Internet security companies are the Jiffy Lubes of the auto industry: they require constant innovation to keep up with the changing product stack they attempt to optimize, but not own. Some companies achieve innovation through non-organic growth (Symantec), others build a set of urgently needed technologies that becomes bigger as customer requirements grow (Trend Micro, McAfee). But keeping up is a challenge, and I expect security companies and the stack owners to aggressively pursue acquisition strategies to round out and secure their own future. Stack owners (Microsoft, Oracle, IBM, Cisco) will become fierce competitors to security companies if partnerships are not appropriate. Today’s security leaders need to change and look into new business strategies.
Looking at the security marketplace from a fresh perspective, I give the current marketplace a 1.2 grade on the following evolution scale.
Security 1.0: the internet is not secure by any stretch of the imagination, but neither is the conventional world. So, get over it. Security is also not an absolute science. Spam, viruses, exploits, worms, cross-site scripting, etc. deliver a vast number of opportunities to security companies that provide band-aids for the multitude and severity of security gaps. 83 enterprise AntiSpam companies battle it out every day, leaving it up to customers filled with fear, uncertainty and doubt to wade through a plethora of point products to select which one is best, and when. It’s a jungle out there.
Security 2.0: a secure enterprise, shielded from some of the garbage on the internet, needs protection in the same way you secure your house. Depending on personal preferences that define the vigor and quality of security, securing the doors without securing the windows doesn’t make a whole lot of sense. Security is really a risk management issue, a delicate balance in which no single piece of security, data type or communication channel prevails; the equilibrium of security techniques (AntiSpam, AntiVirus, AntiSpyware, Web Application Security, etc.) needs to provide sufficient shelter and trust. Leading security companies need to move towards marketing that equilibrium and scope.
Security 3.0: while internal threats are becoming a force to be reckoned with, many security companies are developing a Security 2.0 strategy that incorporates content compliance and other technologies to protect company assets against the employees themselves. I believe security companies should focus on aggressively protecting against outside threats, yet stimulate and enable the internal exchange of information. Content compliance should be checked but not enforced. The integrity of your business lies in the hearts and minds of people, not technology. Moving on, Security 3.0 is a platform strategy consisting of a framework in which a multitude of vendors can provide plugins that separate threat detection from distribution. It will be a free market in which the best technology will plug into a framework that allows this technology to be used on any type of information, in motion or at rest. I believe many stack owners and security behemoths will play a pivotal role in defining the key components of this security platform and new security specialists will define the new, and highly specialized, security threat detection capabilities.
Bottom line: plenty of acquisition opportunities continue to exist for emerging security companies as the incumbents and stack owners battle to own a large part of the security framework that is essential to instill trust with customers.
The size of after-market providers like Jiffy Lube and AutoZone is larger than the market size of the car manufacturers, proving that after-markets will exist for quite some time. Security is still the after-market of the technology industry and I see no vendor changing that paradigm significantly today. New security vendors will continue to reap rewards and the incumbents will slowly move towards owning something they’ve never had, a technology (or platform) stack.