Just two years ago, analysts were confidently predicting that the security market would be immune to the malaise affecting the rest of the computer industry. The security threats that organisations faced, they said, remained the same regardless of the economic climate.
Initially, that hypothesis seemed correct. As the rest of the industry declined, security companies, such as Check Point Software and RSA Security, continued to grow at a healthy rate. But during 2002, the IT spending downturn finally caught up with the security software vendors as well.
Giga Information Group analyst Steve Hunt cites a number of reasons why security spending grew so quickly up until the end of 2001 – and why it has stalled now.
When the economy was booming and companies were rushing to get online, he says, security was regarded as a business enabler and spending on security was, therefore, not closely scrutinised. Second, says Hunt, security initiatives were largely driven by a small group of IT specialists who were able to set their own priorities, and were not asked to give a business justification for their activities and spending.
Finally, security marketing was effective at creating a general need in the minds of business leaders and IT managers, who were happy to fund new security projects, but not interested in the details.
“Today, we have another unique combination of factors: the world is even more aware of security, but also asks for justification of the value of security,” says Hunt.
Another factor slowing purchasing decisions down is the confusion and fragmentation in the marketplace. There are more than 700 different vendors in the computer security sector, each claiming to do something slightly different.
“It’s so confusing. I think a lot of users are really unsure about what to spend on,” says Martin Canning, vice president of research at analysts IDC. As a result, he says, many organisations have simply shied away from making big investments in computer security.
RSA Security CEO Art Coviello has a simpler explanation for the slowdown. Much security software spending is tied to new IT projects. When an IT project is complete, an organisation buys firewall, authentication and access control and perhaps intrusion detection software to secure it.
As projects initiated during 1999 and 2000 drew to completion, the security software market started to feel the downturn too, six months to a year after the rest of the software market. However, Coviello points to recent sequential increases in sales as evidence that the worst of the IT spending downturn may be over.
Analyst group IDC certainly expects spending on computer security products to continue growing, albeit at a much lower rate compared to the over-optimistic forecasts made at the height of the technology spending frenzy.
It suggests that total worldwide spending will rise from $6 billion in 2001, to $10.1 billion by 2006. Underlining the potential of the market, three of networking giant Cisco Systems’ last four acquisitions have been in the security sector and CEO John Chambers says that Cisco’s security revenues will soon top $1 billion.
Cisco is also among a handful of vendors pioneering the convergence of firewall, intrusion detection and other security technologies into single, integrated hardware appliances – a shift recently identified by analysts at both Gartner and IDC.
“We definitely see a trend to multi-function devices, with not only intrusion detection included but some content filtering, such as anti-virus and other email scanning functions,” says IDC research analyst Carla Arend.
Firewall software market leader Check Point Software has responded in two ways. First, it has licensed its software to a growing range of hardware vendors for incorporation into their devices. At the moment, it can boast some 20 hardware partners. “About half of the Check Point firewalls sold today are based on appliances,” says president Jerry Ungerman.
These include Finnish telecoms equipment manufacturer Nokia, which has emerged as one of three market leaders in the firewall appliance market alongside Cisco Systems and Netscreen, a four-year-old Sunnyvale, California company that has grown at a rate of more than 60% despite the depressed IT spending climate.
Second, Check Point has started offering a number of intrusion detection and prevention features as add-on modules to its core Firewall-1 software, called SmartDefense.
But many analysts have questioned the value of intrusion detection systems because of the number of problems that users have setting them up. “The two problems that intrusion detection systems have are failing to detect real attacks and failing to ignore false alarms,” says Bruce Schneier, chief technology officer of managed security services supplier Counterpane Internet Security.
Schneier has identified a number of challenges that threaten to damage the popularity of intrusion detection systems.
First, he says, there is the problem posed by encryption, particularly as a result of the introduction of the IPsec protocol for encrypting network traffic. A network intrusion detection system sees only the ciphertext on the wire and cannot inspect the contents of encrypted traffic.
The second problem is the increased distribution of networks, which means that traffic is coming from more and more directions and users are logging in to do an ever wider variety of tasks. This makes it increasingly difficult to set rules and write signatures that can accurately detect nefarious activity.
Finally, intrusion detection systems are simply becoming overwhelmed by the increased bandwidth and speed of modern networks and cannot keep up. This is especially true of network-based intrusion detection. “Data transmission rates are getting so fast that no IDS can possibly keep up,” says Schneier.
But Schneier argues that intrusion detection systems can still provide complementary security, tuned to detect certain types of network attacks, rather than trying to provide an all-encompassing alarm system at every point in the network.
Cisco has tried to address the problem of false positives by acquiring a start-up called Psionics, says Jeff Platon, senior director of technology and product marketing at the networking giant.
When a potentially damaging action is identified by the intrusion detection system, Psionics’ software subjects it to an extra level of analysis that takes the target into account. For example, most intrusion detection systems will now have signatures to detect the presence of the SQL Slammer worm that attacks Microsoft SQL Server databases. But if the host being attacked runs Linux, and so cannot be running SQL Server, there is no need for the intrusion detection system to sound an alarm.
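The target-aware triage described above, as an added example that is not Cisco’s or Psionics’ code: each signature match is re-evaluated against an asset inventory, and alerts whose target cannot be affected are suppressed. The hosts, the signature metadata and the alerts are all constructed for the example; the key design choice, which the text does not spell out, is that a host missing from the inventory still alerts, so a stale inventory produces noise rather than a blind spot.

```python
"""Target-aware suppression of IDS alerts (illustrative; hypothetical data)."""
from dataclasses import dataclass

# Constructed asset inventory: what each host runs and which ports are listening.
INVENTORY = {
    "10.0.0.5":  {"os": "windows", "services": {1433: "ms-sql", 1434: "ms-sql-monitor"}},
    "10.0.0.9":  {"os": "linux",   "services": {22: "ssh", 80: "http"}},
    "10.0.0.12": {"os": "windows", "services": {445: "smb"}},
}

# Constructed signature metadata: the platform and listening service an
# exploit needs in order to do any harm.  Unknown signatures carry no metadata.
SIGNATURES = {
    "SQL Slammer":  {"os": "windows", "port": 1434, "proto": "udp"},
    "SSH overflow": {"os": "linux",   "port": 22,   "proto": "tcp"},
}


@dataclass
class Alert:
    signature: str
    src: str
    dst: str
    dport: int
    proto: str


def assess(alert, inventory=INVENTORY, signatures=SIGNATURES):
    """Return ("alert" | "suppress", reason) for one signature match.

    Suppression is only ever applied when the inventory positively shows the
    target cannot be affected; any gap in knowledge falls through to "alert".
    """
    sig = signatures.get(alert.signature)
    if sig is None:
        return "alert", "no target metadata for this signature; cannot suppress"
    host = inventory.get(alert.dst)
    if host is None:
        return "alert", "target not in inventory; assume it may be vulnerable"
    if host["os"] != sig["os"]:
        return "suppress", f"target runs {host['os']}, exploit needs {sig['os']}"
    if sig["port"] not in host["services"]:
        return "suppress", f"nothing listening on {sig['proto']}/{sig['port']}"
    return "alert", "target matches the platform and service the exploit needs"


def triage(alerts, inventory=INVENTORY, signatures=SIGNATURES):
    """Split a batch of alerts into those to raise and those to drop."""
    raised, dropped = [], []
    for a in alerts:
        verdict, reason = assess(a, inventory, signatures)
        (raised if verdict == "alert" else dropped).append((a, reason))
    return raised, dropped


if __name__ == "__main__":
    # Constructed alerts: Slammer against a Windows SQL host, a Linux web host
    # and an unknown host, plus a signature with no metadata.
    sample = [
        Alert("SQL Slammer", "198.51.100.7", "10.0.0.5", 1434, "udp"),
        Alert("SQL Slammer", "198.51.100.7", "10.0.0.9", 1434, "udp"),
        Alert("SQL Slammer", "198.51.100.7", "10.0.0.77", 1434, "udp"),
        Alert("Unknown sig", "198.51.100.7", "10.0.0.9", 80, "tcp"),
    ]
    raised, dropped = triage(sample)
    for a, why in raised:
        print(f"ALERT    {a.signature} -> {a.dst}: {why}")
    for a, why in dropped:
        print(f"SUPPRESS {a.signature} -> {a.dst}: {why}")
```

Run as-is, it raises the alert against the Windows SQL host and the unknown host, suppresses the one against the Linux host, and raises the unknown signature because there is nothing to compare it with. In practice the inventory has to be refreshed from scans or endpoint agents; the suppression is only as trustworthy as the inventory feeding it.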
Yet while Check Point, Cisco and others battle it out for supremacy in the firewall, intrusion detection and integrated appliance sectors of the security market, IDC expects the market for access, authorisation and authentication software to boom.
This is partly because the streamlining of such procedures promises to help organisations save money, meaning that a clear business case can be made for such projects. Lost or forgotten passwords are now the biggest single cause of calls to IT help desks in most organisations.
Most significantly, many organisations will soon embark on the web-enablement of legacy applications in preparation for the advent of web services, says RSA Security CEO Art Coviello.
Opening up such mission critical software to the Internet also means that organisations must improve their security. “It’s pretty hard to do web services, application-to-application, if you have not web enabled those applications in the first place,” says Coviello.
But web-enablement will expose organisations to new risks that need to be secured. That is a message that an increasing number of security software suppliers will be eager to articulate during 2003 in a bid to re-ignite the kind of growth they enjoyed just three years ago.