Work blog moved to Forrester site March 15, 2010

Posted by jonathanpenn in uncategorized.

Please note that as of Monday March 15th I have migrated my work-related blogging activity to my new blog at http://blogs.forrester.com/jonathan_penn.


Investment and innovation in security October 9, 2009

Posted by jonathanpenn in uncategorized.

Last week I attended a small investor/entrepreneur event in Palo Alto run by the Global Security Challenge (GSC). There were about 50-70 people in attendance: a mix of entrepreneurs, VCs and other investors, and other companies interested in emerging and innovative technologies (i.e., potential acquirers and tech/channel partners).

The heart of the event was indeed a competition: several companies gave their elevator pitches to the crowd, followed by a more detailed presentation privately in front of a panel of judges. I guess you could say it’s sort of a blend between Star Search and Star Chamber. At the end, the winners (there were two: one for “startups” and one for “SMEs”, as defined by their revenues) were announced, who each received some additional investment money as a prize.

In between the pitches and the announcement of winners, I had the pleasure of moderating a panel on the state and future of security investment and innovation. It was a great set of participants: Asheem Chandna (Partner at Greylock Partners), Jay Chaudhry (CEO of Zscaler, and former CEO of CipherTrust), Jon Fisher (former CEO of Bharosa, and author of Strategic Entrepreneurism), Ed Batts (of DLA Piper LLP), and Amit Raikar (a Business Development manager with Symantec’s Enterprise Security Group).

When assessing the state of innovation and investment in security, there were several areas of contention as well as consensus. I won’t ascribe any statements to any panelist, and it’s not the case that all the participants even agree with this, but here are my own take-aways from the conversation:

  1. Investment in security is down, and the opportunity for entrepreneurs isn’t what it used to be. This will remain the case for at least a few years. Most IT security segments aren’t going to yield the next big company. In many cases, there won’t be a next big company. Most acquisitions in security are valued under $50m, so entrepreneurs make big bucks in IT security right now. There are a few areas of IT in general getting attention. Clean tech, biotech, and other areas are capturing the greater attention and dollars of investors. This does not spell the end for security innovation, but it does represent a pause.
  2. Where are the big investments and big opportunities? There was not a lot of consensus on this, but here’s my sense.
    • Fraud. Fraud is discretely identifiable as a multibillion dollar problem today. However, most of the antifraud solutions I see today are really authentication solutions, and that’s not what we need – no more risk-based authentication, no IP geolocation, no OTP over SMS. The problem isn’t only account takeover; though that’s certainly an issue, a lot of fraud occurs without accounts and you often have fraud even when people are who they purport to be.  What’s needed are solutions in the areas of device and identity analytics/reputation that have nothing to do with login and accounts (companies like Iovation, ThreatMETRIX, or Ethoca) and transaction analysis (Cybersource, Norkom, etc.)
    • Consumer security in the areas of identity and privacy. Consumer security concerns have moved off the desktop. The big worry for consumers isn’t malware on their machines, it’s that their identities and identity data can get compromised in other ways. Another big issue is privacy of their web activity: sites visited, items bought/browsed, and search terms entered. Unlike PII, this is information that is not given with consent, but gathered surreptitiously; and consumers are a lot more concerned about this information than much of their PII or other personal data.
    • Cloud-based security. In 5 years, there will probably be a few big companies that are fairly or very small today.  Four of those five will have cloud-based solutions. That is to say, cloud (or SaaS, if you like) will be the delivery model; it’s not that they will offer security of the cloud, but in the cloud.
    • Homeland security / physical security. Physical security is now IT-enabled: it’s no longer just gates, guards and guns. Video analytics, event monitoring and management, managed services, provisioning, and many other areas are ripe for opportunity. Then there’s the whole homeland security area: billions of dollars are being spent on IT-based security systems that have nothing to do with “IT security” in the classic sense (i.e., security of an organization’s IT systems). TWIC and CIP efforts, border control, anti-terrorism efforts, etc. The IT security market is dwarfed by this activity; just as a gauge to what IT security folks are missing, I recently attended the ASIS conference in Anaheim, and estimate that the size of that show was about 5x-8x bigger than the RSA Conference.
  3. Consolidation in the IT security industry will continue through 2010. Valuations are historically low (or at least back to historical normality). Big vendors are sitting on lots of cash. Everyone is eyeing the market and there are some good opportunities. Also, smaller companies with unproven technologies are having a harder time getting market traction. I’ve written about this in my report “VC Trends In IT Security”, which analyzes about $700m of investment activity in the IT Security market during 2008.

The obligatory first entry: “Why?” October 5, 2009

Posted by jonathanpenn in uncategorized.

Why my own blog outside of Forrester? Two reasons.

First is that Forrester’s existing team blogs don’t offer me the best forum to speak to the diverse kind of audience that I seek to engage. The topics will fairly consistently be about security and privacy issues; but the role of the audience to whom I address these posts will shift between IT security practitioners, IT vendors, and even the IT users (both corporate and consumer) who are affected by both security and privacy risks as well as by the measures designed to mitigate those risks.

Second, having my own blog both protects Forrester and liberates me at the same time. These opinions are my own (unless otherwise specified). And my own blog gives me greater license to express views that may be less developed, may be more controversial (both externally and internally to Forrester) than would otherwise appear on Forrester’s site. The opinions may even be against a narrow reading of what constitutes Forrester’s interests. It also gives me a place to damn – and to praise – practices and companies at my leisure, without getting Forrester involved in the fallout. At the least, that’s the theory…and hope. If someone takes issue with what I or others say here, please start by taking it up with me.