Hanging on my keychain is a brass medallion. On one side it says “Trusted Information Systems Inc. – Building a World of Trust” and on the other side it says “TISX – IPO October 10, 1996” Sometime earlier that year, or late in 1995, Checkpoint had also gone public and many other Internet security pureplays would follow shortly. To me, 1996 was really the inflection point from Internet security as a collegial “Make the world safe/Build a world of trust” to a “push the units” business.
That’s not necessarily a bad thing – it didn’t take long for the bad guys to move from “hack the world for fun” to “hack the world for profit” approach. Security had to become business-like to keep up. It takes a lot of investment to develop and or acquire security technologies given how rapidly the threats evolve. However, over the years there have been many good examples of the demands of Wall Street, not the security demands of enterprises, driving the decisions made by security company CEOs in very, very wrong directions. The percentage of acquisition in the Internet security industry that fail are just as high as in IT in general, if not higher.
Of course, security as a religion without a business grounding has a long list of failures as well. Single sign on, PKI, Secure objects, secure enclaves, deperimeterization, borderless enterprises, biological models, physical/information security integration and many others are examples of security fads that ignored business realities in the name of security elegance and went nowhere.
There are a lot of security brand names from 1996 that are long gone. The security companies and technologies that succeed are always the ones that find the right balance of protection and profitability – just like the corporate security programs that are successful. The changes in the way IT is being delivered and consumed, and the changes in motivation and techniques of attackers is perturbing that balance – there will be a new set of winners and losers over the next five years.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.