UTM
Revisiting Big is the New Small
It's been quite a while since I penned the original "Big is the New Small" piece back in February of 2006. Obviously a lot has changed and happened in the security space since then. So I figured on the first Monday in August, I'd revisit that position and figure out if it was still relevant.
To refresh everyone's memory, Big is the New Small was the moniker I came up with to describe why consolidation was happening in security and why it was going to continue. Customers were increasingly fed up with the idea of having to manage multiple products from multiple vendors to handle mature, somewhat commodity functions. And all things being equal, they want to buy these solutions from "Big Security," the large publicly held companies that have staying power.
Much of this has come to pass. The Big have gotten bigger by continuing to acquire technologies to fill out their product families. Large companies have always acquired smaller companies, that's nothing new. And the original concept behind Big is the New Small is that customers were tired of dealing with crappy little vendors. They'd much rather deal with bloated, unresponsive, lumbering vendors.
There are many that cling to the "best of breed" myth. It's even funnier when you think about folks positioning their offerings as "integrated best of breed," whether it happens on the perimeter or on the devices. Or even in security management. Integration/unification and best of breed are opposites. Oil and water. You get the picture. It just doesn't happen.
These ideas also are NOT an indictment of innovation, as many of the small vendors called it. It was a pragmatic view of how the industry is working now. Some choose to fight it, until Big Security swings by with a bag of money. Then they get religion pretty quickly. But even that isn't the point.
The point is that over the last 2 years, customers are looking for security that is "good enough." The main issue is that without anything that is truly innovative (and it's been quite a while since we've seen true innovation in the security space), customers have no choice but to go with good enough. Most of the new companies out there are focused on "better, faster, cheaper" models of improving the way things are already done.
Since security remains an expense and an overhead item, the natural inclination is to minimize cost, and that means to buy solutions that aren't the most expensive, but meet the needs in the most cost effective mechanism. That's this entire drive to doing security in the cloud. Since it's good enough, we may as well have someone else deal with it.
By no means am I saying that our protection is good enough, it's not. But I don't think it's because we have a lack of tools or knowledge. We collectively suck at protecting information not because we don't know what to do. We suck because we just don't do it. If we would actually use half the crap we've bought, and build a strong and credible security program - things would be a lot better.
Not perfect, but better.
But we don't, so it's not. Thus, good enough is here to stay. And as long as good enough is the primary criterion for most product/service purchases, it favors Big Security. They aren't much, but they are usually good enough.
Photo credit: "Good enough" originally uploaded by russelldavies
Incite Redux: Day 3 - Best of Breed DOA
Good Morning:
Is it Wednesday already? Maybe for you. I'm writing this from the past, and that's one of the amazing things about technology. I can stack up 10 posts before I leave and like a clock, you'll get your daily dose of babbling. So let's all do a prayer of thanks to the Technology Gods. But the reality is that I am in fact writing this post, so at some point I had to get out of my normal schedule to get ahead of my publishing schedule.
My business still needs me to run, and that is an inherent limitation. It's also something that I'm planning on addressing in the very near term. No, I can't talk about it yet - but I've got some super-secret projects underway and hopefully it will contribute to being able to really take time off, as opposed to just paying my work forward.
So that brings up the inevitable question: when you are out of the office, who is holding down the fort? Can they do your job? If not, what do you have to do to get them there? No one is indispensable, and you don't want to be. So think about it. And have a great day.
Incite #3: Best of Breed DOA
As security matures as an industry, the concept of “best of breed” goes the way of the dodo bird. Mature technologies such as firewalls, IPS, and anti-virus get subsumed and integrated into bigger “suites” making the individual performance and feature set of a specific function less important. Emerging functions still stand-alone, but not for long as the innovation/consolidation cycle accelerates. Security management offerings also consolidate, driven by the fact that most customers don’t have time to deal with one management hierarchy, certainly not 2 or 10. This continues to reinforce the “big is the new small” trend that has predominated security buying for the past 2 years.
Read the original Days of Incite post on this topic.
6-month grade: A
I got a great question from one of my channel contacts a few weeks ago. They asked if they could still get a stand-alone firewall anymore. They'd been looking a bit, but it seemed that every device that was out there was "more" than just a firewall. Some went the UTM route, others have focused on applications, but you actually have to look hard for just a firewall. Clearly this kind of consolidation of functionality is happening and it's what "big is the new small" is all about. But is this good or bad?
Basically, it's neither. I answered the question to my contact by reminding her that UTM devices are still firewalls. You just turn off all that other stuff and run it as a firewall. Yes, kind of like using a Swiss Army Knife as a cork screw. And given the cost economics of the technology business, that's not a bad thing to do as you are migrating from one perimeter platform to another. You incrementally get there and then when you are ready, you turn on more functionality in the UTM box and turn off the stand-alone device.
The same thing is happening in the endpoint security game. Everyone has an AV engine nowadays, if only to take that objection off the table. You know, why go with just an anti-spyware agent when I also need AV? You don't. You buy a suite that includes all this stuff. And it seems there is no end to the bundling. Symantec is adding backup features (as you'd expect) and Microsoft is bundling Office with OneCare as a subscription. Yep, security is something we all need and something that will be a checkmark or free add-on to something else you are buying.
