The information security market has grown dramatically in the last decade, and there are no signs of it slowing down. In fact, Cybersecurity Ventures estimates that the worldwide cybersecurity market grew from $3.5 billion in 2004 to $75 billion in 2015, and forecasts growth to reach $170 billion by 2020. At some point, these big numbers are just that – big numbers. But these big numbers create even a bigger dilemma for industry analysts, security vendors, and investment bankers in terms how we speak about the security industry:
- For analysts, they have to be able to divide the industry in a way that they can speak to sub-parts of the industry. Otherwise, how will they format and sell their research?
- Security vendors, especially the start-ups, naturally want to be associated with the biggest and/or highest growth part of the security segment. One year, they all become Threat Intelligence companies (that was so cool in 2015…) and the next year, they are all clamoring for attention as the best next-generation endpoint solution.
- Bankers, realizing that information security is where the money is, do their best to sort through what each vendor does as they try to play matchmakers between them.
But what is forgotten in all of the above is the one member of the industry ecosystem that truly matters – the end user – the actual consumers of the security products. The life of a security professional in an enterprise – small, medium or large – is getting more complicated every day. They are hit with breaches and resulting pressure from top brass to have best-in-class protection on one hand, and are inundated with security technologies and jargon from vendors/analysts on the other hand. It is their job to sort through all of that to come up with a deployable solution to meet their needs.
The separation of security segment by technology, which is unfortunately how everyone defines the markets today, falls apart as you go one level deeper. Take, for example, the so-called Identity and Access Management (IAM) security segment. Most will agree that IAM means a grouping of technologies that allow enterprises to identify users and machines in order to control access to critical enterprise resources. But you try to subdivide IAM into Authentication, Single Sign-on, Authorization, Privilege user identity Management, etc., and it doesn’t work. Why? Because vendors do multiple things in one platform and don’t want to undersell what they do by being restricted in one sub-grouping. Similarly, enterprises expect these technologies to be integrated and can get lost in the acronym soup presented to them by the industry.
An example closer to my heart is network security. The world was a lot simpler when there were discrete pieces to what that meant: stateful firewalls, VPNs, intrusion prevention. I still recall when the biggest terminology debate was Intrusion Prevention vs Intrusion Detection solutions (yes, I have been in this industry too long). Just recently, I had a chance to review a paper on UTM vs NGFW, which are nothing more than a grouping of network security technologies ranging from IPS, antivirus, web filtering, VPN, etc. While the paper made many valid points, what was lost (yet again) is that end customers just want the best protection. The best solution includes intelligent use of various security technologies – everything from gateway antivirus to advanced malware detection to advanced use of reputation services. Whether you originated as an NGFW vendor or a UTM vendor, it really doesn’t matter. Good example: today, many NGFW vendors have added cloud sandboxing for advanced malware detection, and so have UTM players like WatchGuard. We did so because we want to provide the best security technology to our customers.
A better way to segregate the market is not by technology but by either use case or by customer type. I would rather go back to simple definitions of Large Enterprises, Small to Medium Enterprise, and Consumer, and define use cases based on those segments. There are several advantages to this approach:
- It is easier to capture true customer requirements by the size of the enterprise. For example, large enterprises require a high throughput since they are likely to have large data centers. Not so much for a small 50-person company.
- It is also easier to speak to limitations of each of these enterprises. Smaller enterprises are resource-constrained, and might make different buying decisions compared to larger enterprises. Larger enterprises have larger IT and security groups, which also affects their buying processes, not just technology evaluations.
- Technologies change all the time – for example, the same paper I read on UTM vs NGFW did not know where to place cloud sandboxing. We can avoid that problem when we let enterprises evaluate these technologies based on their needs and use cases, rather than arbitrary classification of the new technologies. Building on that cloud sandboxing example, if it were grouped under NGFW, many SMBs might not consider that as a technology they need, even though the rise of ransomware in last two years has proven that it is as useful to them as it is to the largest enterprises.
- Most importantly, this categorization doesn’t insult the enterprise user. So often, I hear from analysts that the SMBs are not security-aware. This couldn’t be further from the truth. More and more SMBs are very aware of security threats, and one could argue, even more concerned since one breach can destroy their whole business. The issue for them is actually finding the best security solution that fits within their resource constraints.
I, for one, am glad to see Frost & Sullivan taking a step in this direction. Their latest paper focuses on the needs of the SMB. They have also resisted the temptation to sub-divide the network security segment into NGFW and UTM, realizing that in the end, each vendor has built more and more network security functions into their platform anyway.
It is time for vendors and analysts to take a more customer-centric view of security technology. Let’s not drown them in our acronym soup – what we do is too important and relevant to not allow our customers to make the right choices!