Neil MacDonald, an analyst at Stamford, Conn.-based Gartner Inc., said that as security software such as antivirus, antispam and antispyware tools becomes commodities, they may no longer justify the premium pricing associated with specialized technologies.
Instead, he suggested at Gartner's IT Security Summit in Washington, D.C., this week, the time may be right for companies to consider converged products or services that may not always offer best-in-class capabilities for each individual function but are still good enough.
In addition, MacDonald said, as some threats become well understood and the tools to protect against them mature, it makes sense for security groups to hand over management of these tasks to IT operations groups. For example, antivirus tasks could be handled by desktop support teams while patch management is handled by the software distribution group, he said.
Security shouldn't require dozens of point products, MacDonald said. In the future, "I see reduced costs, reduced complexity, better manageability and better integration being collectively better than best-of-breed," he said. "I would look at desktop security, perimeter security, e-mail security and identity and access management products to see if there are opportunities to go with converged solutions that reduce complexity and save money."
Integrated products make sense, depending on how well the combined functions work and how easily they can be managed, said Sven Doersam, desktop security lead at Johns Hopkins University in Baltimore.
The university is investigating products that combine personal firewalls, antivirus and antispyware capabilities as part of a bid to reduce the number of security products deployed on desktops, he said
"I think we would realize some cost benefits from such products and it will give us a single point of contact" for support, he said. However, the approach will also mean "putting all our eggs in one basket and relying on one vendor" for crucial security defenses, he said.
Marty Wake, senior vice president of IT at Mercantile Safe Deposit & Trust Co. in Baltimore, said he expects more integrated security suites to emerge from vendors as the tools become commonplace and mature. In fact, he predicted that enterprise class antivirus, antispam and antispyware capabilities will soon be "built in as giveaways" in broader security suites.
In addition, as operating systems and applications become more secure and service providers integrate security into their services, expect to see a consolidation among security tool vendors, he said. As a result, at least some products that companies pay for now will be available at lower costs or even for free, he predicted. "I think we will be able to spend less money on security products" in the future, he said.
Microsoft Corp.'s growing presence in the security market is pushing a lot of this change, MacDonald said. Even if enterprises don't start broadly using Microsoft's security products anytime soon, their presence in the market will force other vendors to cut prices to compete, he said.
But Miguel Perez, general manager of Santiago, Chile-based reseller Novared SA, said large companies are still better off using best-of-breed products. Suites of commodity security offerings likely make sense only for small and mid-size business because of the lower complexity and cost.
"For big companies, the cost of best-of-breed technologies is not significant compared to what they are risking" by moving away from them, he said. And this won't change until vendors start delivering better management capabilities for dealing with integrated security products, he said.