I kind of laughed 5 years ago when my new PC (yes, when I still bought and used PCs) came with a full license of CA anti-virus. I used it diligently until that machine croaked. Why would I pay for something else? And that's exactly the point. You'll see the endpoint security folks continue to focus on bundling as their main path to market.
Security management is also playing out as I projected. Pretty much all the SIM players have a log management offering and vice-versa. You are now seeing integration with the identity management folks, which makes sense because you want to get down to managing a user's activity - not just a nameless, faceless IP address.
Those companies that still have stand-alone solutions have some strategic decisions to make. It's increasingly clear that having just an IPS or just a secure switch, or just a set of security utilities is not a way to find long term sustainability. But with the macro-economic environment being pretty crappy, you won't see a lot of deals over the next 12 months, unless they are deals done under duress (yes, fire sales). The privately-held category leaders will likely wait for better valuations, which they figure will come back when the stock market strength returns.
This Incite is rather obvious, but still pretty accurate - so I'll bestow an A on it at this half-way point.
Photo credit: "French Army Knife" originally uploaded by Simon Davison
Report Card: Incite #1 - No Mas Box
Over the next 3 days I'll be revisiting each of the 2006 Incites, giving myself a grade and putting a close on 2006. This will give all of us the ability to start fresh in 2007. I'll be posting my 2007 Incites on Feb 10, which will start the 2007 Days of Incite - where I'll get out my crystal ball and wax poetic about where things are going over the next 12 months.
Without further ado, the first of the 13 part 2006 Incite Report Card!
Incite #1 - No Mas Box
Users will increasingly revolt about adding yet another narrowly focused security appliance into their network and actively examine new simplification architectures. New Unified Threat Management (UTM) products, using blade servers and virtualization technologies, appear in 2006 putting vendors that license key intellectual property at a disadvantage. Management of the integrated UTM environment will remain difficult through 2007.
Grade: B
Original Days of Incite post: here
Incite Redux post: here
In looking back at this Incite, something very profound occurs to me. The first part of the projection, regarding integration, has happened. Customers are voting with their dollars and continuing to look at integrated solutions to swap out stand-alone technology. That is driving significant growth for UTM vendors, and those that have evolved their technology to serve multiple purposes.
It’s also not as easy to manage these UTM devices as it needs to be. Customers are still largely looking at solutions that are integrated on the glass. There is value in that from a workflow and administrator experience standpoint, but it does minimize the value that a truly integrated policy could bring.
For example, imagine that you bring on a new trading partner and connect your networks. It would be great to have a wizard that configures the proper VPN connectivity, white lists the partner's domain for email, but still scans each packet coming across to prevent the proliferation of malware. Sure you could do that today, and for a skilled administrator – it’s not that big of a deal. But it should be easy for all types of administrators.
Hopefully we’ll see true management integration in 2007.
I know, nothing thus far sounds that profound. But let’s take a look at the middle part of the Incite – detailing UTM architecture. This part is neither right nor wrong. The epiphany is that it really doesn’t matter. Customers don’t care about virtualization; they don’t care about intellectual property licensing. They care about whether the product solves their problems and if they can get it at a fair price. Clearly they want the vendor to stay around, so business viability is important – but gross margins are not.
So you won’t see any more product architecture projections from me because ultimately it’s not important. Not in a rapidly maturing product category anyway.
RIP Perimeter BOB
I can always count on my pal Chris Hoff to tell me when he thinks I'm full of it. Though evidently a Pink Floyd fan, the ever verbose Mr. Hoff weighed in on my frivolous use of their lyrics in the Security is just another brick in the wall post (here).
Since responding to a comment that no one would read wouldn't allow me to debate, let me post Chris' comment and my response.
(Keeping in spirit with your Pink Floyd theme...)
How appropriate that the next song after "Is There Anybody Out There" is "Nobody Home" because, sadly, you aren't and yet you left your lights on ;)
I take issue (for obvious reason) that people who choose best-in-breed are doing so merely because they are "...gluttons for punishment." That's as asinine a statement as saying that everyone who drives a Ferrari is an A-hole with a compensation problem...OK, bad example. Umm....
But seriously...
Perhaps they choose best-in-breed because in terms of managing risk, the value they get from using BIB products is greater than the cost of stringing together less capable or robust products/solutions - however "integrated" they may be.
Sometimes you want the best coverage for your dollar spent -- and when absolutes count, people aren't necessarily willing to gamble on "relative" security.
It's all scales of economy -- comparing the Fortune 2000 with Joe's Ice Cream and Taxidermy is a stupid exercise. Different strokes for different folks, but BIB is NOT an inappropriate solution for those who can afford it.
Equating BIB as "overpriced" or bloated is simply unfair. You don't have to be a commodity (or even integrate a bunch of commoditized functions) to show value and innovation isn't only derived from non BIB players.
