But much like any burgeoning industry, the structure of the IT security market faces an uncertain future. Just what will the landscape look like in two, five, 10 years? Experts agree that the security space is here to stay — after all, hackers are quitting their day jobs — but opinions are mixed on how the market ultimately will play out.
Industry players believe a trend toward consolidation will continue, potentially leaving just a few large players standing. Others foresee ample room remaining for the small players, but anticipate a growing gap between them and the large shops, essentially eliminating mid-size vendors from the landscape. Still others predict IT security could become a more integral part of the network development, thereby lessening the need for new pure-play security vendors.
As with any fledgling technology industry, IT security is rooted in small start-ups — venture capital-funded firms whose business model relies on innovation and the ability to harness a bright idea that successfully combats the latest threats.
New security firms regularly pop up on the landscape and, for now at least, many are thriving with a rare few folding, says Richard Stiennon, founder and chief research analyst at IT-Harvest, a security research firm based in Birmingham, Mich.
"I think the market is not oversupplied because there [have] been so many years of under-investment in security by enterprises," he says. "I think we're at the beginning of the maturation cycle and that means universal demand. There's going to be a lot more startups to fulfill that demand, and the boutiques, in my understanding, are doing very, very well."
Security vendors, by their very existence, compensate for the holes left in critical infrastructure; therefore they are a key component to an organization's success.
"In the real world, information security is there to make up for shortfalls and mistakes made by the infrastructure side," says John Pescatore, a Gartner analyst. "If everybody configured their servers correctly, you wouldn't need security [companies]. However, we know people make mistakes. Things get misconfigured. If the only security we have is built into the infrastructure, we're dead."
While the demand for security products remains strong, signs point to a slight slowdown in new company launches, according to statistics from Thomson Financial and the National Venture Capital Association (NVCA).
Global venture capital investment in security software companies may have hit a ceiling in 2004, when firms invested $928.4 million on 165 new startups. That number slipped to $916.2 million the following year.
The figures indicate an even greater slowdown this year, as only $121 million was poured into 27 new companies through the first quarter. Carried out 12 months, total venture capital investment would total just $484 million in 2006, a drop-off of about 47 percent from 2005. Industry experts warn, however, that first-quarter results may be misleading as the first three months of a year typically are the quietest among venture capitalists.
Jo Tango, a general partner with Highland Capital Partners in Lexington, Mass., says IT security "has fallen a bit out of favor with the venture community." But not with him. Tango, whose firm recently invested in an unnamed new security company, says drivers — such as growing security budgets within organizations — still signal a strong a market.
"Security is like any other space people are investing in," he says. "There are some bad ideas out there being funded, there are some nice-to-have ideas being funded, and then there are a handful of game-changing ideas beings funded."
Having a unique product is the differentiator needed to succeed in a market that appears to have reached a growth plateau, contends John Becker, CEO of Cybertrust, based in Herndon, Va.
"If you don't have the ability to distinguish yourself in the marketplace and rise above everyone else, I think you're going to have a problem," says Becker, whose 1,000-employee company provides consulting and managed security services. "The smaller shops continue to have a more difficult time. I don't think what's happening in the marketplace puts everyone out of business, but it does make it more difficult [to succeed]."
To be or not to be
Other industry players, such as Buck French, chairman and CEO of Cupertino, Calif.-based Securify, share a more absolute opinion. French contends the space is flooded with a slew of companies addressing all the major problems. And he says he does not foresee any major threats developing that would necessitate the formation of new vendors.
"No new security companies should be born," says French, whose 75-employee organization specializes in insider threats. "If you're a venture capitalist, you're not looking to fund a security company. The problems that are left out there aren't meaty enough to support the time it takes to build a product and build out your distribution model."
Axel Tillmann, vice president of marketing for Reston, Va.-based ENIRA Technologies, says the increasing costs of technology development and market presence could stymie innovation, thereby limiting new companies from entering the space.
"Innovation in that market becomes cost prohibitive because fabrication costs are extremely high," he says.
Still, when compared to other sectors, IT security is booming, says John Taylor, vice president of research at the NVCA. IT historically compromises about 70 percent of the venture capital market. And Taylor says he does not view the modest drop in investment as a trend.
