There's nothing like federal spending to energize an industry. Or is there? The government has earmarked $4.5 billion to secure its computer networks in 2003; by contrast, total revenue for security software vendors in 2001 was $5.9 billion. Small companies and startups, however, may have to wait a while to see any of that cash.

There's "a little bit of unfounded euphoria in IT," says Mark McClain, president of Waveset Technologies, a two-year-old company that makes identity-management software. "The government is not bouncing around looking for vendors to throw checks at." Indeed, money is likely to go first to large system integrators, consultants, and managed security service providers. Those firms, in turn, will look to smaller, niche firms to fill the gaps in their product lines. Waveset, for example, has recently partnered with the defense contractor Northrop Grumman Information Technology (a division of Northrop Grumman) to resell Waveset's identity-management product to the federal government.

This doesn't mean, however, that innovative security startups will be squashed in the wheels of the government machine or, worse, overlooked by bureaucrats who will talk to only the largest, most established firms. In 2003, those with the resources to pursue government contracts and the need to provide comprehensive offerings will purchase the best startups. In fact, the security giant Symantec made four acquisitions worth a total of $375 million this summer.