Prospective buyers are also interested in anti-spyware companies and providers of security technology for devices and computers used by workers, said Anton Papp, vice president of information technology at investment bank Montgomery & Co.
Activity in the other direction -- security companies buying outside their niche -- is rarer, but still happening.
Symantec's acquistion of Veritas, a slower-growing storage company, is a case in point. The deal is expected to expand the security company's reach into the broadly defined systems management industry.
"Symantec is seeing their profit margins and market squeezed by IBM, Microsoft and Cisco, which are entering the security market, so they had to diversify," Papp said.
Hold the autopsy
Don't look for the demise of the security industry just yet, some industry observers countered. The trend toward absorbing and being absorbed hasn't been going on long enough to tell whether it's a real shift yet.
"(We're) still a year or two off from determining whether this hypothesis is real," Credit Suisse First Boston's Sidders said. "Once it's determined it's real, then it will take another three to four years to become ingrained in the industry."
The cost of acquisitions could also temper the speed of the shift. About 30 security companies have a market capitalisation of at least US$50 million. By comparison, seven years ago that was true of only six to 10 businesses, Sidders said.
And because this industry is viewed as high growth, most security companies are content to build out their business, rather than hang out a "for sale" shingle.
"Security companies are bought, not sold. It's such a hot space," Papp said.
Not all of the buying activity is taking security companies beyond that market. Some companies are firmly holding onto the concept of remaining independent and focused solely on purely protective products, even while they make acquisitions.
McAfee bought digital security company Foundstone to bolster its security product line. McAfee has also bought other security vendors recently.
In addition, Check Point Software Technologies has largely grown its business through internal efforts, with the exception of the Zone Labs acquisition in late 2003.
Richard Stiennon, vice president of threat research at Webroot Software, puts himself in the camp that believes a standalone security industry is here to stay.
"New security companies are starting all the time to deal with a specific specialisation," Stiennon said. "Five years ago, there were no antispam companies or anti-spyware companies. I don't think that will change."
1%
8%