As you know, Crossbeam provides UTM solutions -- but we don't offer $500 perimeter widgets that are "good enough." We are the ONLY Enterprise and Provider class UTM solutions vendor that combines the integration of BIB security functions for large enterprises and service providers. We don't sell one vendor's version of the truth and that flexibility combined with performance and high-availability means that BIB and UTM are not mutually exclusive.
That's a brick in very strong wall.
-Chris
The religion of best of breed (BOB) vs. "good enough" is no longer interesting to me. I believe that a SMALL subset of the buying community will buy best of breed because of the things you mention. That may be a big enough market for someone like Crossbeam to thrive, but then again maybe not. But I know that your positioning is about more than just best of breed, right?
But why should customers have to settle? Isn't your point that it's possible to take best of breed functionality and provide a more effective level of integration and flexibility with your hardware? Or am I missing what Crossbeam says their positioning is?
I don't think you are telling me (or the readers) that providing hardware to host best of breed software is the endgame. What customers want is the reduction of complexity. That may mean integration. Or it may mean abstraction (so the best of breed is basically hidden and dramatically simplified). But to have to settle for best of breed that is not integrated over time seems like we are giving up. Admitting failure is not one of my strong suits.
My point is that integration/abstraction and as a result, the "another brick in the wall" innovation strategy has passed the tipping point. The perimeter defense aspect of security is a mature market and no amount of wishing is going to change that fact. I know you guys do more than perimeter defense (see I have been listening a bit), but that is still the highest profile part of the market.
It is my belief (and remember I get paid to have opinions) that perimeter best of breed is a dying architecture. Crossbeam even calls what you do UTM. So maybe we are just disagreeing about semantics and words. Ultimately isn't this abstracted "security services" layer that you evangelize more of what customers are interested in?
To get back to my another brick analogy, you could say that every new best of breed application you add to your box is another brick that makes your box more interesting to customers. No?
If we are being honest, what you and Nokia have done is pulled the asses of security software vendors out of the fire. Without Nokia and Crossbeam, CheckPoint would have been marginalized a LONG TIME AGO.
Like everything else, it takes a long time to replace the old boss with the new boss (may as well throw some of The Who in there, while I'm at it). So this will play out over the next few years. But to be clear, I have no doubt as to how the movie ends.
SearchSMB Column: UTM - Exploring the benefits for SMB
This month's SearchSMB column talks about UTM, within the context of the SMB market. So, that means "small UTM" just to be clear. If the column seems a bit short, well it is. That's because it was, let's say, heavily edited. Is it better? I don't think so because a lot of my informal vernacular has been gutted out. This is clearly not my style, but whatever. The points are the points, and at least they didn't mess with them.
I've got a unique style of writing, and if you couldn't tell I get a bit burned when it's messed with. But that's part of writing for some of the media outlets. So at the risk of getting into trouble, I'm going to post my original version here.
Of course, you can read the edited version here: http://searchsmb.techtarget.com/tip/0,289483,sid44_gci1205017,00.html
The Original:
SearchSMB column/tip – July 7, 2006
UTM is in your future
By Mike Rothman
The network security business has evolved rather incrementally over the years, largely driven by threats – as opposed to thoughtful architecture. First there was the token authenticator, designed to protect all of those crazy employees dialing up into a remote access environment.
Then as direct connections to the Internet hit widespread deployment in the mid-90’s, there was a need to protect those connections with firewalls. But firewalls were rather unsophisticated devices, so products that could detect an attack pattern (intrusion detection) came into vogue. Subsequently we’ve seen gateway anti-virus, anti-spam, web content filtering, anomaly detection, web application firewalls, and a host of other new products emerge to stop very specific threats.
You as a SMB technologist are sick of it. At least the folks I talk to are. All of these products have different management consoles, none work together, and most are marginally effective. We all know that you don’t have extra people or dollars lying around to maintain the status quo. You need to do more with less and you need to do it now.
One of my favorite sayings is “No mas box.” My clients don’t want to see any more appliances; they want integrated solutions or at least the visage of integration anyway. Thus a new product category called unified threat management (UTM) has emerged. Pioneered by folks like Fortinet, SonicWall and Astaro, but more recently being joined by pretty much every security vendor – these devices promise integration, convenience and protection from pretty much every threat out there.
Should you turn off your existing equipment and move to these new platforms? In a nutshell, the answer is most likely yes. Your choices are pretty straightforward: continue to renew the maintenance on your existing device(s) or buy something new. In many cases, given the competitive nature of the UTM market, out of pocket costs may be comparable to upgrade to a new device.
Even if you are talking about a 15-25% increase in year 1 cost for a new box, it’s worth it. You’ll save at least that much time in not having to troubleshoot different equipment when you have a problem and your protection will be broader.
That begs the next question, who do you buy it from? The answer largely lies in your comfort level. Each vendor has strengths and weaknesses. Some are built using mostly open source software; others have proprietary chips to get the job done. Given where the market is now, you should strongly consider your incumbent network security provider. In all likelihood they also offer a UTM device, and you already are familiar with the vendor and the management interface.
At a minimum, you should kick the tires of at least one or two other devices. Only by getting hands-on a few boxes will you figure out what is the best fit for your environment. But for SMB customers, UTM is the shape of things to come.

