In a recent IDC study, Australian CIOs and IT managers representing medium and large organizations were asked to rank their IT-related concerns in order. While security ranked 16 in 2001, it jumped to sixth position in 2003. This data validates security as increasingly a top-of-mind concern for CIOs. These results also indicate an increase in corporate awareness surrounding security threats, which has led to a more mature understanding of the role technology can play in combating threats.
This change in perception is having a direct impact on levels of investment in security technologies and related services that are intended to facilitate appropriate and sustainable security solutions for each enterprise. In too many situations, the existing security environment has been exposed as limited. The absence of broader architectural approaches is also becoming evident. These issues are leading to direct expenditure on security solutions, across the hardware, software and services elements.
Total spending on security solutions in Australia amounted to an estimated $786.7 million in 2003. This is forecast to reach $1.387 billion by 2007, representing a compound annual growth rate of 15.2 percent over the forecast period. Of this total 2003 expenditure, services accounted for the largest portion (50 percent) of the total security solutions market. Organizations are realising a growing need for services around consulting, assessment and management to address the security threat. Software was the second largest portion at 35 percent of total expenditure. While hardware was the smallest contributor (15 percent), IDC is seeing more organizations purchasing security appliances. This should lead to hardware¡¦s portion of the overall security solutions market rising by 2007.
While the security market appears to be on the verge of a pivotal change, IDC believes too many organizations remain complacent about security. Many businesses incorrectly assume they are safe with the simple deployment of antivirus software and a firewall. This is not the case. Worse, organizations often remain unaware of data and network breaches until events are long passed. In some cases, they may never know they were breached. Examples of these include data modification such as a virus that replaces Excel spreadsheet data, cell by cell, over a period of months. This kind of breach is very hard to detect. The inhibiting factor here is reminiscent of the ¡§chicken and egg¡¨ conundrum: how do you know you are breached unless you have technology to tell you this? And how are you going to feel the need to deploy such technology if you are blissfully ignorant that such breaches are occurring?
An IDC survey conducted in February 2003 reveals security adoption trends in Australia. Not surprisingly, most (96.8 percent) organizations have deployed antivirus software, followed closely by firewall software (89.2 percent). These are clearly mature markets and historically have been a first line of defence against IT security threats. Yet, investment in security related technologies have continued to grow year-on-year, with no sign of slowing down.
Security technologies are typically reactive, with a need for constant management and upgrading. As security threats become more serious, organizations are requiring more sophisticated solutions that address security at multiple layers. As such, a growing number of organizations are investing in solutions such as intrusion detection and prevention or authorization and authentication technologies, as can be seen in the figure below. While 65.2 percent of organizations in Australia claim to have intrusion detection systems in place and 17.2 percent of respondents plan to implement the technology sometime in the near future, IDC believes this market is in transition. The historical intrusion detection technology providers are moving toward intrusion prevention systems that take a more proactive approach to intrusions moving from watching to actively blocking traffic on systems and networks. New technology and offerings in this space will likely result in a spike in the market in the next 12 to 24 months, particularly in the intrusion prevention appliances. The authorization and authentication markets are showing signs of strong growth. These technologies are critical to identity management solutions, an area where IDC has seen strong growth in the last six months.
Another area IDC expects to see strong growth further down the track is in security management software. While organizations are still getting their head around security management and are doing this with varying degrees of success, it is inevitable that as the complexity of security infrastructure grows, so too does the need for effective security management software. While tools to deliver management of the IT security infrastructure are still immature its an area where we will see more offerings and higher demand in the future.
The prominence of these trends in driving security investments points to a significant change in the dynamics influencing or driving investment in IT security solutions. Historically, investment in security has been reactive. Just two years ago, IDC research showed major security breaches were the primary driving force behind investment in IT security. This can be attributed to a lack of awareness and maturity among users at the time, as well as a lack of data and models to assist in justifying business cases and planned security investments.
