Information security spending is thought to be recession proof, but does it have the legs to outrun the current downturn? In-Q-Tel partner Peter Kuper thinks so, but there are still some rough times ahead.
Kuper, who has handled some high-profile IPOs in the security market, told Information Security Decisions 2012 attendees this week in New York City to stop spending on technology that doesn’t work. Investments in legacy security standbys (hello AV, firewalls et al.) need to be tempered. Maybe Kuper has a vested interest in his remarks, but he’s also right. Signature-based defenses don’t work anymore. Kuper said it; analysts tell you the same thing and so do research firms. The Verizon Data Breach Investigations Report is probably the most sobering barometer of the ineffectiveness of today’s security technology: 96% of the attacks behind the breaches Verizon investigated were not complicated attacks; 97% could have been prevented with rudimentary controls; 92% of incidents were discovered by a third party, and only after months of constant infection.
Checkbox security driven by PCI and other mandates is heavily to blame here as well. Security managers are using compliance as a life preserver and to beg for budget. Budgets, meanwhile, are largely flat to slightly up, yet companies are nearly 100% owned.
“Where is the ROI there?” Kuper asked. “You’re asking for increased budget, yet three-quarters of you get your butt handed to you in minutes or less. How is that a good ROI for a CFO? Try explaining that to someone that doesn’t understand security.”
Couple that with some weak economic indicators that foreshadow another downturn, despite the market being back to pre-recession 2007 levels, and you’ve got a rocky road ahead, friends.
Looking for a silver lining? OK. Venture capital firms are looking at security companies, and acquisitions are still happening in security, which are indications of innovation and some areas of strength. SIM vendors were the last market segment in play with Q1 Labs (IBM), Nitro Security (McAfee), LogLogic (Tibco) and ArcSight (HP) getting scooped up by larger vendors. Palo Alto, meanwhile, is going public soon, Kuper said, after booking $200 million last summer alone. Qualys is also perpetually in the IPO conversation. Sourcefire has been public since 2007, and after a rocky start, is trading 113% higher than last year.
“VCs were not investing much in security for a long while,” Kuper said. “But security is looking good again. I know a lot of VCs and they’re starting to call back. VCs are making money in security investing in innovative technology. It’s a good sign VCs are investing. Innovation cycles are up and a lot of good companies are getting funding.”