Cranking up the Hype Machine for "On-Demand Security"

Being out at the annual RSA show is always interesting. You try to get a feel for what is "hot" and what is actually selling. Over time, it has been amazing to track the hype and watch carefully for the signs of adoption.

Hype began in earnest a couple of weeks ago for "on-demand" security, driven by the formal announcement of Microsoft's Windows One Care and Symantec's Genesis. You can read the analysis of Genesis here. At the show, expect big thought leadership messages from the RSA keynotes, specifically VeriSign's Stratton Sclavos and ISS' Tom Noonan.

Noonan hit the circuit last week to start building up momentum for ISS' on-demand strategy. Check out eWeek to get the news. The article starts off with:

"Tom Noonan is fed up with the security industry. He's tired of seeing every new point solution touted as the savior of the Internet, and he's had it with the hodgepodge of security technologies from various vendors not working together and causing administrators more headaches than the threats they're trying to protect against."

Amen brother. That's awesome. I'm fed up too, and we are largely on the same page about too many narrowly focused products trying to solve every minor security issue. That's what "no mas box" is about and it's right. Something has to change. Best of breed is fine, as long as it fits into the existing infrastructure.

Is ISS the right company to be driving this change? They have a good a claim as any, I guess. But success will require more than fancy slides at RSA. To be clear, I have not spoken to ISS about their strategy (even though they are right down the street) and am planning to do so right after RSA. But let me give a couple of early impressions:

1. ISS needs to do something - Clearly the company has seen a bit of a renaissance driven by the move to Proventia appliances. But, in order to convince folks they are a security player with longevity (as opposed to waiting for Cisco or CA to buy them out), a big story demonstrating this is critical. Of course, executing on this over time is pretty important too.
   
   
2. On-demand security is nothing new - You get anti-virus updates on your machine every couple of days. Your anti-spam gateway may update signatures every 10 minutes. It seems every Tuesday you are getting patches for Windows. What is different about "on-demand?" Basically nothing. The idea of linking your asset base to a vulnerability scanner to get relevant updates is not novel (we tried to do that at TruSecure and Tenable and Sourcefire do it today). Packaging and pricing as a service is kind of novel. Moving to the razor blade model probably makes sense over time.

"But the security community has been slow to adopt the software-as-a-service model, in large part due to the concerns that many enterprises have about putting the security of their networks in the hands of outsiders."

This is actually wrong. Have companies TOTALLY outsourced their security? No, but how can you do that unless you've totally outsourced your infrastructure. But the adoption of targeted services is happening right now. Lots of folks have their ISP or outsourcer manage their firewalls and IDS devices. That is increasingly becoming the purview of the carriers and that trend will continue. And services for vulnerability scanning and email security tend to have as great (if not greater) market share than their on-prem counterparts. Check out the MSS Incite for more detail.

So, there will be lots of stuff announced this week at RSA, much of it aimed at driving hype to usher in the "on-demand" age of security. Much of this will be re-branding of the existing stuff, so we will see some innovative marketing to make the old stuff seem new. But, the short-term impact is minimal.

Yet, the idea of leveraging the "network" where it makes sense to increase security and speed reaction is right and this will happen. The question is just when. You know I'll be watching closely for when it becomes real.