It was recently reported that the worldwide market for IT security and business continuity products and services is growing twice as fast as overall IT industry. By 2006, this market is expected to surpass $150 billion (IDC, 2002).
This one bright light in an atmosphere of caution is encouraging, but from which parts of the industry is this growth going to come?
The theme at 3i's recent annual CEO e-Security Conference reflected this market view. Specifically, findings from digi-voting and discussion amongst senior decision-makers from corporates and e-security companies at the conference show that globally, organizations are demanding more simplicity from e-security solutions and services.
As part of our commitment to the companies we back, 3i regularly brings together an international network of relevant contacts that may benefit them. At this conference, CEO's from over 20 e-security organizations joined e-security experts from 24 corporations at the event to discuss the state of the e-security sector.
A unique market with unique issues
IT research group Giga Information recently stated that there are more than 400 e-security vendors/providers around the world. With some of those vendors offering one or more services or solutions each and some many, many more, the number of products on the market is vast. This, coupled with emerging and future solutions to combat up and coming threats, creates a mind-boggling set of options for the chief technology officer (CTO).
It is not only the plethora of solutions and services that are causing confusion for organizations. Many businesses, particularly larger enterprises, have been addressing specific e-security issues for a number of years. For example, when a company wanted to protect against viruses, it implemented one or more anti-virus (AV) solutions. Similarly, the same organization may have deployed a firewall to keep the network secure from intruders and a virtual private network (VPN) to ensure a high level of privacy. Add to this a range of content security, access control, intrusion detection and authentication products, and it adds up to a huge task to manage and administer across a multi-geographical, complex organization. The management and integration of these products and solutions is creating an administrative pain and has the potential to expose an organization rather than protect it.
Simplification and streamlining
The e-security industry is not making it as easy as it could be for the customer. The CTO knows that the piecemeal method of implementing e-security solutions described above is not a strategic way to exploit an organization's IT investment. By not considering how their products relate to other security products, both now and in the future, vendors are being very short-sighted. Customers want a streamlined, simplified solution that works across the organization.
A key future e-security trend is integration. Smaller companies don't want big bespoke software, the key is whether it can integrate with existing systems.
The U.S. has certainly been focusing on the integration area, and this looks set to continue over the next few years. In a recent survey conducted by AMR Research Inc., Boston, 509 chief information officers at U.S. manufacturing and services companies said their IT budgets for 2003 and 2004 will grow by a modest 2 per cent. But security and infrastructure integration applications will be much more of a focus this year compared with previous years, according to the survey.
Longer term versus quick return
While a saturated market and a customer demand for simplicity are key drivers in this industry-wide push for integration, what other elements are contributing to this growing area? Our portfolio companies tell us that their customers are increasingly looking for solutions that are 'future-proofed.' Products and services that will integrate with a future IT infrastructure are becoming more important than the immediate return on investment (ROI) requirements we saw from organizations a few years ago.
During a digi-vote at the conference, delegates agreed that organizations are now taking a longer-term view in their e-security purchasing decisions, selecting products and services that will integrate easily into their existing infrastructure and are future-proofed for further implementations. Nearly half, 47 per cent, of the corporate delegates backed this up by citing ease of installation, maintenance and administration as the key issue for customers when making e-security purchases. Of the e-security companies, 40 per cent agreed with this statement.
John Thompson, chairman and CEO of Symantec recently predicted that security integration would be the industry's top seller. Last year Symantec spent $965 million acquiring Axent Technologies to gain a base of intrusion-detection and firewall products. It has dedicated 15 to 16 per cent of its revenue and 1,300 of its 1,700 engineers to a research and development effort aimed at improving them and integrating them as a set of products that can work together. Symantec believes customers want network security made easier to install and manage, thus reducing the overall cost of ownership associated with complex technologies.
Integration in practice
Many of these industry experts are agreed that integration is going to be vital to a healthy and competitive e-security industry, but how will this translate in the real world?
Standards and interoperability
Vendor agreement on industry standards and increased interoperability are essential, in order to provide the foundation. This drive towards integration is largely dependent on the adoption of common standards in order to facilitate interoperability.
If vendors work together to smooth the progress of interoperability, customers will see improved protection of their IT investments and the ability to migrate smoothly to new and future technologies. So will we see more vendors working together without compromising their competitive position? Vendor-led initiatives, such as Check Point's OPSEC, have worked to an extent. It has over 325 partners and is a leading alliance for integrated internet security solutions.
Will the saturated market actually drive demand for a new type of e-security service? Given many organizations are managing numerous point products and complex, bespoke systems across diverse architectures and geographical locations; there is a need to reduce the complexity. Over 45 per cent of delegates agreed that security management and administration would be the hot security area for 2003.
Jan Hichert from Astaro, provider of all-in-one open source security solutions, agrees. "Out of all the upcoming innovations in the sector, security management is the most important." Another one of our portfolio companies, ADD Servicios Informáticos, has a consulting arm that specializes in providing customers with fully integrated e-security systems. They have found an increased demand for these services over the past 12 months.
Most delegates agreed that IT managers within organizations have to justify the business benefits of e-security solutions. Over 44 per cent of respondents cited a lack of understanding of the issues and requirements within organizations as holding back the further adoption of e-security.
The market is only becoming more complicated for customers, and vendors need to take responsibility for educating prospects. Steve Hunt of Giga, who presented at the conference, agrees: "This year in particular, IT security managers have been asked to prioritize security initiatives while also explaining the business benefits of these initiatives. These managers have to justify everything they do, and be clear that whatever they buy has business benefits. It's up to the vendor to teach and educate the IT security manager on how to communicate business value to the board. Vendors shouldn't focus on the technology but the business problem."
Treat each customer as an individual. Start with the problem rather than the technology. Vendors need to be able to offer products and services that integrate with existing IT systems. Unless these companies have a very niche offering, you have to be able to integrate into existing and future IT infrastructures. How they do this is up to them, but they will be at a serious competitive disadvantage if they don't. Alliances and partnerships will be particularly important in developing a more holistic offering for their customers. It's an exciting time, and we believe that 2003 will be an important time in determining the key areas and players in the e-security industry.
Russ Cummings is head of the software practice at 3i (www.3i.com).