Picking a Winner

Government IT security managers have plenty to keep them up at night. Not only do they contend with the constantly expanding and mutating threats lurking in the wilds of cyber-space, but they also must worry about the potentially costly errors and abuses of their own employees and contractors - and, it must be said, sometimes their superiors. Unlike many of their private-sector colleagues, public CIOs and chief information security officers (CISOs) also face the added problems of negative media coverage or being grilled by a congressional, state or local committee following a security breach.

At the same time, government organizations are perennially pushed, prodded and poked to do more with less. As the pressure flows downhill through an organization, IT security guardians are constantly required to justify security's return on investment, despite the above-mentioned dangers - that is, until something happens and the guardians are put on the hot seat for "not doing enough."

The good news for government CISOs, information assurance managers and IT security directors is there are many solutions to choose from to protect their organization's IT infrastructures. The bad news is there are many solutions - and many companies offering those solutions - to choose from. Security professionals are confronted with the prospect of assessing hundreds of security vendors offering hundreds, if not thousands, of products.

Gaining Top Perspective

To help IT security managers get a little more sleep, Government Insights, an IDC company, recently published A Government Perspective of the Worldwide Top 10 IT Security Vendors, which provides a useful baseline for government organizations when making IT security procurement decisions. The report analyzes government products, services, activities, partners, competitors and customers of IDC's ranking of the world's 10 largest IT security software vendors, as measured by revenue across all industries in 2006. These companies are: CA, Check Point Software Technologies, Cisco Systems, EMC, IBM, Juniper Networks, McAfee, Microsoft, Symantec and Trend Micro.

One would expect to find companies such as Check Point, McAfee, Symantec and Trend Micro on any list of top IT security vendors. However, CA, Cisco, EMC, IBM, Juniper and Microsoft are probably not company names that immediately come to mind. In fact, Microsoft is usually perceived as part of the problem when it comes to security. In the area of packaged security software, that perception must change.

Companies such as Secure Computing Corp. and SafeNet Inc. may have higher security revenues from government customers than some of the companies on IDC's list. However, they weren't included because their overall worldwide security revenues didn't place them in the top 10, as determined by IDC.

There is, as yet, no reliable or credible methodology for determining such a top 10 list. For one thing, most integrators that provide IT support to the public sector, including IT security, generally have only the haziest idea of how much of their government revenue comes from security-related work - if they have any idea at all. Most companies don't specifically track security-related revenue, either because security is wrapped up or embedded in larger programs or because of definitional issues, such as what is and isn't security related - and often it's a combination of both.

The 10 vendors sell their security products to government customers primarily through distributors, integrators, original equipment manufacturers and resellers, which is another reason it's difficult to determine their government revenues. Only Cisco, McAfee and Symantec have ventured into the realm of selling software as a service.

The companies' revenues were originally analyzed in the 2006 IDC study Worldwide Top 10 Security Vendor Market Share by Vertical Market, which estimated the market shares of the vendors across 18 worldwide vertical markets, including the government market.

Spending Big for Security

IDC estimates the worldwide IT security software market in 2006 was $18.7 billion, of which the government portion was nearly $1.8 billion - making it the third-largest vertical market after banking and discrete manufacturing.

IDC's IT security revenue estimates cover "packaged software revenue" only. Packaged software is programs or code sets commercially available through sale, lease or as a service. The revenue typically includes fees for initial and continued right-to-use packaged software licenses. These fees may include, as part of the license contract, access to product support and/or other services that are inseparable from the right-to-use license fee structure or this support may be priced separately as software maintenance. Upgrades may be included in the continuing right-of-use or priced separately.

Packaged software revenue excludes service revenue derived from training, consulting and system integration that is unbundled from the right-to-use license, but includes the implicit value of software included in a service that offers software functionality by a different pricing scheme (e.g., the implicit or stated value of software included in an application service provider's or other hosted software arrangement). The total packaged software revenue is further allocated to markets, geographic areas and operating environments.

IDC defines system infrastructure software security areas in the following manner:

· Identity and Access Management: a comprehensive set of solutions to identify system users (employees, customers, contractors, etc.) and control their access to system resources by associating user rights and restrictions with the established identity. Web single sign-on (SSO), host SSO, user provisioning, advanced authentication, legacy authorization, public key infrastructure and directory services are critical components of identity and access management. Federated identity revenue is also included within the identity and access management market.

Federated identity, or federated SSO, is the ability to share a user's logon and authentication data across different Web sites and applications - both internal and external to the organization - using secure, standards-based protocols. The user can sign on to multiple Web sites regardless of provider or identity domain, and organizations are able to separate employees from external parties to better meet compliance regulations.

Another significant area of identity and access management is the hardware token market. It comprises several necessary technologies: token authentication server, authentication client software, traditional authentication tokens, USB authentication tokens and software licensing authentication tokens.

