As the e-security threats become more complex and business-critical in their potential impact, corporations want to know that there are no weak links in the e-security infrastructures.
The easiest way to reduce perceived risk in this regard is to buy all the software or hardware solutions from the same vendor. In the 3i E-Security 2002 survey (in association with the Economist Intelligence Unit), two-thirds of the correspondents said they thought that 80 percent of the market would be owned by five or fewer brands in three years' time.
We agree that customers would benefit from a reduction in choice of vendors in some areas, particularly consumer sectors such as anti-virus, in return for an increase in product breadth and customer support. However e-security is a broad sector and consolidation is not inevitable in all areas of the industry. In this article, we will look at what e-security vendors need to do to succeed in what could continue to be a difficult economic climate and which areas of e-security will continue to grow and encourage investment over the next year.
Corporate spending on IT security and business continuity products continues to grow and is expected to surpass $150 billion by 2006, according to IDC - that's 8.6 percent growth this year. This is in comparison to overall spending on IT, which is predicted by the Information Technology Association of America to remain at 0-4 percent growth this year. However, as there are more than 400 e-security vendors/service providers globally selling countless products, it will be a case of survival of the fittest.
As venture capitalists (VCs) active in a changing market, we know that we need to support our portfolio companies in any way we can so that they win out as the market consolidates. For vendors, the support of their investors is critical during challenging times as a source of ideas, resources and support. Successful VCs are not just investing capital in a company, but spending time working 'hands on' with the vendors as part of the management team to shape their market proposition, and help them forge partnerships with potential customers, buyers, distributors, and trading partners with the aim to help build critical relationships and strategic alliances. VCs should also proactively challenge strategy and build more effective boards.
The CEO e-security conference that we recently hosted in Barcelona, Spain, which gathered together our e-security portfolio companies with corporates such as IBM and Computer Associates and experts such as GIGA Group, is a good example of this theory in action. The overriding discussion centered round the current market, and what e-security vendors need to do to succeed in the short- and long-term future.
Strategies in a consolidating market
It was agreed that in order to thrive in the upcoming market, it is critical that vendors have a strategy to deal with the inevitable market consolidation. The following five areas were considered important when developing such a strategy.
1. Listen to the customer
It's an obvious piece of advice, but listening to the customer is absolutely essential in creating a successful and viable offering. Many large organizations are struggling to manage complicated and disparate e-security systems and, not surprisingly, this represents a growing headache for IT directors. In addition, upgrades and additional features mean that the IT director has to frequently find not only the budget but also the manpower (which Forrester Research estimates alone costs an average company $700,000 annually) to integrate all these products and applications.
The plethora of software solutions on the market makes purchasing decisions complicated. Vendors need to make this situation easier for customers and prospective clients by understanding the business issues the product has been bought to address and then spelling out the business benefits and value proposition of their products in terms that the board will understand. In particular, this means explaining how a vendor's product can interoperate with other vendors' products.
John Thompson, chairman and CEO of Symantec, recently predicted that security integration would be the industry's top seller. Symantec believes customers want network security made easier to install and manage, thus reducing the number of suppliers.
2. Get your proposition right
Successful companies truly understand their market and know to whom they are selling. Focusing your value proposition purely on the technology is an easy and very common mistake to make. Too few technology-driven vendors position themselves as providing a solution to a business problem and quantify the benefit. If one looks at a technology like public key infrastructure (PKI) one can see how an outstanding technology has failed to capture the imagination of large businesses because the return on investment (ROI) is not clearly articulated by the vendor or understood by the buyer. It is essential, therefore, that vendors understand their customers' business problems and the market in which they operate.
In turn IT security managers need to learn how to communicate business value and justify spend within the organization. They can only do this with the support and input of their vendor partners - especially when it comes to finding the tales of e-security problems that will demonstrate the dangers of under-investment. Technology is obviously a key part of any offering, but don't baffle prospective clients with unnecessary jargon. Vendors must be clear about who they are selling to and communicate this to both the sales team and channel partners. Then they must put the right range of communication tools in place to get the message across, whether it be seminars, direct mail or PR.
