The former Gartner analyst and founder of security consultancy Securosis outlines seven trends to watch for in the coming year:
- Shrinking security budgets. Even if the economy miraculously recovers this year, companies will still be tightening the belt for all of 2009. Security won't see major cuts, but will see the usual cost-containment pressure, even in organizations with budget increases. Anything not related to a mandated compliance requirement, obvious threat prevention or clear cost-cutting/reduced TCO will likely be put off until next year or longer. This includes non-PCI Web application security, most information-centric/data security (other than compliance driven), virtualization security and most of the remaining things people will predict are hot technologies.
- Party's over for security vendors. Vendors can no longer IPO, and many investors aren't willing to fund indefinitely unprofitable ventures. This leaves startups four options: become profitable, convince investors to keep up funding, get acquired or shut down. We're already seeing good companies sell for very little investment return (Reconnex/BlueLane), and this will only get worse. It will be a field day for acquiring companies as they wait for desperation. In markets where there are fewer targets than potential acquirers, the early bird will get the worm, and we'll tend to see one higher-multiple deal per market as a few buyers join the party late and have to fight it out for the last ugly date.
- The Big One unlikely. Someone will predict an earth-shattering SCADA or cyber-terrorist attack. It won't happen. Unless it does.
- Database security market collapse. The independent database security market will start to collapse and we'll see multiple low-value acquisitions (in terms of price). This is for market/economic/business reasons, despite the tools providing immense value to those using them.
- Data Loss Prevention goes mainstream. In late 2009 DLP will finally go early mainstream due to the push from the big vendors. Content discovery will drive more deals than network monitoring, and provide more value to most users.
- Silver lining in the cloud. People will realize that there are only a few areas of "the Cloud" that provide value, and those services will grow well and actually improve enterprise security. They are e-mail security; Web filtering; Web application vulnerability assessments and pen testing; and DDoS protection.
- The PCI effect. PCI will drive WAF sales, but customers will still be dissatisfied with their performance. 2009 will be an important year for the next round of WAFs that are enhanced with VA (vulnerability assessment) and other technologies to make them more useful out of the box.
In summary, anything not related to obvious threat prevention, compliance or cost cutting will really struggle this year. We'll still see innovation, but in terms of what security pros do every day it will be very much like 2008, with yet more budget pressure. The one area that could move faster is Web application security, since that will continue to transition from a quiet threat (the thing that doesn't interfere with the average employee getting their job done) to a vocal threat.