What is Happening?
Cybersecurity as an industry, and as an enterprise asset/requirement/practice, is at an inflection point. ISG’s research reveals an emerging, significant market migration to cybersecurity services through the next several years – part of a larger, generational switch from security products to services. And after the switch, it’s mostly driven by cyber-services.
Enterprises already find themselves becoming swamped by the convergence of four major „waves“ of IT security, blending traditional technology and perimeter approaches through managed security services to security-as-a-service and, soon, cognitive security services. Meanwhile, most providers must reinvent their own businesses to succeed; they must shed outdated business / delivery models and adopt radically different strategies.
The net result? Migration to security-as-a-service is not going to be smooth, unified, or universal – by solution areas, services, industries, or geographies, nor in time.
Why is it Happening?
ISG Insights has detailed the development and timeframe of four important waves of IT security development, deployment, and management (see Figure 1). Knowing what the each of the major four waves of security are, how they and when they occur, and where the enterprises security profile fits, is the necessary first step to more effective digital security.
Figure 1: Enterprise IT Security Waves, 1987 – 2057. Source: ISG Research.
The first wave of security is a familiar era of perimeter-based technologies deployed on-premises. This includes all forms of software and security “appliances” that automate the technologies of identity, access, asset protection, threat detection, response and recovery.
The second wave of security is also familiar: it is the era of managed security services in lieu of fixed labor costs. We see these managed security services expanding to include most – if not all – of the perimeter-based security technologies of Wave 1, just delivered remotely by a service provider.
The third wave is digital security, and is the era of digital software APIs and digital security services. It is an era of subscription services from the Cloud, where people, data and applications access workloads and data from the Cloud, and where data and workloads are protected in hybrid Clouds.
The fourth wave is also digital security, but is more a cognitive era of security that automates deception / detection / analysis / response phases, extending into the fabric of most every other aspect of IT. Beyond automation, Wave 4 also introduces natural language interfaces, deceptions, information asymmetry, and intelligent bot-enabled predictive decision-making.
The net result through the next several years is a confusing confluence of competing categories of products, services, methodologies and practices that cloud enterprise policies, enable (and enforce) bad investment choices, and overall reduce the ability of the enterprise to provide and manage IT security at a time when exposures and risks are rising faster than ever. In today’s outsourcing-favored, cloud-first IT environment, this rolls over IT services providers in general, and IT security providers specifically, complicating their market vision, their business approaches, their portfolios, and their profitability.
Net Impact
Over the coming 36 months, innovative and early adopter IT leaders and providers will be faced with making sense of Waves 3 and 4 that are commingling and crashing into Waves 1 and 2. Mainstream adopters forced to adopt Wave 3 services should consider planning for an earlier than normal adoption profile for some Wave 3 or 4 digital security services to avoid becoming left behind. Traditional late adopters who remain so risk becoming drowned by the onrushing waves of the new digital security services.
ISG Research has developed a new, global web survey-based research program to help provide data and insight into current and planned enterprise IT security investment, practices, and expectations. The survey itself launches within the next few weeks; we expect to have the initial results by the end of December, and to begin delivering insight and guidance to clients shortly thereafter, in a series of reports, Research Notes, Briefing Notes and blog posts.
ISG Insights clients will receive the most up-to-date insight and guidance that will enable the most effective, least-disruptive, and least-expensive changes for enterprise and provider clients. Those interested in further details of the survey, or in becoming clients in order to receive the guidance that is being developed, can click here.