The IT security market is certainly an interesting one, as it’s so big and so fragmented. Forbes posted a story at the end of last year stating the market is at $75 billion, with it expected to reach $170 billion by 2020. Every business and technology leader I talk to tells me how important security is, so I have no reason to doubt that $170 billion number.
In addition to the overall massive size of the security market, another interesting fact is the huge number of vendors that play in it. I believe the 2016 RSA conference had something like over 600 sponsors, with at least 100 being first-time sponsors. No other IT market has that many vendors with start-ups consistently popping up.
Cisco is currently the market leader in IT security with a little over $4 billion in revenue, giving it a paltry 5.3 percent share while also showing the high fragmentation of this market. At a 5 percent share, there really is no market leader. No vendor has been able to put a strong enough strategy together to grab double-digit share. In my opinion, Cisco is better positioned in security than it ever has been and is poised to take some significant chunks of share over the next five years.
Cisco has been masterful at capturing share when markets transition. VoIP, wireless LAN, power over Ethernet and unified computing are all great examples of Cisco having the right product at the right time to break away from the competition. Cisco’s opportunity comes from the fact that the security market is currently undergoing a significant transition.
Securing the perimeter is no longer enough
Legacy security architectures were built on the concept that securing the perimeter is the most important factor. Build a big, strong and impenetrable wall around the company, and it will never be breached. That seems logical, but it doesn’t work. Hackers always stay one step ahead of the security vendors and constantly find new ways to break into an enterprise. The rise of cloud computing, bring your own device (BYOD), shadow IT and other trends have created many more entry points. That means security professionals need to protect hundreds or even thousands of entry points, and the bad guys need to find only one way in.
Another problem with perimeter security is that most breaches occur from inside the network. In fact, almost all of the high-profile breaches that have occurred over the past few years have been based on an internal breach.
A few interesting ZK Research data points show how mismatched security spending is with the real world. Currently 85 percent to 90 percent of security spend is at the perimeter, but only about 20 percent to 25 percent of breaches occur at the edge of the network. Conversely, only 10 percent to 15 percent of security budget is spent on securing the internal network where most of the attacks are focused.
Legacy security has not worked, is not working and will not work. Things need to change, and this is Cisco’s opportunity.
Changing the approach to security
Security professionals are finally starting to understand that the business isn’t going to be more secure by dropping more appliances from more vendors into the network. ZK Research data points show that enterprises currently have on average 32 security vendors. That’s the average. I’ve interviewed some organizations that literally have hundreds, creating a highly complex environment. It’s important to understand that complexity is the enemy of security (one of ZK Research’s new rules of security in the digital era), so going from 32 to 33 to 34 vendors will likely not make things more secure.
Also, security is transitioning away from security appliances at specific places in the network to being based on data collection, analysis and insight. The thesis being that if there’s a good understanding of what normal traffic patterns look like, any anomaly could indicate a breach and is worth further investigation.
For example, consider a worker who comes to the office day after day and uses the same applications—email, the intranet and a vertical application. That worker then goes on vacation. And being the good employee, he takes the laptop to a café and connects to a network called “FreeWiFi” to get some work done. We’ve all done this. But in this case, the worker really has no idea who owns FreeWiFi. It could be the café, or it could be some hacker who lives upstairs and drops some malware onto the machine. The worker then goes back to the office, and because he is a credentialed employee, the network lets the machine connect to all corporate resources.
In this case, if the computer starts trying to access other systems, such as payroll and accounting, that could indicate a breach. And if it is detected, the security infrastructure could quarantine the device for further investigation. If it is infected, the ability to automatically detect and quarantine the breach can minimize the “blast radius” of the security threat.
Cisco’s big data strategy for securing enterprises
The “big data” approach is the foundation of Cisco’s “Network as a Sensor” and “Network as an Enforcer” strategy. Because of its dominant share in networking, the company has more devices in more places than any other vendor. Also, it has a wealth of information available to it, including log files, NetFlow, DNS information, identity, IP address records and other network-related data that can help it quickly find anomalies and breaches.
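As an added example (not Cisco’s code and not part of the original article), the following Python sketches the baseline-then-anomaly logic from the vacation scenario above, using the kind of per-host flow data listed here: learn which services each host normally talks to, then flag a host that suddenly reaches into several never-before-seen systems such as payroll and accounting. Hostnames, service names and the flow records are constructed for the illustration; the threshold is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record reduced to the two fields the detector needs.
    Hostnames and service names are constructed for this example."""
    src_host: str
    dst_service: str


# Constructed baseline: what each laptop talked to during normal office days.
BASELINE: List[Flow] = [
    Flow("laptop-alice", "mail"),
    Flow("laptop-alice", "intranet"),
    Flow("laptop-alice", "crm"),
    Flow("laptop-alice", "mail"),
    Flow("laptop-alice", "intranet"),
    Flow("laptop-bob", "mail"),
    Flow("laptop-bob", "intranet"),
    Flow("laptop-bob", "erp"),
]

# Constructed flows after the laptops are back on the corporate network.
AFTER_RETURN: List[Flow] = [
    Flow("laptop-alice", "mail"),
    Flow("laptop-alice", "payroll"),
    Flow("laptop-alice", "accounting"),
    Flow("laptop-alice", "hr-db"),
    Flow("laptop-alice", "file-server"),
    Flow("laptop-bob", "mail"),
    Flow("laptop-bob", "wiki"),  # one new service: ordinary drift, not a breach
]


def build_profile(flows: Iterable[Flow]) -> Dict[str, Set[str]]:
    """Learn each host's normal set of destination services from historical flows."""
    profile: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        profile[f.src_host].add(f.dst_service)
    return profile


def new_services(profile: Dict[str, Set[str]], flows: Iterable[Flow]) -> Dict[str, Set[str]]:
    """Services each host contacted that are absent from its learned profile."""
    unseen: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.dst_service not in profile.get(f.src_host, set()):
            unseen[f.src_host].add(f.dst_service)
    return dict(unseen)


def quarantine_decisions(profile: Dict[str, Set[str]], flows: Iterable[Flow],
                         max_new_services: int = 2) -> Dict[str, dict]:
    """Flag a host when it reaches into more never-before-seen services than the
    assumed threshold allows. One or two new services are normal drift; several at
    once resembles the lateral movement described in the article and is worth
    isolating for investigation, which limits the blast radius."""
    decisions: Dict[str, dict] = {}
    for host, svcs in new_services(profile, flows).items():
        decisions[host] = {
            "new_services": sorted(svcs),
            "quarantine": len(svcs) > max_new_services,
        }
    return decisions


if __name__ == "__main__":
    learned = build_profile(BASELINE)
    for host, d in quarantine_decisions(learned, AFTER_RETURN).items():
        action = "QUARANTINE" if d["quarantine"] else "monitor"
        print(f"{host}: new services {d['new_services']} -> {action}")
```

In a real deployment the profile would be built from weeks of NetFlow, DNS and identity data rather than a handful of records, and the quarantine action would be a network policy change (for example, moving the device to a restricted VLAN) rather than a printed line; the decision logic is the same.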
Industry-wide, the average time taken to find a breach today is 100 days. Cisco’s senior vice president and general manager of networking and security, David Goeckeler, told me Cisco could find breaches in 17 hours. I challenged him on this point and said 17 hours is still far too slow. He agreed with me and said Cisco’s ultimate goal is to have this number be measured in minutes, not hours.
Another strength of Cisco security is that this is the most open and technology partner-centric Cisco has ever been. It’s fair to say that prior to Goeckeler taking over the security team, the company shunned non-Cisco technology. But now, it acts like a security platform and can take data in from companies such as Gigamon and Ixia. And once a breach is detected, it can leverage a number of best-of-breed partners, such as Radware, F5, A10 and Splunk. The complete list of security vendors shows the breadth and depth of security partners.
Acquisitions support Cisco’s security position
The importance of security for Cisco’s overall growth has not been lost on CEO Chuck Robbins, either. Of the 15 acquisitions made in his first year as the leader of the company, four were directly security-related (OpenDNS, Lancope, Portcullis and CloudLock). The recently announced and highly touted Tetration product has some significant potential as a security tool even though it was initially positioned more for application performance.
I believe Cisco will continue to be aggressive with acquiring security technology. Not big companies, but smaller start-ups such as Illumio and LightCyber that have unique solutions that can scale with Cisco’s channel.
To put an exclamation point on the importance of security to Robbins, on the most recent quarterly call held last week he said, “Security is the number one priority for every customer. As the global leader in networking, Cisco is uniquely positioned to deliver security at scale.”
The security market is moving to Cisco, and the company has its act together with both products and partner strategy. Now it just needs to execute, which few companies do better. Even if Cisco does a mediocre job with execution, it could easily double its security share over the next three to five years. But getting to 15 percent market share isn’t out of the question. Given the overall size and growth in the security market, it could wind up being bigger than routing and collaboration in a few years.