Mergers Reflect a Greater Trend in IT-Infosec Synergy
The fact that two major IT vendors are acquiring information security companies - Intel purchasing McAfee and Hewlett Packard buying Fortify - reflects a greater reality: the narrowing gap between pure IT and IT security.
In today's cyber world, everyone and everything has a security component. Here's how Intel put it in its announcement of the McAfee purchase:
"The acquisition reflects that security is now a fundamental component of online computing. ... Providing protection to a diverse online world requires a fundamentally new approach involving software, hardware and services.
HP Executive Vice President Bill Beghte provided similar reasoning when he announced his company's takeover of Foritfy:
"Businesses operate in a world of increasing security and compliance challenges, and the applications and services that they rely on are core to the problem and the solution."
Of course, such mergers have occurred over the years, and many companies have incorporated information security into their IT product. Responding to Intel's move, IBM sent the media a message reminding us that it has had IT security business for decades. And there are other reasons these mergers are occurring, including the fact that IT security is where the big bucks are these days, as Gartner analyst Peter Firstbrook observes:
"They are both diversification/opportunistic plays into a recession proof/high growth industry. ... What does that say about the current technology marketplace? That security is important and becoming more so."
Still, regardless of the reason the chasm between IT and IT security is closing, not all companies may be able to pull it off. Says Firstbrook:
"Embedding security in products is helpful but difficult to manage in a heterogeneous environment. Look at how unsuccessful Microsoft has been in security and how slow they are moving. It is a very different culture. Intel is a dominant player in their market and driven by staid engineering culture with very long development cycles, while McAfee is a scrappy west coast sales/market driven company."
Still, it's a trend that is likely to accelerate. Here's how Kate Borten, president of the IT security consultancy The Marblehead Group, assesses the environment:
"A trend to blend security with IT makes sense and is a sign of maturation of both industries. Security pros have long preached that security should be built in from the beginning... whether it's hardware, software, etc."
That's part of the rationale behind McAfee's agreement to be acquired by Intel, according to the blog posted by McAfee Chief Technology Officer George Kurtz:
"Intel to date has focused on energy-efficient performance and Internet connectivity. Today Intel, a name synonymous with innovation, has added security as a third pillar of focus. While you may ask 'Why?' It makes perfect sense to me. Given the current challenges in dealing with the proliferation of virulent malware, bringing software closer to silicon will provide a real advantage for consumers and businesses. Beating back the tide of malware proliferation by changing the game on the bad guys is an exciting proposition.
The merging of IT and IT security isn't just about companies getting together, but people, too. You can't create an application or architect a network without security being a major component, thus developers and architects also must be IT security specialists. That point is made in a recent report by the Commission on Cybersecurity for the 44th Presidency that defined nine key cybersecurity roles, many sounding like traditional IT jobs such as programming and systems administration. Says the co-author of the commission white paper, Franklin Reeder:
"When we talk about cybersecurity professionals, we're not necessarily talking about people who are typically identified as cybersecurity types. ... Systems administrators, network administrators, those who write code are typically not identified as cybersecurity types. But what they do or the manner in which they do it is critical both to deploying technology that is to the extent that we can make it safe and given that there is no such thing as absolutely safe technology, having the skills necessary to protect it and defend it and ultimately recover when bad stuff happens because bad stuff will happen."
As securing IT becomes more critical, look for an amalgamation that goes beyond IT and IT security, but to include functions and people that use the systems that need to be safeguarded. The hype about security awareness - aimed at users - will go further than encouraging the practice of cyber hygiene, and involve knowledge workers being the enablers of IT security, as well.