IAM market consolidation looms in 2017
I predict that 2017 will be a year of market consolidation in the Identity and Access Management (IAM) market, driven by organizational changes rather than revolutionary improvements in technology. Consequently, niche vendors will resort to increasingly desperate discounting schedules, funding rounds, or mergers to stay solvent as the year progresses.
Traditional IT departments have struggled for years to react to the changing threat landscape and the introduction of regulations that influenced their purchasing decisions. It has been fifteen years since the introduction of Sarbanes-Oxley and thirteen years since the first iteration of PCI-DSS. External and internal audit teams drove reactive and often short-sighted cyber-security purchases by IT during this time. Many IT organizations partially implemented many vendor solutions to achieve checkbox compliance, as the costs and potential reputational damages of a failed audit were frequently more expensive than selecting and deploying the minimum required functionality of the lowest-cost point solution across only those systems subject to the auditor’s scrutiny.
The other trend from the past decade was that internal business departments became frustrated with the incomprehensible compliance requirements and budgetary cycles of the traditional IT department and thus independently selected and deployed low-cost SaaS solutions. These shadow IT solutions are often not centrally managed and were commonly initiated to bypass compliance controls required by IT. The risk of breaches to customer data and intellectual property has consequently increased as more business-critical data and credentials have moved to the cloud.
Our fifteen-year legacy of organizations implementing the relevant regulatory standards and still suffering cyber security breaches has led forward-thinking organizations to focus on risk management rather than compliance for compliance’s sake.
In response, I predict that cyber security organizations will become independent corporate entities from IT organizations. This may be under the office of the Chief Information Security Officer (CISO), Chief Risk Officer (CRO), Chief Compliance Officer (CCO) or an entirely new entity. Corporate IT can focus on the business of serving end users, providing infrastructure and critical business applications but not security services across an increasingly diverse landscape of services, apps, and user identities. This newfound cybersecurity organizational independence will allow for an enterprise-wide view of risks and risk mitigation planning. Unfortunately for existing vendors, all new organizations need to set operating budgets for their fiscal year, and these new cyber security organizational entities will not be working from the larger IT budget or staffing levels.
New security buyers will seek to reduce the number of vendors to negotiate favorable licensing and subscription deals. Panic-driven (whether by breach or by audit) solutions will be scrutinized with a view towards eliminating feature overlap. For example, a business with an existing MDM point solution, a separate 2FA solution, and an IAM suite that provides MDM and MFA will be hard-pressed to justify the costs of the standalone solutions, even if they each have one or two additional unique features over the broader security suite. As these new corporate entities will also initially have to set their staffing levels, expect an emphasis on predictive analytics and machine learning rather than event-driven reactive log reviews, which require a significant number of trained personnel to interpret the events from the SIEM or auditing solution.
Ultimately, businesses and consumers will benefit from this emphasis on managing risk rather than reacting to incidents. Vendors stand the most to lose, as does their staff as maintenance renewals fall. Point solution vendors will need to either rapidly innovate or consolidate in mergers and acquisitions.