The security industry began the year with some momentum, primarily because of Code Red's and Nimda's wakeup call. Certainly, 9\/11 had an impact on the pundits, who assumed that information security would benefit (a nauseating idea, actually). But we are rolling into the third quarter, and there doesn't seem to be much to be happy about. Two conflicting results are apparent:More than 45 security companies have received over $450 million in venture funding, so the VCs clearly like the space. No knockout mergers or acquisitions have occurred, even though Symantec and Network Associates are sitting on dowries of about $1 billion each, and many other companies would benefit from a fuller product portfolio. Awareness around the need for security is high, but a fundamental question remains: How secure are we? We don't know whether spending $10,000 or $10 million is sufficient or even worth it because we have no clear way to measure security. This is a fundamental problem that must be addressed for this market to really mature.In addition to measuring security, a step in the right direction would be to value our assets and calculate losses, but we can't do that, either. Some companies (like one sore thumb suffering a probably unrelated $4 billion embarrassment) think that hackers should be hugged and thanked for highlighting vulnerabilities, as if there were no loss at all. On the other side, security professionals lose a dime every time they look to the left and calculate losses greater than their company market caps.THE HURWITZ TAKE: As long as security is an art, confusion in market dynamics will exist. Companies are working toward understanding what constitutes strong security and what doesn't, but we need some benchmarks to be able to truly understand the meaning of security. To be sure, we have seen some encouraging trends and concepts gaining momentum in the security space:Perimeter security solutions are being consolidated. This means taking firewalls and AV\/IDS solutions and perhaps throwing in content security, application layer activity, and VPNs to provide a demarcation between trusted and untrusted networks. Seemingly converse to the above, the perimeter is being blurred for users, and it is becoming clear that the endpoints (laptops, typically) need to be secured and scanned prior to allowing connectivity to the trusted network. The common pursuit of a management console to aggregate and correlate all sorts of security events recognizes the need for breadth and support across many platforms. It also changes the dynamics of threat management into a more full-functioning threat analysis tool. The Hurwitz Top Trend for 2002 hasn't gained as much traction as it should. Application layer security in the form of application firewalls (Web, email, instant messaging) and application behavior control solutions are a clear future direction in protecting resources (see Microsoft's recent discussion around Palladium for affirmation). New technology continues to scare us, even though the business value can be significant and security is an enabling capability. PKI is reinventing itself in the face of Web Services. With a modular approach to security, infrastructure solutions win out from all the proprietary blather. Slowly, the market is consolidating products into solutions around the Hurwitz Group Four Disciplines (identity, threat, configuration, trust management) into products with business value that create an environment consistent with the risk tolerance of the enterprise.