Opinions matter

The industry-analyst cookbook

I couldn't help but chuckle when I read today's updated report on the Secure Content Management (SCM) market by number-cruncher industry analyst IDC. Having dealt with some of the companies in the top ten of that report, I can tell you that the numbers they report to IDC are not only incorrect but paint a picture of growth and penetration that could not be farther from the truth.

Yet investors and entrepreneurs use this data to engage in new ventures together. Business partners base their strategic picks on it. Customers bet their careers on it. Even the suppliers (of SCM solutions) use this data to prove to their business unit managers how much progress they've made. When was the last time you got away with writing your own report card?

The problem with the IDC analysis is that it pretends to show the size of the market, and the operators in it, by simply adding up the sum of finagled realizations. But what about the size of the total addressable market? A top-down analysis of the market means nothing if it doesn't intersect with a bottom-up analysis (how applicable this technology is to the market). How many computers could be protected with SCM versus how many are? Is the sum of realizations really equal to the sum of opportunities? I don't think so. There is plenty of opportunity for SCM vendors that think different.

So, not only does the analysis of the opportunity stink, the facts are doctored too. Let's be real: Secure Content Management is a bull market with room for 130 competing vendors, which sounds like no one has cracked the code yet. Entrepreneurs should approach security from a new perspective that crosses artificial boundaries defined by the major players; let us know if you need help.

Security 3.0: from after-market to security platform

Internet security companies are the Jiffy Lubes of the auto industry: they require constant innovation to keep up with the changing product stack they attempt to optimize, but not own. Some companies achieve innovation through non-organic growth (Symantec); others build a set of urgently needed technologies that becomes bigger as customer requirements grow (Trend Micro, McAfee). But keeping up is a challenge, and I expect security companies and the stack owners to aggressively pursue acquisition strategies to round out and secure their own future. Stack owners (Microsoft, Oracle, IBM, Cisco) will become fierce competitors to security companies if partnerships are not appropriate. Today's security leaders need to change and look into new business strategies.

Looking at the security marketplace from a fresh perspective, I give the current marketplace a 1.2 grade on the following evolution scale.

Security 1.0: the internet is not secure by any stretch of the imagination, but neither is the conventional world. So, get over it. Security is also not an absolute science. Spam, viruses, exploits, worms, cross-site scripting etc. deliver a vast number of opportunities to security companies that provide band-aids to the multitude and severity of security gaps. 83 Enterprise AntiSpam companies battle it out every day, leaving it up to customers filled with fear, uncertainty and doubt to wade through a plethora of point products to select which one is best, and when. It's a jungle out there.

Security 2.0: a secure enterprise, shielded from some of the garbage on the internet, needs protection in the same way you secure your house. Depending on personal preferences that define the vigor and quality of security, securing the doors without securing the windows doesn't make a whole lot of sense. Security is really a risk management issue, a delicate balance in which no single piece of security, data type or communication channel prevails; the equilibrium of security techniques (AntiSpam, AntiVirus, AntiSpyware, Web Application Security etc.) needs to provide sufficient shelter and trust. Leading security companies need to move towards marketing that equilibrium and scope.

Security 3.0: while internal threats are becoming a force to be reckoned with, many security companies are developing a Security 2.0 strategy that incorporates content compliance and other technologies to protect company assets against the employees themselves. I believe security companies should focus on aggressively protecting against outside threats, yet stimulate and enable the internal exchange of information. Content compliance should be checked but not enforced. The integrity of your business lies in the hearts and minds of people, not technology. Moving on, Security 3.0 is a platform strategy consisting of a framework in which a multitude of vendors can provide plugins that separate threat detection from distribution. It will be a free market in which the best technology will plug into a framework that allows this technology to be used on any type of information, in motion or at rest. I believe many stack owners and security behemoths will play a pivotal role in defining the key components of this security platform, and new security specialists will define the new, and highly specialized, security threat detection capabilities.

Bottom line: plenty of acquisition opportunities continue to exist for emerging security companies as the incumbents and stack owners battle to own a large part of the security framework that is essential to instill trust with customers.

The size of after-market providers like Jiffy Lube and AutoZone is larger than the market size of the car manufacturers, proving that after-markets will exist for quite some time. Security is still the after-market of the technology industry and I see no vendor changing that paradigm significantly today. New security vendors will continue to reap rewards and the incumbents will slowly move towards owning something they've never had: a technology (or platform) stack.

LaserCard: Silicon Valley's best kept secret

With homeland security as a hot topic these days, LaserCard in Mountain View (NASDAQ: LCRD, formerly known as Drexler Technologies) quietly continues to ship millions of unique memory cards as the foundation for "Green" cards and National ID cards to US, Italian, and Canadian governments and others. In addition to its incredible resistance against wear and tear (we punched holes in it and it still read successfully) and unique security features, the LaserCard stores an impressive 2.8M of personal and biometric data. Fingerprints, retina scans, voice encoding or whatever becomes the prevalent set of biometric verifiers can be combined with visual authentication to ensure the holder of the card is indeed the one presenting himself. All these attributes can be stored on the card and read offline without the need for centralized databases. So why is homeland security not using this card to its fullest potential? Why does it waste time on privacy debates with regard to centralized storage? Why, four years after 9/11, are we still not able to verify a person's real identity?