IBM and Cisco Have the Same Security Strategy

Image source: IBM.

Information security was a $75 billion market in 2015, and demand is expected to grow rapidly in the coming years as cyber attacks become more common and more expensive to deal with. The Wall Street Journal estimated that cybercrime costs in the U.S. totaled $100 billion in 2013, and British insurance company Lloyd's put the global figure at $400 billion in 2015. Juniper Research expects global cybercrime costs to balloon to over $2 trillion by 2019.

Demand for cyber security products and services is expected to grow to $170 billion by 2020, according to a report from MarketsandMarkets, fueled by the growing threat of cybercrime. Given this growth, buying shares of fast-growing cyber security companies may seem like a no-brainer. In fact, there's an exchange traded fund, PureFunds ISE Cyber Security ETF (HACK -0.74%), that allows investors to do just that.

Unfortunately, this strategy has been disastrous for investors. HACK is down about 30% from highs reached about a year ago, driven by former high-flying stocks like FireEye (MNDT) collapsing because of unrealistic expectations. FireEye, while posting rapid growth, is wildly unprofitable, and the stock has lost nearly 70% of its value since June of 2015.  

Both International Business Machines (IBM 0.06%) and Cisco Systems (CSCO 0.44%) are major players in the cyber security market. Security represents a small portion of IBM's and Cisco's revenues, but both companies expect their respective security businesses to grow rapidly in the coming years. Neither company offers the same growth potential as smaller, pure-play companies like FireEye, but the strategy both IBM and Cisco are employing give the tech behemoths a good chance of becoming dominant industry leaders in the long run.

A fragmented market
When a market is growing as quickly as the cyber security market, a large number of companies can be successful. As the market matures, though, consolidation becomes inevitable as the weaker players struggle to effectively compete. Last year, Cisco estimated that the typical large enterprise deals with more than 54 different security vendors. IBM put the number at 40 during its first-quarter conference call, but either way, working with dozens of separate vendors is inefficient, and it raises the likelihood that something goes wrong.

Cisco, still predominantly a hardware company, competes in the security infrastructure market in addition to offering security software and services. In fiscal 2015, Cisco's security business generated $1.75 billion in revenue and posted 12% growth. Over the next 3-5 years, the company expects security revenue to grow at a 10%-15% annual rate.

IBM's security business is roughly the same size, generating $2 billion of revenue in 2015 and growing by 12% adjusted for currency. Security is one of IBM's strategic imperatives, along with analytics, cloud, mobile, and social. The company is investing heavily in these areas, shifting resources away from shrinking legacy businesses in an effort to return to growth.

Both Cisco and IBM have the same idea: Broaden their respective security businesses through acquisitions. This strategy allows both companies to offer an increasing variety of security products, potentially cutting down on the number of different vendors a typical organization depends on. There's certainly an incentive for organizations to simplify and deal with fewer vendors, and both Cisco and IBM are aiming to emerge as diversified leaders in the industry.

Cisco has been actively acquiring security companies over the past few years, starting with the $2.7 billion purchase of Sourcefire in 2013. Acquisitions of ThreatGRID, OpenDNS, and Lancope followed, helping Cisco accelerate the growth of its security business. The company is shifting more heavily toward software and services with these acquisitions, and its security-deferred revenue jumped 26% year over year during Cisco's second quarter.

IBM has also been buying up security companies, including Trusteer in 2013, Lighthouse Security Group in 2014, and Resilient Systems earlier this year. IBM now employs more than 7,000 security experts, and the company claims to lead the market in four out of its six security segments. IBM's business model has long been built around providing integrated solutions, and its security business is no different.

While a large number of specialized cyber security companies are currently scrambling for market share, consolidation in the industry is inevitable. Both Cisco and IBM enjoy existing customer bases that give the companies a major advantage, and both have the resources to grow by acquisition. Betting on smaller companies like FireEye may seem more attractive to growth investors, but Cisco and IBM will be tough to beat.