You’ve seen the numbers: the managed security services market projected to reach $2.24 billion by 2003 and content security sales to achieve $952 million by 2004, according to International Data Corporation. The European Internet security market is also forecasted to grow dramatically -- to $2.74 billion by 2006 (Frost & Sullivan).
Happy days are on the horizon for security vendors. Even notorious cracker Kevin Mitnick, one of the most popular convicted felons on the security circuit, is helping out with hype as closing keynote speaker at the Giga Information Group's Infrastructures for E-Business conference held in Los Angeles. In his words, "In God we trust. Everybody else is suspect."
Good times for vendors, bad times for customers
As a cyber-security industry analyst, its my job to keep track of all the cyber-security firms out there -- both U.S. and worldwide. In other words, I need to know what they offer, their business strengths and weaknesses, their technology advantages and shortcomings, services levels, estimated longevity, and everything else in order to determine if they’re a serious player for the long haul. So many security firms are either cropping up, widening their offerings or touting Internet infrastructure security solutions that assessments are nigh impossible for customers to conduct effectively.
I’ve got to tell you this market is getting crowded and it’ll be standing room only for quite a while. Shakeouts will come, but now is not the time for several reasons:
- On this frontier, products are primarily proprietary, making them difficult to compare.
- Well-known security vendor products’ often come from a consumer tradition, leaving doubt about their industry depth and level of commitment.
- Customer support varies dramatically by vendor. Small vendors may expect security expertise within their client’s staff to handle technical details while large vendors may focus on client support, assuming little in-house client security expertise. (Let’s not talk product quality and success right now.)
- Outstanding security applications are a necessary but insufficient criteria for vendor success.
- Too many other variables impact protection reliability including responsive support, continual updates, integrative capabilities with other security products, etc.
- The security managed services provider market offers so many advantages that it will rival traditional software installation.
- New vendors (i.e., less than two years in the security industry) often have underlying business agendas that differ dramatically from their marketing promotion such as acquisition, partnership, going public, "niche-and-stick."
The product-services mix is evolving quickly, further muddling vendor categories and security business models.
Security Focus has encouraged vendors to add their services to a growing list of companies offering cyber protection. Currently over 400 security-related firms are listed under:
forensic analysis
free secure email
ids & firewall deployment
information security training
integration and general security consulting
managed firewall or perimeter monitoring (ids)
penetration testing and risk analysis
security & it related jobs
security policy development
security related insurance
source code auditing
Hats off to Security Focus for providing this public service. (Careful vendors; when you’re listed in many, if not all categories, are you truly a "total solution provider" (whatever that means) or stretching true capabilities and planning to catch up later?)
It’s your business and you can cry if you want to
Bet you feel like your company is between a rock and a hard place: crackers, government agencies, and pundits on one side; and security experts and vendors on the other. Take heart! The good news is lots of very smart folks are working extremely hard to deliver protection in an increasingly complex new world.
Check out Security Focus’ security vendor services listings. They’re a start toward identifying candidates to deliver your firm’s protective services. Keep in mind my column titled "Stumbling Toward Protection, Finding Few Answers". Best wishes and good luck!
Dr. Goslar is principal analyst and founder of E-PHD, LLC -- an e-security research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM.