For a successful midtier company in a consolidating market dominated by large, acquisitive technology players, staying independent sometimes seems like an uphill battle.
Such is the case for Sourcefire Inc., a 10-year-old provider of cybersecurity technology. As the pace of multibillion-dollar acquisitions in the network security market has taken off in the past year, the Columbia, Md.-based company is
incessantly mentioned as the next potential target, especially in light of the size of the companies it views as its top rivals: McAfee Inc., Cisco Systems Inc. and IBM Corp.
"It makes us feel good, and we laugh about it a bit," says Sourcefire CEO John Burris. "But what we don't want is to get it into your customers' heads that we aren't going to be around or are going to be distracted."
Avoiding that fate has not been simple as consolidation roils the data security industry. Symantec Inc., the largest independent company in the space, struck four deals last year worth nearly $1.7 billion. Hewlett-Packard Co. in October paid $1.5 billion to buy ArcSight Inc., and chipmaker Intel Corp. last year agreed to purchase McAfee for $7.7 billion.
Reports surfaced more than once last year that IBM was interested in acquiring Sourcefire.
Though Sourcefire declined to confirm this and nothing so far has come of the speculation, Sourcefire repeatedly has been singled out as one of the remaining security targets.
The company's status as a buyout candidate has moved beyond speculation at least twice since it was founded in 2001. The first instance was in 2005, when Israeli network security provider Check Point Software Technologies Ltd. agreed to pay $225 million for Sourcefire.
"The deal represented a bunch of innovation for Check Point ... and a nice exit for our VCs," says Sourcefire chief financial officer Todd Headley. The deal would have represented a 9 times investment return for Sourcefire's backers, who owned 80% of the company.
But the Committee on Foreign Investment in the United States intervened, viewing an acquisition of Sourcefire by a foreign company as a potential national security threat, in large part because the federal government was a significant user of the company's technology.
Eight months later, following a $20 million mezzanine round, Sourcefire went public in an $80 million offering. Then, in mid-2008, it attracted the unwanted attention of Barracuda Networks Inc., a Web security company that offered $187 million. Even after the hostile bid was sweetened to $206 million, Sourcefire rejected it as too low and continued on its independent path.
The consolidation that is shrinking the network security market isn't all bad for Sourcefire. For example, Burris likens the McAfee deal with Intel to IBM's acquisition in 2006 of Internet Security Systems Inc., which Sourcefire at the time considered its biggest rival. IBM is widely viewed to have stumbled in the integration of ISS, which was folded into the Armonk, N.Y.-based company's global services arm.
"ISS was trying to develop product inside a consulting organization," Burris says. "IBM screwed up all ISS' partner relationships by integrating it so quickly. We're hoping the same thing happens to Intel-McAfee."
It's common for small companies to publicly applaud the acquisition of rivals as a chance to gain advantage while the competition is distracted. But the bottom line is that Sourcefire is a lone fish swimming in a pool with increasingly larger predators.
The company has, for now at least, trained its focus on growing its own business. Earlier this month it announced the $21 million acquisition of anti-malware software startup Immunet Corp., Sourcefire's largest purchase to date.
"This acquisition makes the statement that we are really broadening the markets we are in," Burris says, arguing that with the Immunet deal Sourcefire's potential market will expand to
As company founder and chief technology officer Marty Roesch describes it, Immunet provides a "social network for antivirus," in that it harnesses information about new malware from its community of users to strengthen its product. The startup's business model will also enable Sourcefire to offer future security offerings via a cloud-based platform.
All of which, Burris acknowledges, is unlikely to remove Sourcefire's name from the next story about a security deal, whether it is involved in the transaction or not.
"The Immunet deal makes us a bigger target for sure," Burris says.