Blogger: Dan Blum
Much as a galactic black hole sucks matter into its maw, the Crash of 2008 has seized the public’s attention. The media is engrossed with the assessment of losses, causes, blame, and – most importantly – predictions of severity for the recession to come.
Not surprisingly, an interesting survey from a friend in the media turned up in my mailbox this morning. Here is what the survey asks, and this is what I said.
Do you believe the IT security market will continue to grow during the global recession?
I’m no economist, and have little faith anymore in the predictions of those who call themselves economists. With imperfect insight into how severe the global recession to come will be, it’s difficult to say how warm or cold the IT security market will get. Also, Burton Group doesn’t specialize in quantitative research, so we can’t fall back on a lot of impressive looking numbers.
That said, it’s the job of the security analyst to look into the crystal ball – however cloudy it may be – and read the signs. My take is this: If the coming economic winter is moderate the security market will remain relatively flat given the strength of regulatory and business drivers for risk reduction. But if the economic winter is severe (as in a new Depression) all bets are off.
On the other hand, hard times tend to bring on more crime and mischief. It’s likely that new or increased IT security incidents will continue to raise risk drivers for spending.
Which sectors do you believe will continue to invest in IT security during the recession?
If its “only” a recession then stronger sectors with strong risk drivers will maintain spending, weaker sectors with weaker risk drivers will cut back, and others will see mixed results. For example:
Banking and finance may cut back spending due to severe financial losses and M&A activity, however, their tendency to cut back will be mitigated by continuing regulatory pressure on privacy and risk management fronts.
Retail would be affected in any recession and could face pressures to cut back; however, retail’s rate of IT security spending is already low, and PCI/DSS compliance mandates won’t go away.
Government, defence, and health industries will likely maintain spending. Education and insurance may maintain spending, or see mixed results.
What IT security products do you believe will continue to do well during the recession?
Many may not do well. Relative to the others some will do “better,” “worse,” or “average.” Taking the product categories as I found them in the survey:
Encryption: relatively better (strong regulatory mandates)
Biometrics: relatively better (government investments)
Data leakage: average (big problem, but limited solutions)
Mobile security: average
ID & Access Management: relatively better
Gov Risk & Compliance: relatively worse (poorly defined category/solutions)
End point security: relatively worse (cut spending on AV?)
Managed security services: relatively better (lower support costs?)
Physical Security: relatively worse
Email Security: average
Can you provide any growth/decline statistics/predictions for the future of the IT security market?
While we don’t trade in statistics, Burton Group has strong research forecasting IT security technology evolution and IT security market dynamics. The following reports provide a great deal of insight into the broad outlines of the future of information security:
- VantagePoint 2008: Security Vital Signs
- Shifting Defenses: Security Futures for Networks, Applications, and Data
- The Long Tail of Risk and the Dynamics of the Security Market
Do you think that the IT security sector is still a strong one to invest in?
Given risk and technology trends there is and will continue to be relatively strong demand for IT security technology. That said, most of the money in the IT security market will not be made by pure play security companies but by much larger IT “conglomerate” vendors.
Our “long tail” report describes a dynamic where security spending is driven by continually shifting threats, attacks, and risks and the market is “always consolidating, never consolidated.” There is a continual crop of startups whose technologies mostly fail, are acquired, or are replicated by platform vendors such as Cisco, CA, Microsoft, EMC, IBM, Oracle, etc.
Only venture capitalists can invest in startups and there are relatively few “pure play” IT security companies listed on stock exchanges. Most of those are small cap rather than mid cap or large cap.
What opportunities do you think the current climate will open up to the IT security industry?
The two R’s – Risk and Recession – are clearly in conflict. Organizations will be trying to reduce the amount of risk they must mitigate, and to accomplish the reduction at a lower cost.
IT buyers may be ready for disruptive innovations that lower cost even if they provide less performance or functionality in some cases. For example:
- Thin clients (not a security product, but conferring security benefits) come to mind.
- Locked down desktop and application whitelisting may help organizations take the axe to expensive anti-virus budgets.
- Outsourced or managed security services will continue to make inroads where they can deliver adequate capability and control at reduced cost
How long do you think it will take before the IT security sector is affected by the economic troubles?
a. Immediately
b. 6 months
c. A year
d. 2 years
There is clearly already some immediate effect from the financial turmoil. As IT and IT security professionals, however, we shouldn’t obsess over the stock market. We need to stay focused on the businesses we are in and find ways for business to be more efficient, more effective, and (still) adequately protected.
Comments