The security industry began the year with some momentum, primarily because of Code Red’s and Nimda’s wakeup call. Certainly, 9/11 had an impact on the pundits, who assumed that information security would benefit (a nauseating idea, actually). But we are rolling into the third quarter, and there doesn’t seem to be much to be happy about. Two conflicting results are apparent:

- More than 45 security companies have received over $450 million in venture funding, so the VCs clearly like the space.
- No knockout mergers or acquisitions have occurred, even though Symantec and Network Associates are sitting on dowries of about $1 billion each, and many other companies would benefit from a fuller product portfolio.

Awareness around the need for security is high, but a fundamental question remains: How secure are we? We don’t know whether spending $10,000 or $10 million is sufficient or even worth it because we have no clear way to measure security. This is a fundamental problem that must be addressed for this market to really mature.

In addition to measuring security, a step in the right direction would be to value our assets and calculate losses, but we can’t do that, either. Some companies (like one sore thumb suffering a probably unrelated $4 billion embarrassment) think that hackers should be hugged and thanked for highlighting vulnerabilities, as if there were no loss at all. On the other side, security professionals lose a dime every time they look to the left and calculate losses greater than their company market caps.

THE HURWITZ TAKE: As long as security is an art, confusion in market dynamics will exist. Companies are working toward understanding what constitutes strong security and what doesn’t, but we need some benchmarks to be able to truly understand the meaning of security. To be sure, we have seen some encouraging trends and concepts gaining momentum in the security space:

- Perimeter security solutions are being consolidated. This means taking firewalls and AV/IDS solutions and perhaps throwing in content security, application layer activity, and VPNs to provide a demarcation between trusted and untrusted networks.
- Seemingly converse to the above, the perimeter is being blurred for users, and it is becoming clear that the endpoints (laptops, typically) need to be secured and scanned prior to allowing connectivity to the trusted network.
- The common pursuit of a management console to aggregate and correlate all sorts of security events recognizes the need for breadth and support across many platforms. It also changes the dynamics of threat management into a more full-functioning threat analysis tool.
- The Hurwitz Top Trend for 2002 hasn’t gained as much traction as it should. Application layer security in the form of application firewalls (Web, email, instant messaging) and application behavior control solutions are a clear future direction in protecting resources (see Microsoft’s recent discussion around Palladium for affirmation). New technology continues to scare us, even though the business value can be significant and security is an enabling capability.
- PKI is reinventing itself in the face of Web Services. With a modular approach to security, infrastructure solutions win out from all the proprietary blather.

Slowly, the market is consolidating products into solutions around the Hurwitz Group Four Disciplines (identity, threat, configuration, trust management) into products with business value that create an environment consistent with the risk tolerance of the enterprise.