Just Like Everything Else In The Enterprise Space, Security Is About To Be Disrupted.

Editor’s Note: The following is a guest post by OpenDNS CEO David Ulevitch. OpenDNS is web-based DNS management software, offered as an alternative to using a given ISP’s DNS servers. 

Disruption doesn’t happen in a vacuum, it happens in context. And there is no greater example of disruption than what’s happening to enterprise technology market right now. Much of this is largely thanks to changing enterprise landscapes (consumerization of IT, cloud apps, mobility), new sales models and innovative go-to-market strategies (SaaS, Yammer d’état, land-and-expand) that leave the entire space ripe for disruption.

We’re seeing it happen right now in a number of business-critical spaces: CRM (SFDC), Storage (Box), Compute (Amazon), Collaboration (Google Docs) and others. Security, one of the largest budgeted areas in enterprise IT spend, is next.

The enterprise worker of 2012 looks wildly different than she did in 2005 (which isn’t so long ago!). Today, her applications are Salesforce, Google Apps, Box, and many other cloud-based services – the latter two didn’t even exist before 2005. She uses these services on myriad devices like her iPhone, iPad and laptop. Moreover, she does this from her office, her home, cafés, airport lounges and more. She is a digital nomad, fully embracing the idea that work is a thing you do, and not a place you go. Unfortunately, enterprise security missed the boat.

Much of this change has created a void that enterprise security vendors have ignored. When the work happens outside the network, on consumer devices, and the applications live in the cloud, the expensive legacy security appliances with no traffic running through them act much like the silent tree felled in the forest. This is happening, and as it turns out, this has created a massive window of opportunity for disruption.

Enterprise security today is at a crossroads. CSOs have been outflanked by the proliferation of mobile devices and cloud services, whereby many security best practices are being ignored in the interest of embracing access and collaboration. Simultaneously, the threat landscape is becoming increasingly more sophisticated and nefarious. The security market leaders (Cisco, Symantec, RSA, Checkpoint, Blue Coat, etc.) are having a hard time staying relevant as their historical “speeds and feeds” style of security ceases to address market pain. In fact, a Gartner report recently pointed out that while the overall security market is growing nicely, the share of the pie held by the big 5 security vendors is shrinking year over year, a scary thought for their long-term shareholders.

So if the paradigm of forcing all Internet traffic through an appliance at HQ doesn’t make any sense when the employees are out of the office, working on personal devices the company doesn’t control and using cloud applications, then what do we do? Where do we go from here? Companies have compliance, fiduciary and regulatory requirements to protect their employees, their data, and often their customers from security breaches and threats. Should every company ban iPhones? Facebook? Dropbox? Should employees be required to use a VPN to headquarters just to use Salesforce.com? None of those sound good, but there is a path forward.

First, companies need to recognize that a firewall and a VPN no longer cut it for security. To paraphrase The Matrix, there is no perimeter. Second, organizations need to embrace reality – I still see debates about whether or not employees should be allowed to “Bring Your Own Device” into work. It doesn’t matter if BYOD is a right or a privilege; that’s the wrong question. BYOD is a reality. Smartphones are here to stay. Cloud services are only becoming more and more entrenched.

The security company of the future will focus on how to help these new nomadic workers securely access data and how to do it while protecting employee privacy and allowing them to get work done.

So why are the legacy vendors screwed? In order for a big security company like Cisco or Blue Coat to offer a service that actually provides protection for an enterprise, across all of their machines and devices, they’d first need to have a fundamental business model shift from selling boxes to selling services. Sales goes from selling boxes to selling subscriptions. Engineering goes from shipping metal to running a 24×7 service. Finance changes revenue recognition models. Everything changes, and that’s really, really hard. That’s a shift no enterprise company I know of has successfully made to date, which is why other enterprise markets are disrupted by new players like Box and Yammer – nimble startups that built cloud- and mobile-first solutions from the ground up, and aren’t bound by their legacy business models.

So is this happening? Yes. Security companies that have historically owned the lion’s share of the enterprise market are losing deals to newer players like ZScaler and my own company. These new companies aggressively target the big guys’ banner customers and have a lower cost to serve and easier onboarding which enables them to pass a savings on to customers. Additionally, because today’s threats are becoming more sophisticated and the incumbents are proving ill-equipped to provide sufficient protection, we’re seeing very large companies taking chances on startups’ services, a trend we haven’t seen often in the past. For enterprises, it’s simply a question of risk versus reward, and the risk of betting on a startup far outweighs the risk of not maintaining a secure enterprise.

Here’s what I predict that we’ll see happen: Each of the big security players will soon reveal its strategy for staying relevant. Some may go to market with some frankenhybrid cloud solution that sticks their boxes in the cloud. Some may try to build a network of their own to offer cloud-based security services. Others may stick their heads in the sand and deny that the world is changing, just as Siebel did for years as Salesforce gained increasing amounts of market share. Though, true to the nature of disruption, it’s unlikely that any of those approaches will be very successful as the changes in the enterprise landscape are simply too dramatic to just iterate a product to cover. We will also see a major catalyzing event in mobile security – something on the order of magnitude of the Melissa worm, or Code Red. Something that forces companies to realize the exposure they have created by enabling such open access to their most sensitive information and requires them to quickly adapt to the new reality.

I may be the biased CEO of a security company competing with the likes of Cisco and Symantec, but industry experts are taking notice of this trend, too. Just last month Gartner, the analyst firm whose opinions dictate many tech buys in the enterprise space, published its Magic Quadrant for security. Websense, a current market leader with a long-standing relationship with Gartner, was – no surprise – positioned in the top right corner. But in the “threats” section about Websense, Gartner calls out just one company that critically threatens the industry giant: OpenDNS, which has no current or past financial relationship with Gartner.

Security is always a moving target, so the good news for customers is that the shift to cloud-based security solutions that operate as a true, ongoing partnership between vendor and customer will be far more effective than the one-time security appliance purchases of the past. But change is coming, and it’s going to be ugly for the old guard.

Image: Getty /Gary S Chapman