I’ve been covering the Data Loss Prevention/Content Monitoring and Filtering space pretty much since before it existed and it’s been pretty wild to watch a market grow from it’s inception to early mainstream. It’s also a weird experience to stand on the sidelines and watch as all the incredibly hard work of contacts in various vendors finally pays off.
As complex and not-quite-mature as the market is, I’m still a fan of DLP. If you go in with the right intentions, especially understanding that it’s great for limiting accidents and bad processes, but not all that good against malicious threats, you’ll be able to reduce your risk in a business-friendly way. It helps solve a business problem, does it reasonably well despite needing some maturity, and has the added benefit of giving you good insight into where your data is and how it’s used.
I’m predicting the core DLP market will do somewhere around $100M this year. No lower than $80M and not higher than $120M, but probably closer to $90-$100M. If we add in products with DLP features that aren’t pure plays, this grows to no more than $180M. In other words, the entire DLP market is, at most, about half of what Symantec paid for Vontu.
I’ll talk more about the future of DLP at some point, but the big vendors that win will be those that see DLP as a strategic acquisition for a future platform base around content-aware security (and maybe more than security). The losers will be the ones that buy just to get into the game or add a feature to an existing product line.
We’ve hit the point where I don’t expect to see more than one or two acquisitions before the end of the year, and I doubt either of those will be as big as even the PortAuthority/Websense deal ($80M), never mind Vontu/Symantec. It’s possible we’ll see one more near the $100M range, but I suspect nothing until next year. As such it’s a good time to reflect on the acquisitions over the past eighteen months and figure out which ones might be more successful than others.
Disclaimer: Although I currently have business relationships with a few DLP vendors none of those relationships preclude me from giving my honest opinions. My position is that even if I lose some business in the short term (which I don’t expect), in the long run it’s far more important for me to retain my reputation for accuracy and objectivity.
I’ll discuss these in roughly chronological order, but I’m too lazy to look up the exact dates:
McAfee/Onigma: McAfee acquired a small Israeli startup that specialized in endpoint DLP fairly early on. Onigma was unproven in the market and pre-acquisition I didn’t talk to any production references. Some of my Israeli contacts considered the technology interesting. McAfee no offers DLP as a combined network/endpoint solution, but based on the customers I’ve talked with it’s not very competitive as a stand-alone solution. It seems to be reasonable at protecting basic data like credit card numbers, and might be a good add-on if you just want basic DLP and already use the McAfee product line. It lacks content discovery or all-channel network protection, limiting its usefulness if you want a complete solution. I need to admit that this is the product I am least familiar with and I welcome additional information or criticism of this analysis. Overall, McAfee has a long way to go to be really competitive with DLP. Onigma got them into the game, but that’s about it. Rating- thumb slightly down.
Websense/PortAuthority: Before the Vontu deal, PortAuthority was the one raising eyebrows when Websense acquired them for $80M. When they were still Vidius, I didn’t consider the product competitive, but a year after they injected some cash and changed the name the product became very solid with a couple unique features and good unstructured data capabilities. My initial evaluation was a thumbs up- Websense had the channels and exiting market for some good up sell, and their endpoint agent could be a good platform for the PortAuthority technology to extend DLP onto workstations (they do use technology from Safend, but some of the features of the Websense agent make it potentially a better option). The challenge, as you’ll see in some of these other deals, is that DLP is a different sell, to a different buying center, and a different way of looking at security. Nearly one year later I think Websense is still struggling a bit and Q4 numbers, when released, will be extremely telling. The Content Protection Suite is an opportunity for Websense to move a way from a more commoditized market (web filtering) and build a strong base for long term growth, but we have yet to see them fully execute in that direction. I’ve always considered this one a smart acquisition, but I worry a bit that the execution is faltering. Q4 will be a critical one for Websense, and 2008 an even more critical year since the initial integration pains should be over. Rating- thumb slightly up, able to go in either direction based on Q4.
EMC/Tablus: Tablus was an early visionary in the market and, with PortAuthority, one of the top two technologies for working with unstructured data (as opposed to credit card/Social Security numbers). Despite a good core technology (and one of the first endpoint agents, via early acquisition) they faltered significantly on execution. The product suffered from integration and UI issues, and we didn’t see them in as many evaluations as some of the others. That said, the EMC acquisition (undisclosed numbers, but rumored in the $40M range) is one of the smarter ones in the market. EMC/RSA is the biggest threat in the data security market today- they have more components, ranging from database encryption to DRM to DLP, than anyone else. Because of Tablus’s stronger abilities in unstructured data it’s well positioned to integrate across the EMC product line. The biggest challenge is execution- EMC/RSA has an ambitious strategy, and while they acquired a good technology they are probably 9-12 months away from being able to leverage it and improve the market position of the Tablus product. Also, should they spend more time on integration than building up a strong stand-alone product they could put themselves a couple years behind the competition. Right now, it’s just too soon to tell how well they’ll execute, but the possibility is there. EMC is the sleeping giant of data protection that the other large vendors should be keeping their eyes on. Rating- cautious thumb up, with a question mark that might be erased in 9-12 months.
