Roughly every three years, someone steps up and boldly claims the security software industry is going away, and they are probably right—much like there is a strong chance of the cold energy death of the universe. However, neither is likely tomorrow. With all due respect, such claims usually suffer from recency bias or, put another way, they are the earnest belief of people steeped in other industries arriving on the security scene and not really understanding what is happening in “security” as an industry.
That’s the problem, really. Security isn’t a single industry nor is it a single market. It is rather a collection of smaller markets that affect one another, loosely have common buyers, and solve problems with similar technology. Staring at one part of it and extrapolating to the whole can make for some rather dangerous assumptions and extrapolations.
Now we complicate things with business. We all know that the best ideas don’t usually succeed or fail solely on their own merit. Not only do you have to get the tech right, but you must do things like navigate the vagaries of corporate growth and failure, the landscape of competitors, and the need for marketing and sales execution to succeed. Not only does a company need beautiful tech, they also need beautiful finance and beautiful sales and beautiful marketing execution to succeed.
The result is that the chaotic landscape of security companies rising and failing, sometimes on technical merit, sometimes because of poor management, investment issues, market consolidation, or macroeconomic conditions, makes it hard to determine what really has value and what doesn’t.
Art Coviello, former CEO of RSA, famously said in his RSA Conference speech of 2007 that the security industry would go away, but we can’t leave out that RSA was in the process of being acquired at the time by EMC. Of course, Coviello did amend his prediction in 2008 to say that the industry would “barbell,” meaning it would be big at the institution end and big at the startup end with little in between, as mid-size companies snapped up the most innovative of the emerging vendors.
And that’s what we’ve seen happen. There’s a cycle for each subsector (whether it’s cryptography, authentication, authorization, incident response, or forensics)—from the moment we see a new type of security emerge to the moment when it becomes truly part of the infrastructure and the rest of IT. This journey or cycle is interesting, and it’s what really savvy security investors should pay attention to:
1. Arrival: almost everything in security started because someone or something didn’t do it right from the start. This was true of authentication and authorization (IAM), managing logs (SIEM), stopping malware (EPP), managing vulnerabilities, and so on. At the start, it looks like a feature set nobody quite had time for, largely because once it is addressed or unpacked, the scope keeps growing wildly. This might be a manifestation of the Dunning-Kruger effect to some extent, but it’s important to state that, like other big, seemingly insoluble issues, security problems always started unexpectedly.
2. Denial: those closest to it tend to underestimate it, and those distant from it tend to ignore it. There is always a phase of denial and denigration, but problems, once identified, don’t go away. They may simmer a while or get ignored, but once exposed, they tend to stick around until addressed, like world hunger, horrible diseases, and malware and hacking. As long as the problem persists, a market will grow – solve the problem early, and it will stop. In this phase, if people are pooh-poohing a new technology, it’s important to look for the problem, its impact, and its likely persistence. All three must be present.
3. Acceptance, Investment and Innovation: there comes a moment when people realize “oh it’s here to stay” and perhaps “oh this is big.” That’s when the investment frenzy starts. Massive growth, innovation, and expansion start, but they can also plateau if a given problem isn’t big enough to persist (e.g., User and Entity Behavior Analytics most recently).
4. Validation and Adjustment: hyper growth companies and markets draw attention. In this phase there’s constant testing and iteration that will lead to hype and will either forge new markets or challenge and disrupt existing ones (e.g., Endpoint Detection and Response and Endpoint Protection Platform).
5. Consolidation: incumbents in a market who are threatened or those in adjacent spaces will start to innovate (unlikely) or acquire (most likely), and numbers will dwindle. We saw this with personal firewall companies being bought up in 2000 by Antivirus vendors. They didn’t get all of them, though, and innovation continued. It’s worth noting that Zone Labs was the last acquired (by Check Point) and for the highest price.
6. Next Wave(s): if the problem doesn’t go away, the market can subside, but like the sea it will come back. Barbelling the industry will cause a new wave of investment and innovation. Go back to step 3 and repeat. Keep doing this until the right conditions are met to go to 7.
7. Ubiquity, Homogeneity, and Resolution: something is a commodity when it is available everywhere and the same quality everywhere. At that point, and only then, will a market “go away.”
Individual security companies will continue to rise and fall, roar onto the scene or dwindle, be acquired or IPO, or follow any number of paths. However, what matters is the persistence of the problem. And the ultimate long-term indication is the growth or diminishment of the market as a whole. Today, the security market CAGR (compound annual growth rate) is still higher than general IT, which means it’s not dying or going away no matter what the localized trends or micro-behavior may look like. We all want a world where security is in the fabric of everything and is just taken care of, but until the problem is solved, fighting the tide is a good way to either miss an opportunity or make the wrong technological and business bets.