Service provider takeaway: Service providers learn how to adapt to the integration of security and storage technologies.
John Thompson, CEO of Symantec, dreamed of storage and security folks not only co-existing, but prospering under the common goal of securing the information that runs every business. He put a significant amount of his shareholders' capital and his legacy on the line to chase that dream by buying Veritas back in July 2005 -- a deal that would ultimately end in disaster. Both companies suffered a loss of momentum as integration issues, buying center mismatches and channel conflict plagued the "new" Symantec. However, a similar deal -- EMC's acquisition of RSA -- has been largely a success. It showed that the buying centers are different for security and storage, which can provide an opportunity for value-added resellers (VARs).
Let's look at it from a customer's perspective. Is there any leverage to having an integrated security and storage product family coming from one vendor? The answer has been a resounding no. Data center managers, who worry about storage as a part of their responsibilities, have not embraced the need to secure their data. Either that, or they aren't sure how. But integrated security and storage are on the horizon, and as security eventually becomes a function and feature of the storage infrastructure, your data center customers will need to start learning the vernacular of security.
Customers will still buy storage -- it will just be more secure storage. And security folks will still buy security products to fill the gap where the network, data center and applications don't do enough. It will be a while before the two meet. But when they do, it will have dramatic implications for the entire security business. Without legitimate buying center leverage, these deals don't make a lot of sense.
In the meantime, we'll experience a gradual erosion of the "security team." I've long said security is a feature, and over time each of the operational domains (network, data center, applications) will need to have security as a key facet of whatever they are doing. It reflects the reality that securing data is fundamentally different than securing computers or networks.
The security empire will be subsumed into the operational groups, and likewise the storage team will eventually get a security specialist to ensure that data at rest is protected. But does that mean that a security VAR needs to get smart about storage now?
Yes and no. Basically, the core buying constituency of the security VAR is going to gradually go away. Maybe not today or tomorrow, but it's very likely that a different buyer will be buying security within five to seven years. In this kind of environment, you adapt or die. Security VARs have a decision to make over the next few years: What do you specialize in?
Whether it's storage, applications or networks, the consistent drive toward integrated solutions like unified threat management (UTM) means the market is voting to buy integrated devices -- that means the days of standalone security opportunities are numbered. (Yes, it seems I'm working myself out of a job.) Those who want to be around in 10 years need to start thinking about how to specialize and decide which vendor partners will provide the most strategic path to continued prosperity.
At the same time, storage VARs need to get smart on security as soon as they can. It's clear that storage (and the wider data center category) will become more security-aware sooner rather than later. Existing manufacturers (Symantec, EMC, et al.) already provide encryption and data leak prevention (DLP) products, making the move easier on you. Other companies to check out include Voltage and Vormetric on the encryption side and Vericept and Reconnex on the DLP side.
There is a great line in Led Zeppelin's "In The Light": "The winds of change may blow around you, but that will always be so." There is continuous change in the air -- how are you as a storage or security VAR going to deal with it?
About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.