All of us Securosis folks will be at the RSA Conference this week, so we figured we’d pre-load some old stuff to get a feel for how our research positions turned out. Mine is really old, digging back into the archives from when I had just started Security Incite. Each year I put together a set of Incites that reflected what I expected to happen that year.

I basically copied the idea (and format) from my META Group days, where each year we obsessed over our 12 META Trends. The idea was to come up with a paragraph for each of our main coverage areas and provide some guidance. No percentages or anything like that.

The innovation that I introduced was to actually go back later in the year and assess how well the projection worked out. We never did that at META. But I figured it would be a hoot to look back at what I thought was going to be big in 2006, so here are the Incites and some more tactical predictions. Some stuff was good. Some stuff was, um, not so good. At least it should provide some laughs.

And if you want to check out the grades I gave myself on each Incite a year later, check out my 2006 report card. I can tell you my predictions stunk very badly.

You can also check out the 2007 report card while you’re at it, which will ensure you never ask me to prognosticate about anything…

2006 Incites and Predictions

(These originally appeared on the Security Incite blog, Jan 9, 2006.)

What are the Security Incites?

Annually, Security Incite will publish a list of the key “trends” and expectations in the security business for the next year. Called “Security Incites” and written from the perspective of the end user (or security consumer), Incites provide direction on what to expect, assisting the decision making process as budgets and technology adoption plans are finalized for the upcoming year. Each Incite provides a clear position and distills the impact on buying dynamics and architectural constructs. Incites also set the stage for Security Incite’s upcoming research agenda.

What’s the difference between a “Security Incite” and a “Prediction?”

Predictions are things we expect to happen within the next 12 months, and tend to be more event-oriented. The Security Incites provide a broader perspective across the security domains and can take a longer than 12 months view.

1. No Mas Box (Less Boxes, More Functionality)

Users will increasingly revolt about adding yet another narrowly focused security appliance into their network and actively examine new “simplification” architectures. New Unified Threat Management (UTM) products, using blade servers and virtualization technologies, appear in 2006 putting vendors that license key intellectual property at a disadvantage. Management of the integrated UTM environment will remain difficult through 2007.

2. Get the NAC!

The increasing number of ingress points into corporate networks (mobile, contractors, VPN) forces users to migrate to a virtual network infrastructure with a secure net and an unsecured net. Network Admission Control (NAC) architectures gain traction in 2006 to facilitate this architectural construct, but do require homogeneity of equipment pushing the pendulum away from best of breed providers.

3. Who are you?

Identity Management (IDM) breaks out in 2006, as ROI-driven password management and single sign-on (SSO) initiatives are deployed en masse. Smart users increasingly figure out that strong and centralized IDM provides “good enough” authentication and authorization for compliance purposes, accelerating market growth in 2H 2006. Yet, identity federation continues to lag in a cloud of useless vendor bickering and standards immaturity until mid-2007. Token-based authentication finally hits the wall, as passwords remain good enough and no compelling alternative appears.

4. Stay Out of Jail

Compliance continues to generate tremendous hype, but largely remains a red herring throughout 2006. Smart users will use the compliance word to get funding for critical imperatives (perimeter redesign, identity management) and sufficiently document their processes to keep regulators happy. Those not so smart users figure encryption is a panacea and buy some; ultimately realizing making encryption work on a large scale basis hasn’t gotten any easier.

5. Losing The Religion

Everyone finally realizes in 2006 that regardless of technical approach (IDS vs. IPS vs. firewalls vs. anomaly detection) it’s all about detecting and blocking malware quickly and effectively. Users expect to see multiple techniques implemented, spurring another wave of consolidation as vendors look to bring complete enterprise-class UTM solutions to market.

6. Endpoint Hostile Takeover

Driven by the prevalence of unwanted applications, internal zombies outbreaks, and documented information leaks enabled by key loggers and spyware, users will increasingly lock down endpoint devices, despite pushback from the business users. Limitations of the Windows XP security model makes lockdown difficult in 2006, but much easier when Microsoft’s Vista operating system is ready for deployment beginning in 2007.

7. Bad Content is Bad Content

Given “innovation” by spammers and fraudsters, keeping content filtering algorithms accurate and timely is proving very difficult for content-focused security vendors. In 2006, heuristics-based detection cocktails fall out of favor, pushing the pendulum back towards signatures that favor entrenched AV vendors. Users increasingly embrace “in the cloud” content filtering for e-mail, IM, and web traffic because it allows them to get rid of another box in the perimeter and stop worrying about exponentially increasing message volumes.

