Looking back on it from the distance of a few years' time, 2007 may well be seen as the beginning of the end of the security industry.
The most significant contributor to this state of affairs is the continued consolidation among security vendors. This year, we saw more than a dozen mergers and acquisitions in the industry, including IBM acquiring Watchfire, HP buying SPI Dynamics and VMware purchasing Determina, just to name a few. Consolidation has been a major factor in the security market for several years now, but the pace of the acquisitions has been increasing of late, as has the size and significance of the deals. It's no longer just small startups fusing together. Now, major players such as RSA Security and ISS are being subsumed by larger IT infrastructure companies where they're just another piece of the machinery.
Those are the kinds of deals that in the long run can end up being bad for customers. Not only do they result in fewer choices for IT buyers, but in many cases they also stifle innovation and creativity. The security folks who joined larger IT companies through acquisitions say that these companies see security as an item on a list to be checked off, something that they want to be able to tell their customers that they can provide. In that environment, innovation becomes an expense rather than an asset and therefore takes a back seat to just about everything else.
But the acquisitions also serve a larger purpose for many vendors, such as Cisco, Microsoft and others: allowing them to integrate security directly into their products rather than adding it after the fact. The entire security industry was built up around the premise that operating systems, applications and even hardware are inherently vulnerable and customers therefore need third-party products in order to lock them down. That isn't going to change anytime soon, or at least not until developers begin turning out mistake-free code. So there always will be a need for added security.
In addition to these market forces, there is also the less obvious movement within enterprises to bring the security function either back into the IT department as a whole or under another banner entirely. As security becomes less of a specialized function and more of a part of the daily operations of the company, security loses its uniqueness. And it also loses its ability to hold budget dollars hostage on the sort of vague premise that there are bad people out there trying to hurt us and we need bags of money to prevent that from happening. This is not an altogether bad thing. Of course security is important, but bringing it under the umbrella of a larger group such as risk management or compliance puts it into better perspective, ideally without marginalizing it.
To be sure, independent security companies will continue to exist. But there will be fewer and fewer of them as the years go by and I would guess that their influence and importance in the IT landscape will wane steadily. This may result in a decrease in the annual FUD harvest, which is always good for customers. But I'm hoping that it doesn't result in enterprises and vendors deemphasizing security, as well. Time will tell.