The great security spend: Why is cyber-defence such big business?

"You saw IT spending dip during the recession years, but you did not see security dip," crackles the voice of Jody Brazil, CTO and Founder of FireMon from the boardroom phone. "it's because security is seen as a must-have, and whilst IT is of course one too, it's one that measured by ROI whilst security is measured more by 'How scared are you?'"

He has a point of course. A recent report found that security vulnerabilities have hit their highest level since records began, and finding a means to combat these is becoming big business. Such big business in fact, that IT security companies are now sealing some of the most lucrative mergers and acquisitions this side of J.P Morgan & Chase.

It's the amount of these deals, however, that is so fascinating. IT security companies are carving a huge slice of the market – so why are we seeing so many mergers and acquisitions in the security sector?

"It's the pace of which the attackers are going after new opportunities they find," says Brazil, "whether it's stealing credit cards or taking down someone's network for political reasons. The pace at which they're moving to damage a business requires very rapid innovation and it's very rare that you will see an established, large company who can innovate at that pace. So you see a lot of smaller companies that come up with innovative solutions bring them to market, and companies that have a lot of money just buy the innovation from these companies."

It means that in the security space, it's rare to find valuations based on profit are rare. Instead, the price of a business is based on the quality of its products. Consequently in an acquisition the aim is not so much to buy revenue, as technology.

In recent years, this has meant that more and more businesses whose core values are not associated with IT security are outbuying security companies. Brazil believes "this is being driven by a couple of things. One, it's a hot space. People will pay high multiples for security solutions because they know that it's a hot business and it's growing rapidly. Secondly there's also a little bit of a protection mindset, that even in down economy years people are still spending at the same rates on security whereas that's not true in IT."

In other words, cyber-attacks are a constant threat whilst IT has become the equivalent of buying some spendy scatter cushions and a big candle from Marks and Spencers. Security and defence, meanwhile, remain very much "essentials" – the fridge and duvets in the business world's putative semi.

As a software company that gives customers visibility into the complex security systems protecting their network, Firemon itself has felt the pressure of offers with Brazil admitting that the numbers investment conversations initiated by others having ramped up exponentially over the past two years.

Whilst Firemon are currently not interested in those calls, the deals are not without temptation. "The average multiple now that people are paying for a security company is approaching ten times revenue," says Brazil disbelievingly. "To pay ten times on services in the normal world is crazy, in the security world it's normal. Look at what Fireye paid for Mandiant for example, and Mandiant isn't even a software company! It's primarily a service. There are some pretty high multiples happening in the security space."

And no wonder. With the practically daily accounts of hacks and governmental spying, you'd be forgiven for retreating to an underground bunker with nothing but a box of canned beans and a colander helmet. So is this spike in security investment just capitalising on a growing sense of fear?

Brazil disagrees. "It's definitely value," he asserts. "These companies are not being silly with their money. They're paying high multiples because they have to, because someone else is bidding them up to that level."

The result is some very interesting purchases, such as Cisco's acquisition of sourcewire or more recently VMware buying Airwatch for the princely sum of $1.54 billion. As Brazil notes, Airwatch is "the number one mobile device management (MDM) platform in the market, clearly the leader in the space, and VMWare – who has nothing in the mobile world, never has – goes out and doesn't just buy a mobile company, goes and buys a security company."

Considering that last year VMware also paid out for Nicira, an SDN company that has become the backbone of their security platform, the pattern of its mergers and acquisitions tells us an interesting story. "We're talking about VMware who has never been thought of as a security company making a couple of acquisitions in the last couple of years that is squarely putting them in the security space. That's just interesting," says Brazil.

The ripples of these deals are being felt throughout the entirety of the IT sector, as more and more private equity firms look for investment in security, making more cash available to startups and prompting an exciting cycle of innovation. But is this a fad or are security based mergers and acquisitions in for the long haul?

"No I don't think it's a fad," says Brazil as he closes off. "It's around for a while for sure, a decade, two decades or longer I can't say but it's not going away any time soon. A lot of things will join it, mobile has had it's share of excitement and cloud certainly too, but what's interesting about security is that each one of these innovations whether it be cloud, or whether it be virtualisation, security is becoming a key element of that new story. While cloud may only be the cool thing for the next five years, whatever comes after it will also need security, so I think it's going to have a pretty good run."