
Evolving the consumer security market beyond the PC June 11, 2010

Posted by jonathanpenn in client security, cloud, trends & futures.

Today came the news that Trend Micro is acquiring humyo, a service that offers file backup, access, sync, and sharing across PCs and mobile devices.

As I wrote about in “New Growth Opportunities In The Consumer Security Market”, my view is that PC-based protection, no matter how broad, is the new “point product”, and the new “suite” that consumers seek is product plus services whose functionality goes beyond security to help consumers deal with their other major challenges as well. Security is still important, but privacy is a huge and largely unmet need, and so is supporting the new consumer computing models, as my Forrester colleague Frank Gillett formulated a year ago with the concept of The Personal Cloud. Frank and I are currently discussing ways to bridge our research streams more formally.

What does this mean for consumer-focused tech industry vendors, and especially consumer security vendors? One of the implications of these shifts in consumer computing away from apps running on a single PC to Internet services accessed from multiple devices/device types is that there is opportunity for what the tech industry likes to term ‘stickiness’. While AV companies may engender loyalty from their customers, AV products are most effective and appreciated when they operate transparently and the user is unaware that they’re there: not slowing down the machine, and not popping up undecipherable warnings requesting your attention. On the other hand, the engagement model for Personal Cloud services is one of regular and deep interaction. In this context, the acquisition by Trend Micro offers far more promise in contrast to, say, McAfee’s partnership with Mozy.

This is not just about backup, but backup does serve as a great example of the way these dynamics change the market, the new services opportunities that can arise, and the way consumer security vendors can get into the business of providing consumers with Personal Cloud services. It’s no longer just “backup, but to the cloud”. It’s about anywhere access, file sharing, and file sync services like those of humyo or SugarSync. It’s not even just your device-resident data but also data held at the Internet services you use like Gmail and WordPress, which is what Backupify is doing that’s new and unique. Eventually, it will also encompass the ability to deliver information from the Personal Cloud to enhance the experience of other services: e.g., having Pandora or Slacker augment their radio streams with users’ own MP3s held in online storage services, or brokering identity information to limit proliferation of personal information while still enabling order fulfillment at retail sites.


What Facebook and Google can learn from Avast! and AVG May 17, 2010

Posted by jonathanpenn in client security, privacy.

The latest string of privacy fiascos from Google and Facebook lead me to wonder if they will ever learn to respect their consumer users. For both companies, I think one of the dynamics behind this is the fact that these consumers aren’t the ones from whom the companies collect revenue, the incorrect conclusions the founders and executives derived from that, and the cultures they developed within their companies as they grew based on these erroneous assumptions.

Google has an almost innate ability to develop applications and services that unleash the power of the Internet to transform people’s lives. Yet the engineering culture that drives such stellar technical achievements is what hinders Google in their relationships with consumers. Google doesn’t have what it takes to run a consumer business: it’s just not in their DNA. This is how we can hear on the one hand about how Android is a smashing success from an engineering perspective and is purportedly now outselling the iPhone in the US, while learning the same week that Google is going to stop selling Nexus One direct to consumers.

To succeed with consumer products would require Google to have more polish and quality assurance beyond the core engineering challenge (versus relegating some services to the purgatory of perpetual beta), development of consumer customer support services (a la the Nexus One), and of course a more respectful approach to users (see: privacy).

It would be a shame if the lesson Google took from the Nexus One would be to forgo future efforts at selling direct to consumers. Having a deeper relationship with consumers and being accountable to them as paying customers would teach Google to be more sensitive to their concerns. It’s the same thing with Facebook: it, too, would have a completely different attitude and approach to privacy changes if consumers paid for their accounts.

It doesn’t have to be that way. Some companies that don’t get revenues from their consumer users approach them with understanding and respect just the same. I just spent a few days in Prague, where I met with the AV companies Avast! and AVG. At each of these companies, the vast majority of users are running the free version of their products. But the difference between Avast! and AVG on the one hand, and Google and Facebook on the other, in their attitudes towards their non-paying users cannot be more stark. Avast! and AVG exhibit the utmost deference and sensitivity in dealing with their non-paying consumer users. They are fully aware that the future of their companies depends on their ability to retain and expand upon these relationships. As they explore ways to monetize these relationships, it’s by delivering more value and developing stronger bonds of trust. The Google and (especially) Facebook approach seems to be through exploitation and indifference.

