The Story of McAfee: How the Security Giant Arrived at a Second IPO
Industry watchers explore the story of McAfee, from its founding in 1987, to its spinoff from Intel, to how it's keeping up with competitors.
Last week, McAfee made its second appearance on the public market with its second initial public offering. It's the latest in a long series of major changes for the cybersecurity software giant, which has had an interesting path to growth since it was founded in the industry's early days.
To see how it got here, we take a look back at McAfee's history and explore the corporate changes and industry trends that shaped the company it is today.
McAfee was founded in 1987 as McAfee Associates, named for its founder, John McAfee, who later resigned from the business in 1994. The security company went through its first of several changes in 1997, when it merged with Network General in an effort to create a cybersecurity company that focused on endpoint and network security, a mix that "continues to fail as a strategy," industry analyst and adviser Richard Stiennon wrote in his Security Yearbook 2020.
Stiennon worked with McAfee as a Gartner analyst in the 2000s. In 2003, new president Gene Hodges aimed to restructure the firm, focusing on security and shedding desktop management, LAN management, and other tools. The Gauntlet firewall went to Secure Computing, divisions were sold off, and the remainder, left with an antivirus product, was rebranded as McAfee.
"I told them that they should end-of-life their firewall," says Stiennon in an interview with Dark Reading. "I've always felt that companies can't have both firewall and endpoint security because it's two completely different buying centers. Desktop support is way different from the network security team."
At the time, McAfee and Symantec were the biggest names in cybersecurity software. Peter Firstbrook, vice president analyst at Gartner, began watching McAfee in 2002 and says that at the time, most customers used either Symantec or McAfee. "There wasn't a lot of alternatives," he says, noting Trend Micro, Kaspersky, and Sophos were also industry players at the time.
McAfee's evolution progressed "in a couple of waves," Firstbrook continues. In its first wave, it tried to focus on endpoint, firewall, and network security with a firewall and intrusion detection system. In the second, it zeroed in on data security and regulation, acquiring a number of smaller security companies as data security and regulation became prominent industry topics.
During this time, it bought endpoint intrusion prevention provider Entercept (2003), network intrusion prevention company IntruVert (2003), and vulnerability scanning firm Foundstone (2004) as it strengthened its focus on enterprise security.
Even with its security focus, more technology wasn't necessarily the answer, notes Forrester senior analyst Chris Sherman.
"McAfee has been a very important player overall in the cybersecurity ecosystem, but it's generally been viewed as one of the more feature-heavy products," he says. "[It's] notorious for slowing down endpoints with its multitudes of endpoint-scanning technologies." It has gone through "a lot of peaks and troughs" in terms of consumer satisfaction and trust in its products.
The company again decided to reinvent itself in 2006 with plans to combine old and new products into an overall risk management framework. McAfee released compliance auditing tool PreventSys 2.6 and Web security tool SiteAdvisor, with its ePolicy Orchestrator (ePO) as the glue bridging old and new. Analysts saw the move as a way to expand beyond its "traditional threat play" into compliance, and beyond the consumer market into the enterprise sector; more acquisitions, including its $20 million buy of Onigma at the time, would integrate into its ePO.
While McAfee "lost the opportunity" to take over the market around then, it was still "making great headway," Stiennon says. Its ePO became a standard inside the US government, and it still had a large customer base. The following years, however, would prove tumultuous.
In 2007, McAfee appointed CEO Dave DeWalt, who acquired Secure Computing and brought back the Gauntlet Firewall McAfee had sold to the company, along with other firewall brands it had acquired over the years. "I was very critical of that, because they're an endpoint protection company and they bought a network security company," says Stiennon, who believes DeWalt's goal was to demonstrate growth to the market.
"He just wanted to make the company look good," Firstbrook notes. "He didn't care if it was good; he wanted to make it look good and feel good." He speculates the driver was eventually to sell McAfee and move on.
The Intel Years: Gaining a Buyer, Losing an Identity
In August 2010, DeWalt sold McAfee to Intel for $7.68 billion in an all-cash deal. The acquisition was meant to solidify Intel's strategy of embedding security into silicon and establish its claim in the wireless market. However, industry watchers saw gaps in the strategy.
"A bunch of people in the industry said, 'No way,'" Stiennon recalls, adding that "there was no synergy between an antivirus vendor and a chip vendor — never has been, never will be."
Intel wanted to make hardware more secure, says Firstbrook. "And the fundamental problem with that is, unless you standardize your buying on a single brand of hardware, you can't rely on that security." Unless a company was willing to say, "I will forever buy Intel chips," it would also need software-based security that can run across all its different platforms, he explains.
McAfee operated under Intel from 2010 to 2016. Those years were transformative for the security landscape but a lull for the company. Many employees who left McAfee went on to found, or work for, future competitors. Kevin Mandia left to form Mandiant, which was later acquired FireEye; Stuart McClure left to found Cylance, which was later sold to BlackBerry. George Kurtz left to found CrowdStrike.
"When everyone else was moving month to month and trying to figure out what the next big thing was, they didn't have their eye on the ball during those years," Firstbrook adds, noting this put McAfee at a disadvantage when it was no longer part of Intel.
During the time McAfee operated under its new parent company, Firstbrook noticed more customers were asking to replace it. "They just weren't supporting them; they weren't modernizing their fleet," he says. This period stalled innovation and, consequently, McAfee's earnings.
