Evolving the consumer security market beyond the PC June 11, 2010

Posted by jonathanpenn in client security, cloud, trends & futures.

Today came the news that Trend Micro is acquiring humyo, a service that offers file backup, access, sync, and sharing across PCs and mobile devices.

As I wrote about in “New Growth Opportunities In The Consumer Security Market”, my view is that PC-based protection, no matter how broad, is the new “point product”, and the new “suite” that consumers seek is product plus services whose functionality goes beyond security to help consumers deal with their other major challenges as well. Security is still important, but privacy is a huge and largely unmet need, and so is supporting the new consumer computing models, as my Forrester colleague Frank Gillett formulated a year ago with the concept of The Personal Cloud. Frank and I are currently discussing ways to bridge our research streams more formally.

What does this mean for consumer-focused Tech Industry vendors, and especially consumer security vendors? One of the implications of these shifts in consumer computing away from apps running on a single PC to Internet services accessed from multiple devices/device types is that there is opportunity for what the tech industry likes to term ‘stickiness’. While AV companies may engender loyalty from their customers, AV products are most effective and appreciated when they operate transparently and the user is unaware that they’re there: not slowing down the machine, and not popping up undecipherable warnings requesting your attention. On the other hand, the engagement model for Personal Cloud services is one of regular and deep interaction. In this context, the acquisition by Trend Micro offers far more promise in contrast to, say, McAfee’s partnership with Mozy.

This is not just about backup, but backup does serve as a great example of the way these dynamics change the market, the new services opportunities that can arise, and the way consumer security vendors can get into the business of providing consumers with Personal Cloud services. It’s no longer just “backup, but to the cloud”. It’s about anywhere access, file sharing, and file sync services like those of humyo or SugarSync. It’s not even just your device-resident data but also data held at the Internet services you use like Gmail and WordPress, which is what Backupify is doing that’s new and unique. Eventually, it will also encompass the ability to deliver information from the Personal Cloud to enhance the experience of other services: e.g., having Pandora or Slacker augment their radio streams with users’ own MP3s held in online storage services, or brokering identity information to limit proliferation of personal information while still enabling order fulfillment at retail sites.


Are we losing yet? March 23, 2010

Posted by jonathanpenn in client security, trends & futures.

That’s what I asked myself after reading the IC3 Internet Crime Report, which shows:

  • A 22.3% increase in complaints over 2008
  • Total dollar loss from all referred cases was $559.7 million, up over 110% from 2008
  • Of the top five categories of offenses, identity theft was #2 at 14.1% of complaints; computer fraud (destruction/damage/vandalism of property) was #5 at 7.9% of complaints.

The security industry readily admits that cyber-criminals are evolving their attack tactics faster than we’re evolving our defenses. How long can we continue to fall behind before we should start saying that we’re losing?

Me being interviewed at The Heretech February 2, 2010

Posted by jonathanpenn in trends & futures.

My colleague at Forrester, Tom Grant, interviewed me for his blog, The Heretech, where we discuss the state of security and what tech product markets of all stripes – security and otherwise – need to think about in light of these trends.

Forrester’s latest Security Survey findings published January 22, 2010

Posted by jonathanpenn in client security, identity, news, trends & futures, value.

I wanted to announce that the reports based on our annual Security Survey of nearly 2,000 organizations are live as of Monday, January 25. These are among our most widely-read security reports, with insight into IT security priorities, challenges, state of compliance efforts, and of course adoption of security technologies and services.

The two reports are:

Here’s a taste of some of the findings:

  • Security budgets, which didn’t take too much of a hit overall last year, continue to fare well. Most notably, budgets for acquiring new security technology are recovering quite strongly. But insufficient staffing is still going to be an issue in 2010. Top security technologies areas identified for growing investment are network security and data security (for a slightly alternative view to data security spend and related 2010 prognostications, see Andrew Jaquith’s report, “Data Security Predictions 2010”).
  • The top IT security priority remains data protection. Notably, managing vulnerabilities and complex threats moved several slots up the ranks to become the #2 IT security priority today.

Some findings at a more detailed level:

  • Across the board growth expected in adoption of various managed security services, with vulnerability assessments being the service organizations are most interested in adopting “over the next 12 months” (Sept 2009 – Sept 2010)
  • Compliance with PCI continues to look pretty abysmal. North American organizations are still not where they should be, and the level of PCI compliance in Europe is especially poor.
  • Organizations are expecting to invest big in client security, with renewed spending on more mature threat management technologies while simultaneously taking emerging data protection technologies mainstream.

Finally, some other observations from the data:

  • Diminishing distinctions between SMBs and enterprises with respect to priorities, challenges, and tech adoption. This is a continuing trend, and one that my colleague and economist-in-residence Andy Bartels is seeing across many segments of IT.
  • Not to minimize the fact that security concerns impede adoption of cloud, but security decision-makers expressed even more concern about consumerization (smart phones, web 2.0, etc). In general, this follows the broader trend of IT losing centralized control of technology adoption, deployment, and use. It’s not just consumer technology like iPods and use of Facebook or Twitter; it also shows up in the uncontrolled proliferation of SharePoint sites by business groups, or in the use of cloud compute services by application developers. All that aligns well with Forrester’s identification of the mega trends most affecting the technology industry.

