Not just from, as you might think, hackers, crackers, script kiddies or even disgruntled employees, but from some security vendors and distributors as well. The problem is serious enough that IT security levels are degrading as companies find the price of products such as firewalls and anti-virus simply too high.
The U.K. has a traditional, two-tier distribution model, allowing products to pass from manufacturer to distributor (tier one) to reseller (tier two) through to the end user.
With this model, what should happen as a product passes down from one tier to the next is that its value passes down with it. Take the DVD player as an example: when the technology was new to the market it was extremely expensive to buy. The manufacturers held the largest share of the DVD player's value, and rightly so; they had invested a lot of time and effort in the technology. Now, however, DVD players can be bought for next to nothing. This is because the technology has matured and become ubiquitous, with outlets such as supermarkets now selling DVD players. The consumer is better off because they are still buying great technology, but at a much smaller price.
In principle, the same value distribution should be found in IT security. As a product matures, the share of its value should pass from the manufacturer and distributor through to the reseller and eventually to the end user. At the low end of the market this is starting to happen, but it is not the case with products at the higher end. Manufacturers and distributors are keeping mature security products at unrealistically high prices and are not passing along enough margin; this places the market under incredible pressure.
Under these circumstances, the reseller does not have enough margin in the product to be able to provide the end user with a reasonably priced product. This leads to a situation in which the end user perceives certain technologies, despite the fact that they are mature, as too expensive to invest in. Ultimately, this degrades the standards of security implemented by U.K. businesses.
The products most affected by this situation tend to be anti-virus and firewalls. Some firewall manufacturers are trying to redress the situation by introducing modular firewall solutions at a sensible price; unfortunately this is not yet commonplace. AV is a prime example of a mature product that is still priced too high, even though the bulk of its development is complete and what remains is largely routine signature writing. Manufacturers often attribute the expense of AV to the number of new viruses that crop up time after time. In reality, however, most of these new viruses are either hybrids of, or very similar to, an older virus, meaning that only a small signature adjustment is needed to detect them.
The problem is that this unrealistic pricing is preventing businesses from buying well-rounded security solutions. As established, the first-line products (firewalls and AV) remain uncompetitively priced, so those holding the IT budget are unable to implement second-line security such as content inspection and intrusion detection. The latter technology is still relatively new and, with continuing research and development, remains expensive in its own right. What the IT purchaser is left with are, on the one hand, keystone security products that are mature but expensive and so eat up a sizeable portion of the available budget, and on the other, the softer security products that complement and complete a sensible security solution but which are too expensive for what remains of the budget.
Of course security vendors aren't running charities; they want to squeeze the most value out of a product during its life cycle, and they have shareholders to placate. What is curious, however, is why the U.K. is one of the most expensive places to buy security products when most of the product development is carried out in less expensive regions such as Eastern Europe or the Middle East. Eventually the vendors and distributors are going to come unstuck as, even now, more and more resellers and end users are becoming aware that security products can be bought more cheaply elsewhere. For example, first-line products are approximately 15 percent cheaper in the U.S., about 6 percent cheaper in Germany and a whopping 40 percent cheaper in South Africa.
As in most cases, if something is not acceptable people tend to vote with their feet. So smaller, less established resellers are now turning to these markets and gray-importing mature security products. This lets them buy at a cheaper rate and retail at a cheaper price, focusing only on selling products and not worrying about the ongoing support of those devices, much to the annoyance of the manufacturers, who refuse to support products bought outside regional distribution. This situation means that the established, accredited reseller suffers, having invested heavily in the skills needed to add value to product lines. Missing out on product sales means no return on that investment, which in turn reduces future investment and, therefore, knowledge.
End users are also wising up to this buying pattern, which again has a damaging effect. U.K. organizations with satellite offices in places such as South Africa or the U.S. are making their purchases through these alternative routes even though the purchase order may originate in the U.K. Being pushed into buying this way means that, in the long term, the end user suffers because they have no dedicated security partner who can provide specialist security advice and support.
From an economic perspective this gray importing is having a negative impact on the U.K. Traditionally the U.K. has been the second or third highest grossing region for nearly all technology, behind the U.S. and Germany. Now it is falling well down the league table, which is just beginning to light a fire under manufacturers and distributors. It is unfortunate that it is this devaluation of the market, and not a concern for U.K. security, that is prompting action from the vendors.
However, in 2003, under the pressure of reseller and end user buying habits, what we should start to see is a reduction in the price of mature security products. This will then allow more scope for the adoption of second-line security devices, with two-factor authentication, intrusion detection and content inspection leading the way. In turn, this will have the overall positive effect of improving security throughout U.K. businesses, which is something everyone involved in IT security should strive for.
Matt Tomlinson is business development director for MIS Corporate Defence Solutions (www.mis-cds.com).
MIS Corporate Defence Solutions are exhibiting at Infosecurity Europe, Europe's largest and most important information security event. Now in its 8th year, the show features Europe's most comprehensive FREE education program, and over 200 exhibitors at the Grand Hall at Olympia from April 29 - May 1, 2003. www.infosec.co.uk