
May 19, 2005

The IT Security market will never be "mature"

The security giants, such as Symantec and Cisco, are pushing for integrated suites of security solutions. They want us to believe that the best possible solution for the enterprise is one that includes all technologies from a single vendor. For example, Symantec has this to say:

... which combine firewall, intrusion detection, anti-virus and other technologies, Symantec set a new standard with protection that is more secure, less expensive and easier to manage than individual, non-integrated products.

Clearly, getting all your goods from one location would be easier, but there are several reasons why this is unlikely to ever work in security. The IT security industry is different from other IT industries, because the nature of the problem is always changing. A solution that is effective today is useless tomorrow, because the attackers are always coming up with new ways of compromising security. This requires continual innovation on the part of the defenders, and unfortunately, the big players are very poor at innovation. This is nothing specific to the security industry: it is well known that big players are poor at embracing innovation, particularly disruptive innovation.

Consequently, in security (as in every other industry), most innovation comes from the little guy, and the big players either stomp out the innovators, or acquire them, resulting in consolidation of the industry. Typically we see that when a new market niche appears, there is a "Cambrian explosion" of diversity as a plethora of new players emerge to target the niche, followed by a subsequent mass extinction as companies fail or get acquired, until only a few large players are left to dominate the niche. At this point, the industry moves on and the niche is left as a well-established and understood market category, with little innovation and simply refinements of old ideas.

But IT security doesn't work this way. The difference is that the market niches never stabilize, because security is a moving target. The attackers are always changing the game. They tend to do so in cycles, so just as the security industry appears to be consolidated and stabilized, a new slew of threats emerges to destabilize it. Good examples today are spyware, phishing and rootkits. All of these threats have required completely new approaches to security, which has led to an explosion of new small companies addressing these threats, and the increasing irrelevance of old-style anti-virus technologies. The security industry really fits the punctuated equilibria model.

Of course, the giants don't address these new threats effectively and so there is a feeding frenzy as the big boys snap up the small companies that do. So in the near future, we can see ongoing consolidation and mass extinction, but it won't last long: the next new threat will emerge and the whole process will repeat. Along the way, those giants that aren't nimble enough or lack foresight, believing they can rely on outdated technology, will topple. But the important point is that they can never get ahead of the game, they can never have the complete solution: that is just a pipe-dream.

This picture is further complicated by another peculiarity about security: the best technology is often the only technology that is useful. It's a well recognized adage that the best technology doesn't always win, but that is less true in IT security than in most other industries. Why? Because failures in security are not random, they are targeted; we have intelligent adversaries finding all the weakest points in the system. Consequently, a mediocre product could be worse than useless, failing catastrophically, where only a superlative product will actually work. In other industries, the difference between mediocre and superlative may not be that important, but in security it is critical. Security continues to be a best-of-breed buy and probably always will be.

So we have two pressures that keep up a rapid cycle of Cambrian explosion and mass extinction, preventing true consolidation:

1. New threats are continual, requiring new responses and innovations from the defenders, and the big guys can't keep up.

2. Failures are targeted and costly and hence mediocre solutions don't cut it, which favors best-of-breed and new innovative players, not established brand, especially as the nature of threats changes.

The IT security industry is particularly fascinating to me because it is so dynamic, and it gives the little guys a chance. It will never be a stodgy, mature industry.

Posted by sana on May 19, 2005 03:07 PM

Comments

Steven, an excellent article. I wrote a smaller one as to why all-in-one security appliances will never take off (http://secure-o-gram.blogspot.com/2005/09/multifunction-appliances-market-gamble.html) but your article illustrates the idiosyncrasies of the security market beautifully. If you don't mind I will be posting a link to this story from the opinion piece pages on my blog. I'm glad I found this site; I will be coming back regularly!

  Posted by: Dwaine van Vuuren at November 8, 2005 10:51 PM
