Tools for Chief Security Officers

Westpac Bank chief information security officer discusses identity theft and more in this special report.

Westpac CISO on defence-in-depth

One of the most difficult aspects of dealing with information security is the overwhelming scope of it all.

Security isn't something that's isolated to the network, desktops or applications; rather, it spans every layer of the technology stack. That said, an extremely large percentage of security dollars is spent on PC security tools such as firewall, anti-virus and anti-spyware software. The global market for these tools exceeds US$5 billion.

PC security used to be a cozy, high-margin oligopoly dominated by three vendors: Symantec (Norton), McAfee and Trend Micro, which together owned 80 percent of the market. While these vendors sat at the top of the pyramid, others such as CA, Kaspersky Lab, Panda and Sophos did quite well in specific geographic areas or with certain types of customers.

That was then; this is now. Enterprise Strategy Group believes that the PC security market will go through a profound transition over the next few years for several reasons:

  • Microsoft is crashing the party
    Microsoft has become a PC security player with OneCare for consumers and Forefront for the commercial market. Just ask Netscape, Novell, Sybase and WordPerfect whether Microsoft can change market dynamics.

  • Users have unique requirements
    Firewalls, anti-virus protection and anti-spyware tools are now table stakes. Consumers want features for child safety and identity protection; small businesses want built-in disk encryption; and large organisations want network access control functionality. Vanilla products are passé.

  • The threat landscape is more ominous than ever
    Melissa viruses and Blaster worms are still out there, but today's threats are dominated by things like blended threats, rootkits and crimeware. Users need stronger locks.

To avoid typical analyst hyperbole, Enterprise Strategy Group recently surveyed 206 North American-based security professionals working in organisations with 1,000 employees or more. Their plans and opinions support our "desktop security at the crossroads" hypothesis.

The first thing we uncovered is that most security professionals believe that their current desktop security software suites are no more than commodity products. In fact, only 22 percent of security professionals disagreed with this statement. It didn't matter whether respondents came from the smallest or largest organisations surveyed; they all looked at security software as the classic "widget" of business school textbooks.

When it comes to new security software features, you start to see a growing need for market segmentation. The biggest organisations want to see more anti-phishing protection and integration with two-factor authentication, while smaller companies want full disk encryption built into their security software products. Different skills, different threats, different requirements, so why not different products?

Here's a real metric of a market in transition -- 40 percent of organisations are either "extremely likely" or "likely" to switch desktop security vendors when their annual subscriptions run out. Again, this was true regardless of organisational size. With the exception of PCs, I can't think of another IT category where users are willing to swap products without hesitation.

A combination of new vendors, new requirements, and a lot of product switching will open the market as never before. Obviously, Microsoft will capitalise on this trend, but so can others. That said, the rules of the game have also changed. Market segments are looking for specific products that address their needs and not vanilla protection suites. Large vendors like CA, McAfee, Microsoft, Symantec and Trend will need to tailor product design, marketing and distribution to assorted markets with unique needs. Smaller vendors will most likely focus on a single market segment and try to out-execute the big guys.

One other point worth noting: this desktop security market transition does not mean that today's leaders fade into the sunset. Quite the contrary: CA, McAfee and Symantec were the first to recognise this market segmentation trend and are already responding with new products and strategies. For example, Norton 360 and Confidential have a number of consumer-focused features, CA offers small-business bundles, and McAfee is adding data leakage protection to its corporate desktops. This is the start of a segmentation strategy that will only accelerate over time.

Costs will certainly go up as vendors invest more in market research, segmentation and product design, but margins won't necessarily go down. Users will pay more for differentiated products, but the days of generic desktop security for the masses are dead and gone. -- Jon Oltsik

Jon Oltsik is a senior analyst at the Enterprise Strategy Group. Video interviews with Westpac Bank chief information security officer David Backley conducted by ZDNet Australia's Munir Kotadia.