As Rich described on Friday, he, Adrian, and I were sequestered at the end of last week working on our evil plans for world domination. But we did take some time for meetings, and we met up with a small company, the proverbial “last company standing” in a relatively mature market. All their competitors have been acquired and every deal they see involves competing with a multi-billion dollar public company.

After a few beers, we reminisced about the good old days when it was cool to deal with start-ups. Where the big companies were at a disadvantage, since it was lame to buy from huge monoliths. I probably had dark hair back then, but after the Internet bubble burst and we went through a couple recessions, most end user organizations opt for big and stable vendors – not small and exciting.

This trend was compounded by the increasing value of suites in maturing markets, and most of security has been maturing rapidly. There is no award for doing system integration on the endpoint or the perimeter anymore. It’s just easier to buy integrated solutions which satisfy requirements from a single vendor. Add in the constant consolidation of innovative companies by the security and big IT aggregators, and there has been a real shift away from start-ups.

But there is a downside of this big company reign. Innovation basically stops at big companies because the aggregators are focused on milking the installed base and not necessarily betting the ranch on new features. Most of the big security companies aren’t very good at integrating acquired technology into their stacks either. So you take an exciting start-up, pay them a lot of money, and then let the technology erode as the big company bureaucracy brings the start-up to its knees. A majority of the brain power leaves and it’s a crap show.

Of course, not every deal goes down like this. But enough do that it’s the exception when an acquisition isn’t a total train wreck a year later.

So back to my small company friends. Winning as a small company is all about managing the perception of risk in doing business with them. There is funding/viability risk, as more than a couple small security companies have gone away over the past few years, leaving customers holding the bag. Most big companies take a look at the balance sheet of a start-up and it’s a horror show (at least relative to what they are used to), so the procurement group blows a gasket when asked to write a substantial check to a start-up. There is also technology risk, in that smaller companies can’t do everything so they might miss the next big thing. Small companies need good answers on both these fronts to have any shot of beating a large entrenched competitor. It’s commonly forgotten, but small companies do innovate, and that cliche about them being more nimble is actually true. Those advantages need to be substantiated during the sales cycle to address those risks.

But end users also face risks outside of the control of a small company. Things like acquisition risk, which is the likelihood of the small company being acquired and then going to pot. And integration risk, where the small company does not provide integration with the other solutions the end user needs, and has no resources to get it done. All of these are legitimate issues facing an end user trying to determine the right product to solve his/her problem.

As an end user, is it worth taking these risks on a smaller company? The answer depends on sophistication of the requirement. If the requirement can be met out-of-the box and the current generation of technology meets your needs, then it’s fine to go with the big company. The reality of non-innovation and crappy integration from a big company isn’t a concern. As long as the existing feature set solves your problems, you’ll be OK.

It’s when you are looking at either a less mature market or requirements that are not plain vanilla where the decision becomes a bit murky. Ultimately it rests on your organization’s ability to support and integrate the technology yourself, since you can’t guarantee that the smaller company will survive or innovate for any length of time. But there are risks in working with large companies as well. Don’t forget that acquired products languish or even get worse (relative to the market) once acquired, and the benefits of integration don’t necessarily materialize. So the pendulum swings both ways in evaluating risks relative to procurement.

And you thought risk management was only about dealing with the risk of attack?

There are some tactics end users can use to swing things the right way. Understand that while negotiating the original PO with a small company, you have leverage. You can get them to add features you need or throw in deployment resources or cut the price (especially at the end of the quarter). Once the deal closes (and the check clears), they’ll move onto the next big deal. They have to – the small company is trying to survive. So get what you can before you cut the check.

So back to the topic of this post: are we going to see a return of the security start-up? Can smaller security companies survive and prosper in the face of competition from multi-billion dollar behemoths? We think there is a role for the security start-up, providing innovation and responsiveness to customer needs – something big companies do poorly. But the secret is to find the small companies that act big. Not by being slow, lumbering, and bureaucratic, but by aligning with powerful OEM and reseller partners to broaden market coverage. And having strong technology alliances to deliver a broader product than a small company can deliver themselves.

Yes, it’s possible, but we don’t see a lot of it. There are very few small companies out there doing anything innovative. That’s the real issue. Even if you wanted to work with a small company, finding one that has the right mix of decent product in a growing market, non-horrifying balance sheet and funding prospects, and interesting roadmap is not easy. That’s the real downside of the big company/small company pendulum. For the last few years, fewer and fewer new security companies have been funded (as investors tried to make their existing investments work), and that’s resulted in fewer companies and (much) less innovation.

With the lack of liquidity (no IPO market, few high multiple M&A deals), it’s hard to see how this might change any time soon. VCs won’t jump back in until they think they can make money. There are still a lot of crappy small companies out there trying to get bought, so the buyers can be picky and drive hard bargains. That means end users will be working with bigger companies (with all the heartburn that entails) for the foreseeable future. The market could improve, welcoming small outfits and lots of innovation – it just doesn’t seem likely, at least for a couple of years.