• Who We Are
  • What We Do
  • Success Stories

News & Events

Transaction Highlights


In The News

Security start-ups ripe for picking

The Boston Globe
by Scott Kirsner

Monday, January 03, 2005 - Avid sports fans often participate in rotisserie leagues, in which you get to draft real-world basketball or football stars for your fantasy team, then see how they perform throughout the season. Here's my idea: a rotisserie league for security start-ups.

Pick three Boston-area companies that sell technology that enhances the security of networks, corporate infrastructure, or home PCs. At the end of 2005, we look at how many of your picks attracted venture funding, were acquired, or went public.

(Of course, the best statistic to follow would be revenues, but private companies don't usually disclose those.)

Last year, you could have picked almost any Boston-area security company for your rotisserie team and done pretty well.

Netegrity, a publicly held Waltham company, was acquired for $430 million, and @stake, a Cambridge firm founded by hackers who analyzed security gaps for clients, was bought by Symantec Corp. for an undisclosed sum. Framingham-based Courion, which like Netegrity is in the access-management business, raised $5 million; Intrusic, Q1 Labs, Mazu Networks, and Ounce Labs also took in venture money.

Why was there so much activity in security tech? Because the things that have corporate technology executives biting their nails are all security threats: worms, bots, viruses, rogue employees (current and former), hackable wireless networks, and vulnerable software applications produced in-house.

And home computer users are increasingly concerned about spyware that captures their keystrokes, which can be used in identity theft, and about viruses.

''There's a good reason you're seeing so much happening in security," says Jim Slaby, a senior analyst at Yankee Group in Boston. ''It's the same question as, 'Why do you rob banks?' That's where the money is. Security is where a lot of customer dollars are now."

In 2004, Yankee recently estimated, $13 billion was spent on corporate security tech around the world. At a time when chief investment officers are stingy about most new products, they're spending freely on security software and services.

As a result, venture capitalists are eager to put money into security start-ups. It's nice, for a change, to fund companies that actually have customers clamoring to buy their products.


''Venture firms agree that they need at least one security company in their portfolio," says Shaun McConnon, founder and chief executive of Q1 Labs of Waltham, which has raised nearly $30 million to develop software that analyzes external and internal security threats and presents them on a digital ''radar" screen.

Many of those security start-ups, no matter how small, will be attractive acquisition candidates for larger companies.

(Last month, Microsoft bought New York-based Giant Company Software, a maker of antispyware tools that employed just 12 people.)

''Security mergers and acquisitions were the hottest single sector in the 2004 M&A market," says Ben Howe, managing director of America's Growth Capital, a Boston investment bank. ''I think it will accelerate in 2005."

Last year's biggest deal was Symantec's acquisition of Veritas Software, for $13.5 billion. That deal, which united two Silicon Valley companies -- one known for security and one known for backup and storage software -- seems likely to trigger an acquisition by Hopkinton-based EMC Corp., a Veritas rival, sometime soon.

The reason security acquisitions will continue in 2005, says Paul Deninger, is that the CIOs responsible for buying security tech don't want to buy from 20 vendors and then deal with the headaches of making sure all those products work together.

Deninger, chairman of Broadview, an M&A advisory firm in Waltham, says: ''This happens in every niche of the software market. You have customers pointing to their larger vendors, and telling them, 'Go out there and consolidate. I want to be able to wring one neck if there's a problem.' "

The likely buyers of Boston-area security companies this year include Cisco Systems, Juniper Networks (which a Valley company that has an executive in Westborough who helps to hunt for acquisitions), McAfee, IBM, HP, CA, Novell, BMC, and EMC.

Symantec, which bought @stake in September and invested in Mazu Networks of Cambridge in December, will probably keep shopping in Massachusetts.

RSA Security, a publicly held Bedford company that makes hardware and software ''tokens" for user authentication, could be an acquirer or an acquiree in 2005.

''They'd make a choice acquisition candidate for someone like IBM or Computer Associates or EMC," says Maria Lewis Kussmaul, another managing partner at America's Growth Capital.

But RSA chief executive Art Coviello says, ''We think our shareholders are best served by remaining an independent company."

His bias, he says, is toward ''organic growth," though he says the company will ''look at acquisitions as they make themselves available."

Like Coviello, chief executives of venture-backed private security companies hate to present themselves as small fish eager to be swallowed by bigger fish.

''We're not out there holding up a 'for sale' sign," says Peter Rendall, chief executive of Top Layer Networks, a Westborough company whose 116 employees make an intrusion prevention system called Attack Mitigator.

''We want to go public," McConnon says.

But Bay State venture capitalists are notoriously impatient to cash out, and the criteria for a successful IPO are extremely hard to meet right now.

''Unless you can do a billion-dollar market cap, you can't really go public," says Deninger, whose firm advised Netegrity in its acquisition by Computer Associates. Deninger adds that the costs of complying with Sarbanes-Oxley regulations -- not to mention the associated liabilities for company officers -- are dissuading many companies from going public.

Arbor Networks of Lexington, which makes hardware and software to combat worms and denial-of-service attacks, is a possible IPO candidate for this year.

Everyone else is a possible acquisition: from Pedestal in Newton (security audit software) to Waltham-based Verdasys (limiting distribution of sensitive information), to Silverback Technologies in Billerica (security monitoring for small and medium-size businesses), to Braintree-based InterMute (software to fight spyware and browser-hijacking).

Also on the acquisition chart: GeoTrust, Mazu Networks, Q1, Intrusic, Top Layer, and Ounce Labs.

Jack Danahy, chief executive of Ounce Labs in Waltham, has made a career of being acquired. While he hasn't taken a company public, he has worked for six companies that were acquired, including one he founded: Qiave, which was sold to Watchguard Technologies in 2000 for $66 million. His new company helps customers spot security lapses in home-grown applications.

Perhaps because of his history, Danahy was the one executive I spoke with who didn't have a visceral objection to the notion of being acquired.

''If the customer feels more value if it was tightly integrated with somebody else's product, you've got to serve the customer," Danahy says. ''Acquisition is all about the way the customer wants to buy."

Which three Boston-area security companies would you draft for your rotisserie team? Drop me an e-mail, and at the end of the year, we'll see how you did.

One point for companies that get VC funding, three for companies that are acquired, five for an IPO. First prize will include a mention in the column. And maybe a couple of tech tchotchkes that we're not allowed to keep around here.

© Copyright 2005 Globe Newspaper Company.