Stand-alone security vendors are going the way of dinosaurs.
That was the assessment offered today by president of RSA Security, Art Coviello, at the company's annual security conference, which is being held in San Francisco this week. RSA is EMC's security division.
Delivering a keynote address, Coviello said the trend by vendors such as Microsoft, Oracle, Cisco Systems and EMC to integrate security functions into their core technologies is diminishing the need for add-on products from pure-play security vendors. RSA itself was one such stand-alone vendor until it was acquired by EMC last year.
"Our industry is ripe for a transformation" Coveillo said. "The transformation I am talking about will bring an end to the stand-alone security industry within two to three years." With the exception of two or three vendors, the value of stand-alone security vendor is "over," he added.
Factors driving the trend included the continually changing nature of threats and regulations that required companies to demonstrate better controls and hold them accountable for data losses, he said. "The reality is that we have not implemented information security at all," Coviello said. "We focused on the perimeter around the information but rarely protected the information itself."
In the near future, companies would need to implement more information-centric security models focused on mitigating business risk and financial losses rather than on perfect security, he said.
"The pursuit of 'perfect security' is a waste of time and resources," Coviello said. "I am not advocating products with holes. What I am saying is that the digital world brings with it inherent risks. We need security that aligns with the value of the information we need to protect."
Such a transformation wouldn't happen if we continued using security products that were bolted on top of the infrastructure, he said. Instead, integrating security into products and making them more secure was becoming the norm for IT infrastructure vendors, Coviello said. The pace wa sonly going to accelerate in the next few years.
Coviello's comments came even as the number of stand-alone security vendors exhibiting products at the RSA conference crossed the 300 mark this year -- 100 more than in 2006. A vast majorityof the companies, however, were information infrastructure companies - not pure play security vendors, Coviello said.
"You will see fewer and fewer stand-alone vendors, [in the future]", he said. "If I am proven wrong in the timing, I will not be proven wrong in the need for security to be woven into the fabric of the network."
Enterprise Management Associates analyst, Scott Crawford, said it remained to be seen how extensive any industry consolidation could be over the next few years. But it did seem unlikely that the security industry would see many large pure-play security vendors in the future.