Sophos takes on new investors May 4, 2010

Posted by jonathanpenn in client security, news.

On the heels of Symantec’s two encryption acquisitions, there’s another development in the client security space. Sophos’ original investors just sold their stake. Sophos’ new investors, Apax Partners, invested $400m and acquired a majority stake – thus valuing Sophos at just over $800m.

Sometimes, these investments serve as a lifeline for a vendor (e.g., private equity firm Thoma Bravo’s acquisition of Entrust a year ago). That is not the case here. Sophos was a healthy and growing company – though it faces increasingly stiff competition from the top-tier client security companies.

This is not just a buyout of early investors, but an additional investment in Sophos. So this will ultimately help Sophos by fueling acquisitions as well as global expansion.

There are several possible dynamics going on here. It could be that Sophos investors saw a good opportunity to pull out. In fact, those investors (TA Associates) were also the ones who invested $200m in AVG recently. So it could also simply be that TA didn’t want to have two AV vendors in its portfolio and decided to rationalize, especially since these two vendors have very different strategies and business models. Sophos was also purportedly on the IPO track – with estimates placing the valuation at ~ $1b. It could also be that Sophos saw that, for whatever reason, the IPO route wasn’t optimal.

Symantec’s acquisition strategy May 4, 2010

Posted by jonathanpenn in client security.

Late last week, Symantec made two acquisitions in the encryption space, scooping up both PGP and GuardianEdge. My colleague, Andrew Jaquith, is publishing an in-depth report analyzing the acquisition, so there’s no need to go into too much detail here. We’re in total agreement that encryption has been a significant hole in Symantec’s security portfolio, given that data security is the #1 focus for IT security shops. You can also see some of my initial comments to the press on the acquisition here.

These two acquisitions got me thinking about Symantec’s acquisition strategy in general. What we’ve seen from Symantec over the years is a clear proclivity to paying more in order to acquire market-leading vendors. This doesn’t mean Symantec overpays. Simply that Symantec seems to weigh established customer base and market share more than other security specialists. Certainly, McAfee has its share of big acquisitions (it paid about as much for SafeBoot as Symantec paid for PGP and GuardianEdge combined, and the Secure Computing acquisition was no small purchase either), but as a more general rule Symantec goes after the big game on the plains more than other security specialists. In security, Symantec is clearly moving to more head-to-head competition against the mega-vendors with deep pockets: IBM, Cisco, Microsoft, EMC, etc. I believe that this approach to acquisitions is a key factor that helps Symantec over the long term against this competition.

Are we losing yet? March 23, 2010

Posted by jonathanpenn in client security, trends & futures.

That’s what I asked myself after reading the IC3 Internet Crime Report, which shows:

  • A 22.3% increase in complaints over 2008
  • Total dollar loss from all referred cases was $559.7 million, up over 110% from 2008
  • Of the top five categories of offenses, identity theft was #2 at 14.1% of complaints; computer fraud (destruction/damage/vandalism of property) was #5 at 7.9% of complaints.

The security industry readily admits that cyber-criminals are evolving their attack tactics faster than we’re evolving our defenses. How long can we continue to fall behind before we should start saying that we’re losing?

Forrester’s latest Security Survey findings published January 22, 2010

Posted by jonathanpenn in client security, identity, news, trends & futures, value.

I wanted to announce that the reports based on our annual Security Survey of nearly 2,000 organizations are live as of Monday, January 25. These are among our most widely-read security reports, with insight into IT security priorities, challenges, state of compliance efforts, and of course adoption of security technologies and services.

The two reports are:

Here’s a taste of some of the findings:

  • Security budgets, which didn’t take too much of a hit overall last year, continue to fare well. Most notably, budgets for acquiring new security technology are recovering quite strongly. But insufficient staffing is still going to be an issue in 2010. Top security technologies areas identified for growing investment are network security and data security (for a slightly alternative view to data security spend and related 2010 prognostications, see Andrew Jaquith’s report, “Data Security Predictions 2010”).
  • The top IT security priority remains data protection. Notably, managing vulnerabilities and complex threats moved several slots up the ranks to become the #2 IT security priority today.

