Information security is no longer an issue your technical staff handle while they are busy with other things. Today, security is a skill and a business issue in its own right.
Starting all those years ago when previously unheard-of companies and people battled against viruses with names like Michelangelo, the security industry has blossomed into a multibillion-dollar business producing everything from antivirus software to firewalls and even hardware protection devices. Along the road we have seen many companies coming and going, with many of the best startups being swallowed by the giants of the industry.
The consolidation is far from over, however. We can still see many small startups setting the pace with innovative solutions that the more established players are trying hard to meet.
"I do believe we will be seeing more consolidation in the IT security space," says Brett Myroff, CEO of NetXactics. "This consolidation will more than likely be from the perspective of niche security vendors merging or purchasing other vendors with complementary products and technology. This will enable them to offer a more consolidated solution as opposed to a single technology approach."
Clifford Katz, CEO of Information Security Architects (ISA), believes positive consolidation amongst manufacturers is coming. "I would like to see more complementary consolidation moves amongst manufacturers where one vendor acquires a competing vendor with the purpose of increasing their client reach (for economies of scale) and access to specialised skills (for research and development). A good example of this is Check Point's recent acquisition of Zone Labs - an obvious win/win consolidation move."
Within the consolidation debate, there are still questions among vendors and users as to the different approaches of investing in security technologies. Do you opt for a best-of-breed approach and select the best product in each category of security; or do you go for a suite consisting of multiple security components?
Best-of-breed means multiple suppliers and service partners, while the suite approach gives you one company to blame if anything goes wrong. But there are more important issues to consider in this debate, such as integration.
"The argument in favour of best-of-breed point products is that the user will be able to achieve the strongest level of security at any of the levels within the overall security model," adds Katz. "The logical downside to this argument is that although the client can achieve the strongest level of security, theoretically, the lack of centralised management over the disparate technologies practically suggests that the theoretical advantages cannot be achieved."
On the other hand, Katz continues that the argument supporting a security suite investment is that it has centralised management and one can "leverage the technology synergies to a level unachievable otherwise. Where any of the specific levels in the overall security model could be argued as weaker than competitive best-of-breed point products, the benefit of centralised management dilutes this shortcoming."
Myroff believes a vendor "needs to have a certain level of specialisation, due to the complexity of threats. A vendor that is spread too thinly with regards to R&D and does not provide the level of protection needed is also not desirable."
"In the short term we will probably see the market swaying towards the best-of-breed manufacturer offerings as I believe that the value-proposition is greater than vendors who present a suite offering," Katz states. "The main reason for this is that most of the suite solutions have grown by acquisition, thereby effectively diluting the advantages of a suite as the technology management overhead is not simplified (it is often complicated even further). In other words, the suites that we see these days tend to adopt the weaknesses from both approaches. Their management is not centralised and their point-products are not best-of-breed."
Whatever the final outcome is, vendors have also realised that security is about far more than product. With all the potential threats companies may have to face, the first step in information security must be developing a security policy that meets the organisation's needs in theory.
Once completed, the next step is to move on to upgrading staff to understand the concept of information security and their role in keeping data and systems secure. Then the technology acts as an aid and a watchdog.
"I can see the market re-inventing itself over the next few years to a point where the traditional IT paradigm will shift and security will become an inherent attribute of IT - not a plug-in or plug-on," explains Katz.
Of course, before security staff can begin the process, they first need buy-in and understanding from the top to ensure the budget and commitment of management to security is there. "The pain points in modern companies are ensuring that the importance of IT security is recognised and the correct funding is provided," Myroff concludes.