Just about a year ago, I started thinking about the last big thing in security. This industry has reached a stage where disruptive technologies have virtually hit the glass ceiling. The market has violently regurgitated any attempt to shove myopic product solutions down its throat. While industry old-timers sulk at it, I believe it’s a justifiable act. However, there are still a few acid-tripped security startups aiming to sell pure-play product solutions which only solve a part of the problem. I think their belief lies in the fact that there are still a few paranoid clients and pseudo-geek CISOs who will buy their FUD-mongering and save themselves from the impending security doomsday. I think they are badly mistaken.

On a calmer note, customers have realized their mistakes and are suffering from existential angst. They understand the current threat landscape and the actual security risks looming over their business – they see the bigger picture and they know what they want. What customers don’t want are solutions which fragment the security problem into minuscule, mind-numbing, schizoid entities like botnet mitigation, security incident and event management, change control, client-side security, intrusion prevention, virtualization security, spam protection, endpoint protection, network behavioral analysis, identity management, fraud prevention, threat intelligence, compliance management, yada yada yada. Customers have failed to quantify any tangible RoI on such expenditures, they have had a hard time managing the gamut of deployments over their networks, and above all – they don’t have any god-damn clue on how to glean actionable information out of these products. They have stopped being carried away by this cryptic industry. So consolidation was a very obvious Darwinian step.

Mind you, the consolidation is happening in two ways. First, the established bigger security vendors are acquiring smaller companies and creating wholesome, turnkey solution offerings which cover everything under the security umbrella (Symantec, McAfee, Cisco). Second, enterprise software and solution providers, which are generally exposed to maximum risk, are integrating these security technologies right into their very frameworks (EMC, Google, HP, IBM, Microsoft, Oracle, SAP, VMware). Two further observations follow from this: the coming innovation will be in the solution offerings and not in the underlying technologies, and the security outsourcing industry is lagging by around five years.

So now comes the million-dollar question. What about grassroots entrepreneurs and Schumpeterian innovators? I think there are some opportunities on the horizon. The opportunities lie in re-innovating product technologies which failed only because of their higher operational costs and lack of business clarity. A quote from my last post which will help in elucidating this point:

…enterprise security expenditures became more and more justifiable in business terms due to regulatory compliance, cyber-crimes becoming a grim reality and the changing threat landscape. So now, security was not some obscure handiwork limited to network administrators; its need had trickled down towards the pin-striped pants of the management.

Opportunities also lie in security solutions which can leverage the cost arbitrage. With the ongoing consolidation, security solutions have become more and more service-centric, and productized services are the way to go. When it comes to services, we can definitely exploit the well-proven Indian offshoring model. The case in point: although the bigger security players are merrily striving to provide wholesome solutions, integrating such diverse acquired technologies leads to a lot of quality loss, thus raising the cost of the service offering.

Let me take a few ideas very specifically. A few months ago, when I read this seminal article by David Cowan, my immediate thought was, “Why not try outsourcing+SaaS!!?”. An excerpt from my brief commentary:

Absolutely credible and intuitive assessment of the consolidated and de-productized information security market by David Cowan of Bessemer Venture Partners. David has hit the bullseye here, beautifully explaining the current and underlying bottlenecks ailing the business of information security. Personally, I feel this is a brilliant take on the future of the IT security industry. People have already shunned the idea of another killer security product and information security outsourcing (infrastructure management/MSS – whatever) is going nowhere.

Now, imagine the proven Indian offshoring model combined with SaaS! A company like Wipro, which has a well-established security consulting services arm, has this whole market for the taking if it can streamline its messy operations. However, this is a tough bet for grassroots entrepreneurs as it requires an elaborate operational setup and infrastructure.

And just a few weeks ago, when I read the Challenge to Indian Entrepreneurs posted by Sramana Mitra (written in Feb’07), I became more and more certain.

In the recently concluded Philippe Courtot interview series, we discussed at length the various ways in which India and China could undercut US companies, and Philippe acknowledged that in his business (Qualys is an outsourced managed security service provider, a SaaS play), it is quite possible that an Indian company could come up with a vastly lower cost structure, and customers would switch immediately, if they are convinced about the reliability of the service.

Just to set the economics in perspective, Qualys has invested $65 Million to build an infrastructure that “is at the scale of the planet” to monitor, audit and report network security problems.

Let me throw a challenge in the direction of the Indian entrepreneurs: Go figure out how to build this same business for $30 Million, and I can tell you, you will have an absolute winner in your hands.

There hasn’t been a better time to disrupt the current dystopian order. In fact, a few Indian companies like iViz and Aujas (both backed by IDG Ventures) are trying something similar to Qualys. But they have a long way to go. Their product technologies are in a nascent stage, they are trying to re-invent the wheel in solving most of the problems, they lack the technological maturity needed to understand the services model, they don’t have solid sales and marketing channels, and above all, they don’t have the kind of Übermensch team which is needed to pull this off. There are only a handful of people in India who have worked in such intrinsic areas as security product management, so talent is scarce. I think there is a window of about 1.5 to 3 years, until the bigger consolidated players fix the rough edges of their offerings, in which such startups can still leverage this big opportunity.

Okay, one more idea for the taking. I think service-provider (tier-1/backbone) security is one market which is still in the experimental phase. There are some great opportunities lying there. Indian companies like Guavus, and others like PacketAnalytics, are working on it.

Then, opportunities also lie in capturing the contemporary security services market by moving it to the fashionable on-demand model, combined with offshoring. Veracode, for application security, is one example.

That day is not far-off when some Indian entrepreneur will make Sramana and SaaSu-Maa jump with joy. Whad’ya say? 🙂

Happy SaaSu