Analysis: Have pure IT security firms disappeared?

In 2007, Art Coviello, executive chairman of RSA, the security division of EMC, predicted that by 2010 there would be no need for standalone security companies. Was he right?

With more than 300 security firms exhibiting at RSA Conference 2011, it would appear not, but Coviello still insists his prediction was accurate.

Very few of those exhibitors are pure security companies, with most including security as part of a much broader product offering.

"This is exactly as I predicted, which was that security would become information-centric and would become built into the infrastructure," says Coviello.

He also points out that his prediction about there being no standalone security companies was a qualified one.

"I said there would always be room for start-ups in the security field."

These start-ups are typically acquired by bigger companies, he says, and the new security technologies they have developed are added to well-established products and services.

"Data leakage prevention technologies, for example, never emerged as an independent category because the start-ups that developed them were quickly bought up," he points out.

Security information and event management (SIEM) is another example, with start-ups here simply being snapped up by larger IT management companies.

According to Coviello, other than Check Point, there are not many independent standalone security companies of significant size and scale.

He even dismisses SafeNet as a contender because of its size and the fact that it is "made up of an accumulation of stuff".

Would Coviello be willing to follow up his 2007 prediction with another about the future of security?

Yes, he would. "I predict that within the next three years there will be a substantial change in the way security is done, with security controls being embedded in virtual environments," says Coviello.

That is a fairly safe bet, he admits, because it is happening already, and RSA is among the companies pursuing this approach.

Coviello believes the virtualisation environment can be used to secure itself. By embedding security controls in the virtualisation infrastructure, businesses can achieve data protection that is equal to, or greater than, what can be achieved in physical environments, he says.

"There are too many physical points of presence that need more controls, so security has to be done differently."

According to Coviello, in the virtual environment, controls will have to be embedded only once and then can be automatically applied across the whole infrastructure.

Will this not affect the jobs of people working in security operations?

Yes, he says, but not in a negative way. Coviello sees many operations jobs converging into a new role of risk manager, who will develop security rules and automate implementation of those rules.

This new approach to security will also enable chief information security officers or anyone in an equivalent role to spend more time understanding business needs, he adds.

"We are likely to see the emergence of the role of chief risk officer to help organisations ensure that their risk management capabilities keep pace with the services enabled by continual technology innovation."
