Security Savvy
The good news is that market conditions offer plenty of opportunities. VARBusiness' State of the Enterprise survey reveals that more than three-fifths of all enterprise-size customers and two-thirds of the largest enterprises (10,000 or more employees) rate security as a top priority in 2004. That number is likely to increase if the industry gets hit with more of the high-profile virus and worm attacks that ran rampant last year. But customers are even more judicious in their spending habits than in previous years. That means vendors need to demonstrate "proof of concept:" Just like organizations that began to rebel against overpriced and ill-performing ERP installations a few years ago, customers are tired of spending big bucks on stopgap security technologies that don't deliver what they promise.
Unfortunately, a foolproof security tool that solves all of an organization's problems doesn't exist, and never will. But the sector does support more than 400 companies, each working on their own best-in-class solutions. Some vendors, obviously, do a notably better job than others, and customers, often with the help of services-oriented VARs and solution providers, are getting much better at finding them.
Not long ago, the IT department was solely responsible for locating the right product at the right price. That was especially true in the enterprise. Security-related questions very rarely reached the boardroom unless there was a full-blown crisis. That security issues are now discussed at the highest executive levels is exemplified by the rise in the number of C-level executives whose jobs are devoted almost exclusively to security in their organizations. Enter the chief security officer.
"The enterprise is typically the early adopter of new security technologies, and the majority of our enterprise customers now have CSOs or CISOs [chief information security officers]," says Greg Smith, senior director of product marketing for Teros, a maker of application-level security products in Santa Clara, Calif. Those positions are typically filled by people who started out in IT, but came up through the ranks because of their business perspectives, he explains.
The CSO or CISO is often the liaison between his or her company and the systems integrator on the project. Solution providers would be wise to get to know the CSO at their customer organizations sooner rather than later.
According to Glenn Hazard, chairman and CEO of NetSec, a managed services solution provider (MSSP) in Herndon, Va., the new officers add a welcome expertise to the process of selling and implementing security tools to clients.
"Customer maturity and demand awareness around security is much different today than it was two years ago; for the past 12 to 14 months, we've seen more titles like CSO, director of security, or vice president of risk management and compliance," he says. "Prior to this, even in large corporations, the top security person had a more removed role, but we're seeing a lot more centralized control. Companies are assigning IT responsibilities to individuals, and people are much more concerned with whose signature is going on which piece of paper."
These security officers, who may have had only advisory input into past technology purchasing decisions, now are playing a crucial decision-making role at their companies.
"The CSO used to be the 'corporate Cassandra' who sounded alarms but didn't get much attention; now they're getting the ear of the CEO and other high-level executives," says Trent Henry, an analyst with the Burton Group, a Midvale, Utah-based consultancy.
Christofer Hoff is part of that new breed of CSO. Hoff is director of enterprise security for WesCorp, a $24 billion corporate credit union in San Dimas, Calif. While increased security concerns have naturally made his job tougher, Hoff notes that improvements in security technology have helped elevate the awareness of his professional needs in the eyes of his board.
"The newest tools provide real metrics and show the reduction of risks instead of just the return on investment, and our board is much more receptive to this," he says. "We have a wonderful management team that recognizes the value of a purchase. We communicate effectively without being adversarial, so I don't have to fight for my budget."
While it's true that companies have generally had some type of security officer in their ranks, elevating that position to C-level status is a relatively new development. One of the biggest reasons for that promotion is the security requirements brought on by new regulations such as Sarbanes-Oxley and HIPAA.
"The huge jump in senior-level positions and boardroom awareness of problems is due more to the new regulations than to the increase in attacks," says Mike Higgins, managing director of Tekmark, an MSSP in Edison, N.J. Companies want to ensure they are in synch with rules to avoid trouble later.
But while it's commonly assumed that companies not in compliance with regulations run the risk of significant fines, that's not always the case. Burton Group's Henry says some security vendors go overboard, using the threat of regulatory penalties to scare customers into purchasing unnecessary technologies.
"Vendors might lead you to believe you have to comply, but, in fact, the regulations stop just short of a mandate," he says. "For many customers, the technology they've had in place all along should be enough to comply with most regulations." Henry isn't suggesting that companies forgo upgrades to their security, but he advocates more measured purchases. "There still are companies--mostly SMBs--that don't even have firewalls deployed," he says.
You Know the CSO--Now What?
Brandon Dunlap is not unlike many IT customers. Dunlap is head of IT security for Constellation Energy Group, a supplier and wholesaler of electric power in Baltimore. In the past year, the company underwent a massive change in its security infrastructure, a change brought on by a seemingly simple incident.
"Our CIO couldn't call another building on our campus without dialing 10 digits, and he wondered why," Dunlap says. "We had all kinds of fragmented information, but in the past year we've consolidated all of our IT from each business unit into a more centralized structure, and it went pretty well. We should be well-covered on the reactive side, but we're always looking to extend our preventative side."
He adds that the new regulations have been a positive force behind the change. "They've been a good thing for us because they're a tool to motivate change and to get all the departments to speak the same language," he says.
Successful VARs are fluent in just what that preventative side ought to offer. Some clients may need a specialized system with products from different vendors, while others may benefit from an end-to-end solution. But while an end-to-end solution is always inviting, systems have generally become too complex to make that a reality.
"A lot of vendors' solutions require you to go down their path only, so the problem becomes integrating it all together with everything else you have," WesCorp's Hoff says. That's where VARs come in.
"There's far too much technology available, and it's creating a mass of confusion for customers, so they call us to come in and sort it out for them," says William Crombie, CEO of BMD Solutions, a security solution provider in Simi Valley, Calif. "A couple of years ago, it was the security vendors that were driving customers; now it's the VARs who are driving them. The consulting business is growing because customers don't trust big vendors to give them what they need."
If there is a consensus about any one area of security spending, it's that there's plenty of room for new technologies, and customers are awaiting them with bated breath.
"Event correlation is the Holy Grail for us: to be able to correlate our data against a vulnerability management system to see which machines are at risk and how to mediate them," Hoff says. "But we're a couple of years and hundreds of thousands of dollars away from being able to do it as extensively as we'd like." Dunlap says he'd like to see more antivirus technologies that extend beyond desktops, as well as more monitoring tools and certification services.
Tekmark's Higgins, meanwhile, sees a big opportunity in improving the way customers secure their mobile workers.
"Some companies are working on the management of road warriors' machines, creating automated tools that put guys into quarantined zones until they get up to date," he says. "Whoever does that first will see a huge increase in sales." He adds that improved firewalls, intrusion-prevention systems (IPS) and services for antispam and mobile devices also are coming into play.
Henry says vendors are bolstering their old intrusion-detection systems with new IPS tools that improve on the false positive problems many IDS users have complained about in the past. He also says vendors are scrambling to develop technologies, such as protocol or behavioral anomaly detectors, rights-management solutions and ID-management tools, such as smart cards or tokens. Even the old standby, strong authentication, continues to garner R&D attention.
As these new technologies come and go, inevitably so will some of the vendors that developed them. However, one positive development is that, unlike during the dot-com boom, the competitiveness of the security sector is forcing companies to solve actual problems and not just hang out a sign that says, "Security Sold Here."
"A lot of companies are coming out with technologies that are filling needs instead of just randomly throwing technologies at problems," BMD Solutions' Crombie says. As this trend continues, it should provide ample opportunities for VARs and solution and services providers willing to creatively satisfy their customers' needs.
