Security market consolidation a double-edged sword

Consolidation in the security market could mean a more secure IT infrastructure, but it could also mean fewer choices and less innovation.

Looking back on it from the distance of a few years' time, 2007 may well be seen as the beginning of the end of the security industry.

The most significant contributor to this state of affairs is the continued consolidation among security vendors. This year, we saw more than a dozen mergers and acquisitions in the industry, including IBM acquiring Watchfire, HP buying SPI Dynamics and VMware purchasing Determina, just to name a few. Consolidation has been a major factor in the security market for several years now, but the pace of the acquisitions has been increasing of late, as has the size and significance of the deals. It's no longer just small startups fusing together. Now, major players such as RSA Security and ISS are being subsumed by larger IT infrastructure companies where they're just another piece of the machinery.

Those are the kinds of deals that in the long run can end up being bad for customers. Not only do they result in fewer choices for IT buyers, but in many cases they also stifle innovation and creativity. The security folks who joined larger IT companies through acquisitions say that these companies see security as an item on a list to be checked off, something that they want to be able to tell their customers that they can provide. In that environment innovation becomes an expense rather than an asset and therefore takes a back seat to just about everything else.

But the acquisitions also serve a larger purpose for many vendors, such as Cisco, Microsoft and others: allowing them to integrate security directly into their products rather than adding it after the fact. The entire security industry was built up around the premise that operating systems, applications and even hardware are inherently vulnerable and customers therefore need third-party products in order to lock them down. That isn't going to change anytime soon, or at least not until developers begin turning out mistake-free code. So there always will be a need for added security.

About Behind The Firewall:
In his weekly column, Executive Editor Dennis Fisher sounds off on the latest issues affecting the information security community. 

The question becomes, then, where does that security come from? Increasingly, the answer is that it comes from within the same organization that built the original product. When Microsoft released Windows XP several years ago, it was like a national holiday for antivirus, vulnerability assessment and antispyware vendors who knew that the new OS would be the prime target for attackers for the foreseeable future. And that meant more business for the vendors. But when Redmond finally launched Vista in late 2006, the security vendors were in full panic mode, gnashing their teeth at the integration of AV, antispyware and other security features and complaining about their own limited access to the Windows kernel. Microsoft made some small accommodations, but the Symantecs and McAfees of the world are staring at a future full of this kind of fight. Why should Microsoft, Cisco, IBM or EMC bother to partner with outside vendors when they have the in-house capability to build their own security features?

In addition to these market forces, there is also the less obvious movement within enterprises to bring the security function either back into the IT department as a whole or under another banner entirely. As security becomes less of a specialized function and more of a part of the daily operations of the company, security loses its uniqueness. And it also loses its ability to hold budget dollars hostage on the sort of vague premise that there are bad people out there trying to hurt us and we need bags of money to prevent that from happening. This is not an altogether bad thing. Of course security is important, but bringing it under the umbrella of a larger group such as risk management or compliance puts it into better perspective, ideally without marginalizing it.

To be sure, independent security companies will continue to exist. But there will be fewer and fewer of them as the years go by and I would guess that their influence and importance in the IT landscape will wane steadily. This may result in a decrease in the annual FUD harvest, which is always good for customers. But I'm hoping that it doesn't result in enterprises and vendors deemphasizing security, as well. Time will tell.
