Gartner IT Security Summit: Good enough security may be just fine

Security products are becoming commoditized, says Gartner.

WASHINGTON, D.C. -- It’s time organizations consider switching from best of breed to “best of need” products when it comes to security, as vendors realize their offerings are becoming commoditized and start pricing them accordingly.

Such was the assessment of Neil MacDonald, vice president and distinguished analyst with Gartner, who spoke at the opening panel of the Gartner’s IT Security Summit here Monday. The summit, which is becoming known as a platform for Gartner analysts to make bold proclamations about the security industry, attracted 2,000 IT professionals and over 100 exhibiting vendors.

“It’s time the security industry grew up and acted like the rest of the information technology industry,” MacDonald told the audience. For example, if he buys a laptop for $1,500 this year and does the same next year, he expects to get more for the same amount of money, thanks to Moore’s Law that says computing power doubles every 18 months even as costs decline. However, an antivirus vendor will sell the same product year over year, but expect customers to pay more. “The security industry shouldn’t be immune from Moore’s Law,” MacDonald says.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

WASHINGTON, D.C. -- It’s time organizations consider switching from best of breed to “best of need” products when it comes to security, as vendors realize their offerings are becoming commoditized and start pricing them accordingly.

Such was the assessment of Neil MacDonald, vice president and distinguished analyst with Gartner, who spoke at the opening panel of the Gartner’s IT Security Summit here Monday. The summit, which is becoming known as a platform for Gartner analysts to make bold proclamations about the security industry, attracted 2,000 IT professionals and over 100 exhibiting vendors.

“It’s time the security industry grew up and acted like the rest of the information technology industry,” MacDonald told the audience. For example, if he buys a laptop for $1,500 this year and does the same next year, he expects to get more for the same amount of money, thanks to Moore’s Law that says computing power doubles every 18 months even as costs decline. However, an antivirus vendor will sell the same product year over year, but expect customers to pay more. “The security industry shouldn’t be immune from Moore’s Law,” MacDonald says.

Often an emerging security threat, phishing for example, will grab headlines and create some panic, resulting in a new breed of offerings to protect companies. But that won’t necessarily be the case going forward, as vendors realize they can leverage much of their existing threat-protection technology to ward off new concerns. By 2010, Gartner predicts that only 10 % of emerging security threats will require deployment of tactical, best of breed offerings, down drastically from the 80% of threats that required such products in 2005, MacDonald says.

Vendors are starting to get the picture - for example, some of the big anti-virus companies such as Symantec and McAfee are adding anti-spyware to their anti-virus packages at no additional cost – and customers are benefiting.

“With anti-spyware, we were waiting for it from Symantec and deciding whether to go with a stand-alone product,” says Richard Childers, manager of IT program management with Canadian Blood Services, a non-profit blood management organization based in Ottawa with 5,000 employees. Childers chose to wait for Symantec, and he’s glad he did. “It simplifies management to have one console” for the anti-virus and anti-spyware products, he says. “When you get into best of breed, there’s the cost of manageability, it’s easier to consolidate.”

Indeed, why should customers buy two engines that do largely the same thing to scan for viruses and spyware, asks MacDonald.

“There’s a trend of security protection convergence where you can get more functionality for about the same price,” MacDonald. “We can’t continue to pay and get nickled and dimed to death” for so-called best of breed products, he says.

That’s where “best of need” products come to play, he says; companies are beginning to offer a number of products or services that are related with better pricing and easier management because they are integrated and share a common interface. MacDonald warns this bundling shouldn’t be considered a suite approach, where vendors would shrink-wrap a number of often unrelated products together; what’s happening in the security industry is the leveraging of common technology to combat different threats.