Key Trends in Security: No Risk, No Reward
Threats, intrusions, spam, phishing and other malicious elements show no signs of diminishing. Indeed, with each solution often comes a new set of threats. Additionally, though Microsoft platforms have been a significant target of many of those threats, no platform will ultimately be safe; as the Linux OS or other applications proliferate, they too will become targets of opportunity for security breaches. As a result, there continues to be innovation as well as mergers and acquisitions across the security markets for the following reasons:
Security vendors also have a relatively new ally in the Chief Security Officer (CSO). While this position is not in place at a majority of large organizations at this point, it exists often enough to garner budget dollars (and thus sales focus). Though there is sometimes something of a political struggle between the Chief Information Officer (CIO) and the CSO, the growing awareness of regulatory, brand, and privacy risk across organizations may both refine the purview of the CSO position and provide room for its growth in stature, differentiating it further from the CIO.
Elements of Risk
Risk exists in many forms in organizations, but the risk associated with information has become paramount of late. Largely due to Sarbanes-Oxley concerns, but also driven by SEC, HIPAA, and other industry-specific regulations, organizations have begun to take steps to mitigate information risk by shoring up authorization/authentication capabilities (indeed, many portal implementations are undertaken to unify single sign-on, authentication and authorization across a wide variety of applications and content stores); consolidating information by removing or at least decreasing redundancy, local stores, etc. (through content management, content integration, records management, and improved policy management); and applying better performance management and analytics to various business processes (regulated or otherwise). Additionally, organizations in certain vertical markets such as life sciences, financial services or CPG that must address multiple regulations (as well as ongoing threats of litigation, legal discovery costs, etc.) and privacy issues are treating these issues more in the aggregate and exercising greater leverage across them.
The Internet Paradox: The More Open You Are, The More Secure You Must Be
Since the late ’90s, organizations have extended their reach – and their ability to be reached – outward through the implementation of WANs, VLANs, and most recently, a wide variety of wireless technologies. While most salute their newfound exposure to customers, suppliers, partners, etc., they are also more guarded than ever due to the increased risk of security breaches. Wireless in particular opens a Pandora’s box of issues given the often cavalier means by which it has been implemented and in which it is utilized outside the firewalls of most organizations.
Because it spans the gamut of internal and external network and application users, the wireless space also demands a broad array of security capabilities ranging from low levels in the OSI stack to vulnerability and intrusion detection and prevention, identity management, rogue device identification, and other areas. Broad Internet usage and the incorporation of outside services such as instant messaging, e-mail, etc. will also continue to force organizations to be vigilant and expansive in their e-mail and messaging hygiene approaches. We believe that ongoing M&A activity in the areas above will focus on the consolidation, intelligent provisioning and management of all of these security facilities.
Relative to compliance, the instant messages, e-mails, and other electronic communications and documents brought inside the four walls must also adhere to appropriate records management and dispensation policies to meet regulatory and/or discovery requirements. Most organizations are barely at the stage of having created comprehensive policies for this information, let alone having implemented solutions to address them.
Today, the e-mail and e-mail hygiene market, an area that is garnering significant attention, is still fairly fragmented along with much of the rest of security, but there is no reason that vendors that offer anti-virus solutions, IDS/IPS, anti-spam, and other functionality should not add e-mail solutions as well. From an organizational standpoint, this represents an additional security silo that should be consolidated from an administration perspective with other capabilities. We also believe that hosted hygiene facilities will make more sense as organizations realize that the appropriate place and time to attack the issue is before the problem enters their firewalls and mail servers.
Operating a Secure Environment
Just as CSOs might be finding their way, those in IT operations will begin to have a major say in security efforts. Since there are few situations involving security breaches or issues that operations will not want to know about, it also makes sense for the two worlds to begin to merge from a technical and/or administrative standpoint as well. Today, there are numerous systems management capabilities that bridge over into security, at least at the level of being able to identify what is an intrusion, when there are significant amounts of abnormal traffic, etc. There are also some security-oriented facilities – WebSense comes to mind – that go about their jobs in a fashion complementary to the way in which network and application performance management technologies go about theirs. Lastly, numerous network and major infrastructure providers already have diverse interests across these camps (e.g., Cisco, CA, Opsware, IBM).
Given the ongoing IT emphasis on governance (particularly through the ITIL model), managing to business SLAs, and an overall desire to justify additional expenditures and keep business customers happy, we believe that the convergence of these two worlds will also create additional M&A opportunities.
Securing IP before IT Goes Out Over IP
Ensuring that an organization’s intellectual assets and property – including customer information – are secure is garnering more attention due to phishing exploits, accidental dispensing of information and even internally based criminal activity. Brand security is also a significant issue given the easy ability to create a presence and stake a claim to a brand on the Internet. While the business models and technologies associated with digital rights management continue to confound most organizations, the applications of advanced search and analytical capabilities to this issue are already bearing fruit. Whether in response to particular situations or proactively in an attempt to determine where the next attack might come from, we believe that several verticals – diversified financial services, life sciences, and CPG in particular – will invest more heavily in this space. Vendors here will also garner the attention of major security platform providers (Symantec, RSA, CA, etc.) as they continue to consolidate capabilities to add value.
Implementation: Appliances Abound
Many security technologies are being introduced by vendors as appliances. Theoretically, this is a good thing since an appliance represents a simpler implementation path than does an addition of software (involving more servers, more asset management, more testing, etc.). However, the sheer number of appliances that can enter the organization, especially given the parallel circumstances in network management, application delivery/optimization, and integration, will begin to frustrate organizations. This will lead to an increase in consolidated solutions on a given appliance as vendors move facilities to a single box. It will also lead to improved administrative control over all the functions, allowing those in charge to work one screen (hopefully)