The groups have started to get smaller as we work our way toward the end of this year's collection. Security infrastructure has begun to emerge as a small but specialized group. Arguably, this is a catch-all, and with only three subcategories one might take the position that we really haven't caught all.
We don't think so. First, there are a lot of product types that we have traditionally included which have carved out their own niches. Some companies, for example, that in prior years we would have considered policy management have gone on to specialize in highly granular policy-driven access management. So we have to see them in a somewhat different light.
Additionally, there has been some convergence in this particular market space. A bit of that was caused by the emergence of yet another marketing buzz-phrase: GRC (governance, risk and compliance). GRC, for whatever reason, has become the darling of the consulting community. Driven by compliance requirements, consulting companies are offering all sorts of compliance analysis services. And then along came product vendors.
With compliance there is the implication that risk and governance are equally important. That is something that information security professionals have been saying for decades, but until the current batch of compliance laws took aim at the individuals who have fiduciary responsibility within an organization, the two stepchildren of compliance were largely ignored as too expensive and disruptive to address.
Now the ballgame has changed and organizations have taken big steps to get in the game, opening up a promising market for the forgotten vendors of years past.
The result has been a new batch of products that combine governance, risk analysis and compliance into single products. That is a win for everyone, and the bottom line for this batch of vendors is that they have a market that is unlikely to go away. They also have significant challenges, such as staying current in an environment that can change rapidly.