"The underlying need [for IT security] is increasing, and that's not going away and that's not going to backtrack," he says. "What we don't know is how much of the total innovation is going to come from the entrepreneurial sector and how much from the established firms."
Going the M-and-A route
The goal of many startups is to ultimately be absorbed into one of the sector's bellwethers, which guarantees a handsome payday for small firms that took a flier on a novel idea.
"I met an interesting company, a switch and router company out of Dallas, and they had a business plan that said after three years, we want to be acquired," recalls Tillmann, who expects ENIRA, a 15-employee network security company, to someday be acquired as well [editor's note: ENIRA was, in fact, acquired by ArcSight on May 23.]
This sort of business model also makes sense for the established organizations writing the checks.
"When you're a large company, you shouldn't be developing every new technology because that's a risk," Pescatore says. "It's much smarter to purchase a company that has already demonstrated success."
Symantec, for example, has acquired approximately 25 companies since February 2000, including eight since last April, company spokeswoman Sarah Tolle said. The anti-virus giant now rakes in almost $5 billion a year, firmly entrenching it as the IT security space's leading provider.
"I think there will be a handful of big players that survive," says Francis deSouza, a Symantec vice president charged with overseeing the vendor's enterprise management solution. "That has been a consistent theme of our strategy. Most small companies realize that acquisition is a preferred outcome for them. Most of them realize that they won't be a pure-play, small standalone security company for long."
"The security industry, as a whole, is consolidating," he adds. "For IT departments, the first thing they're seeing is that environments are getting more complex. It's not uncommon for there to be 40 different security solutions in one company. That's unmanageable for many when you have so many different point solutions."
Securify's French also foresees a shrinking marketplace, going so far as to call the small shops "walking dead."
"I think innovation has crossed over to the point where the small company is no longer the organization the customer looks to to provide a product," he says. "The difference between the little guy and the big guy narrowed enough that they would rather not take the risk with the little guy."
But do not drop the curtain on the boutique shops just yet as they play a significant role in the IT security space, some industry leaders say. Most importantly, perhaps, is that the small vendors provide best-of-breed alternatives for network administrators who prefer quality to the convenience of dealing with a single vendor, says David Ting, founder and CTO of Imprivata, an authentication and access management provider with its U.S. base in Lexington, Mass.
"The knowledgeable IT administrators today would prefer to pick best-of-breed," he says. "They like the flexibility to pick. We see the administrators doing their homework. They're going to focus on the product."
Other times, the smaller vendors provide a worthy alternative to the major players, should administrators grow frustrated with the current solution they are using, says Stiennon of IT-Harvest. Boutiques often provide better defenses against the latest threats, and it is not unheard of for a customer to stop using a Symantec or McAfee solution in favor of a lesser-known brand, he adds.
And the more success small vendors have, the likelier they are to be acquired, Stiennon says. This encourages the venture capitalists to invest in more startups, "and that's how the cycle keeps going," he adds.
Growth of the IT security industry faces other challenges, experts say. Safer software, tool and infrastructure development could lead to fewer security problems, thereby limiting the need for more solutions and new companies, Ting predicts. Within the organization, a shift is underway in which security no longer is viewed as an add-on, but as an integral part of the building process, he says.
In order to achieve this, leading software and platform makers, such as Microsoft, Cisco and Oracle, likely will acquire more companies "to get security in their development process," Gartner's Pescatore says.
Improved corporate policies regarding access and security awareness — especially as insider attacks continue to skyrocket — may also lessen the need for security vendors, some experts say.
Organizations may spend fewer resources on security solutions and more on addressing issues inside the workplace. "If you're chasing the next threat, you will, by nature, never be secure," French says.
There also has been a trend toward service providers integrating security into their offerings. As an example, some ISPs and email providers are offering an integrated anti-spam service for users.
Reading the crystal ball
In the end, nobody knows for sure how the IT security market will settle. Some insist there will not be much change between now and future years. Others foresee a few large players separating themselves even further from a dwindling pack of smaller suppliers. And some think general IT companies may someday be the ones offering the solutions. After all, Microsoft has formally entered the security space with its Windows Live OneCare package.
Whatever the result, experts and industry players agree that the market will experience change — but it will not die as long as hackers are still plotting.
"I personally believe IT security will not disappear," Becker of Cybertrust says. "I think it's distinct enough from the routine stuff. I believe it will remain a standalone industry."