Last week, I wrote a blog post summarizing the Day 1 opening keynotes at Forrester’s Security Forum. This week, I’d like to recap the Day 2 opening keynotes. The second or last day at any event is always a challenge; attendees are always tempted to leave early or to stay in their hotel rooms to get some work done or if the event is in Vegas, squeeze in some craps (my favorite) or drop a few coins in a nearby slot. Luckily, we held the event in Boston and the lobsters have nowhere to run, so most attendees were happy to stick around until the end of the day. Not only did we have great attendance on Day 2, but there was a palpable buzz in the air. The audience asked tough questions and no one was spared — Forrester analysts, industry guest speakers, and vendors. While the main topic of Day 1 seemed to focus on risk and overall strategy, governance, and oversight, Day 2 focused on coming up with the specifics — the specific plans, the specific policies. As Andrew Jaquith stated in his keynote, to provide better data security, “you don’t need more widgets, what you need is a plan.”
Below are some of the highlights from the Day 2 keynotes:
Security Forum 2010 is upon us, and the stage has been set. After my welcome remarks this morning, Forrester’s own VP & Principal Analyst Khalid Kark kicked us off with a fantastic keynote: “Maturing The Security Organization.” Next up, Malcolm Harkins, CISO of Intel, spoke about the misperception of risk as “The Most Significant Vulnerability We Face." After Malcolm, Forrester was happy to welcome a quartet of IBM security experts and customers for a panel discussion on “Smart Security." Daniel Barriuso, CISO of Credit Suisse, finished up our morning keynotes with a presentation outlining the essential steps to build a “Holistic IT Security Management organization”.
Even though each of these presentations addressed different security challenges, in the end they delivered many common recommendations. For example, the need for strong governance and oversight and the ability to objectively identify and assess future risks. There were a few other key points that I want to highlight:
Rarely does vendor consolidation reflect such fragmentation of a market.
Picking up on the recent acquisition trend of independent market leaders, IBM today announced plans to acquire long-time GRC heavyweight OpenPages to strengthen its business analytics offerings, including Cognos and SPSS. It's a good fit for both companies and certainly won't surprise anyone who has been following the space... the OpenPages platform leans on Cognos for its reporting capabilities, so they already have a head start on product integration. The two have also proven successful in the past by combining forces on large risk management implementations, so there are already established use cases to reference.
This deal is most interesting, however, when you consider the other acquisitions of top GRC vendors. Less than two years ago, Paisley was acquired by Thomson Reuters to strengthen its tax and accounting business and content delivery, while EMC acquired Archer Technologies earlier this year as a dashboard (at least initially) to pull together IT risk data and processes as part of its RSA security offerings. While OpenPages has historically competed with Paisley in financial controls management and has recently been moving more into Archer's core IT risk and compliance domain, this acquisition will likely turn the company more toward higher-level corporate performance and enterprise risk management. The GRC vendors will still compete regularly, but their unique selling propositions are starting to look more and more unique all the time.
I had the chance to sit down with Credit Suisse’s CISO and Head of IT Risk, Daniel Barriuso, to ask him a few questions about his role at Credit Suisse and his approach to security. Daniel will be keynoting this week at Forrester’s Security Forum, which kicks off this Thursday, September 16th. Here’s a sample of our Q&A below:
Why is a more holistic approach to IT security so important today?
[Barriuso]: Given the complex and fast changing IT security landscape, a holistic approach is key to being able to effectively understand the end-to-end threat landscape and manage it proactively. This entails planning for both current and emerging threats, identifying future trends, and making conscious decisions on the security investments required.
What were some of the most important lessons that you learned over the last several years?
[Barriuso]: A key lesson that I have learned through my career is that governance is the foundation for a strong IT security organization. Often organizations focus on technology and technical controls as the main driver to secure data. Instead, a top-down approach is required, beginning with the policy, governance bodies, and risk management framework.
What advice would you give to other senior security leaders who want to move to this more holistic approach?
This morning, HP announced it was buying ArcSight for $1.5 billion, at a 70% market value premium compared to its value a month ago.
My colleague John Kindervag will probably be blogging on this acquisition in more detail, so I won’t steal his thunder. That said, I do have a few quick observations about the deal. The ArcSight acquisition should be seen against the broader tableau of the consolidation wave we have seen over the past two quarters:
Shortly thereafter, HP bought Fortify for an undisclosed amount, likely not less than about $150m
Two weeks ago, CA bought Arcot, a fraud management and adaptive authentication vendor, for $200m
That is about $10.1 billion in deal-making. All of these deals have a common theme: the acquisition targets are all leaders in their respective markets. That is because we are at the point in the market cycle where the larger potential acquirers have enough cash in the bank to buy top-shelf companies. There is not a lot of bottom-fishing going on. Why have catfish when you can have caviar?
Because the balance sheets of big potential acquirers like Symantec, Microsoft, IBM, Oracle et al are relatively healthy, we will likely continue to see additional M&A activity through the end of the next year and into Q1 2011.
How Authentication-as-a-Service becomes a part of leading IAM stacks and why virtualization is no longer a viable technology without identity and access management.
CA’s acquisition of Arcot signals that partnering with an adaptive authentication vendor is no longer enough to offer a comprehensive access management strategy: you’d also have to have an adaptive authentication product to allow your customers to retire costly physical tokens. But this is not the primary reason CA picked up Arcot. It is Arcot’s thriving hosted authentication and fraud management services that were the most lucrative assets to CA. Adaptive authentication is part of any organization’s fraud management strategy — however, CA’s inexperience here leaves a few questions to be answered. Will CA keep and grow Arcot’s fraud prevention service? If so, how will it integrate fraud management with IAM? The requirement for integration is clearly highlighted by Forrester’s conversations with its FinServ and other verticals’ customers.