Security is not a solution
- TAGS:security
- IT TOPICS:Management, Security
Way back in 1993, Chuck Stuckey, CEO of Security Dynamics with a $10M run rate, asked me to pull together a product strategy that would get the company to $100M in annual revenues within 5 years. A lot of extremely talented and dedicated people executed like crazy and the company went on to become the RSA Security division of EMC. The point is that Chuck had a sense of urgency to reach a critical mass where customers would expect the company to solve hard problems, and the company would have the strength to ride out market disruptions.
I bring this up because the security industry spends a lot of energy creating narrow market segments with "must have" features as mandated by compliance security specialists. But these companies cannot possibly attain revenues of $100M in 5 years. My rule of thumb is that the top three vendors in a segment have to exceed $200M in combined annual revenue for the segment to be a viable market; otherwise the technology is doomed to be merged into other products. NAC, database security, and DLP are three easy examples of segments that are features with niche appeal, but are unlikely to become viable, sustainable markets. (I would have included SIEM here, but ArcSight rang up $101.5M in its most recent fiscal year, so the jury is still out even though the first SIM manuals were printed on scrolls and tablets.) One law of marketing is that customers vote with their dollars: if a market segment cannot sustain revenues, then it is not delivering competitive value. There is a message there.
If you are a vendor and the big three in your segment tally less than $200M, then you have some soul searching to do. Create a vision where the best features become an imperative in a business process, and position your products on the path to that vision. For example, database security vendors are doing fairly well in this compliance-driven economy as they inspect SQL statements for malicious actions. But this has to be part of something bigger - perhaps combined with messaging and SIEM systems it can become a transaction auditing function which every public company requires, or perhaps combined with application servers, browsers and virtual desktops it can become a more strategic end-to-end application security capability. Broaden your vision before dreams of dominating a market segment fade away after years of hard effort.
If you are in enterprise IT, try to wait until one of your preferred vendors offers competing features. It's always nicer to deploy mature features from a vendor with whom you already have a working relationship, one you can lean on if something doesn't work out. Of course, if you need the capability now or the business justification is compelling, then buy it now with all the proper checks. But be sure to structure the deal so you can switch vendors if the security segment doesn't evolve the way the vendor promised.
Remember: security is not a solution; security enhances the real solution.