It's time organisations consider switching from best-of-breed to best-of-need products when it comes to security, as vendors realise their offerings are becoming commoditised and start pricing them accordingly.
Such was the assessment of Neil MacDonald, vice president and distinguished analyst with Gartner, who spoke at the opening panel of Gartner's IT Security Summit last week. The summit attracted 2,000 IT professionals and more than 100 exhibiting vendors.
"It's time the security industry grew up and acted like the rest of the information technology industry," MacDonald told the audience. For example, if he buys a laptop for US$1,500 this year and does the same next year, he expects to get more for the same amount of money, thanks to Moore's Law, which says computing power doubles every 18 months even as costs decline. However, an antivirus vendor will sell the same product year after year and expect customers to pay more. "The security industry shouldn't be immune from Moore's Law," MacDonald said.
Often an emerging security threat, such as phishing, will grab headlines and create some panic, resulting in a new breed of offerings to protect companies. But that won't necessarily be the case going forward, as vendors realise they can use much of their existing threat-protection technology to ward off new concerns. By 2010, Gartner predicts that only 10% of emerging security threats will require deployment of tactical, best-of-breed offerings, down drastically from the 80% of threats that required such products in 2005, MacDonald said.
Vendors are starting to get the picture. For example, some of the big antivirus companies such as Symantec and McAfee are adding antispyware to their antivirus packages at no additional cost — and customers are benefiting.
"With antispyware, we were waiting for it from Symantec and deciding whether to go with a standalone product," says Richard Childers, manager of IT program management with Canadian Blood Services, a non-profit blood management organisation based in Ottawa with 5,000 employees. Childers chose to wait for Symantec, and he's glad he did. "It simplifies management to have one console" for the antivirus and antispyware products, he said.
Why should customers buy two engines that do largely the same thing to scan for viruses and spyware, MacDonald asked.
"There's a trend of security protection convergence, where you can get more functionality for about the same price," MacDonald said. "We can't continue to pay and get nickel-and-dimed to death" for so-called best-of-breed products, he said.
That's where best-of-need products come into play, he said: companies are beginning to offer a number of related products or services, with better pricing and easier management because they are integrated. MacDonald warned this bundling shouldn't be considered a suite approach, in which vendors shrink-wrap a number of often unrelated products together. What's happening in the security industry is the leveraging of common technology to combat different threats.
And it's not just happening on the desktop. MacDonald pointed to the convergence of firewall and intrusion-protection system products and of email security offerings such as antispam, antivirus, antiphishing and compliance.
As security companies add protection from additional threats to their offerings, customers are taking this path of least resistance. About 80% of the customers who use ScanSafe's managed web filtering services opt for both virus and spyware protection, said Dan Nadir, the company's vice president of product strategy.
Also pushing security prices down is the emergence of open source tools, MacDonald said, because they offer more features at little or no cost. Even customers who don't choose to go the open source route benefit, because it makes vendors of closed source products think twice about pricing their offerings too high.