The creation of genuinely new security technologies has reached a plateau, as IT security reaches a level of maturity, analysts told the RSA Security Conference this month.
The analysts said IT security suppliers had moved on from a phase of developing breakthrough security technologies to making their existing security technologies work more effectively.
The trend, which reflects how security technology is changing from a specialist into a commodity item, would have significant benefits for IT departments, analysts said.
Laura Koetzle, vice-president and research director at Forrester, said this year's RSA show had little new technology on display in the exhibition stands.
"There is not much shiny new technology out there, and that is a good thing. Enterprise customers need solutions to their actual problems, things that can be integrated well and allow them to expand their companies," she said.
Chris Christiansen, vice-president of security products and services at IDC, agreed. "That we are not seeing a lot of change is a great thing. That we are not seeing new earth-shattering products coming out addressing problems that we aren't really sure exist is a step forward," he said.
Security conferences were attracting more business-focused IT professionals and fewer pure technologists, the analysts said.
As time goes on, IT security will become part and parcel of the IT infrastructure, rather than a series of add-on products. Smaller IT suppliers would merge with large firms to become IT infrastructure firms, rather than pure security providers, the analysts said.
This has already started to happen, with the merger of Symantec and Veritas and the merger of RSA and EMC, in both cases creating companies with expertise in storage and security.
"IBM wants to have a security story. Symantec wants a broader datacentre strategy. That puts them in the same league," said Andrew Jacquith, senior analyst at Yankee Group.
But the analysts poured cold water on predictions made at the conference by Art Coviello, RSA president and executive vice-president of EMC, that standalone security companies would disappear completely within three years.
Christiansen said that security differed in one key respect from other maturing industries - it was engaged in a constant battle with criminals intent on trying to break its products.
"In a lot of industries you see a maturation process, where growth slows and the industry matures to a few companies," he said.
"The difference is, in other industries you don't have a threat environment, with hackers, crackers and industrial espionage looking for gain. You don't have a level of ingenuity out there trying to crack products. For that reason alone, you will see innovation coming from small companies."
Jacquith said, "There has been an awful lot of money flowing into information security over the past few years. There are an estimated 700 to 3,000 companies doing security. They can't all be winners. It is not a question of standalone or not. The chickens are coming home to roost."
Koetzle said that large security companies would continue to rely on smaller firms to develop innovative ideas, buying up the most successful.
She said the garages where enthusiasts develop breakthrough technologies would continue to be snapped up by large companies. "Some of them are going to solve problems we genuinely have and be successful," she added.
Christiansen said that investors would look at the research coming out of universities for opportunities to form new companies to exploit security innovations.
David Lacey’s security blog
The latest ideas, best practices, and business issues associated with managing security
Stuart King’s risk management blog
Dealing with the operational challenges of information security and risk management
Comment on this article: firstname.lastname@example.org