The year before McAfee was acquired, it reported just over $2 billion in revenue, Stiennon says. Four years later, Intel's Software and Services Group was reporting $2.216 billion in revenue. Four to five years after Intel spun out McAfee, the company is still making $2 billion per year.
Post-Intel Innovation: Catching Up With the Market
Two years later, after it rebranded McAfee as Intel Security, Intel spun out McAfee to private equity firm TPG for $3.1 billion, with the company valued at $4.2 billion — a $3.48 billion loss since it was acquired. Since rebranding as McAfee, it has started to turn things around and find its way in a world running on cloud technology.
"How do we become relevant when the data center goes away, when the corporate network goes away? What are we going to do when the world is all about endpoints and users and applications?" Stiennon says of McAfee's need to compete in a cloud-first world. The threat space was changing; signature-based antivirus was becoming less prominent. More people were keeping their email in the cloud; desktop productivity tools moved to the cloud as well.
When McAfee re-emerged as a standalone company, CEO Chris Young made sweeping changes, eliminating non-core products, debuting new enterprise tools, and updating its market strategy.
It didn't take long for the company to go all-in on cloud post-Intel. In 2017, it acquired cloud access security broker (CASB) provider Skyhigh Networks, a "really brilliant acquisition … and that's now the anchor product in their portfolio," says Firstbrook. Skyhigh was a major part of McAfee's transition to the cloud. A couple of years later, McAfee debuted its MVISION portfolio in October 2019, consolidating the security management layer and bringing stability improvements, Forrester's Sherman points out.
MVISION includes MVISION Cloud for protecting software-, infrastructure-, and platform-as-a-service environments; MVISION Endpoint and MVISION EDR; and MVISION ePO. The lineup was released to help businesses protect data and block threats across endpoint devices, networks, and the cloud. At this year's RSA Conference, it launched a managed threat detection and response (MDR) service.
"They were the first to talk about native security integration with endpoint security products," Firstbrook notes; now, other vendors have followed suit. Sherman, who tracks customer satisfaction in annual surveys, says last year was McAfee's highest-scoring year for its endpoint security tool, though he notes McAfee's high scores were average compared with other endpoint vendors.
Its MVISION and MDR offerings are signs McAfee is working to compete with big players in the EDR and extended detection and response (XDR) spaces.
"Over the years, we have evolved our strategies to align with technology trends and ensure that we are able to defend customers, regardless of where and how they do business," says current McAfee CTO Steve Grobman, who points to the cloud as an example: "As enterprises change how they work and move to the cloud, we have invested more in protecting the cloud."
This strategy is evident in the recent acquisitions of application visibility and security platform NanoSec (2019) and browser isolation technology provider Light Point Security (2020). Grobman says McAfee plans to invest in artificial intelligence (AI) technology to protect against future threats.
But even with its commitment to aligning with technology trends, the company has obstacles ahead if it wants to be competitive. "How do you rebrand an old brand that has this loyal installed base but doesn't attract new customers? That's its biggest challenge," says Firstbrook.
McAfee's "saving grace" has been large enterprise customers who have remained loyal, he continues, but it will need to work hard to win over new users. Integration is a powerful sell, given the industry trend toward consolidation. Security teams want to eliminate technical debt and cut the number of vendors they work with, as a means to lower operating expenses. There's a huge demand for integrated products, he says — something Grobman also points out.
"We put a lot of focus on ensuring our technologies work together," Grobman says. "Defending an environment requires multiple technologies and having a strong portfolio of defense technologies is critical for our customers."
It's Not All Business: A Look at McAfee's Consumer Side
As McAfee's enterprise division evolved, so, too, did its consumer products, says Forrester principal analyst Heidi Shey, who has been watching McAfee since 2010. By then, consumers knew it was important to have security tools on PCs, and free tools were popular: Avast and AVG were favorites; McAfee was among the top five brands for consumer security in the US.
"McAfee's consumer products have evolved over time as well," she says. Its LiveSafe tool, which debuted in 2013, brought together antivirus protection and identity theft protection, among other features. In 2017, it broke into the consumer Internet of Things space with its Secure Home Platform.
"These changes reflected changing security threats like rising identity theft and Internet-connected smart devices in the home, as well as new ways of going to market like embedding their software onto home routers and working together with Internet service providers," Shey notes. Intel's acquisition had little impact on McAfee's identity as a consumer brand, she says.
Its position as an enterprise and consumer business gives McAfee visibility and insight into security threats across the home and the workplace. But while we tend to treat these as separate — and for good reason, she says — the current environment indicates this may evolve.
"In a world where the lines between work and home blur, and where work-from-home or remote work becomes the norm for many," Shey says, "how we think about security needs to change."
McAfee has shown it will invest in its consumer product line where and when it needs to, she continues. Its enterprise business generates a larger portion of its revenue, so it's "not surprising" to see more attention there.
In addition to investing in AI to power defensive technologies, Grobman says, McAfee is focused on tracking the expansion of security threats as the way people use cloud continues to change. "Over the next three years, McAfee will be very focused on ensuring that we have the right defenses in all these areas to help defend both enterprises and consumers," he says.
About the Author
You May Also Like
Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024Safeguarding GitHub Data to Fuel Web Innovation
Nov 21, 2024The Unreasonable Effectiveness of Inside Out Attack Surface Management
Dec 4, 2024