Why do companies buy security technology? It seems like a harmless enough question, and the obvious answer would seem to be that companies buy security technology to protect themselves and their users.
But the larger question of when companies buy security technology is tougher to answer. This week, security vendor FireEye reported its third-quarter fiscal 2015 earnings and during a follow-up conference call with the financial community, CEO Dave DeWalt provided interesting insight into what motivates buyers.
Part of FireEye’s business comes from its Mandiant incident-response division, which has been involved in some of the biggest breaches in recent memory, including those at Sony and Anthem. Apparently, there has been a bit of a slowdown in breaches lately, and that’s leading to a slowdown in security orders for FireEye.
“After 18 months of elevated—what I call emergency—spending on advanced cyber-security, we’re seeing customers take a more strategic approach to upgrading their security infrastructures,” DeWalt said during his company’s earnings call. “In years prior, it was this—I hate to call it an [oh, no] moment, but it’s kind of an [oh, no] moment—and when it happens, they [customers] open up wallets and they change a little bit and the behavior changes.”
Basically, DeWalt is saying that organizations have been reacting to threats after they have been disclosed and reported in the media.
DeWalt’s comments are not all that surprising, are they? Reacting to threats is built into the DNA of all living creatures as the fight-or-flight response. That is, when encountering a threat, an organism will either fight or run away in order to survive. Given that organizations can’t run away, the only real choice is to fight, and the knee-jerk response to fighting cyber-threats often is to acquire new technology and tools to combat cyber-risks.
I have long held [and publicly stated many times] that fear is a primary motivator for the security industry as a whole—fear over being breached and fear of being the next company in the headlines.
The constant stream of breach reports in the media (including here on eWEEK) has had an impact on organizations’ sense of fear and impending doom, and apparently that is a business driver for security spending. No one wants to be the next victim, and that drives security spending.
Or, at least, fear has been driving security spending, as DeWalt blamed the recent detente between the United States and China on cyber-security for a slowdown in his company’s orders. News of the detente means a potential reduction in risk and perhaps less fear, too—at least for a period of time.
While there is currently a small window of security optimism, the optimism will not impact the continued growth of the security business as a whole.
“Cyber-security will continue to grow; I know it will,” DeWalt said. “I think there is some change afoot, and we’ll see how long that lasts. Maybe it’s just 30 days until the next big headline changes it.”
Fear Shouldn’t Be the Fuel for Security Industry Growth
FireEye isn’t the only vendor that benefits from security breaches as there are myriad vendors that organizations are likely to consider when evaluating technology to help defend their enterprises.
Put simply, while breaches are bad for the victims, they can be a good thing for the security vendors that build new forms of security technology.
A better choice for organizations is to take a more proactive approach and not just simply to react to fear instinctively. This, too, is an area where vendors like FireEye can profit.
Much of the technology in the IT world today is sold on a subscription support basis, meaning there are recurring revenue opportunities, and purchases are not just point-in-time capital expenditures.
As long as there is fear and the potential for being breached, security and support spending will remain solid. Just as there is likely no future utopia for civilized society, where there is no crime, there is likely no end game in sight for the IT industry where security is no longer needed and the risk of attack is no longer a clear and present danger.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.