2008-10-08 14:12:27, posted by John Pescatore, VP Distinguished Analyst, in IT Leaders - Security and Risk Management
Mergers and acquisitions in the information security industry always come in waves, just like they do in the IT industry. After every wave, there is always talk of "consolidation" and "enterprises want one stop shopping," and that talk is always proven wrong. Just as in the overall IT industry, the majority of mergers and acquisitions do not succeed, and the ones that do are all about rationalization, not consolidation: adjacent areas of the market coming together into platforms that make sense to deliver security controls that have lower total cost of ownership to deal with older threats or provide more effective security against evolving threats.
There are some clear failure patterns for mergers and acquisitions in the security space:
Those that only have the single-vendor argument as justification: see Symantec exiting the network security space it got by acquiring Raptor and Recourse, and CA selling what was left of SilentRunner.
Those that are essentially two sinking ships roping themselves together: too numerous to mention.
Some clear patterns that can lead to success:
Host- or network-based security "platforms" acquiring technology to add protection vs. building it themselves: firewall companies acquiring and integrating network IPS, AV companies acquiring anti-spyware and host-based IPS to integrate into endpoint protection platforms.
Major IT platform companies acquiring "let the good guys in" technology, such as IAM products, to embed access control and authentication capabilities into these business-driven products.
Easily six out of 10 mergers fit the failure pattern. Plus, after every wave of acquisitions, for every company that disappears two or three new ones pop up. That's one of the reasons why the information security space is so interesting and complex: between changing threats, changing business practices, and changing technology, nothing stays still.





