Information Security budgets are pretty crufty: they are an accumulation of decisions, but the analysis that led to those decisions is rarely revisited, so the budget just snowballs. The normal Information Security budget is a legacy artifact of the era when the network was the greatest vulnerability. Gary McGraw took a pass at reviewing the numbers (*) in software security, breaking down software security sectors like tools and services (note to Gary - I think Aspect does more than just training!). This is great work by Gary to get these numbers and see the real changes occurring in software security. Here were his findings on software security tools:
One of the most important developments in the software security market can be seen in the tools space which, combined, almost doubled to $150-180 million. Top of list are two major acquisitions that closed in 2007: Watchfire's purchase by IBM (somewhere in the range of $120-150 million on 2006 revenue of $26 million) and SPI Dynamics's purchase by HP (for around $100 million on 2006 revenue of $21.2 million).
...
The black box space was flat in 2007, with IBM/Watchfire checking in at $24.1 million and HP/SPI Dynamics earning $22.3 million. Smaller companies in the space, including Cenzic, Codenomicon, WhiteHat and the like had combined revenues around $12.5 million (a growth of 25%, though Cenzic grew 16% and WhiteHat 52%). Most of the growth "hiccup" in the black box market can be attributed to the serious challenges posed by any acquisition. So far 2008 looks to be back on track from a growth perspective in the black box testing space. The global reach that IBM and HP offer are already making a big difference.
On a more positive note, static analysis tools for code review grew at a healthy clip in 2007 into a $91.9 million dollar market. Fortify was up 83% to $29.2 million. Klocwork grew over 60% to $26 million. Coverity grew over 50% to $27.2 million. Ounce Labs tripled their revenue to $9.5 million.
| | Network | Software |
| Asset Value | $39.5 billion | $98 billion |
| Security Investment | $900 million | $150 million |
| Security Investment as a percentage of asset value | 2.28% | 0.15% |
I see the outcomes of these backward-looking, crufty decisions by Information Security every day: one or two software security sherpas heading out to work with thousands of developers, while the network security people sit around reading the newspaper and go home at 5 every day.
Very good post, again.
However, that 900M x 150M comparison does not seem to be "apples to apples" to me. Organizations buy security to protect the network as a system, not its components. When we're talking about software security and looking at the software numbers we are looking into tools to protect components (software pieces). The security of network and software components (like routers and Windows) is usually out of our hands, I mean, it's provided by the vendors. So, we buy security to protect the network as a single system and security to protect "tailor made" software. It's hard to know if comparing the amount spent on these two different things has any meaning at all.
Posted by: Augusto Paes de Barros | August 26, 2008 at 10:06 AM
Gary credits that he got those numbers from Gartner - you should credit them.
Posted by: anon | August 26, 2008 at 12:04 PM
Augusto,
If I write a web application and stick it in front of SAP (which runs my entire business), then I open up port 80/443 to talk to the portal and SAP directly, what security services is the firewall offering my application?
Authentication? Authorization? Auditing? Confidentiality? Integrity? Availability? Content validation?
From an app standpoint - I think none of these things.
Posted by: Gunnar | August 26, 2008 at 04:47 PM
Hi Gunnar,
I'm not sure how you came up with your total for the space, which is too low. Here's what I said in the original article:
"All told, the software security market for tools and services in 2007 was worth somewhere between $275-300 million. If you factor in application firewalls (probably accounting for $50 million), the number is even higher."
I think your ratios are still interesting, but the space is pretty much larger than your post implies. The reason this matters is that when a space approaches $500M, the analysts start covering it. We can see that now in software security. We're at an important threshold!
gem
Posted by: gem | August 28, 2008 at 11:54 AM
Hi Gary
I got the number from your article on the total tools market. I did not include services because I was comparing to Cisco and Checkpoint, which have minimal services.
Posted by: Gunnar | September 02, 2008 at 02:56 PM