Is Security More Resilient In A Down Economy? 10 Perspectives

I think right now overall, we are seeing some difficulty across all technologies in terms of investment from the market. It's not that people are not spending money. It's just that they're being much more specific on their business goals and they're being much more careful in the way they spend money. It has to fulfill a need. They can't buy technology just to buy technology.





With firewall, antivirus, antispam, [and other] infrastructure pieces, we've found those sections are definitely soft compared to previous times. We've found that other components of security have become a much greater focus point -- they're an easier penetration point. Things like application security, security compliance and regulatory type of security measures are put in place to help clients meet and accomplish best practices and be able to effectively show they're doing their due diligence. In the past, those are things we've possibly neglected because it's a little bit more difficult to do the sale.





Many clients have been doing security very manually at the application level, so looking at these markets out there, we are trying to make it more efficient for them in that process. Developing reports, automating reports -- that's the direction security for us has been going. Traditional network plays are great, but unless there's a very clear definition or to a business requirement, they haven't been a very strong compelling driver for us this quarter.

When the economy weakens, the need for security actually becomes acute. Since most security breaches are ultimately financially motivated, we have seen a steady rise in incidents and expect this continue during the economic slowdown. At the same time, the downsizing and outsourcing of IT departments creates more opportunities for the channel to provide specialized security services to organizations. We have seen many of our channel partners move toward a managed services-based model with respect to security, and flourish in the current financial conditions. Via this model, end-users gain flexibility that allows them to focus resources on their core business while maintaining a high level of protection against cybercrime.

Security and backup and recovery are not optional for customers and they continue to invest in these segments. We see two big trends driving customer purchasing decisions: Every company has digital assets that need to be secured and storage needs continue to double every two years. The mission-critical nature of Symantec's security, storage, and backup products combined with the compelling near-term ROI delivered by many of our solutions position us well in this environment.

Although our security products sales have risen, the shift of market share has been dramatic. Virus writing has migrated from nuisance code to crimeware and has emerged as a multi-billion industry, some say approaching $100 billion worldwide. In 2007 alone, Kaspersky Lab identified more malicious software than in the previous 11 years combined. Predictions are for an additional 10-fold increase in new malicious software samples over the previous year.





In the past, antivirus and antispyware was enough to protect the user. This is no longer the case. Traditional end point products like antivirus, anti-spyware and personal firewall markets have been eclipsed by broader "suites" of related security technologies. Along with the rising statistics in crimeware, companies are also increasingly required to address risk mitigation, which grows the security market for us all. Among the evolving security risks are the growing financial costs and penalties that relate to successful attacks on consumer credit card information, not to mention the harm to a company's image and data loss due to lost or stolen computer equipment. Industry research that has estimated 25 percent of a company's intellectual property is held within e-mail. Where's the end users' plan to mitigate that risk?





Technically speaking, our industries' most popular software solutions are capable of providing maximum security against today's malware like viruses, worms, Trojan horses and spyware. Today product difference can be found in the management functionality (ease of use, reporting capability, etc.) along with the agent/module footprint size and consequently the performance impact. These are the issues that will speak to a security VAR's expertise, capability and profitability in 2009 and beyond.

The current economy is forcing companies to make difficult decisions on where to spend their money. Security, more than most other IT expenditures, remains a "must have" investment. If organizations are not vigilant about data security, a breach could occur causing customers to flee, which will inevitably impact the bottom line. Our recent research revealed that 56 percent of large organizations have suffered at least one data breach within the past 12 months and statistics show that cyber attacks are increasing. An opportunity exists for the channel to leverage the current environment by expanding their delivery of database security, risk and compliance solutions and services -- and thereby also deliver much needed peace of mind.

Is security more resilient? It certainly appears that way. I guess I'm at the right place at the right time. There's still a demand for antivirus and security software. I would say there definitely is. Antivirus is definitely going to be more resilient.



