I read Ericka Chickowski’s Dark Reading post on Database Security Market Growth today. While I generally agree with the estimated rate of growth, I am mystified by the market sizing. Where did this number come from? Is $755M wrong? I don’t know. But I am certain nobody else does either. I get asked about the size of the database security market every month. Simple question, impossible answer. Why? For starters, even if you agree on what constitutes database security, you would still need to distinguish between database-specific products and general-purpose products with some database capabilities. Once you choose the ground rules for what’s in and what’s out, it’s basically a bunch of guesses about what vendors are earning. Understanding how much money a specific product earns is difficult with small firms that only have one or two products; and giant firms bundle many products, services, and maintenance together – making it impossible to assess what goes where. Was that money for the database licenses you purchased, the app and middleware stack, the user training, the professional services for customization, or the security? For an example of what I mean, let’s look at these facets in more depth:

  • Security Technology: What technologies comprise DB security? What’s really in and what’s out? I consider encryption, access control, database assessment, database activity monitoring, auditing, label security, and masking as parts of the database security market. Sometimes I throw patch management in, but it’s really a more general process. Some of these are built into the database but most are third-party add-ons. Your first step is to set the ground rules: which technologies will you include?
  • Application of Security: You need to ask, “Is it really database security, or is it generic security applied to databases?” There are many assessment tools on the market. Each has limited database capabilities. However, because they don’t log into the database with database credentials, they cannot perform a thorough scan. These products are not database assessment tools. Encryption is similar to patch management, in that the tools can be applied to more than just databases: ciphers applied to data at the application layer are not considered database encryption, but products at the OS layer are. You need to pull a large percentage of the overall products from your market sizing analysis to reflect reality. It’s like a giant series of Venn diagrams – each security technology forms an overlapping bubble, and part of each applies to databases. You need to determine their intersection.
  • Platform Inclusion: What do we mean when we talk about databases? Is it just the major relational platforms? Do you consider ‘Open’ platforms like MySQL, PostgreSQL, and Derby? Do you include Teradata and mainframe databases? Do you include flat-file ‘databases’ and NoSQL datastores? The lines between relational and non-relational, and between non-relational database security and file security, are becoming increasingly blurry. The trend is toward a data services market, and the term ‘database’ is gradually losing its meaning. This is important because the relevant security technologies are increasingly diverse – file security tools, for example, might now be the best way to secure a flat-file database.
  • Revenue Calculations: To calculate revenue from any given vendor you have to figure it out the hard way: ask new customers. Vendors lie about their revenue. Even the ones who have nothing to hide still do it. You can’t believe what they tell you. Ever. Small companies are bad, and large ones are even worse. For example, what portion of a deal was actually for DB security, and how much was for totally different stuff? Large firms frequently tell me about their million-dollar security sales, but I later find out the price was negotiated for database licenses, with auditing thrown in for free. And it’s very hard to contradict them until you speak with customers. You can’t tell from the balance sheet. Software, tools, and services get bundled at a single price; so you don’t really know the percentage spent on security unless the customer estimates for you. Security sales reps will tell you the entirety of such a deal was for database security, which means you cannot pay attention to what they say without corroboration.

Estimating market size is a series of guesses, all added together, which is why we stopped doing it. When a market is small and the vendors are still private, you can get a very good idea of the revenue picture. For example, before the big vendors jumped into DAM, we had an excellent idea of that market’s size. If you are reading market size projections for database security, keep in mind that whoever is making them is guessing, wrong, or both. Our point is that you need a really good reason to even ask this question. If you are looking at market sizing and trends in order to predict revenue, modify your career path, or justify expenses, you need to accept that you just won’t have any accuracy. If you are looking to make investments in a particular firm, understand that some product verticals grow at 20% overall, but the majority of the overall growth is from one or two firms – the rest grow at 8-10%. If you are trying to figure out specific product lines, you will need to dig in and do some serious homework to get answers with any meaning.