Revisiting Big is the New Small

It's been quite a while since I penned the original "Big is the New Small" piece back in February of 2006. Obviously a lot has changed and happened in the security space since then. So I figure on the first Monday in August, I'd revisit that position and figure out if it was still relevant.

To refresh everyone's memory, Big is the New Small was the moniker I came up with to describe why consolidation was happening in security and why it was going to continue. Customers were increasingly fed up with the idea of having to manage multiple products from multiple vendors to handle mature, somewhat commodity functions. And all things being equal, they want to buy these solutions from "Big Security," the large publicly held companies that have staying power.

Much of this has come to pass. The Big have gotten bigger by continuing to acquire technologies to fill out their product families. Large companies have always acquired smaller companies, that's nothing new. And the original concept behind Big is the New Small is that customers were tired of dealing with crappy little vendors. They'd much rather deal with bloated, unresponsive, lumbering vendors.

There are many that cling to the "best of breed" myth. It's even funnier when you think about folks positioning their offerings as "integrated best of breed," whether it happens on the perimeter or on the devices. Or even in security management. Integration/unification and best of breed are opposites. Oil and water. You get the picture. It just doesn't happen.

These ideas also are NOT an indictment of innovation, as many of the small vendors called it. It was a pragmatic view of how the industry is working now. Some choose to fight it, until Big Security swings by with a bag of money. Then they get religion pretty quickly. But even that isn't the point.

The point is that over the last 2 years, customers are looking for security that is "good enough." The main issue is that without anything that is truly innovative (and it's been quite a while since we've seen true innovation in the security space), customers have no choice but to go with good enough. Most of the new companies out there are focused on "better, faster, cheaper" models of improving the way things are already done.

Since security remains an expense and an overhead item, the natural inclination is to minimize cost, and that means to buy solutions that aren't the most expensive, but meet the needs in the most cost effective mechanism. That's this entire drive to doing security in the cloud. Since it's good enough, we may as well have someone else deal with it.

By no means am I saying that our protection is good enough, it's not. But I don't think it's because we have a lack of tools or knowledge. We collectively suck at protecting information not because we don't know what to do. We suck because we just don't do it. If we would actually use half the crap we've bought, and build a strong and credible security program - things would be a lot better.

Not perfect, but better.

But we don't, so it's not. Thus, good enough is here to stay. And as long as good enough is the primary criteria for most product/service purchases, it favors Big Security. They aren't much, but they are usually good enough.

Photo credit: "Good enough" originally uploaded by russelldavies