The Seeds of Security

Posted on by Wendy Nather

My colleague Garrett Bekker once described the security industry as a pomegranate. It is brilliantly accurate: from the outside it looks like one piece, but when you open up the fruit, you see hundreds of little seeds, and it all makes a big mess (and leaves stains on everything you touch). Is the industry really this bad? Yes, it is. Consider that in our 451 Research master list, we have over 1,100 security vendors – and most of those are only ones based in the US. We haven’t even gotten a good picture of the rest of the world, and we’re finding more startups every day.

This situation has two important consequences. One is that it’s very hard to corner the market across the board unless you offer as many different security products (or services) as possible, you integrate them well, and you build a walled garden around them. Yes, the antivirus and firewall markets are multi-billions of dollars, but even then we see very few vendors who take a significantly larger share than the rest. So you can’t offer just one thing and expect to grow; you have to keep developing or acquiring, or both. 

The other consequence is that enterprise buyers really have to be collectors. You need one of at least a dozen products, and you never know when you’re done buying. We see organizations with large budgets that pretty much get one of everything (if I had a nickel for every vendor who claimed a large multinational bank as a customer, I’d be in early retirement). I once did a research project in which I polled many security professionals to ask them what a 1,000-person enterprise needed in its security portfolio, and the answers ranged from four technologies to over 31 different technologies.

Most of the new offerings that we see are better (or at least different) approaches to doing a few basic things:

  1. looking for known bad things
  2. looking for variances from known good things
  3. blocking actions based on #1 and #2
  4. monitoring activities or configurations
  5. testing for expected or unexpected vulnerabilities
  6. alerting on events related to all of the above
  7. helping you figure out what’s bad
  8. telling you who else found something bad

This is an extreme simplification of some very complex technology, but consider that each of these things has historically been offered for individual components of the infrastructure. So you would need one product to do blacklisting on the network, one for the operating system, one for the database, one for some applications, one for the power management, one for user authentication, one for mobile, one for the cloud, and so on. Moreover, there are some emerging products, such as threat intelligence feeds and analytics, that are being billed as both complementary and additive – they’re not supposed to replace anything else, and if one is good, more are better. These multipliers mean plenty of opportunities for startups, but a lot of headaches for the CISO.

Now consider that all of these security products are supposed to work separately from the systems they’re monitoring or protecting. It’s a lot like baking a cake, discovering you forgot the sugar, and trying to fix it by layering a lot of icing on top. Icing can only take you so far, but that’s the model the security industry is operating with. And it’s not even one can of icing: it’s dozens of different colors of icing. 

This extreme fragmentation of the security market is not sustainable. We simply cannot continue to expect organizations – who are all busy with their core businesses – to keep endlessly collecting and layering on whatever we come up with, adding a quality that should have been there from the start – especially when we can’t even tell them when they have enough. I believe that over the next several years, we will see a strong movement towards consolidation, simplification, and built-in security, if for no other reason than the Internet of Things won’t be securable any other way. In the interests of our ultimate customers, we need to start treating security as a problem to be solved, not a puzzle, where more pieces make it intellectually exciting.

Wendy Nather

Head of Advisory CISOs, Cisco

Business Perspectives

security operations

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs