Security Market
Revisiting Big is the New Small
It's been quite a while since I penned the original "Big is the New Small" piece back in February of 2006. Obviously a lot has changed and happened in the security space since then. So I figured that on the first Monday in August I'd revisit that position and figure out if it was still relevant.
To refresh everyone's memory, Big is the New Small was the moniker I came up with to describe why consolidation was happening in security and why it was going to continue. Customers were increasingly fed up with the idea of having to manage multiple products from multiple vendors to handle mature, somewhat commodity functions. And all things being equal, they want to buy these solutions from "Big Security," the large publicly held companies that have staying power.
Much of this has come to pass. The Big have gotten bigger by continuing to acquire technologies to fill out their product families. Large companies have always acquired smaller companies; that's nothing new. And the original concept behind Big is the New Small is that customers were tired of dealing with crappy little vendors. They'd much rather deal with bloated, unresponsive, lumbering vendors.
There are many that cling to the "best of breed" myth. It's even funnier when you think about folks positioning their offerings as "integrated best of breed," whether it happens on the perimeter or on the devices. Or even in security management. Integration/unification and best of breed are opposites. Oil and water. You get the picture. It just doesn't happen.
These ideas also are NOT an indictment of innovation, as many of the small vendors called it. It was a pragmatic view of how the industry is working now. Some choose to fight it, until Big Security swings by with a bag of money. Then they get religion pretty quickly. But even that isn't the point.
The point is that over the last 2 years, customers are looking for security that is "good enough." The main issue is that without anything that is truly innovative (and it's been quite a while since we've seen true innovation in the security space), customers have no choice but to go with good enough. Most of the new companies out there are focused on "better, faster, cheaper" models of improving the way things are already done.
Since security remains an expense and an overhead item, the natural inclination is to minimize cost, and that means buying solutions that aren't the most expensive, but meet the needs in the most cost-effective way. That's the entire drive toward doing security in the cloud. Since it's good enough, we may as well have someone else deal with it.
By no means am I saying that our protection is good enough, it's not. But I don't think it's because we have a lack of tools or knowledge. We collectively suck at protecting information not because we don't know what to do. We suck because we just don't do it. If we would actually use half the crap we've bought, and build a strong and credible security program - things would be a lot better.
Not perfect, but better.
But we don't, so it's not. Thus, good enough is here to stay. And as long as good enough is the primary criterion for most product/service purchases, it favors Big Security. They aren't much, but they are usually good enough.
Photo credit: "Good enough" originally uploaded by russelldavies
Report Card: Incite #12 - Battle of the Titans
This is it. The last Report Card. Overall, not bad for my first year back in the game. But not good either. So I'll be working to make my Incites even more "inciteful" next year. Keep on the lookout, as the new batch of Incite will arrive on January 10 and will kick off even more Days of Incite.
Incite #12 - Battle of the Titans
The big will continue to get bigger in 2006, as frenetic consolidation continues as product line breadth outweighs actual functionality. By the end of 2006, it becomes apparent that the real battle is between Cisco and Microsoft to control the architecture of networks and applications moving forward. As with other huge marketectures, users are caught in the crossfire, but 2007 will see enough additional functionality for those embracing homogeneity to see a wave of infrastructure upgrades. Vendors not strongly aligned with one of the two titans face irrelevance by 2009.
Grade: B
Incite Redux post: here
The big continued to get bigger in 2006, boy did they ever! Some of the super big technology players bought big security vendors (EMC/RSA, IBM/ISS) to remake the face of the security market. Even the biggest of the big security vendors (Symantec, McAfee, Check Point) were the subject of acquisition rumors throughout the year.
Just goes to show that “big is the new small” and will remain that way for a long time to come in our space.
But what about this Cisco/Microsoft battle I speak of in the Incite? If anything, the two technology super-powers are looking more for détente than World War III. What fun is that? Between NAC interoperability and lots of other joint initiatives, it seems that Ballmer and Chambers are singing kumbaya around the campfire.
Don’t believe it. Right now these announcements are all about maintaining thought leadership around security infrastructure until both of these vendors can deliver on their promises. Microsoft has much more to lose since they are still 18 months (optimistic case) from delivering on their next generation security architecture, which revolves around Vista and Longhorn.
Cisco is a bit closer, but they’ve still got a lot of work to do to upgrade customer networks, so all of those fancy new security capabilities will be useful. They also need another 12-18 months of upgrades and refreshes to bundle in a MARS box to drive a lot of the security intelligence that drives Cisco’s plan.
And what about everyone else? Well two of the busiest partner programs are Cisco’s and Microsoft’s, so even if it’s just to put the partner seal on their marketing collateral – pretty much every smaller company makes the pilgrimage and writes the checks to be involved in both partner programs. So everyone is aligned with everyone at this point, which means that it’s all a load of crap.
For those vendors that aren’t Cisco or Microsoft, the biggest business over the next two years will be helping customers position their networks with “tactical” technology to solve today’s problems (like visitor access and leak prevention), while providing a migration path to either Cisco’s and/or Microsoft’s architectures in a couple of years. It’s amazing, but once again we will see a lot of tactical products become strategic. Haven’t we seen this movie before?
Cisco takes it to the next level
Cisco announced their Q1 FY2007 results last night. There was rejoicing in the Street (Wall Street, that is). Lots of other folks cover the specifics of their revenue numbers and the like. That's for other Wall Street types to deal with. All I know is that they grew by about the size of Juniper year over year, which is astounding growth given Cisco's size and that we have not been teleported back to 1999.
Reading the earnings call transcript (here), you see a bunch of interesting quotes from John Chambers. On the quarter: "It is very difficult to single out unique products in Q1 because, candidly, all of our top products did remarkably well." They did mention routers, switches and wireless, VoIP and networked home from the Advanced Technologies group.
But what about security? Interestingly enough, Cisco mentioned security grew in the "high single-digits." It is a bit interesting that security was not part of the spending orgy.
I can already hear the Cisco-haters out there saying it's because their products are not "best of breed" and the NAC Framework doesn't work. Yada Yada. The other security vendors shouldn't get complacent. Why? Because Cisco is proving that "Big is the new small" and that increasingly carriers are embracing Cisco as a "strategic partner" as the enterprise has for years.
To get a feel for what that means in the enterprise, here's another Chambers quote from the earnings call: "Today, I would say in the enterprise customers, especially the Fortune 500 around the world, maybe more than half of them use Cisco as a strategic partner, and a huge number of them standardize on us architecturally." To me "strategic partner" means sole source, or basically you need to knock the champion out to even have a chance to compete.
This is bad news for pretty much every security vendor that is not Cisco. As Cisco increasingly controls all levels of the network architecture, that is going to drag along a lot of security products by default. Other vendors won't lose to Cisco because they'll never get the chance to play.
This is happening today. In some recent vendor briefings, quite a few made the point that they don't lose to Cisco if the procurement gets to an eval. But the vendor's next sentence is about how they aren't in enough deals. The universe of competitive deals is going to continue to get smaller.
How does this happen? Don't technology buyers know they should talk to multiple vendors? What's in play here is what a former boss of mine called the "secret yearning" for the days of IBM ruling the world. These folks appreciated it when IBM did everything. They miss it because Big Blue made their life easier and their stuff worked well enough. Until it didn't, and then they had to adapt. They didn't like that adaptation process too much.
Cisco now gives them a feasible way to get back to the days of yore. At this point, Cisco is so well regarded at the CEO/CIO level that it's OK to just buy from them. And it isn't going to get easier to compete, because Cisco's plan is to own everything that has to do with the network, and then some, and integrate it all together. More words from Chambers: "I think what more and more people are realizing is that these products will be loosely and then very tightly coupled."
To bring that back to our world, the security products are now loosely coupled with the networking stuff. Very loosely. But if you hear the story and see the roadmap they've laid out - security is everywhere and that's when it's "tightly coupled."
Cisco will sell lots of security products because it's a network after all, and it needs to be secure. And if anything, organizationally the responsibility for network security is increasingly falling back into the hands of the networking folks. Right, that means more Cisco.
Just to be clear, I'm not a fan of sole sourcing much of anything. I think there are risks in getting everything from one vendor. But the pragmatist in me also realizes that integration reduces the cost of operating an environment and makes managing the environment easier. Especially in resource and money constrained mid-market companies.
So what's my point? Basically, Cisco has a controlling position in all aspects of networking, across most customer segments (except maybe SMB) and all geographies. Their early strength in the enterprise is leading to strength in the service provider and the service providers and retail channels will continue to drive Cisco (at least the Linksys and Scientific Atlanta operating units) into the home.
Cisco has replaced Intel as a dominant market maker. There are legitimate alternatives to Wintel now. Of course Intel is still a huge company, but they are much less influential in setting direction and just dominating the mind share of technology buyers. Microsoft is still there, but now it's Cisco as the clear other guy. As I mentioned in my Battle of the Titans Incite from January (Redux here), these two are going to fight over control of the security infrastructure. That's pretty obvious now.
And what does that mean for every security vendor that is not Cisco or Microsoft? It means you had better have a good answer as to how you fit in a Cisco and Microsoft world. And that you are fighting for the minority of the market that doesn't want to go end to end with one of the dominant players.
So where are Cisco's blind spots? First they have to execute on the vision. They have laid out a pretty compelling roadmap for security, but it's not even close to being there. Customers will wait, because it's Cisco, but not forever. Interestingly enough, it'll come from one of two places.
As always, they need to be wary of new competitors with disruptive technologies. But given how long it takes to upgrade networks, I don't see that really happening. AMD is making inroads on Intel because the switching costs are low and there is no real performance impact. All of the stuff works together. Routers and switches are a tougher sell. Sure big companies usually have more than one player, but a bulk of the business goes to the leader. This is evident in routers. Juniper has done a good job of becoming the #2 in routers, but it's not like they are threatening Cisco's dominance.
More likely, it'll be some type of anti-trust action. You know the old adage: "If you can't beat 'em, they must be a monopoly, so sue 'em." I don't know from where or why someone would bring an anti-trust suit against them, but it's bound to happen. They are getting too big and too successful. In a fit of desperation, perhaps a Nortel or Alcatel move to prove Cisco cleaned their clock because they didn't compete fairly. Stranger things have happened.
You'd hope that Cisco will learn from Microsoft's and now Intel's experience dancing with that Devil, and John Chambers does spend an awful lot of time in Washington hobnobbing with influence peddlers (neither Bill Gates nor any of the Intel CEOs were particularly interested in playing that game). But how else is anyone going to find a chink in their armor?
Seriously, I'm interested in other opinions. Add a comment to the post and we can get a dialog going.
SMB is the new enterprise
I've had a number of interesting conversations over the past week that have taken me to the conclusion that selling products to the enterprise is not interesting anymore. I get that the large enterprise is where the money is, but still. Most folks I know that target the large enterprise are frustrated and grumpy. Kind of like I was over the past 8 years. I figured it was just the road rash of spending 8 years trying to develop enterprise markets and my frustrations with grumpy customers that are never happy and take 6-12 months to make up their mind.
Nope. I think we are looking at a secular change in the go-to-market strategy for security vendors. Why? Because selling to the enterprise is a pain in the ass. First, you have to have a built-out offering with lots of bells and whistles. The enterprise requires complexity because their environments are complex. They require lots of features because they have big problems to solve. And they won't buy anything until it's all there. That's just the way it is.
But a combination of open source, consumer technology, more mature security channels, and the success of some vendors going the small route has given vendors hope that they can actually build a business without catering to the enterprise.
From a historical perspective, Start Up 101 had you building a big software product over about 18 months and selling it for hundreds of thousands of dollars to large enterprises. At some point, maybe the mid-market would need it and then you could sell it to them for cheaper (but without changing the product). But the focus was always the large enterprise. Then Barracuda changed everything. By introducing a low-cost, mass market appliance for email security and selling a crapload of them, Barracuda showed it could be done. You also saw salesforce.com and some of the anti-spam service providers (Postini really) go that route to market and find success, without being reliant on big enterprise deals.
This is something I've seen coming for quite a while. Back in 2002, after we sold SHYM to Authentica, I came up with the idea of a simple, cheap mass market disk-based backup appliance. Disk was getting cheaper by the day and customers hated tape. At that point, I didn't have the financial means to self-fund it, so I tried to get funding and never got it done. 2002 was a hard year to raise money and targeting the SMB was the third rail of VC funding. There are a bunch of companies that do "backup appliances" now. I suspect if I had an analogy like Barracuda back then, I could have just said "I want to be the Barracuda of backup appliances" and walked out of the meeting with a couple of million bucks.
But I digress. I spoke to one former colleague who is contemplating what is next and he wants to "Barracuda" a market. Look at some set of companies selling big fat license deals to enterprises and undercut them with a cheaper alternative targeted at 80% of the requirement for 20% of the cost. That's how you spur mid-market adoption and crush existing enterprise markets.
Another friend told me he wants to start a new company as well, targeting mid-sized businesses. He'd rather "work in a coal mine" than go after the enterprise market. I was cracking up because that's a funny perspective, but he's right. To be clear, it's not like getting to the SMB market is easy. You need a different sales model and marketing engine. Very different. But it's possible, and that's more hope than we've ever had in this space.
Forbes calls it the "cheap revolution." I call it wake-up time. Building on the back of the large enterprise is not the only way to build a company.
Nice guys finish last
and assholes sleep with super models. I don't make the rules, I just comment on them. By now, you should be sufficiently confused, so let me tell you where I'm coming from.
Shimel just loves to stir it up (here). Says it's good for ratings. And he's quick to rush to the defense of vendor-land when the big bad analyst starts calling everyone names. He's referring to my rant yesterday about Dark Reading's 10 Reasons Security Products Don't Work (here). It seems that he mostly agrees with me, except my unfair and harsh characterizations of vendors. But Alan is off-base here because he fancies himself to be a good and ethical guy.
But this isn't Alan's first trip on the tuna boat, so unless he has temporary amnesia, he's forgetting about the calls we've had discussing those "lying" competitors. Those marketing-driven companies that have no technical chops, but make their products seem like the second coming. He's forgetting that in competitive markets, everything is fair game.
This is a problem the success of the security business has created. There are just too many damn companies. Pure and simple. They are all chasing the same customers with the same limited budgets. This is a zero-sum game. If you win a deal, the other guys lose.
So every vendor has to try really hard to differentiate and sometimes they take liberties with the truth to do so. It happens in the form of outrageous claims that seem to surface during the sales cycle. It's something as small as "we handle zero day attacks with no false positives." Of course that isn't the case, but that's what customers want to hear, so that's what the rep says.
Alan is right. Sooner or later the truth is going to hurt. But if your competition has told the customer they can do it, you have a choice. Do you tell them the competitor is wrong? Hmm. That's mudslinging and bad form, the customer thinks you are a schmuck. Do you say you can do it, but with lots of caveats to stick close to the truth? Well, that doesn't work either. The customer heard no caveats from the other guys. Your product must suck.
If you don't join the "fun," you will lose deals because the uneducated customer won't know the difference. By the time they figure it out, the other rep has cashed the check and made the payment on his damn 911. Sure he'll have to clean up a mess, but the ride will be nice to get there with 450 horses under the hood.