3. Security standards
In the future we will begin to see a much greater move towards industry-wide standards. Some areas, such as internet protocol security (IPsec) and lightweight directory access protocol (LDAP), are well established, while other areas such as XKMS and the associated XBulk standard for bulk key registration (of particular importance for smartcards and mobile devices) will see major progress over the next 18 months. Concerns about web services security issues with SOAP (the web services transport layer) are being addressed through the WS-Security initiative, which has been jointly developed by IBM, Microsoft and VeriSign. Check Point's Open Platform for Security Alliance (OPSEC), is another successful vendor-led initiative, with more than 325 partners.
Those vendors co-operating with and contributing to these initiatives will be in a better position to respond to customer demands for interoperable solutions. However, vendors need to be open to any major independent standards committees that may arise, as standards and interoperability will be fundamental in shaping the market consolidation.
4. Keep innovating
In this current economic climate, it is often easy to overlook the value of innovation. Mike Reed, vice president of business development at Top Layer, a 3i portfolio company, believes innovation is crucial in the face of the strong increase in security intrusions, and that this threat will drive the market for intrusion detection and prevention appliances.
At 3i, when we analyze potential portfolio companies, the R&D function is essential to the value of the organization. We want vendors that are continuing to develop innovative technologies that customers will be demanding in the future while, at the same time, maximizing the market opportunity of their existing products. For example, we see artificial intelligence (AI) as having a key role in helping organizations to anticipate and understand new security threats faster.
Compelling and credible products and services drive partnerships with larger IT and e-security vendors, which have become critical routes to market for smaller vendors. It is vital to keep fuelling your investment in innovation, however tough the demands are on your cash.
5. Forging partnerships
For smaller e-security vendors, partnerships are essential to strengthening their position. As a 'hands on' investor, 3i actively initiates linkages and introductions between e-security businesses and corporate or non-competitive vendors who can offer strategic partnerships. These relationships can enable vendors to fill any technology or sales gaps, to de-risk the investment for their customers and also help to identify new opportunities. Not only does this help to open doors, it also provides companies with greater routes to market. Conversely, for the corporate or the larger vendors, a relationship with a more specialist vendor can provide them with specialist knowledge and innovation.
Hot areas and themes
Here are a couple of themes we see as being very 'hot' in the year ahead.
Intrusion prevention and detection systems have emerged as a hot area due to the growing number of sophisticated threats and attacks to corporate IT systems. An intrusion detection system is designed to protect the network by carrying out real-time monitoring of network/system activity and then analyzing the data for potential vulnerabilities and attacks in progress. However, these systems do not prevent damage, and as a result companies are also deploying proactive defense systems (intrusion prevention systems) to protect their networks. Intrusion prevention and detection systems as part of corporate security planning are essential tools for anticipating, auditing and analyzing an attack.
We believe that there will be continuing developments and investment in this area, reflecting the need for companies to secure all their point of access and anticipate vulnerabilities.
Integration enables companies to reduce the complexity within and streamline their e-security systems. It is the single most important issue for all companies right now as they seek to make disparate technologies work together. Companies will also be able to future-proof their solutions, ensuring that they will be able to integrate with a future IT infrastructure.
In a recent survey conducted by AMR Research Inc., Boston, 509 chief information officers at U.S. manufacturing and services companies said their IT budgets for 2003 and 2004 will grow by a modest 2 percent. But, according to the survey, security and infrastructure integration applications will be much more of a focus this year compared with previous years.
We believe the current market saturation is creating opportunities for vendors offering security management solutions and services.
It's going to be a rollercoaster ride over the next 12-18 months, and we will see a real divide emerge between winners and losers. Vendors need to prepare and adapt their business and technology strategy to combat difficult market conditions. We firmly believe that too many e-security companies have put certain activities on hold during difficult times, such as a focus on partnerships or investment in R&D, and ultimately this can weaken a company's position in a turbulent market. Look at your company as a whole, take stock, listen to your customer, have a clear, compelling value proposition and prepare to succeed in an exciting and innovative e-security industry.
Martin Gagen is President and CEO and Mikko Suonenlahti is Director, for 3i U.S. (www.3i.com).