8. Security Management (oxy)Moron

Stand-alone security information management (SIM) plateaus in 2006, as consolidation continues and the need for large-scale system integration makes acceptable “time to value” out of reach for all but the largest enterprises. Closed correlation systems increasingly take root as users swing towards homogeneity and ratchet back expectations on which devices really need to be integrated into the management system, while leveraging the reporting infrastructure for compliance purposes.

9. Services

Managed Security Services provide increasing value in terms of both operational capabilities and content filtering. Users realize that removing threats “in the cloud” provides better bang for the buck for mature technologies (firewalls, IPS, anti-spam, gateway AV, web filtering). The biggest challenge in 2006 will be integrating operational and reporting capabilities across internal and MSS spheres of control.

10. Built to Last (Securely)

As application security functions are further integrated into UTM platforms in 2006, focus shifts to actually building software securely. The high tech vertical will lead the way in embracing behavioral changes for developers, source code analysis tools, and techniques to protect data at rest. New Web 2.0, SOA and on-demand application architectures with better security models increase in importance.

11. It’s Time for “Stupidity School”

Though distasteful, security professionals will be forced to undertake a structured and comprehensive education program to stop employees from doing stupid things. Given the sophistication of attacks and the difficulty in stopping them at the perimeter, educated personnel may be the only defense.

12. Battle of the Titans

The big will continue to get bigger in 2006, as frenetic consolidation continues as product line breadth outweighs actually functionality. By the end of 2006, it becomes apparent that the real battle is between Cisco and Microsoft to control the architecture of networks and applications moving forward. As with other huge “marketectures,” users are caught in the crossfire, but 2007 will see enough additional functionality for those embracing homogeneity to see a wave of infrastructure upgrades. Vendors not strongly aligned with one of the two titans face irrelevance by 2009.

2006 Predictions

(Note: I put my commentary from the report card in here because it’s hilarious…)

  • M&A continues, with small deals to acquire innovative technology being most prevalent. No blockbuster security deals (> $500 million) will happen in 2006.

GRADE: F (maybe a triple F, if that’s possible)

EMC/RSA – $2.1 BILLION. IBM/ISS – $1.4 BILLION. Need I say more?

  • Vendors relying on licensing OEM technology find a world of hurt, as important intellectual property is acquired and licensing terms become increasingly unattractive. The UTM blade architecture makes intellectual property valuable real estate and those with strong IP positions see higher value exits.


Not too good on this one either. Seems that Crossbeam and IronPort did OK in 2006 and lots of service providers (especially in the anti-spam space) don’t seem to have problems relying on OEM technology. IronPort did roll out their own anti-spam technology, but they license lots of other stuff.

  • Microsoft has limited positive impact on security in 2006 (despite the introduction of OneCare), but the AV market is living on borrowed time. Integrated security and endpoint presence for enforcement provides a visible hook for MSFT to catch up to Google.


Microsoft did bring OneCare to market and their rebranded Forefront offerings are in beta. Are Symantec and McAfee taking on water yet? Nope. But it’s clear that stand-alone AV is dead and all of these desktop offerings are evolving into more endpoint security oriented suites. In terms of the Google hook, what the hell was I thinking? Microsoft continues to chase Google, but security isn’t the way they plan to catch up.

  • Increasingly bigger VARs start flexing their muscles and make or break a number of vendors in 2006. Those “made” vendors get big M&A outcomes in 2006.


There was a decent amount of consolidation in the VAR community (FishNet bought SiegeWorks and True North), but it would be a stretch to think that these folks had any influence on making or breaking vendors. Clearly many of the new security start-ups are going 100% channel by design as the introduce their first product, but it’s more to eliminate the pain of transitioning later rather than trying to get a big VAR to make their business.

  • Continued vulnerabilities in AV and spyware products attract the attention of tort lawyers who target AV companies after the resurgence of a well-known attack renders most SMBs defenseless. Larger enterprises with multiple layers of defense escape unharmed and point to the criticality of a layered defense strategy.


This didn’t happen, though there were plenty of problems with AV software. I guess the tort lawyers were too busy suing high tech companies over stock option grants. That being said, this is still a big exposure and it’s just a matter of time before we see this actually happen.

  • Open source security stumbles in 2006, and the changing business models and decreasing effectiveness of Nessus, Snort, and MailAssassin are not well received. Service providers make significant investments to drive a future renaissance in open source UTM software, SIM, web filtering and encryption to dramatically reduce their cost to deliver MSS offerings.


This one is tough because there are folks that are questioning the value of open source in security circles. But this happened more from the standpoint of open source applications (like PHP), which was plagued with vulnerabilities and no one to fix them. Nessus and Snort remain “good enough” for the technical users.

Another thing we didn’t see much of was the service providers doing much of anything relative to security, except maybe buy something. Again, I do think this is something that will happen – but it’s a fools errand to try to pinpoint when.