Guardium Acquired by IBM

Tel Aviv newspaper TheMarker reports that IBM will complete its acquisition of database activity monitoring company Guardium Monday, November 30th. While it is early, and I have yet to confirm the number with anyone at IBM or Guardium, the sale price is being listed at $225 million. This is by far the largest acquisition in the DAM space to date! I had estimated Guardium’s revenue for 2008 at $35-38M, and $38-40M for 2009. If the $225M acquisition price is accurate, at a standard 5x multiple, it would suggest that they were closer to $45M. But my guess is, with an impressive customer list like Citigroup and BofA, the bookings multiple is a little higher than standard.

Rumors have been circulating for over a year that large firms have approached Guardium and Imperva about being acquired. These two firms are the unquestioned leaders in database activity monitoring, and for larger technology firms looking to fill gaps in their data security portfolio, these discussions made sense. IBM has been interested in DAM for many years, with multiple divisions playing footsie with different DAM vendors, but most didn’t fit IBM’s business. Guardium is one of the only firms still standing with a mainframe monitoring solution, which is a major prerequisite for much of IBM’s customer base. From the IBM perspective, the functionality makes sense and fits well into some of their existing security products. From an architectural standpoint, integration (as opposed to just sharing data and events) will be a challenge. I do not know which section of IBM will own this product or how it will be sold, but those are certainly questions I will ask when I get the chance.

Last year around this time I predicted, based upon the harsh economic climate, that several vendors in this space would be acquired or out of business by now. Tizor was sold for $3.1 million, and as predicted the remnants of IPLocks disappeared. From the rumors I thought Guardium would be next and it was. I was dead wrong, though, in that many security vendors – such as in the SIEM space – were seeing revenue growth despite the miserable economic climate. The impressive $225M figure really surprised me. I had estimated the DAM market at $70-80 million last year, the wide range resulting from the many smaller firms with unknown revenue. For 2009, I estimate revenue has climbed into the $85M range, and that’s with fewer players overall.

Where does that leave us? With Guardium & Tizor now sold to IBM & Netezza respectively, and the list of viable competitors having thinned out, I think that Imperva, Sentrigo, AppSec, and Secerno just became a little more valuable. I hate to call it validation, but this is the first time we have seen a big dollar buy. There remain a lot of firms like EMC, McAfee, Oracle, Symantec, and others who would really benefit from gaining DAM technology, so I expect additional acquisitions in the next 6 months. I spoke with some security product vendors who are building their own DAM variants in-house, with anticipated launch this coming year. Still others, like Fortinet, launched a DAM product based upon a combination of in-house product development in conjunction with licensed code. Rich and I still consider DAM more a collection of markets and tools than a single market, but regardless, IBM is betting on the value DAM can provide their customers.

I must add a personal note regarding this sale, having competed against the Guardium product and team head to head for four years. In 2004, I thought they had a terrible product. I used to tell them as much, which made me a very popular guy! I also remember a particular ISSA meeting where the Guardium presenter was ridiculed mercilessly by the audience for what was perceived as a failed implementation (honestly, I was not one of the hecklers!), but it showed that at that time security professionals did not believe Guardium’s proxy model would work. But Guardium is the only vendor to have truly focused on their monitoring product and offer significant improvement quarter over quarter, year over year. By 2006 they were consistently beating their competition in head to head evaluations of database activity monitoring. While they started with a product that was barely good enough, I have to applaud their staff for being responsive to market trends, for consistently addressing customer complaints, and for systematically outstripping most of their competition in performance and out-of-the-box functionality. I still think the product is hard to deploy and the appliance based model has scalability and large deployment manageability issues, but hey, no one’s perfect. They have stayed focused better than anyone else in this space, and most importantly, have the most tenacious and omnipresent sales force I have ever seen in a small company. This is a personal ‘Congratulations!’ to the Guardium team on a job well done! You guys deserve it.

—Adrian Lane


By Thom VanHorn, Application Security, Inc.  on  12/01  at  02:02 PM

The acquisition of Guardium by IBM validates the importance of database security risk and compliance for enterprise customers.  However, IBM customers will be challenged to successfully integrate Guardium’s technology into an already disparate portfolio of one off, point solutions for data governance acquired from previous transactions.  Serious customers seeking an enterprise approach and an integrated platform for database security, risk and compliance will find that IBM has in fact complicated the task by providing yet another non-integrated point solution.  IBM’s check box architecture approach overlooks the primary requirement to provide integrated solutions for discovery, policy management, vulnerability assessment and user entitlement management (the underpinnings which drive an activity monitoring rules based solution).  Instead they have brought forward a confusing array of user consoles, policy managers, report formats, and rules engines all built by separate companies to achieve separate goals. 

We do, however, expect an uptick in demand as the acquisition highlights our market, and we invite all such prospects to join the list of over 2000 customers that currently deploy scalable enterprise solutions from Application Security, Inc.

By Adrian Lane  on  12/01  at  04:08 PM


Thanks for the comment. I am going to write one or two follow-up posts on this acquisition, both as it is a big milestone for the DAM industry, and there is a lot of confusion about the IBM strategy. I will discuss both. If there is one thing that makes me happy about all this, it is that it has taken years for a handful of customers to view DAM as helpful for compliance, and most press still do not believe this to be true. Hopefully this acquisition will open some eyes and benefit the segment as a whole.


By Thom VanHorn, Application Security, Inc.  on  12/01  at  07:51 PM

You are right Adrian, but I have to reinforce our position - and it’s a position that you and Rich seem to support in your writing - that DAM is only one component of a comprehensive database security, risk, and compliance solution. I do not believe that an enterprise organization can effectively secure sensitive data and meet compliance requirements with database activity monitoring alone. As we see the components, they consist of database discovery, classification, vulnerability assessment, prioritization, policy creation/fixing, DAM, and comprehensive analytics and reporting from an enterprise console to tie it all together. DAM is important, but DAM alone is not enough - and to some degree it is a reactive notification, vs the proactive assessment and mitigation that the other components afford an organization.

By Adrian Lane  on  12/01  at  07:57 PM


I agree, and I am glad you said it as this will play a major theme in upcoming posts.



