Gartner Blog Network

Thirteen Years Ago Internet Security Became a Business

by John Pescatore  |  October 12, 2009  |  3 Comments

Hanging on my keychain is a brass medallion. On one side it says “Trusted Information Systems Inc. – Building a World of Trust” and on the other side it says “TISX – IPO October 10, 1996” Sometime earlier that year, or late in 1995, Checkpoint had also gone public and many other Internet security pureplays would follow shortly. To me, 1996 was really the inflection point from Internet security as a collegial “Make the world safe/Build a world of trust” to a “push the units” business.

That’s not necessarily a bad thing – it didn’t take long for the bad guys to move from  “hack the world for fun” to “hack the world for profit” approach. Security had to become business-like to keep up. It takes a lot of investment to develop and or acquire security technologies given how rapidly the threats evolve. However, over the years there have been many good examples of the demands of Wall Street, not the security demands of enterprises, driving the decisions made by security company CEOs in very, very wrong directions. The percentage of acquisition in the Internet security industry that fail are just as high as in IT in general, if not higher.

Of course, security as a religion without a business grounding has a long list of failures as well. Single sign on, PKI, Secure objects, secure enclaves, deperimeterization, borderless enterprises, biological models, physical/information security integration and many others are examples of security fads that ignored business realities in the name of security elegance and went nowhere.

There are a lot of security brand names from 1996 that are long gone. The security companies and technologies that succeed are always the ones that find the right balance of protection and profitability – just like the corporate security programs that are successful. The changes in the way IT is being delivered and consumed, and the changes in motivation and techniques of attackers is perturbing that balance – there will be a new set of winners and losers over the next five years.

Additional Resources


John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems… Read Full Bio

Thoughts on Thirteen Years Ago Internet Security Became a Business

  1. […] Original post:  Thirteen Years Ago Internet Security Became a Business […]

  2. Vic Wheatman says:

    Ah, but Physical/Information Security integration IS taking place in some places, not widely, but on projects, primarily building/network access integration – often government, and sensitive facilities such as R&D labs.

    It’s Convergence that’s happening much more slowly — having physical and infosec functions reporting to the same CSO.

  3. Agree that integration between some physical systems and information security systems makes sense – though the promise has been way overhyped, which is why it doesn’t happen widely. A big issue there is that they technology you put on the door to read an employee ID badge usually isn’t the best solution for dealing with mobile employees using laptops.

    True convergence isn’t happening slowly, it’s just really not happening – because it doesn’t make business sense.

Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.