Confusion about exactly what IT security products deliver is presenting security consultancy TruSecure with new opportunities to grow its business, it claims.
A new round of funding and unprecedented levels of fresh customers seem to support TruSecure's view that the security market is ready for services that manage the whole of an enterprise's IT security infrastructure.
Risk versus cost is the real equation a company needs to consider when purchasing IT security products and services. But the fragmented and complex nature of securing information assets means that this can be difficult to figure out. With the security of corporate data a hotter topic than ever and IT-spending decisions under greater scrutiny, many companies are concentrating on optimizing previous purchases and updating security procedures.
"A lot of our customers say, 'We've spent all this money already and we're not sure we're covered,'" said David Snape, UK director of TruSecure. "It's often about the best way to use what you've got already. Generally speaking, people are looking at what they're spending and what they're getting for it."
TruSecure emerged as a consultancy out of ICSA Labs (the global accreditation center for security products and testing procedures) four years ago. Its 500-plus customer base includes Capital One, Experian and Unisys. The privately held company, headquartered in Reston, Virginia, secured $22m in funding earlier this year, led by investors Gartner and JP Morgan. TruSecure claims that it is currently adding 30 new customers a month as firms try to make sense of their IT security strategies. This has persuaded TruSecure that now is the right time for an aggressive expansion into Europe, following up a presence in Belgium, Scandinavia, Italy and the Netherlands with the opening of its European headquarters in the UK.
Eventually, security will be sold like insurance: on risk. A lot of the major insurance companies, like Zurich, Lloyds and AIG, are looking at "cyber insurance," and some even offer a discount on premiums if a TruSecure certification is in place. But this market is unlikely to come fully into its own until litigation draws a line under exactly which security breaches corporations are liable for.
"The insurance companies are trying to get their heads around what exactly the risk is they're insuring against," said Snape.
Still, TruSecure's "assurance" consultancy approach is, in some senses, a precursor to this future, in that the firm offers to share some of the monetary damage from any security breaches following its certification with its customers. This is calculated on a multiple of the annual subscription fee the customer paid to TruSecure - a figure Snape refused to divulge.
Managed security vendors Counterpane and Securify have already teamed up with insurance giants Lloyds and AIG respectively to insure their services, despite the lack of clear guidelines on how actuaries calculate risk.
Analysts predict that these types of managed services could form a large part of the future market for IT security. Market analyst Yankee Group estimates that the managed security market was worth $140 million in 2000 and will grow to almost $1.7 billion by 2004.
"Companies have come to realize that they do not possess the requisite skills to evaluate the multitude of security-vendor products, deploy them into their existing network infrastructure, integrate them and then manage these security systems," Yankee said in a report released in May.
the451 (www.the451.com) is an analyst firm that provides timely, detailed and independent analysis of news in technology, communications and media.