Some findings at a more detailed level:

  • Across the board growth expected in adoption of various managed security services, with vulnerability assessments being the service organizations are most interested in adopting “over the next 12 months” (Sept 2009 – Sept 2010)
  • Compliance with PCI continues to look pretty abysmal. North American organizations are still not where they should be, and the level of PCI compliance in Europe is especially poor.
  • Organizations are expecting to invest big in client security, with renewed spending on more mature threat management technologies while simultaneously taking emerging data protection technologies mainstream.

Finally, some other observations from the data:

  • Diminishing distinctions between SMBs and enterprises with respect to priorities, challenges, and tech adoption. This is a continuing trend, and one that my colleague and economist-in-residence Andy Bartels is seeing across many segments of IT.
  • Not to minimize the fact that security concerns impede adoption of cloud, but security decision-makers expressed even more concern about consumerization (smart phones, web 2.0, etc). In general, this follows the broader trend of IT losing centralized control of technology adoption, deployment, and use. It’s not just consumer technology like iPods and use of Facebook or Twitter; it also shows up in the uncontrolled proliferation of SharePoint sites by business groups, or in the use of cloud compute services by application developers. All that aligns well with Forrester’s identification of the mega trends most affecting the technology industry.

Even security experts endorse consumer security freeware December 16, 2009

Posted by jonathanpenn in client security.

For the third time in two months (and second time mentioning AVG by name!), Bruce Schneier endorses and legitimizes consumer use of freeware antimalware tools. As I write in Consumer Security Market Trends, 2009 To 2010: The Freeware Threat, “[For-pay products] must bring demonstrably better protection or added features that deliver real value.”

The rise of freeware is fascinating from a market watcher standpoint. Freeware forces the question “What makes ‘better’ truly ‘better’, rather than just ‘more’?” It’s a challenge for all the vendors competing in consumer security, but especially Symantec, McAfee and Trend Micro as they have the most to lose here.

The rise of freeware security October 14, 2009

Posted by jonathanpenn in client security.

Nothing gets a vendor to focus on value to the customer more than when you have a big competitor offering their solution free of charge. The rise in freeware is nothing short of astounding: the three big vendors – Avast!, Avira, and AVG – boast nearly 300 million users combined. The great majority of these users are indeed running the free software, but a recent event allows us to put some real dollars on it: AVG recently received over $200m in investment for a less than one-third stake. It’s pretty astounding that a company with what I’d estimate at somewhere around $20-$25 million in revenues (give or take a few million) could have a valuation of over half a billion dollars.

The freeware phenomenon is rightly a major source of anxiety for consumer security vendors, and now that Microsoft offers consumer security software for free, the anxiety should only get worse. The big vendors McAfee, Symantec, and Trend are being forced to justify their premium price. I don’t think the “more is better” approach of loading up suites is going to do it. Given how much of their revenue is from consumer security (about 30% for Symantec and McAfee), this is a challenge they’ll need to solve quickly.

Forrester’s market research indicates that these freeware products are taking a pretty big – and growing – bite out of the market, and their success is not solely due to their price.

The rise of freeware security means that dominating the market through expensive OEM and reseller arrangements is no longer an effective strategy. The big vendors have a lot of market share to defend, but they must look at how to compete head to head rather than seizing the prize de-facto solution that comes with a computer or with an ISP relationship.

Not all freeware solutions are alike, and not all pay products are alike either. Some of these freeware solutions are as good, or even better, than some of the pay version – and vice versa. But freeware raises the question: “When is ‘better’ really better?” Or put another way: “How much better does it need to be to be worth it?”

If there are freeware users out there, what do you like about the product, and what made you switch? Would anyone not use or recommend a product simply because it’s free?

Are there other markets or industries (and I don’t think newspapers offer quite the right example) that we can look to where we can learn how pay offerings fought off and survived a challenge by free offerings?