When Symantec, one of the grand old dames of security, recently decided to split itself into two separate companies, it raised questions about the entire security market. Indeed, it would appear that Symantec decided to separate security (Symantec) from information management (Veritas, which it bought for $13.5 billion in 2005) because neither is currently showing any growth. Symantec’s security division revenue is down 0.3% year to year.
Ilia Kolochenko, CEO and founder of security firm High-Tech Bridge, is not surprised that even one of the world’s largest security firms is struggling in today’s market, which is perhaps surprising since most business research firms tend to say that we are spending more, not less, on security. The problem, believes Kolochenko, is that there are too many security firms providing insufficient security.
“What we are seeing today,” he told me, “reminds me of the dot-com bubble at the end of the last century. At that time, confidence in the online marketplace, e-commerce and IT industry in general was so high that almost anyone who could switch on a PC could get financing for an IT business. The only problem was that most of these businesses were set up to create artificial problems or boost non-existent demand in order to make quick money. They didn’t actually solve any real problems.” The bubble burst when the reality hit – the market did not want or need all of these businesses.
A classic example in the security market of the time was the rise and fall of Baltimore Technologies. The industry had persuaded itself that large-scale public key infrastructure (PKI) was the solution to all security problems. Baltimore grew in just four years to a valuation of more than $13 billion and then collapsed even faster. It sold a product that the market didn’t either want or need but one that investors were persuaded it needed.
Kolochenko believes that the security market today is in a similarly precarious position as was the online business market during the dot-com boom: too many firms are trying to provide solutions to the wrong problems. “It’s a question of efficiency and effectiveness. Efficiency is about doing a thing right, while effectiveness is about doing the right thing.” says Kolochenko. “After the dot-com bubble, VCs and other investors began performing thorough due-diligence on the companies they invested in. Today, they do indeed verify that the technology works, that it has competitive advantage in the market, and they calculate how many potential buyers may pay for the technology before they invest in it.” In short, they make sure that new security products are efficient.
But where they get it wrong is in not ensuring effectiveness. “Some information security companies today solve problems and mitigate risks that probably have the very lowest priority in the business risk list. In order to sell their solutions, they create artificial demand, quite often misleading or even scaring their customers with false threats or non-existent risks. The worse is resellers, companies who are not capable to create anything themselves and thus resell third-party products and solutions. Quite often they don’t even bother to understand if a particular customer needs a product they propose but instead try to convince them [by all possible means] to purchase it. As a result, many companies purchase [efficient] products that they just don’t need, forget or fail to purchase the solutions they really need in order to mitigate the most important cyber security risks their business face, and get hacked as a result.”
The reality is that business is still getting hacked – in fact, we hear about more and more security breaches every day. The problem is that the security technology is efficient in what it does but not effective in providing security. And that’s because the hackers are also businessmen. “Hacking is about business, money and profit,” explains Kolochenko. “Black hats will not spend their money and time developing expensive custom-made 0-day attacks when companies have pedestrian vulnerabilities and don’t install patches in a timely fashion.”
Today, most breaches are still delivered via “pedestrian” XSS and SQLi vulnerabilities. This is where the security industry is failing. “It promises to recognize a burglar walking down the street but doesn’t show us how to lock the front door and close all of the windows. There are many efficient products and solutions, but there very few efficient AND effective ones” explains Kolochenko.
The danger for the security industry, says Kolochenko, “is that when businesses spend a lot of money on information security but still get hacked (because they mitigated the wrong risks through acquiring the wrong products) they will hesitate to spend at all on infosecurity and lose confidence in the security industry in general.” That is what happened to the dot-com businesses, and it could possibly repeat itself with the security market.
So, will the market collapse like the dot-com bubble? Probably not, but there are too many security companies that are selling too many ineffective products. What Kolochenko foretells is a drastic contraction. Many of the new young companies built by marketers creating artificial threats rather than engineers who solve real problems will probably not survive, and even some of the bigger companies will start to divest themselves of their security divisions. Only the genuinely innovative companies that combine efficiency with effectiveness to serve a genuine security need and solve the real problems will survive.
By Kevin Townsend, High-Tech Bridge
About High-Tech Bridge
Headquartered in Geneva, Switzerland, High-Tech Bridge provides customers in Europe, the United States, the Middle East and across the globe with information security services such as penetration testing, security auditing, computer crime investigation and web application security testing.
In 2012, analyst firm Frost & Sullivan recognised High-Tech Bridge as one of the market leading service providers in the ethical hacking industry. High-Tech Bridge also received the prestigious Online Trust Alliance Honor Roll award in 2012, 2013 and 2014.