Behind the firewall with Dennis Fisher: The last few weeks of the year are the busiest ones for many people. That's true in the media world too, which means that instead of actual news and analysis, readers often are subjected to tiresome year-in-review and year-ahead stories. If you haven't been catatonic since last January, you already know what happened this year. And predictions for the year ahead are completely useless, especially in an industry that moves as fast as security does.
So instead of insulting your intelligence, we're going to enhance it and take a look at some of the important lessons we've learned in 2006. In no particular order, we learned that:
Consolidation is not slowing down. For a while it looked like the buying sprees of the last couple of years were an aberration driven by all of the cash that large security vendors had stockpiled in the booming security market. Not so much.
Symantec has continued to make acquisitions, and plans to do so again next year; IBM announced its presence with authority by purchasing ISS for $1.3 billion; and storage giant EMC bought RSA Security, the most venerable and recognizable name in the industry, for $2.1 billion. Don't be surprised if Microsoft, IBM, Cisco and others continue to add security companies to their holdings in 2007.
Microsoft is serious about the security business. Although its Trustworthy Computing efforts have gotten most of the ink in recent years, Microsoft's move to become a security vendor is no joke either. The company recently split its security group into a technology unit and a business unit, and has made some waves by hiring a number of smart guys like Adam Shostack and Vincent Gullotto. And its willingness to incur the wrath of its security partners over the Kernel Patch Protection mess shows that PR and marketing aren't piloting the ship.
Spam is here to stay. Despite the best efforts of a lot of very smart and well-intentioned people, we're no closer to solving the spam problem today than we were three years ago. The latest statistics show that about 90% of global email traffic is spam. Think about that—if nine of every 10 pieces of snail mail you got were junk, you would have abandoned the U.S. mail a long time ago. The fact that we're all still using email is a miracle by itself. Security measures like reputation systems and SenderID have proven useful, but the harsh reality is there's just too much money to be made via spam for it to ever stop.
George Bush doesn't care about cybersecurity. Exhibit A: The top cybersecurity job at the Department of Homeland Security sat vacant for more than a year until Gregory Garcia finally took the post this fall. Exhibit B: The vast majority of the initiatives laid out in the National Strategy to Secure Cyberspace are gathering dust on the shelf. Sad.
Your private information isn't. If the rash of laptop thefts, lost backup tapes and data breaches has shown us anything, it's that both huge multinational companies and government agencies—such as Boeing, Ameriprise and the Department of Veterans Affairs, all of which have comprehensive security and privacy policies—are no better at protecting confidential data than the average user is. As one privacy and security expert said to me recently, you should just assume that your Social Security number and credit card numbers have been compromised. As cynical as that is, it's probably not far off the mark. Maybe it's time to think about something radical, like publishing a list of everyone's Social Security numbers. This would eliminate their usefulness as identifiers, thereby making them worthless to identity thieves. But that would solve only part of the problem and would require banks, government agencies and myriad other organizations to purge their databases and assign random identifiers to all of their customers. Even if they started tomorrow, it would likely take years to become effective.
The all-in-one security provider is an endangered species. Symantec's acquisition strategy and the arrival of Microsoft in the market have made this a foregone conclusion. No single vendor has all of the pieces in place to challenge Symantec for supremacy in the security market as a whole. McAfee still has a varied portfolio, but management turnover and legal troubles have hampered its efforts of late. And while CA has a large security presence, it is much more focused on the overall systems management market. Microsoft's arrival on the scene certainly makes things interesting, and portends bad things for standalone antivirus and anti-spyware vendors. Their presence also makes it unlikely that smaller players will get frisky and try to roll up a bunch of acquisitions and present a challenge.
What will we learn in the year ahead? Hard to say, but by the looks of things, it will be just as interesting as 2006.
This was first published in January 2007