter Pritchard, an analyst with Cowen, in a Thursday note. He added that two of the security sectors biggest names make a good match: "We'd look to

McAfee

(MFE)

and

Symantec

(SYMC) - Get Report

as companies that make the most sense to fill this gap, although clearly an acquisition of Symantec would be a broader move than just filling the security piece." Pritchard's firm makes a market in ISS.

Breza concurs that McAfee would be an appealing match for H-P. The antivirus firm would bring broad distribution, a solid brand name and a loyal customer base to the tech giant. He estimates the probability that McAfee is in play at 50% or better.

On the other hand, McAfee could be predator rather than prey and take out another security firm itself.

SonicWall

(SNWL)

would improve McAfee's reach to small and medium businesses and would fill some product gaps, Breza says. (His firm makes a market in SonicWall.)

All of this potential consolidation, however, doesn't necessarily mean fewer opportunites for investors in the future. "Given all the M&A we've seen, I think it's important to point out to investors that these things move in cycles," Breza says. "There are some very good, emerging, hot private companies out there that will step up and fill the void. They could

go public any time."

While more established security software firms will be in the sights of larger firms, analysts seem to agree that the security market won't be entirely swallowed up by big tech firms.

"New threats pop up and smaller vendors are always more nimble to react," Pescatore says.