The Emerging Security Assumption

Cisco Systems sells more security hardware than any other vendor by a long shot. Each year, Cisco sells more than $2 billion (£1.3bn) in security products – that’s roughly twice as much as either Juniper Networks or Check Point Software Technologies. And it’s about twice as much as Fortinet, SonicWall, WatchGuard and Barracuda combined.

Here’s the funny thing: We don’t hear much about security anymore out of Cisco. Six years ago, Cisco couldn’t talk about security enough. It practically invented the term “network access control” and spent millions of dollars on television commercials promoting self-defending networks. Nowadays, Cisco is talking about collaboration, virtualised data centres, telepresence, and borderless networks.

Embedded security

Fred Kost, director of marketing security solutions marketing at Cisco, says the company is now focused on new emerging technologies that have the potential to propel growth. That’s not to say security isn’t important to Cisco. In fact, he says security is an essential element within the fabric of telepresence, virtualised data centres and borderless networks. If you want to have cloud services, it has to be secure. If you want worry-free computing with consumer-grade devices attached to the network, you need seamless security.

What Kost described is the transformation of security becoming less of a point solution and more of an embedded feature. Over the last decade, security professionals prophesied about security becoming embedded in applications and systems as a seamless – if not transparent – function. Users would happily connect devices to any network without fear of malware, unauthorised access or sensitive data exposure. Businesses would no longer have to buy and maintain expensive security gear and applications since the controls would be part of their everyday security applications.

It’s a nice vision, but not one rooted in today’s reality. Security remains an amalgamation of features embedded in hardware and software products, as well as point solutions such as firewalls, intrusion prevention and data loss prevention that are strategically placed throughout the business IT infrastructure. But vendors like Cisco that sell a portfolio of products and services are increasingly minimising core security in favour of the assumed security.

Cisco isn’t the only vendor taking this approach. At its Worldwide Partner Conference, Microsoft barely mentioned the word security. Instead, it focused on cloud computing and mobility, two of its biggest bets. Like Cisco, Microsoft executives said that they consider security an essential element of its cloud computing and other product plans. As far as core security – in Microsoft’s case, vulnerability management – the executives believe they got that situation under control. And that control is enabling them to reduce security to an assumption.

Assuming too much?

In my discussion with Cisco on this topic, Kost correctly stated that vendors can run the risk of assuming too much when minimising the security discussion. In Microsoft’s case, the lack of security discussions and messaging at its partner conference led some solution providers to wonder if security was no longer important. On the customer side, the lack of security messaging could lead to a false sense of protection or – worse – invulnerability. What a shock it is for Mac users to realise that they are not immune to malware and hackers.

Embedded security shouldn’t be assumed security. Vendors and solution providers need to articulate the intent and limitations of embedded security features. Many of the embedded security measures are designed with the assumption that there will be complementary network-level security protections bearing the brunt of the security workload. Without that level of awareness, some end users – particularly smaller companies – may incorrectly assume that they can avoid spending money on point products.

Embedded security will eventually evolve and displace many of the existing point security solutions. As that happens, vendors will shift their channel attention away from pure-play security integrators to partners that have the capability to sell holistic systems. Such a shift will be painful for some security solution providers, but they will have the opportunity to expand their businesses in new directions. For proof of this, look at the Juniper channel, in which the bundling of security and switching gear is opening many new sales opportunities and increasing the size of deals.

When will embedded systems reach a level of maturity that allows security to be assumed? Not for a while, if ever. And for that reason alone, vendors and solution providers cannot simply relegate security to a footnote in their technology discussions.