· Secure Content and Threat Management (SCTM): a security-market segment that highlights the increasing unity between previously dissimilar security disciplines. SCTM products defend against viruses, spyware, spam, hackers, intrusions and the unauthorized use or disclosure of confidential information.

Products in this market are offered as standalone software, married to dedicated appliances and hosted software services. IDC tracks the revenue from these product offerings under software to provide a holistic representation of the SCTM product market. SCTM includes four specific product areas: network security, endpoint security, messaging security and Web security.

· Security and Vulnerability Management: a comprehensive set of solutions that focus on allowing organizations to determine, interpret and improve their risk posture. Products in this market include: those that create, monitor and enforce security policy; determine the configuration, structure and attributes for a given device; perform assessments and vulnerability scanning; provide vulnerability remediation and patch management; aggregate and correlate security logs; and provide management of various security technologies from a single point of control.

IDC also tracks "other security software," which covers emerging security functions that don't fit well into these existing categories. This category also covers some underlying security functions, such as encryption tools and algorithms, which are the basis for many security functions found in other software and hardware products.

In addition, this catch-all category includes products that fit a specific need but haven't become established in the marketplace. Products currently in this category will either grow into their own categories or eventually be incorporated into the other market segments. Products in the "other security software" category include, but are not restricted to: encryption toolkits, file encryption products, database security, storage security, stand-alone virtual private network (VPN) and VPN clients, wireless security, Web services security and secure operating systems.

The Top 10 List

Each vendor's revenue represents IDC's best estimate of security revenue in the government-market segment. IDC used the following methodology to derive these estimates:

· IDC began collecting company-level data in mid-2007, using in-depth vendor surveys and analysis to develop detailed 2006 company models. For public vendors, IDC evaluated financial data and adjusted 2006 estimates accordingly. Additional information was provided through an analysis of the companies' financial statements, annual reports, press releases, position statements, vendor interviews, customer case studies and other public information.

· IDC combined this information with data collected throughout the year about each vendor, its customers and comparable vendors, to estimate the industry-specific revenue for each vendor. These revenue estimates were shared with these companies, who were asked to review IDC's estimates and provide feedback about accuracy. Not all companies were able to comment on industry-specific revenue as defined by IDC.

Check Point, McAfee, Symantec and Trend Micro are pure-play security vendors (i.e., they operate only in the security market). The remaining vendors provide a wide range of products and services in many other IT areas.

According to information provided by Cisco for the report, its total worldwide government IT security revenue in 2007 was an estimated $250 million for software and hardware security products only. Cisco also believes its U.S. federal government IT security revenue in 2007 was between $150 million and $200 million (software and hardware security products only), a 20 percent increase over 2006, which was between $120 million and $160 million. The difference between the IDC estimate and the Cisco estimate is probably because Cisco has been progressively embedding security into its products, including both software and hardware.

As the IT security industry continues to consolidate through mergers and acquisitions, Government Insights expects market shares of most of the vendors profiled in this report will continue to grow. For example, EMC created an information security division in 2006, but it became a "player" primarily because of its acquisition that same year of RSA Security Inc. and four other security companies between 2006 and 2007.

We expect EMC and the other "multipurpose" vendors on this list will continue making security acquisitions to broaden and deepen their integral security focus. For these reasons we expect that one or more of the pure-play security vendors will be acquired within the next five years, although possibly by another pure-play security vendor. This trend will be reinforced and accelerated by the ongoing drives for consolidation and optimization in IT infrastructures, which are becoming increasingly important priorities for government agencies, especially in the United States, and for the private sector.

At the same time, more holistic approaches to implementing and securing an organization's IT infrastructure and operations will mean that offerings such as CA's Enterprise IT Management (EITM) or Cisco's Self-Defending Network should have greater appeal to government CIOs and IT managers. The EITM approach provides a centralized platform for governing, managing and securing an organization's IT investments, while helping to unify the disparate elements of IT operations. Cisco's Self-Defending Network integrates security into the network, adapts to new and evolving threats, and enables collaboration across all security elements.

Public CIO's Responsibilities

On the government side of the security equation, CIOs and IT directors and managers should mandate that program managers and contracting officers adhere to the following guidelines when choosing security or IT vendors:

· ensure the procurement of a security product or service contributes to the agency's enterprise security and does not create another stovepipe;

· ensure the security product or service conforms to the agency's enterprise architecture;

· study previous vendor performance and its products and services in the agency and in other government agencies; and

· use the available procurement vehicles, which reduce costs, complexity and effort levels.

This is easier said than done, but the effort must be made continuously if government agencies are to ensure they continue to carry out critical functions and provide essential services without breaking the bank - or the taxpayers.

Mark Kagan  |  Government Insights