What Google v. China tells us about how the security market is changing January 15, 2010

Posted by jonathanpenn in cyberwar/CIP, trends & futures.

Rather than discuss the extent of the cyber threat from China, or whether Google should effectively pull out of China by ending the censoring of search results (or why it was even in China to begin with), the most interesting and telling thing I’m seeing from all the discussion on this is the visibility of the defense contracting and intelligence consulting community, and how that visibility and even dominance is going without much comment by industry watchers and without much challenge by traditional security firms. Who is going to analyze and say with confidence whether the attack came from proxies or direct representatives of the Chinese state? It’s the defense contractors. Like the July 4 attacks targeting the US and South Korea, the traditional defense contractors (Lockheed Martin, Northrop Grumman (also targeted), and Raytheon, most notably) are the go-to authorities on this, while Symantec (which was also one of the targets in the multi-pronged attack), McAfee and others are left merely to talk about how the attacks in and of themselves might fuel greater interest in their security technologies.

Traditional defense contractors (Lockheed Martin, Northrop Grumman, and Raytheon, most notably…but also BAE, Boeing, and General Dynamics, among many more) have successfully expanded from military and aerospace to cyber-surveillance and from the predominantly physical security aspects of homeland security to cyber-defense. Being so well-resourced and well-connected, they are extremely powerful and effective competitors to the traditional security vendors and security services (MSS, security consulting, and security integration) players. Some estimates for the size of the cyber-defense market place it at already about one-fourth the traditional IT Security market, and growing at a far faster rate. Given this, and that it should now be extremely clear that private sector IT lies within the cyber-warfare theater of operation, we can expect a formidable battle ahead.

Tip of the Hat to Richard Stiennon for posting similar thoughts — but even more pointedly and vociferously — here at ThreatChaos.com prior to these attacks.

And if I were to comment on Google’s effective exit from China, I’d ask: What exactly is Google’s goal in pulling out? Given that other tech companies that don’t host email accounts of Chinese human rights activists were also targeted, pulling out of the China market won’t likely remove it from the target list in future attacks.

[This entry is cross posted to Forrester’s Security & Risk Management Blog]

Security Predictions For 2010 December 23, 2009

Posted by jonathanpenn in trends & futures.

[This entry is cross posted to Forrester’s Security & Risk Management Blog]

Trying to avoid the obvious and the already underway, here are my predictions for 2010.

1. Cloud security standards emerge. By the end of 2010, we’ll see a framework emerge for establishing a well-defined set of technology, practices, and processes, organized into different levels of trust. Ultimately, adherence to these specifications will need to be certified by third parties. The effort won’t be complete, but it will be underway. Look to the government as the key industry (other than the vendors) driving this effort.

COROLLARY: The use of cloud will take off as adopting organizations by and large overcome their security concerns – or at least, understand them at a specific enough level to seek out providers that satisfy these concerns.

2. Federation will start to take off by the end of 2010. Use of federation will be fueled by SaaS and cloud computing and the need for single sign-on to bridge identity from the enterprise to those external environments. Where standards reign over kludges, SAML will be the leading mechanism. OpenID will continue to be just a lab toy for the “Identerati”.

3. Managed Security Services expands far beyond “Managed”. Organizations are not only turning to managed security services, they are seeking more from their providers than merely assuming operational functions. Increasingly, they seek partners to help them with security strategy, benchmarking, making the business case, and integration. MSSPs that are in fact multifaceted solution providers will start to establish market dominance. Big winners will be IBM, VZB, Wipro, among others.

4. Web content security in the cloud will take off. Though managed email security is one of the more popular areas of security SaaS, organizations have been slow to adopt the SaaS model for web content security. This will change in 2010. Fueled by the increasing focus of attacks on browser and browser plug-in vulnerabilities, exacerbated by the growing degree of mobility among users, and further boosted by the acquisition of some major SaaS-based vendors (PureWire by Barracuda and ScanSafe by Cisco), SaaS-based web security is primed to enter the mainstream.

5. Cybersecurity starts to look like a bonanza for security vendors. Cybersecurity and critical infrastructure protection are real challenges. But with the need to act gaining visibility, and so much money being made available, we’re likely to look back on 2010 as a rather large give-away to the security vendor, service provider and consultant communities.

What won’t happen:

  1. Federal data privacy legislation. By the end of 2010, we’ll still be grappling with a hodgepodge of state and industry laws dealing with breach disclosure, encryption, auditing and other forms of due care.
  2. A big “I told you so” mobile malware outbreak. I do expect mobile to be the next frontier in malware – but that’s a 5-yr trend, not a 12-month one. And does anyone else share my perverse sense of amusement at the irony that in the mobile world, it’s Apple that owns the malware target platform, not Microsoft?
  3. Investment in training and awareness. Despite the fact that inadvertent insider activity (including getting fooled by social engineering attacks) continues to represent a significant vector for breaches, and despite its value in enlisting users as a front-line defense to spotting suspicious activity, security training and awareness will remain on the back burner of IT security priorities.

