Consolidation or Proliferation? The Future of Security Products

On Thursday I attended an excellent seminar organised by Comsec Consulting, a company that is relatively new to the UK but with a long, pioneering history in Israel, The Netherlands and Japan. Nissim Bar-El, their CEO, is a well-known international figure in the Security world. Over the last twenty years he’s been quietly building one of the largest IT Security consultancies in Europe. You can see him on the front cover of the current UK edition of SC Magazine.

At the seminar Nissim raised the issue of complexity arising from the proliferation of security products – more than 700 at the last count – and highlighted the difficulties this presents for customers. Could there and should there be a consolidation of products? ZDNet and RSA amongst others have predicted this. A few postings ago I commented on the future of single point solutions. But as it’s a hot topic, I thought I’d add a few more points and a little extra analysis of what might happen and why.

I’m often asked whether the future will bring greater standardisation or more variety in technology. The answer is both. It all depends on the nature of the product and the market. Certain factors, such as network effects and economies of scale, favour the first mover in any new market. A high cost of change will also present a barrier to new products in an existing market. These factors can operate either against or in favour of new products. But the increasing speed of product cycles coupled with changes to the problem space will continue to present more and more opportunities for new products. That’s why the number of security products has multiplied by an order of magnitude over the last decade.

New products that exhibit network effects (i.e. the greater the size of the network, the more powerful the product) will become pervasive and hard to dislodge. But this is rare. Microsoft and e-Bay are two of the handful of products that actually become more powerful with greater usage. Amazon and Google and most other technology products are not. Network effects are exceptional. But they’re not the only barrier to entry. Better products that emerge later in the marketplace can only succeed if the cost of change is low enough to enable a positive business case. Changing an encryption algorithm can be prohibitively expensive. Moving to a different anti-virus package is easier but still quite disruptive. But switching to a new IPS product is relatively easy.

A further key factor is architecture. Products that have proprietary interfaces can lock in users but will become increasingly difficult to sell to street-wise organisations. Some organisations will aim to simplify the number of products in their architecture, but smarter ones will look for open interfaces and protocols. And I believe we are increasingly likely to see more open security standards, potentially favouring point solutions that offer superior functionality and cost.

So what will be the overall result? Well, hopefully a greater choice of solutions from both big vendors and small vendors. Big vendor acquisitions will encourage, not deter, new security start-up companies. The consumer may find proliferation of technologies a bit of a headache. But it’s just a part of the rich tapestry of the Information Age. And we should embrace the variety this brings. There’s certainly plenty of scope for consultancies to help out. Especially if they can show their customers how to achieve greater performance and savings through a smarter choice of products.

Join the conversation



I think there is a significant challenge developing standards for Security Products. Based on my experience of standards development in other areas, you can expect significant resistance to standards development from the major vendors in the space; they will see themselves (probably incorrectly) as either owning/being the standard or being threatened by them. Smaller players are likely to see standards as making market entry easier for them. The question is, who will have enough clout with the major vendors to persuade them to implement standards?
Of course, were the proper security measures built into the products we buy, at their design stage, we might not need so many bolt-on goodies, whether or not they work to common standards. But that's just wishful thinking.