Today, there is a very different landscape emerging. While major security breaches and the threat of malicious damage still rank as a driver for IT security investments, their importance is declining. Instead, organizations are adopting a more proactive mindset and designing security architectures that address longer-term business objectives.
What is driving spending on security?
IDC research indicates the following key trends are driving demand for security solutions by Australian organizations:
Increased Internet/intranet usage.
The number-one factor driving increased activity in security is a growth in Internet and intranet usage. While early Internet usage centred on information sharing and Web site access, the Internet environment now provides the platform for many e-business activities. Suppliers, customers and employees are blended into an integrated IP-based business fabric supported by a growing array of data sources, applications, transaction types and resources. This evolution of network usage has expanded security requirements exponentially, making it a key driver in the growth of the security market in Australia.
As consumers and companies look for better ways to transfer data and conduct transactions, the mobile environment will become increasingly attractive. IDC believes security will be paramount in this area. As mobile Internet expands beyond early adopters and rolls into the enterprise and general-consumer markets, mobile security will become an increasingly hot issue. Enterprises need to weigh the benefits of mobile access for employees against the potential threat of opening yet another channel to the sensitive data contained on their networks.
Looking forward the largest market opportunity in the security hardware, software and services markets lies in providing end-to-end security solutions. While security solutions have been purchased primarily as point products in the past, moving forward customers are looking for easy to manage and straightforward solutions to their security requirements. Providers with an end-to-end offering either by partnering, bundling solutions or acquiring technology to fill in gaps in their offerings, will have a clear advantage over those that do not.
Business requirements will drive spending on IT security, because of the importance of data and highly available systems and networks rather than security breaches or virus attacks. Therefore, offerings should answer a business concern rather than a technology concern or the fear factor that malicious attacks induce.
Intrusion detection and prevention opportunity.
The intrusion detection and prevention market has growth potential especially in the appliance space. Effective end-user education around the enhancements made to this kind of technology and its important role in an effective security strategy could lead to considerable growth in this market.
Identity Management opportunity.
IDC believes the Identity Management market is a growing segment in the security market. We will see a number of different vendors vying for dominance in this space. As of yet, there is no clear market leader as there are a number of different inroads and drivers promoting adoption of this technology for Australian organizations and government departments. At present, there seems to be enough market to go around for the diversity of players in this space and thus consolidation has not yet begun.
The Antispam market will grow extremely fast in the next two years and then quickly become highly saturated. IDC believes enterprises will likely deploy best-of-breed antispam technology at the outset and quickly realise an integrated mail and messaging solution including content and e-mail filtering, antivirus and antispam is more cost effective, easy to deploy and manage in the long run. As for consumers, Internet service providers are working out ways to provide their customers with antispam protection. Telstra recently launched an offering in this area for both consumer and business customers. Within in the next year most Australian ISPs will follow with offerings if they have not already done so.
Despite the heightened focus on security and the growing investment dollars being directed at addressing the security dilemma, there still remains significant challenges facing IT professionals. The following list highlights some of the more common challenges IDC hears from the market:
- Preventing unauthorised access by ensuring valid credentials while widening access to formerly "inside-only" content.
- Integrating the security infrastructure, such as ensuring that a wide range of security products work together seamlessly and without excessive administrative overhead.
- Controlling the availability of sensitive data as it is replicated across Web servers.
- Protecting assets from hacking to avoid embarrassing Internet exposure and maintaining an unsullied reputation.
- Ensuring security supports e-business openness. This includes ensuring that security does not block key business objectives with, for example, "ease-of-use" issues for external users or "time-to-market" delays for e-commerce managers.
Clearly when it comes to security, organizations are facing more complexity and challenges. This is resulting in major changes to the IT landscape in Australia, particularly when it comes to how security is perceived and the role it plays within the enterprise. The result is that as organizations develop a deeper appreciation of the breadth of the security challenge ¡V in increasingly complex and interconnected environments ¡V and as a result their security spending is increasing.
Megan Dahlgren is a market analyst, software, IDC Australia