Spending on information security is forecast to multiply 10-fold over the next decade. Security threats continue to grow. Identity theft, theft of proprietary information, malware, advanced persistent threats, and now we are learning about governments insatiable desires to access our private information. Company board members are rightly scared of the consequences of high profile data breaches – they are potentially terminal for an organisation. Already information security is a $60bn industry, growing at 25% per annum. A multi-fold increase will balloon revenues to truly spectacular levels.

Threats will come from devices in addition to end PCs and servers as in the past. As mobile computing takes off, mobile security threats are growing accordingly. I have already posted about threats to motor cars and smart houses. As more and more products gain software control and are connected to the internet, so too the Internet of Things will become the new frontier for security threats.

The information security industry is characterised by major players who traditionally grow by acquiring new technology. This provides the attractive exit path for entrepreneurial start-ups who bring innovation into the industry. Many of the attractive purchases are of companies who are not yet making a profit. They are purchased for their strategic value and their technology, and occasionally for their customers.

A good example is the news which came out last week that our main competitor Trusteer has been acquired by IBM for a reported $1bn. Word on the street is that Trusteer’s revenues were only around $50m, which makes the sales price about 20 times annual revenues – a high multiple indicating the company’s high strategic value. The price is around the correct level in our viewpoint, and it should be a good fit. There are a reasonable number of sizeable conglomerates eager to carve out an increased slice of the lucrative information security market by snapping up technology which will be valuable in the future.

Security companies who deviate from this formula tend to lose their way a bit. Symantec is an example, where they placed more emphasis on management controls than innovation. Some are now suggesting that Symantec should go back to the tried formula, and grow by acquiring innovative, fast-moving security start-ups.

When companies are acquired they are either closely integrated into the acquiring organisation or left alone to operate independently, or some position in-between. It appears that IBM’s intention is to closely integrate Trusteer into one of their operating divisions. The recent Yahoo purchase of Tumblr for $1.1bn is an example of leaving the acquired company to continue to operate independently. In order to recreate the necessary entrepreneurial environment, Tumblr CEO David Karp has reportedly been offered a $81m package to remain with the company over the next 4 years. Not a bad contract for a 27-year old.

Medium and long-term investors try to pick a growing industry as a first step in the investment process. They would be hard pressed to match the growth prospects and future outlook of Infosec in a mature industry. Increasing demand for security solutions will continue to fuel the bullish market.