Enterprises once limited security budgets to antivirus software and firewalls. Then laws like HIPAA and Sarbanes-Oxley prompted them to invest in broader defenses. If a new Yankee Group study is any indication, compliance concerns are paying off for vendors that offer command and control services.
"We're seeing something equally as important as threat mitigation, and that's command and control," said Phebe Waterfield, an analyst for the Boston-based research firm. "Regulation is the main driver. Companies are being held accountable for their security, and with accountability comes the need for a more mature process."
Waterfield reached that conclusion after talking to representatives from 606 enterprises about their security budgets over the past year. She said a variety of people were interviewed, including chief financial officers and chief security officers. "The respondents all had input into how their company's security dollars are spent," she said.
While threat mitigation has been the chief concern of enterprises in recent years, Waterfield said the trend is shifting in favor of command and control companies. "That's the biggest growth area," she said. "When we think security, we tend to think of threats and how to mitigate them. That's not really the goal, to avoid every threat out there. The goal is to have IT systems that are managed in a way that makes them consistently safe, especially if your networks house sensitive financial or health information."
The study predicts the global security market will generate $12.9 billion in revenue for 2004. Waterfield broke the security market into three components:
- Threat mitigation: layered defenses against worms, viruses, denial-of-service attacks, intrusions and buffer overflows. "The threat mitigation segments are perimeter firewalls, network integrity systems, application gateways and system integrity software," Waterfield said. "This component represents 42% of the security market and is estimated at $5.4 billion in 2004."
- Command and control: solutions for managing network security, representing 40% of the security market with an estimated $5.2 billion in revenue for 2004. "Command and control includes identity management, security event management, vulnerability assessments and patching, and intrusion detection audits," Waterfield said. While threat mitigation services have generated more revenue and a larger market share this year, Waterfield said command and control services have shown the most growth, and the feedback she received indicates the trend will continue.
- Managed security services: the use of external expertise in operating and improving the performance of security processes. "Managed security services represent 18% of the security market and are estimated at $2.3 billion in 2004. This component includes augmenting in-house operational staff, enhancing security response, reducing operational expenses and improving the security process and strategy," Waterfield said.
She said Cisco Systems, Symantec and VeriSign have shifted a lot of emphasis to command and control services and have emerged as market leaders.
"Cisco Systems is adept at delivering security as an end-to-end network service. Its vision of a self-defending network, including network admission control, is resonating with large enterprises," Waterfield said.
She said Symantec was rated the most trusted security vendor for both products and services in Yankee Group's 2004 surveys. "Its leadership in desktop software and in fighting threats at all layers of an integrated defense sets a high standard for the industry," Waterfield said.
VeriSign, known for digital identities that drive secure communications on the Web, has been building an impressive global managed services business, she said. "The company has security in its pedigree and the capital to sustain a strong business," she said.