Pareto and the security industry
I was recently asked by a VC what our ‘house view’ was on when M&A markets will return to normal. I didn’t have a convenient canned answer for him; maybe one day something like that will appear on this blog – though don’t hold your breath. If normal is defined by the last ten years (and two burst bubbles) then we’ve got a long way to go.
What I did provide an opinion on is the state of the IT security industry. This may be a somewhat controversial position, but I think things are going to flip over the next few years. Here’s why…
IT security is Pareto inverted. Consumers of IT security products (mainly enterprises) are spending 80% of their budget on network based security, and the remaining 20% on other things like host security, data security and application security (aka secure software development). The trouble is that network security is only 20% of the problem:
I can’t believe that organisations will continue to allocate their budgets so disproportionately, and there’s really no way that the budgets are going to rise dramatically, so there’s clearly some large (and uncomfortable) change coming down the pipe. The losers will clearly be the incumbent network (and network based) security solutions, and vendors that are too closely tied to that model. The winners (if they can be called that for getting a larger slice of the same sized pie) will be those that provide more data centric approaches. That’s why we’ve seen an explosion in the data leak prevention (DLP) market over the last few years, with each of the large security vendors placing a big bet on the table. This is however only the end of the beginning: DLP for unstructured data suffers the same fate as (or worse than) enterprise rights management (ERM), in that it’s not fit for purpose. The other trouble is that controls over unstructured data as it moves around web, email and file server media don’t address all of the stuff that’s wrapped up inside applications. It’s easy to get distracted here and throw a bunch of controls around structured data in relational databases, and there has been a burgeoning market for enhanced monitoring and segregation of duties solutions there, but once again the data store is just part of the problem – with the applications themselves being where the real trouble lies.
So where should the next bets be placed? Secure software development practices, and the tools that support them, have been slow to take off in enterprise environments, though in the last few years this stuff has become like religion in some of the larger software houses. The move from packaged software to SaaS also changes the game – in terms of where the problem lies and where the solution comes from… Now where can I find a SaaS based service that will tell me how secure my SaaS based app is?
