HP Shakes Up Security Market

While HP has caused a furor with the uncertain future of its PC business--something pundits are calling part of its "IBM-ification" strategy--what is clear is the company's desire to be a player in the enterprise security market. The world's largest IT vendor is making a number of announcements around its Enterprise Security Solutions portfolio that will provide the required protection combined with access to the right assets without compromising risk.

Gartner reports security software revenue totaled $16.5 billion in 2010, a 12% increase from 2009 revenue, with Symantec and McAfee in the top spots with 30% combined market share. The next three largest vendors--Trend Micro, IBM and CA--accounted for another 14%, leaving HP with every other vendor competing for the remaining 56%.

IDC forecasts the worldwide security services market compound annual growth rate at 15% over the 2010 to 2015 forecast period with revenues exceeding $39.5 billion in 2011 and growing to almost $63 billion by 2015, says Chris Liebert, senior analyst, security services, IDC. She adds that HP is making a strategic bet based on the movement of the enterprise market to outsourced business services.

"This shift can be attributed to enterprise mandates in a few key areas: reducing infrastructure and network overhead, reducing capex and opex, and outsourcing manual processes like network security, storage and business applications for better efficiency and employee productivity. Key to this shift in enterprise outsourcing is security, as security is a market driver and pushes other sales now, not the other way around, and may be a bright spot in [HP] CEO [Leo] Apotheker's software strategy."

HP reports more than half of senior business and technology executives believe that security breaches within their organizations have increased during the last year, with nearly a third saying they experienced a security breach by unauthorized internal access and 20% reporting an external breach. The company also released its semi-annual HP Digital Vaccine Labs' (DVLabs) Cyber Security Risks Report, which found that the number of web application attacks in just the first half of 2011 has already surpassed the total number of attacks tracked in 2009 and is also 65% higher than the total attacks measured in 2010.

A new study, Norton Cybercrime Report 2011, puts the cost of cybercrime at $114 billion annually. Throw in time lost as a result of these experiences, and the total cost is $388 billion, the report says.

According to HP's Second Annual Cost of Cyber Crime Study, conducted by the Ponemon Institute and released last month, the median annualized cost of cybercrime incurred by a benchmark sample of organizations was $5.9 million per year, with a range of $1.5 million to $36.5 million each year per organization, an increase of 56% from the inaugural study published in July 2010. During a four-week period, the organizations surveyed experienced 72 successful attacks per week, an increase of nearly 45% from last year. More than 90% of all cybercrime costs were caused by malicious code, denial of service, stolen devices and Web-based attacks.HP's new risk and security-related offerings include ArcSight Express 3.0, called the first Security Information and Event Management (SIEM) product powered by the new Correlation Optimized Retention and Retrieval Engine (CORR-Engine); Fortify Software Security Center application security testing solution; TippingPoint Web Application Digital Vaccine (WebAppDV) 2.0; Information Security Management (ISM) services; Enterprise Cloud Service (ECS), Security Information and Event Management (SIEM) services; and Application Security Testing-as-a-Service. The one-day Enterprise Security Discovery Workshop is intended to help clients assess their risk tolerance profile, compliance and operational requirements, and organizational capabilities.

Liebert thinks ArcSight is probably most relevant for a single product/service that stands out in the security services market for threat management protection against zero-day and APTs (advanced persistent threats), a hot topic in the security services market. She says enterprises demand a predictable operating expense to maintain security posture as emerging Web-based threats are increasingly targeted at the private commercial sector.

"While we don't know HP's exact strategy, we can make an assumption on the business opportunities they are going after, based on their relevant security acquisition strategy to date. There is a strong emphasis on services readiness, and security services in particular, when reviewing their acquisition strategy."

Ed Ferrara, principal research analyst, security and risk, at Forrester Research, agrees with HP that it is the breadth of the announcement, rather than a single component, that is most significant. "HP with this announcement shows they realize that the integration of their security consulting, managed services, technology and technology partners will allow them to serve enterprise customers more effectively with an integrated portfolio. The integrated offerings proposed in this new announcement will have strong appeal to enterprise customers. The challenge will be to achieve this integration at a sufficient level of sophistication and execution to provide a true end-to-end security solution for enterprise customers. This is certainly doable based on the considerable resources HP can bring to bear on this effort."

Like Liebert, Ferrara says enterprise clients are looking for one security consultant and service provider to help manage the rising complexity seen in information assurance today. "The ability to have a tier-one player like HP provide such a vision puts other tier-one players on notice."

See more on this topic by subscribing to Network Computing Pro Reports Strategy: Security via Compliance (subscription required).