Security industry M&As under the spotlight

Security companies that are privately held and in the business of protecting information from espionage and offering up secure access are attractive among potential buyers, a panel of security titans and bankers said on Thursday during the RSA Conference 2006.

The panel, speaking to a standing-room-only crowd, addressed the current mergers and acquisitions environment for security companies, as well as what it takes for them to gain interest in potential buyout candidates.

The current valuation for privately held security companies, based on projecting out future revenues, is a mean of slightly more than 6.5 times those revenues. But valuations for publicly traded security companies are substantially lower, said Rob Owens, vice president of equity research for Pacific Crest Securities and panel moderator.

Explaining the difference between valuing a private security company and a public one, Parveen Jain, executive vice president of corporate development and strategy for McAfee, said: "Most of the innovation comes from smaller companies."

Another issue for buyers is public companies tend to be more mature, offering less potential revenue growth, according to Michael Cristinziano, vice president of strategic development for Citrix, which acquired SSL VPN start-up Net6 for $50m two years ago.

He added that the ability of a potential buyout target to add to his company's profits within a 12-month period is a key consideration on whether to do a deal.

Symantec, which has been on a big and small acquisitions frenzy, wants its potential lifelong partners to have frank discussions with the security giant on its financial outlook and performance. James Socas, senior vice president of Symantec's corporate development, recalled a time when a private company provided financial information that showed declining revenues over a three-year period, yet had a forecast of more than doubling its revenues in the following year.

McAfee, meanwhile, hones in on the candidate's operating team, assessing whether they can deliver on the technology and financial numbers they have projected, and be flexible if changes are needed to their business plan.

In providing a broad view of areas in which they are interested in making acquisitions, Jain said McAfee finds areas that need addressing include industrial spying, or the tampering and theft of information.

Symantec is anticipating more companies will find it incumbent to take on the role of managing their own security, similar to what consumers have done. Citrix is focusing on deals that will provide its customers with the "best access experience", Citrix's Cristinziano said.

Technology to solve the leakage of sensitive information is an area that a number of large potential buyers are interested in, said panellist Neel Kashkari, an investment banker with Goldman Sachs.

Kashkari noted Microsoft's entry into the antivirus market has had a negative effect on start-ups in a similar market that are seeking funding or a buyout.

He noted: "It's created an overhang with valuations."

A number of security companies are turning to a buyout, rather than going public, as a means to pay back initial investors, the panellists noted, pointing to NetScreen Technologies' 2002 IPO as the last "meaningful" public offering of a security company.

The regulatory environment, including Sarbanes-Oxley, has made executives of private companies more hesitant to go public, rather than selling their operations, the panellists said. Another issue is that single product security companies are finding Wall Street is less receptive in the post-bubble environment.

And then there are the attractive valuations for privately held security companies, in the current climate.

Symantec's Socas said: "Mergers and acquisitions are white hot right now. We've seen a lot of good companies on the private side."

Dawn Kawamoto writes for CNET News.com