Face-Off: Is Security Market Consolidation a Plague or Progress?


This article can also be found in the Premium Editorial Download "Information Security magazine: Reviews of six top Web application firewalls."


Marcus Ranum

You did your research and comparisons, and convinced your boss you'd found the right product to suit your company's needs. You invested hours in evaluation and testing before making the purchase, not to mention the days spent fielding it, learning its intricacies, and configuring and tuning it. Then comes the email informing you of an announcement that your chosen product/vendor had just been acquired by an industry giant and the product was going to be offered bundled with the giant's "complete, enterprise solution." You'd be happy except for the fact that most of the other products in the bundle are lousy, and the industry giant has had a history of discontinuing good products, apparently at random, or putting them in maintenance-only mode so they quickly become obsolete also-rans.

Sound familiar? Welcome to the downside of consolidation! It's living proof that bigger is not always better and that capitalism exists to serve businesses' profit margins, not the customer. Practically every one of us who works in the security industry has had this experience--for the simple reason that only about 25 percent of security products last longer than five or six years without some major life-threatening event. Most of us have had a product suddenly go extinct--to be followed shortly by a sales call from the vendor that fired the fatal shot--in spite of the fact that we depended on it and paid 20 percent annual maintenance.

I'm not saying consolidation is always bad; sometimes you'll see a good match between a standalone technology and a large vendor that can sell, support and maintain it better. But the sad truth about our industry is that there are too many products vying for the available niches. Each time some new technology becomes the hot topic, there's a brief flurry of Darwinian activity, one or two really good products rise to the top, and then the scavengers move in to gobble up the weak and stupid. Here's the problem--there's just no room in any given security product niche for 10 venture-backed startups chasing the same group of customers. Now that venture capitalists are less interested in security (we're back to being a backwater!), the number and size of new niches is shrinking.

The reality is that the IT security industry exists to serve itself--not the customer. Whenever we forget that, we're bound to be frustrated by our experience. Consolidation is an inevitable result of what happens when you have big players that cannot innovate, and too many startups innovating on a tight venture-fueled schedule. If you look at it from the industry perspective (or the venture capitalist's), it makes perfect sense that the industry will go through this boom-and-bust cycle.

What does it mean for customers? To me, it's the best argument for do-it-yourself or integrating open source technologies into your product choices. Remember: the big argument that's levied against open source is "Who is going to maintain it?" That argument stacks up pretty neatly against, "Is this product going to exist tomorrow?"

This was first published in March 2008
