Commentary

Down To Business: The End Of Security As We Know It?

Rob Preston
VP & Editor in Chief, InformationWeek

The big, acquisitive infrastructure vendors insist that security inevitably will be built into their architectures, but critics rightly warn of the pitfalls of a fully integrated approach.

Since the dawn of time, IT customers and vendors alike have debated "best of breed" vs. "integrated solution." Preaching lower total costs, simpler management, and ease of use, the biggest software vendors have pushed ahead with their integrated "platforms," sometimes to the chagrin of the competition authorities.

Windows is now crammed with Web browsing, media playing, and other adjunct features. Enterprise application suites pack supply chain and CRM modules. Databases are integrated with analytics tools, and management systems are taking on software distribution, compliance, and other capabilities. Best-of-breed software vendors still compete at the edges, but the platform purveyors are taking charge.


Security is a different beast, however. Although the industry is consolidating, it's still populated by hundreds of small to midsize companies that sell intrusion detection, event management, vulnerability assessment, authentication, identity management, network forensic, anti-spam, antivirus, access control, and other point products. The acquisitive infrastructure vendors now insist that security, too, inevitably will be built into their architectures, but critics warn of the pitfalls of a fully integrated approach.

Art Coviello, president of RSA Security, acquired by EMC last year, told the audience at his RSA Conference in San Francisco last week that security must be built "more and more" into infrastructure to assure active, manageable defenses. He predicted the demise of the standalone security industry within three years. "If I'm proven wrong about the timing," Coviello said, "I won't be proven wrong in the need for this."

Not so fast, said John Thompson, CEO of Symantec, the largest of the "independent" security vendors. Security products and services must continue to be offered by specialist companies, he said in a separate conference address. "Who would entrust one company to do this?" Thompson said. "You wouldn't want the company that creates your company's operating system to be the one to secure that operating system. It's a conflict of interest."

Not that Microsoft or its infrastructure brethren Cisco, EMC, and IBM are conflicted about building the best security they can into their software, networking, storage, and management platforms. But what about interoperability with other products? Independent security vendors will remain critical as long as every last customer isn't a card-carrying Microsoft, Cisco, EMC, IBM, or some other shop. Before his Internet Security Systems was acquired by IBM last year, CEO Tom Noonan argued that big infrastructure vendors such as Microsoft and Cisco have no incentive to work with competitors on security. Doesn't that reasoning also extend to IBM Tivoli, which is now building ISS security into its management infrastructure?

But customers also can't manage 32 separate security vendors and their products--a number cited by Noonan last week as the average these days for a large enterprise. IT security spending continues to grow at three times the rate of other tech investments, he said, "a pretty unsustainable business problem."

Customers are conflicted. When asked to rate their most important criteria in selecting a security vendor, the 966 U.S. respondents to last year's InformationWeek Global Security Survey picked "integration considerations" fifth, behind the technical strength of the product, total cost of ownership, vendor service and support, and pricing. More than half of those companies said the most compelling reason to build their security around a single vendor would be to reduce the complexity of managing the technology, not so much to improve their security. However, in Europe, China, and India, where a total of 1,227 companies were surveyed, superior protection was cited as the most compelling reason to go with an integrated solution.

Built-in security may prevail by the sheer force of the biggest vendors' will, but the independents will remain a force for the foreseeable future.

Rob Preston,
VP/Editor In Chief
rpreston@cmp.com

