Most security products are too automated
This is problematic and will lead to most of these products failing
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’ve seen and heard about various security products recently. The market feels very saturated, especially in cloud and application security. What I mean by “saturated” is that there seem to be more products than problems. Some products feel like they are making up problems. Another trend is that the newer products have been focused on improving efficiency by being more turnkey or “working out of the box.” The AI trend is definitely not helping here as there’s a bigger push to increase security automation. I believe this trend has gone too far.
How did we get here?
When companies owned their datacenters, the security team would purchase and maintain the security software and hardware. Although the vendor would provide updates, the IT and/or security team would manage the software. However, these products required substantial initial and subsequent configuration, as well as customization, to work properly in each environment. This work was often difficult, so companies would hire consultants or in-house experts. For example, firewalls required substantial effort to configure until Palo Alto Networks came out with their product.
This situation was great for the company providing the product. Having a large number of features and potential customizations heavily benefitted the company. First, they were able to meet customer requirements, which were the primary buying criteria. Second, because of the complexity, customers needed additional services usually from the company itself. Finally, it created a defensive moat, requiring more R&D costs for a competitor to build a similar product.
Eventually, this led to huge software costs because customers were paying not only for the software itself but also for the staff and services to configure and maintain it. This was fine and heavily benefitted the security industry when security budgets started increasing. Companies felt exposed given the prevalence of major breaches, especially the companies that are larger targets. As a result, security teams bought expensive software and were able to hire large operational teams, such as analysts, to use and manage the software.