One of the things I enjoy doing is talking with IT about the problems they are trying to solve with certain vendors, and where they want to be within the next two years. It provides nice balance to the messages the vendor is giving throughout a briefing. One vendor customer check I did last week was on a manufacturer of advanced thin client devices. The customer had a few points on thin clients that I thought were worth sharing.

While the publicly held security companies are posting surprisingly good numbers in the face of a dour economy, privately held VC-backed companies are finding a tough time closing new rounds. This is not necessarily a bad thing - if a company is not getting market traction after a couple of years there is no reason to throw good millions after bad to keep the vendor on life support. Still, there are areas that look interesting even in this economy.

The long road of Sana Security as a privately held HIPS vendor ended with last week's acquisition. AVG, a leading endpoint security vendor specializing in Web threats, will embrace Sana's behavioral logic to help protect consumer data.

Microsoft announced that they will be retiring their OneCare security service in favor of a free product presently called “Morro”. The commoditization of anti-virus is exactly what AV vendors feared when Microsoft entered the business years ago. Starting in the middle of 2009, the cash cow subscriptions schemes will start to wane … and it is about time!

Challenging economic times provide motivation to try new approaches to solving old problems. This is never more true than it is for security, where the traditional brute-force methods that were invented 30 years ago need help securing use of the Internet.

The technology behind Google's Android and Apple's iPhone is spectacular (and Windows Mobile is none too shabby). The vendors will tout security features, but the reality is that these will need to be added in as the phones become commonplace within the enterprise. There are a couple of opportunities to fundamentally change the way IT secures and supports application access via these devices.

There have been some nice movements in the security space over the past couple of weeks that show large security vendors separating from the smaller tactical players.

PCI DSS would be a stronger standard specification if it allowed for responsible innovation by its affected members. There are a couple of practices that can be added to PCI that would help make it a living security standard.

It makes sense to relocate virtual storage structures (e.g. data, applications, VMs) and to occasionally move virtual applications as a best practice to keep centralized data centers as up to date as possible.

If you are looking at virtualization capabilities, then you need to look at Citrix, Microsoft, VMware, and check out Symantec. Ask each how their approach will bring more effective, and cost-effective, security to your organization. They all have good security stories and their answers may help you decide.

Streaming applications to endpoints makes compliance easier, lifts administrative burdens from the shoulders of end-users, and simplifies IT processes.

The security industry spends a lot of energy creating narrow market segments with "must have" features as mandated by compliance security specialists. If you are a vendor and the big three in your segment tally less than $200M, then you have some soul searching to do. If you are in enterprise IT, try to wait until one of your preferred vendors offers competing features.

Most security companies tend to take a horizontal approach looking to capitalize on the finance, service provider, and federal government markets that traditionally lead the way for security spend. A few companies are doing well in the education vertical, finding momentum with configuration control features specifically tuned into universities.

Players of the World of Warcraft will have the option to protect their accounts with the use of a $6.50 one time password generator. Perhaps the time is right to re-examine secure identity services to drive down administrative costs to make deeper penetration of two-factor authentication a reasonable business expense for organizations. If World of Warcraft can find a way to support strong authentication at $6.50 per user, why can't enterprises?

For the first time in 30 years, there were no public offerings from a venture backed company. Look for more VC-driven boards of privately held companies to more readily accept smaller acquisition flips, and to lose patience with entrepreneurs of stumbling companies that want to hold on for a few more years.