Information Security


Face-Off: Is Security Market Consolidation a Plague or Progress?

Bruce Schneier and Marcus Ranum debate the impact of market consolidation on information security.

Marcus Ranum

You did your research and comparisons, and convinced your boss you'd found the right product to suit your company's needs. You invested hours in evaluation and testing before making the purchase, not to mention the days spent fielding it, learning its intricacies, and configuring and tuning it. Then comes the email informing you of an announcement that your chosen product/vendor has just been acquired by an industry giant and the product is going to be offered bundled with the giant's "complete, enterprise solution." You'd be happy except for the fact that most of the other products in the bundle are lousy, and the industry giant has a history of discontinuing good products, apparently at random, or putting them in maintenance-only mode so they quickly become obsolete also-rans.

Sound familiar? Welcome to the downside of consolidation! It's living proof that bigger is not always better and that capitalism exists to serve businesses' profit margins, not the customer. Practically every one of us who works in the security industry has had this experience--for the simple reason that only about 25 percent of security products last longer than five or six years without some major life-threatening event. Most of us have had a product suddenly go extinct--to be followed shortly by a sales call from the vendor that fired the fatal shot--in spite of the fact that we depended on it and paid 20 percent annual maintenance.

I'm not saying consolidation is always bad; sometimes you'll see a good match between a standalone technology and a large vendor that can sell, support and maintain it better. But the sad truth about our industry is that there are too many products vying for the available niches. Each time some new technology becomes the hot topic, there's a brief flurry of Darwinian activity, one or two really good products rise to the top, and then the scavengers move in to gobble up the weak and stupid. Here's the problem--there's just no room in any given security product niche for 10 venture-backed startups chasing the same group of customers. Now that venture capitalists are less interested in security (we're back to being a backwater!), the number and size of new niches is shrinking.

The reality is that the IT security industry exists to serve itself--not the customer. Whenever we forget that, we're bound to be frustrated by our experience. Consolidation is an inevitable result of what happens when you have big players that cannot innovate, and too many startups innovating on a tight venture-fueled schedule. If you look at it from the industry perspective (or the venture capitalist's), it makes perfect sense that the industry will go through this boom-and-bust cycle.

What does it mean for customers? To me, it's the best argument for do-it-yourself or integrating open source technologies into your product choices. Remember: the big argument that's levied against open source is "Who is going to maintain it?" That argument stacks up pretty neatly against, "Is this product going to exist tomorrow?"

Bruce Schneier

We know what we don't like about buying consolidated product suites: one great product and a bunch of mediocre ones. And we know what we don't like about buying best-of-breed: multiple vendors, multiple interfaces, and multiple products that don't work well together. The security industry has gone back and forth between the two, as a new generation of IT security professionals rediscovers the downsides of each solution.

The real problem is that neither solution really works, and we continually fool ourselves into believing whatever we don't have is better than what we have at the time. And the real solution is to buy results, not products.

Honestly, no one wants to buy IT security. People want to buy whatever they want--connectivity, a Web presence, email, networked applications, whatever--and they want it to be secure. That they're forced to spend money on IT security is an artifact of the youth of the computer industry. And sooner or later the need to buy security will disappear.

It will disappear because IT vendors are starting to realize they have to provide security as part of whatever they're selling. It will disappear because organizations are starting to buy services instead of products, and demanding security as part of those services. It will disappear because the security industry will disappear as a consumer category, and will instead market to the IT industry.

The critical driver here is outsourcing. Outsourcing is the ultimate consolidator, because the customer no longer cares about the details. If I buy my network services from a large IT infrastructure company, I don't care if it secures things by installing the hot new intrusion prevention systems, by configuring the routers and servers so as to obviate the need for network-based security, or if it uses magic security dust given to it by elven kings. I just want a contract that specifies a level and quality of service, and my vendor can figure it out.

IT is infrastructure. Infrastructure is always outsourced. And the details of how the infrastructure works are left to the companies that provide it.

This is the future of IT, and when that happens we're going to start to see a type of consolidation we haven't seen before. Instead of large security companies gobbling up small security companies, both large and small security companies will be gobbled up by non-security companies. It's already starting to happen. In 2006, IBM bought ISS. The same year BT bought my company, Counterpane, and last year it bought INS. These aren't large security companies buying small security companies; these are non-security companies buying large and small security companies.

If I were Symantec and McAfee, I would be preparing myself for a buyer.

This is good consolidation. Instead of having to choose between a single product suite that isn't very good or a best-of-breed set of products that don't work well together, we can ignore the issue completely. We can just find an infrastructure provider that will figure it out and make it work--who cares how?

Coming in May: Is vulnerability research ethical?
