The race to be the first lemming

Yesterday I was thumbing through Cisco's annual report for FY2007 and I lit up seeing their security revenues had increased by $240 million. There are few security companies that bring in that much in total annual revenue - many many vendors would love to have that as an accumulated lifetime revenue figure! - and here comes Cisco racking it up as a ho-hum yearly delta. Impressive. Cisco attributes their market success due to being able to embed security modules in switches and routers, providing end-to-end integrity, and offering an attractive TCO. Notice they talk more about the business benefits of their approach more than the quality of their security.

One of my take-aways from last week's Computerworld NAC discussion is that Cisco successfully markets security as intrinsically belonging to the network infrastructure. Enterprises that accept that premise necessarily have a hard time entrusting their security infrastructure to a small security vendor. The network security vendors fall in line with the NAC story and then fight amongst themselves to be the first in a line of lemmings. IT loses because they are not getting compelling choices for their security problems, and when IT loses you can be sure the vendors lose also.

Let me offer a few ideas to the security vendors for the sake of blog discussion:

Attack Cisco's strength. Cisco adores the concept of Self-Defending Networks, empowering the network to ensure complete policy compliance, and taking out costs via integration of security into switches. Whining about a product such as NAC Appliance is not helping your cause, nor is bickering amongst yourselves over who is number 5. Your common competitor is Cisco's network security vision and you will only survive by attacking its strengths.

Create a compelling vision of your own. Erase NAC from your corporate wiki, and describe in your own simple terms how your customers will describe your terrific values in 3 years. Open enterprise eyes to alternatives with where you're going. This may be as a more cost-effective switch to free IT of the Cisco stranglehold, easy to deploy software, independent security policy enforcer, or operational security layer between applications and the network fabric. I'm sure there are better ones - I just made these up in 5 minutes. Have just enough NAC fineprint to touch touch customer budgets, but no more. The important thing is to start defining yourself in market terms, not Cisco's.

Find 3 things that you do better than most, and make it insanely simple for prospective customers to try them out. Your choices will depend upon your technical capabilities and business ability to execute. If you cannot find a way to attack Cisco's strengths, then look into specialized opportunities in areas such as applying network security to information governance (including identities), management of virtual data centers and virtual appliances, optimization of security for connected home and branch offices, or securing SAP and Oracle enterprise applications complexes. Again, this was stream-of-consciousness. Call your banker immediately if you cannot find 3 areas you do better than most.

A good number of network security companies will die in 2008; even more will be kept on life support. In the last 5 years network security has only given us NAC and UTMs. Not so good. Let's hope that some of these folks break out of the pack of lemmings with something excitingly differentiated before its too late.