Trend/Provilla: Provilla is a small endpoint-only vendor that I was just starting to hear good things about. They seemed to be a ripe acquisition target to one of the existing DLP vendors with weak endpoint capabilities. Unfortunately, Trend snapped them up for an undisclosed amount. This is an easy one to judge- unless Trend makes a major shift and also acquires network DLP (and content discovery), they’ll never be competitive. Provilla has partnerships (most notable Reconnex), but we’re quickly moving away from network/endpoint partnerships being as desirable to customers when complete solutions from recognized vendors are available. Rating- thumbs down until Trend adds network and discovery.
Symantec/Vontu: You didn’t think I’d actually start with this one, did you? Vontu was an early entrant in the DLP market and has probably done the most to get the word out and grow the overall market, also making them the revenue leader in the process. Vontu is a strong product, even though some competition has closed the gap in the past year or two. The Symantec relationship started as an OEM partnership and wild rumors have been floating around these two for years. Symantec has announced that Vontu will remain an independent business unit, running under the current CEO, and even retaining their own sales staff/reporting structure. This one is Symantec’s to win or lose; they have a poor history of acquisitions and if they muck with Vontu too much and lose the leadership they’ll never get their $350M back. The only way this one will succeed is if Symantec takes the lessons of their past to heart and follows Vontu, rather than trying to paint them yellow. Symantec/Vontu will also need to prepare for the eventual management transitions- everyone says they’ll show up to work the day after they win the lottery, but no entrepreneur lasts forever in a big company. This acquisition is a huge long-term opportunity for Symantec, but it’s high risk based on their history. They have the golden snitch, let’s see if they can keep it. Rating- thumb level, this one is Symantec’s to win or lose and we’ll all be watching.
Raytheon/Oakley: Oakley is really more in the acceptable use space than DLP, and although a lot of people lump them in with DLP that isn’t how they position themselves. I think it was a good match for the government focused Raytheon where internal monitoring needs are different than regular enterprises, and it’s a good match with the Raytheon profile. Rating- thumbs up, but it isn’t really DLP.
One clear thumbs up out of the Symantec deal is for the DLP market overall- the visibility is increasing significantly and this will open doors for Vontu, and the competition. The top two independent core DLP vendors remaining are Reconnex and Vericept. Vericept has seemed to struggle in the recent deals I’ve been told about, but Reconnex is building well after a few early years under some bad management. Both are reasonable targets, but I give the lead to Reconnex right now.
Extending from there we move into Orchestria and Code Green. Code Green is focused on the mid-market and seems to be executing well. The product isn’t as full featured as the leading products, but it’s extremely well packaged and I loved the UI the last time I saw it. They are a good target for anyone looking for something network-focused. It’s a mid-market product, but as a technology buy could grow if needed with the right investment. Orchestria is bigger than any of the DLP products and just transitioning into the DLP market from their compliance/financial market. If they prove competitive in the DLP market they might be a good acquisition target, but with higher revenues the price might be too high for anyone looking to buy in. They will need a huge DLP customer base to get the valuation that they want, so I don’t expect any news from them for a while.
The next possibility is Fidelis and IBM. IBM just included Fidelis as part of their $1.5B data security alliance/campaign. The product has struggled for a while and will take some serious investment to be competitive (something IBM can always do if they want). I lay reasonable odds on an eventual buy. Verdasys is an endpoint-only solution that’s reasonably strong as a security platform, but still needs work to compete in DLP. They’re also part of the IBM alliance, but will cost more than Fidelis since revenues are higher. IBM could combine the two, but Verdasys uses an Autonomy engine for content analysis and I’m not sure if that would be good enough for IBM, or if they’d want their own. Even odds on that one.
After that we hit a bunch of companies that aren’t pure-play DLP but have some capabilities. It ranges from Secure Computing, to Clearswift, to Workshare, to Tumbleweed, to Palisade. I don’t see any of them as DLP-specific targets, even if they continue to expand into DLP. Remember, this is an acquisition post, not a product rating post.
In terms of buyers it’s all over the map. There are open industry rumors that most major security companies (or companies with a big stake in security) are all hovering over what’s left of the market. Considering the still-small DLP market, some may decide to ride it out and build themselves, or go small and snap up a technology that they can build up over 2 years.
Predicting market revenue for 2008 is extremely difficult. As more large vendors move into the space it will be harder to gain insight into DLP-specific revenue. We’ve seen about 1.5-2x annual growth over the past few years, and based on customer conversations I expect this trend to continue. My (very) rough guess is around $200M-$250M max in 2008, but I reserve the right to change my mind.
We live in interesting times, and all this movement and hype doesn’t change my position on DLP: it provides immediate value if you prepare for it properly and use it to limit the right kinds of risk (notice I didn’t say threat), but if you think this will end the insider threat and stop all malicious attacks you will be sorely disappointed. Long term, it’s a powerful platform to anchor major portions of the Data Security Lifecycle, and the really interesting times still lay ahead.