Cloud computing is definitely the wave of the future. Any of these manufacturers that don't offer cloud computing, you're going to see some of them die. Why? Purely the cost of manageability. In theory you should have pros managing this stuff. How many people are going to specialize in it? I don't know. VARs or resellers that end up specializing, we should be fine. We should get most of the business because our name and reputations should be out there.





That's where the financial part comes in -- it's just saving these companies money. I've just freed up a server for (the customer). I've just saved him money and freed up a machine, now he has $4,000 he doesn't have to use on antivirus.

The current economic landscape is taking a toll on everyone, with IT being no exception. It comes as no surprise that enterprises worldwide are taking a hard look at their budget allocations, and as critical as information security is, it will not escape scrutiny. Budgets are tightening, security infrastructures are expected to do more with less, and executives will are looking for the maximum return on investment.





However, reducing risk, especially in the form of online fraud, will continue to be a major spending priority. With the state of the economy, stealing intellectual property is becoming an easy way for fraudsters, competitors or even former employees to turn a profit. As internal and external threats continue to evolve and information becomes more fluid (i.e. sensitive information residing on mobile devices), the security risks of conducting business are increasing by the day.





Even in this downturn, our customers are asking us and our partners for direction and are continuing to make investments in security technologies to increase their defenses and focus on protecting sensitive information. By using an Information Risk Management strategy, they can tactically prioritize security projects now while leveraging the same framework to strategically prepare for the day the economy turns around and budgets open up.

I think there're definitely some security projects being stopped. With some of the more important items, companies cannot afford to have their brand damaged, or lose their top rating as their reputations are concerned. You're going to see Web 2.0 issues hit the boardroom in 2009. We've had companies in financial trouble spend money to address Web 2.0 challenges, renewing subscription licenses or looking at data leakage.







We do a lot with content protection and content filtering, in the workplaces going after the Web 2.0 [security market]. Companies are spending money in those areas. We're seeing that a lot of these companies want to outsource (Web security) to a specialist. We've been able to help drive initiatives in these companies to show them ROI. Nobody wants to run naked in the Internet.





We're having one of our better quarters. These companies take this stuff seriously. We've been able to make it a win-win for them. There is definitely some pain right now for everybody, but you can still be profitable from a VAR standpoint. In our case, we're just as profitable if not more.

Of all the sectors within the IT industry, the security market has a degree of resiliency. Years ago, there was a shift from hackers being motivated by ego and reputation that shifted to hackers plying their trade for basic economic gain. When the economy is bad, that motivation goes up, not down. Companies cannot afford to skimp on security as the impact cost of a successful attack can literally put a company out of business.







Also, in a bad economy, the threat from within a company amplifies dramatically. With multiple rounds of layoffs occurring across the nation, it is becoming increasingly common that disgruntled employees are seeking vengeance by stealing or corrupting data to harm their previous employers work. To prevent this, companies must first be aware of the threat and secondly, have the technology and processes in place to prevent this. In conjunction with the rising levels of cybercrime activity that are seemingly spiking at the moment, it will not surprise me at all if the industry continues to see a high demand for security solutions.

Whether you're looking at end point security or data encryption, security has to be the foundation of any organization, one of their primary focuses.



There's going to be additional consolidation in the industry. Organizations are going to see that's where their money can be spent in 2009 and beyond. And states are going to be mandating data security. Businesses are faced with a never ending list of both internal and external threats, whether it's HIPPA or SOX or PCI. Some of [the regulatory agencies] hold their board members criminally liable. As stock holders and business owners, there is a requirement that these companies do everything they can to maintain that security. It's critical that they deploy enterprise solutions that fix or address those threats.





Whether its appliances or applications, it's trying to decide what works best for the organization given the cuts in their budget. It's fundamentally making sure that the IT security is in alignment with the overall goals of the organization, if one doesn't have a visionary CIO or CEO, and are thinking more than the immediate future, then they're going to suffer. Security has to be a holistic plan that addresses everything in their environment. The CEO has to look beyond the recession. They have to. It's not going to last forever.