They all impact the winners and losers in information security for 2003. The state of the economy and its effect on IT spending are looming as the greatest influences on the rate of information security spending for this year, but other factors will help determine where and how that spending gets done. The greatest IT security spending uncertainty will be around corporate expenditures and the division between products and services.
Spending winners include the 'big three' of information security: firewalls, anti-virus, and intrusion detection. These categories will get the lion's share of security spending not because they are the best at improving security but because they are the biggest. Companies who have already invested heavily in security infrastructure around these technologies will need to continue to spend in order to improve deployment efficacy. Market share leaders like Check Point Software, Symantec and ISS will to do well as they continue to mine their installed bases. Companies like Netscreen, SonicWALL, Sophos, Sybari, NFR Security and Top Layer will continue to make inroads against larger and more established players, eroding their market share.
Virtual private networking technology will continue to do well in 2003 as companies look to replace expensive dial-up and leased-line connections with lower-cost IP and SSL-based connections. SSL-based remote access and web-enabled applications such as portals will begin to emerge as market forces as companies combine internet-based access with back-end application integration, using the web browser as the primary user interface. Companies like Netilla, Whale Communications, Safeweb and Neoteris will start bumping up against traditional IPsec VPN suppliers. SSL hardware acceleration suppliers like Chrysalis and Rainbow will also benefit as the more computer-intensive tasks of establishing an SSL session are offloaded to a dedicated hardware device.
The next major winner category for 2003 will be identity management. Companies continue to struggle with managing account information and enforcing end-user security policies such as password length, account permissions and enrollment/termination. The traditional solutions have been labor intensive and error-prone, creating security vulnerabilities that are too easily exploited. Simply automating the mundane task of helpdesk password resets catches the fancy of management who is looking in every nook and cranny for ways to cut costs. Look for companies like Waveset, BMC, Courion, BusinessLayers and IBM Tivoli to continue to expand in this area.
In many ways the losers in 2003 will be everyone. With uncertainty high, companies will be reluctant to spend, especially in a 'discretionary' area like information security. Doing more with less, which also includes fewer people, will be the mantra. Services firms will be hit proportionately hard, as the information security labor shortage turns into a job shortage. Without a differentiated offering, pure-play security consulting firms like @stake, Redsiren and Vigilinx will have a difficult time keeping consultants busy. Companies that can align themselves with a product offering or a specific activity, like web services security or HIPAA (or equivalent privacy legislation) compliance, will fare better than most.
Managed security services providers (MSSPs) will have a difficult time staying afloat as the clampdown on security spending will make it difficult for companies to go outside for managed services. With fewer companies outsourcing this will make it difficult for MSSPs to achieve profitability with the large fixed cost overhead spread over a smaller than expected customer base. Look for consolidation in this space by year's end, with Guardent and Counterpane at the top of the list.
One bright spot in security outsourcing is the U.S. Federal Government, which with the Homeland Security Bill and government rightsizing programs are looking to move management of IT resources and some (but not all) security out from under government control. Look for the usual government contractors (Computer Sciences Corporation, Lockheed, Booz-Allen Hamilton) as well as a few security pure-plays (Servervault and Xacta to name two) to benefit from increased government security spending.
The U.S. government is directly increasing its spending on IT security through critical infrastructure protection initiatives, and indirectly increasing corporate IT security spending via initiatives like the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach Bliley (finance) and Sarbanes-Oxley (public company accounting) Acts. As Wall Street continues to clean up from the dot-com excess and investment banking scandals there will be renewed interest in record retention and destruction. Renewed interest in privacy and the recent announcement of wholesale identity theft by insiders will prompt a beefing up of access control security as well as surveillance systems. Unfortunately, monitoring is going to be a way of life for all moving forward, whether at work or at home. This bodes well for the internet access management suppliers like Websense and SurfControl to prevent unwanted web surfing and productivity loss and 'total security' providers like Securify and nCircle for continuous monitoring and protection.
Security spending on e-business infrastructure will continue to suffer as the overcapacity built up during the dot-com boom still needs to wear off. Electronic payment systems, e-signing, extranet access management and digital signatures will all continue to suffer. The one possible bright spot on the horizon is the use of XML for business-to-business transactions and the need to securely exchange information. Web services may finally spark the otherwise moribund PKI industry as companies like Baltimore, Entrust and RSA revive their secure business infrastructure messages.
Slow and steady is going to be the rule of information security spending in 2003. Companies are going to invest reluctantly, and ideally in areas where capital can substitute for labor; i.e. jobs can be cut, hiring can stretched further, or existing employees can do more with less. Which side of the equation you end up on, whether you are part of the security problem or the security solution, will help influence your own individual win/loss for the year.
Robert Lonadier (firstname.lastname@example.org) is the president of RCL & Associates, a Boston-based consulting firm specializing in providing implementation-ready counsel and advocacy services to senior management in information security. RCL & Associates currently does not have any financial relationships with the companies mentioned in this article.