I had this problem big time when I was a marketing guy. We had a very aggressive competitor that wasn't constrained by the truth. They'd lie about what they could do, and make up stuff about what we couldn't. I tried to take the high road for a while, but it wasn't working. If the other guys were in the deal before us, we had to spend countless hours unwinding the web of lies. If we were in first, the other guys would show up and start the fabrication engine and we'd again be playing defense.
Just like in poker, you don't necessarily have to have the best cards to go on the offensive. Our best reps were always on the offensive. They would sit with the customer and say, "this is what you will hear from the other guys and this is why it's wrong." They would do pre-emptive strikes. It's a brilliant sales strategy, and when you have the truth on your side, you win more often than not. But reps that can stand in that kind of fire are few and far between. Maybe 15% of them. That's not enough to scale a business.
The sad truth is that the other 85% get scared and fold when faced with a very aggressive competitor. They stumble over their words, can't compete, and lose. Then they get fired. It's very sad.
The purists out there will say, "what goes around comes around." And in fact, in some cases it has. But as products mature, technical differentiation becomes less noticeable. The vendors more successful during the early land grab phase will maintain market share because their product will get better. They figure out how to pacify those grumpy customers and they've successfully cut off the competitor's oxygen.
So what does this have to do with managing expectations? It's that there is a HUGE incentive for vendors to grab market share in an early market. And that means a lot of folks will bend (or outright break) the truth to get the box in there. Since the typical lifespan of a start-up that gets a positive exit is maybe 3-4 years, and a bulk of their boxes are sold in the last year, it's usually the acquirer that gets to clean up the mess.
Most importantly, what does this have to do with super models? By the time the users figure out it's Medusa lying next to them, the vendor has probably sold out to Cisco or Symantec for a crapload of money. They buy big boats, hang out with super models and then do it again. The virtuous cycle starts over.
For customers, the reality is unfortunate. We are going to continue to see this behavior because there is too much money at stake. And maybe there are some folks that do the right thing and in a few cases you can point to the nice guys finishing first. But that's the exception, not the rule.
Security is just another brick in the wall
It's interesting that I am always stumbling across interesting non-security perspectives that are very relevant to our little corner of the world. In this post (here), by Seth Godin - he basically says there are three ways to gain more market share. First, get new customers by having them switch from the competition. Second, grow the market (by having new customers adopt your stuff). Finally you need to keep your existing customers from leaving, which is a commonly overlooked aspect of growing market share.
But what tactics can be used to achieve these ends? Again, Godin has great perspective on this. One path (another brick in the wall) has you adding more capabilities to an existing platform, and over time customers will adopt the product if only to avoid having to keep integrating things themselves. The second is a true innovation, which would make switching too painful for customers, so they've got no choice.
So what? In the security space, we can certainly come up with examples of true innovation. SSL VPN is a good data point. It's so much harder to manage an IPSec environment, that most customers have moved to SSL VPNs. Vendors figured that out and started supplementing their existing IPSec boxes with easier to use technology to stop the bleeding. But bleed they did.
I'm betting we see a similar (but much larger) adoption of security switches over the next 5-7 years. As volumes kick up, there won't be much of a pricing distinction between security-aware switches and traditional Layer 3 gear and the pain of having to overlay and integrate access control into the campus will drive folks to overhaul their campus.
But those examples are few and far between. For the most part, Big Security has just continued adding stuff until the best of breed provider has nowhere to go but away. Or into the arms of a big acquirer (ISS anyone?). UTM is very much about that nowadays. Sure there are some folks that choose best of breed because they are gluttons for punishment, but in the lower ends of the market and in the larger enterprises where they have better stuff to do, for the most part they are looking at UTM boxes to provide better integration, so the customer doesn't have to.
So as you look to figure out what your security architecture looks like ahead of every budget cycle, keep in mind that all in all you're just another brick in the wall.