What do you think I missed? Where do you think I’m wrong?

Verticals will replace SMB/enterprise segmentation December 7, 2009

Posted by jonathanpenn in trends & futures, value.

As I posted earlier, it doesn’t make much sense anymore to make distinctions between SMBs and enterprises. When looking at their priorities and challenges, what they’re adopting and why they’re adopting it, there are far more similarities than differences.

Vertical or industry specialization is what’s most relevant, based on everything I see in conversations with product vendors, consultants, service providers and security practitioners. Security is becoming more of a business issue, and so quite naturally executives and business managers are increasingly involved in setting security strategy, determining solution requirements, and even selecting and approving solutions. These solutions must therefore address security in business terms and focus on solving business challenges. And the business challenges are defined by the vertical. Sometimes it’s quite clear that security vendors should look at the market through vertical glasses – especially when it comes to regulatory compliance. But it also makes sense when you look at how business consulting — and even IT consulting — firms are structured: they orient their services along verticals because providing business advice requires more than anything an understanding of that vertical.

SMB-enterprise distinctions will continue, as they certainly make sense from a go-to-market perspective and also because small companies need less complex and less complicated solutions. But I think we’ll see verticalization by vendors, which is now almost exclusively around go-to-market, elevate to the product/service level.

The death of the SMB/enterprise distinction? November 20, 2009

Posted by jonathanpenn in trends & futures, value.

There are several topics mentioned in my last post that I want to return to. But first, I want to make one observation that I hope will generate some new thinking. One trend I’ve been seeing play out over the past two years, and that is also borne out by Forrester’s most recent Security Survey of roughly 2,000 security decision-makers, is that company size (i.e., SMB vs. enterprise) should no longer be the principal segmentation variable in developing solutions and taking them to market.

The blurring between SMB and enterprise is happening for two reasons.

  1. SMBs are hit just as hard as large companies by regulations such as PCI and HIPAA, and from sophisticated security requirements and contractual obligations required by their enterprise partners (mostly in response to data breach disclosure laws).
  2. Large enterprises are now under pressure to cut or maintain current levels of staffing and to be more operationally efficient. Moreover, they are trying to perform more strategic work in light of the increasing business needs around security. As a result, they are rethinking how their security programs are structured and making decisions about what kinds of competencies they need to keep in house, and what competencies they don’t need to acquire but can shift to a managed services provider.

So the challenges that were unique to enterprise – complex security policies and regulatory requirements – are now shared by SMBs. And the challenges that were unique to SMBs – staffing and skills pressures – are now shared by enterprises.

That begs the question: Is anything replacing company size as the key variable in segmenting the market?

I’ll leave my thoughts on that for the next post. But please feel free to share yours here in the meantime.

There’s only one IBM November 9, 2009

Posted by jonathanpenn in trends & futures.

Last week, I spent a day at IBM for an analyst event focusing on security. This was only the second year IBM held such an event, but it was well run and quite informative. It was clear that in the past year, IBM has made a lot of progress in integrating security across the company. IBM is no longer just Tivoli, or even Tivoli-plus-ISS. How IBM has transformed and positioned Rational in the wake of the Watchfire and recent Ounce Labs acquisitions is one obvious example of this integrated view, and that IBM has multiple vehicles in delivering security to its customers. And with Tivoli and ISS, there are clear indications of coordination and cooperation rather than siloed development, marketing and sales. This extends not just to X-Force research or ISS delivering Tivoli products as a hosted or managed service, but also in how product capabilities shape strategic security consulting offerings, and how that in turn feeds back into product development. I expect the security tendrils to extend further as IBM’s cloud and SaaS solutions develop and broaden: as IBM has the opportunity to make security a significant differentiator here.

Many other large companies seek to build some combination of products, integration services, managed services, and strategic consulting. I believe this is a necessary transformation for the security industry. But these companies are wrong in thinking that replicating IBM’s model and capabilities is easy. Most eventually run into political infighting, channel conflict, or simple failures to acquire or effectively sell certain competencies.

While IBM’s progress in weaving security together was noticeable on many fronts, less clear is the degree to which IBM GBS is participating in this unified and permeating security vision. IBM says this is happening, though feedback from our clients indicates that it doesn’t seem to be widely achieved from an execution standpoint.

It’s my thesis that vertical specialization – from a solution perspective, not just go-to-market – will become more important during the next two to three years. IBM security solutions such as SecureStore for retail that it announced last year, or what it’s doing in energy around Smart Grid, or the needs in healthcare with electronic records or in government with critical infrastructure protection and cyber-security — all of these are examples of tremendous opportunities that IBM is uniquely suited to capture. IBM is one of the few companies that has the potential to bring security in within the context of transformative business initiatives.

There’s only one IBM: this is something competitors must recognize and adapt to as they strive to evolve into multi-faceted solution providers: emulate, don’t imitate. But, to twist the phrase, when IBM finally operates as if there’s only one IBM, and not silos of business units, we’ll see an even more formidable player emerge.