(Bloomberg) -- In March, VMware Inc. Chief Executive Officer Pat Gelsinger took the stage at a premier cybersecurity conference to deliver a cutting message to attendees: The industry had failed its customers and many of the companies were akin to ambulance chasers.
“We have 6,000 products, 5,000 companies, highly fragmented, (and) not operational,” Gelsinger recalled telling those at the RSA Conference in San Francisco. “We’re the fastest growing line item for IT and the number and scope of breaches has increased.”
The reaction: “There were people who wanted to kill me,’’ he said. “There were people who considered me a prophet of the future.”
Five months after Gelsinger’s speech, VMware entered the fray, buying cybersecurity company Carbon Black Inc. for $2.1 billion, and joining an estimated 5,600 companies that offer security hardware, software or services. VMware, majority owned by Dell Technologies Inc., and Box Inc. are among the software makers that have targeted the area as the next frontier for growth. Businesses are spending more to protect their information in an era when cyber-attacks have become more frequent and data is moving from corporate servers to huge public cloud-computing vendors.
Companies spent $112.7 billion on information security and risk management in 2018, and are projected to increase that outlay almost 9% more per year through 2022, according to research firm Gartner Inc. Still, with the industry so diverse, and so many niche products available, it will be difficult for any new entrant to capture a big share of the business, said Erik Suppiger, an analyst at JMP Securities.
“Security is a very specialized technology and it’s difficult to replicate the culture of security innovation at a company that’s not focused on security,” Suppiger said in an interview. “When you have other companies trying to expand beyond their core focus, I think a lot of times they are more successful if it’s adjacent to what they do. It’s when they move beyond a good complement that they get into trouble.”
The top public cloud companies, Amazon.com Inc., Microsoft Inc. and Alphabet Inc.’s Google also have started to develop add-on security tools to protect clients’ data on their platforms, suggesting another new, powerful force in the industry.
“We haven’t seen them dominating yet, but they are in a very good position,” Suppiger said of the three cloud titans.
Despite the market chaos, Gelsinger sees an opportunity for VMware. It plans to integrate Carbon Black’s data-protection product with its existing software and sell them as a suite.
“We’re going to redefine the category to say if you’re not a platform and you’re not doing management and security, you’re part of the problem, not part of the solution,” he said.
VMware makes software that allows customers to combine multiple tasks on a single server, and is trying to shift to selling more programs that help companies run applications in the cloud and in their own data centers. For years, the 22-year-old company has sought new avenues to boost sales growth, including networking solutions and products that authenticate the identities of those accessing corporate devices and systems.
Revenue growth of about 12% year over year for the last four quarters hasn’t matched business cloud applications companies such as Salesforce.com Inc. or Adobe Inc., which regularly post quarterly revenue gains of more than 20%.
While no individual companies dominate the market the way former titans McAfee and Symantec once held sway, VMware’s Carbon Black competes with Crowdstrike Inc., a Wall Street favorite since it went public last June. Carbon Black makes software that helps companies detect malicious behavior on their systems. Gelsinger said he considered buying Crowdstrike and others, but dismissed the notion of spending one-third of his company’s $60 billion market capitalization on “one solution.”
Instead, VMware is betting it can capture bigger deals by integrating Carbon Black’s tools and selling them through its existing, much-larger salesforce.
Suppiger said VMware’s entrance into the market is unlikely to rattle rivals.
“I don’t view them as a major threat to the vendor landscape in the endpoint space,” Suppiger said. “There’s a pretty strong case to be made that Crowdstrike is out-executing Carbon Black as part of VMware.”
Other companies may emerge as targets for those looking to bolster their positions in the cybersecurity market. Dell is said to be exploring a sale of RSA Security, which it hopes could fetch at least $1 billion, Bloomberg News reported in November. CrowdStrike remains a coveted asset, as is Zscaler Inc., which provides web and mobile security, and analysts have pointed to Palo Alto Networks Inc., though its $24 billion market value makes it an expensive acquisition.
Box CEO Aaron Levie, too, sees cybersecurity as a way to expand. His company’s sales growth dropped to less than 20% a quarter in the current fiscal year—far slower than many of its cloud peers.
Last October, Box launched a security product, Shield, that’s meant to help companies reduce data leaks through additional controls. The introduction of the new product coincided with activist investor Starboard Value LP taking a stake in the Redwood City, California-based software maker, pushing the company to increase sales growth and make a profit.
Box’s future will be determined, in part, on how well it can sell Shield. Levie said he came to believe that a security product would be a natural evolution for the company that sells file-sharing and collaboration tools.
In “a world where companies are sharing and collaborating inside and outside of their organizations, you need an all-new security model to protect information that flows between companies,” he said.
For all of VMware CEO Gelsinger’s complaints about how fractured the cybersecurity market is, Suppiger still sees the best solutions coming from smaller companies that concentrate on specific problems. But the market remains wide open.
“Cloud security is still the wild, wild west where the competitive dynamics have yet to really play out,” Suppiger said.