Lots of opportunity in network security, data security, security services, and strong authentication in 2014

I hope my cybersecurity colleagues enjoyed their holiday these past few weeks. It was surely well deserved as the year 2013 will be remembered as a whirlwind of activity featuring successful IPOs and scary security incidents. Given this, it’s likely that security professionals spent the last few weeks with one eye on family and holidays and another on emerging details about the massive breach at Target.

So what’s in store for the information security industry in 2014? On the surface, it should be a happy new year across the board for security technology vendors, MSSPs, and professional service firms. That said, there is a lot of work ahead as enterprise organizations figure out how to transform an army of point tools and manual processes into a cohesive security strategy.

To kick off my blog in 2014, here is my quick assessment of the strongest information security industry sectors and associated prospects for 2014:

1. Network security. Okay, this is an easy prediction as network security is always an active area. FireEye and Palo Alto will ride their momentum and continue to be present in nearly every RFI/RFP and proof-of-concept, making 2014 a good year for investors. There will also be a number of market disruptions, however. The whole SDN/network virtualization trend will have a growing impact on network security, opening the door for vendors like Check Point, Dell, Fortinet, and Juniper to push innovative solutions. On another front, Cisco/Sourcefire, IBM, and McAfee/Stonesoft will gain a lot of attention with updated and integrated network security architectures. The key will be user education and architectural integration, but expect a lot of overall spending in the network security realm.

2. Data security.
As 2013 wound down, a lot of CISOs I spoke with spoke of high-priority security projects around an area ESG calls “Crown Jewel Security.” Instead of taking on complicated data classification initiatives across the enterprise, these organizations are quickly identifying their most valuable data and then surrounding it with enhanced safeguards like multi-factor authentication, privileged user security, granular access controls, encryption/key management, and continuous monitoring. “Crown Jewel Security” projects will increase in 2013, opening the door to vendors like CyberArk, Lieberman Software, RSA, Vormetric, and Thales.

3. Security services. This category includes MSSP, professional services, and SaaS for information security. Security services will likely show the strongest growth rate of all in 2014 for the simple reason that demand for cybersecurity talent far exceeds supply. This trend should benefit the likes of Blue Coat, Dell/SecureWorks, HP, IBM, Proofpoint, Verizon, Symantec, and Unisys as well as their high-priced cousins at Accenture, E&Y, and PWC. Traditional private sector security services firms will also be joined by a wave of traditional public sector competitors including Boeing, Booz Allen, CSC, Leidos, Lockheed Martin, Northrop Grumman, and even Raytheon. Why the public-sector incursion? Federal integrators are looking to shield themselves from future sequestration and cost cutting. On the opportunity side, the Washington crowd could be well positioned if and when the Federal cybersecurity framework gains momentum in the private sector.

4. Strong authentication. The information security community has known for years that passwords were a liability, but the alternatives were too expensive and complex. Things got worse in 2013 when password risks seemingly grew exponentially. This problem finally has board-level attention, which translates into leadership and money.
There may also be some hope on the technology side with innovation from vendors like RSA, standards from the FIDO alliance, and integrated “trusted” technologies from the likes of Apple, ARM, and Intel. Yup, there’s bound to be a lot of money spent in this area but there is plenty of work ahead in terms of industry cooperation and user education. First and foremost, the FIDO alliance has to stop talking, publish a 1.0 standard, and push this into the market.

So what about other areas like application security, endpoint security, mobile computing security, and security analytics? I’ll cover these segments in my blog soon.