Peter Kuper posted an interesting article on fudsec.com claiming that there is an "Innovator's Crisis" in IT Security. I disagree. There are several new, innovative solutions coming from start-ups that do mitigate the new risks created by the explosion in "web 2.0" applications.
Large enterprises are facing huge challenges though. First, capital investments made in security during the last several years must be written down because the technology is obsolete. For example, stateful inspection firewalls have become essentially useless.
Second, the new solutions require these enterprises to reorganize their security staff. For example, most large enterprises have separate groups to manage firewalls and intrusion prevention systems. The "next-generation" firewalls, which can reduce the risks associated with employee usage of "web 2.0" applications, combine the firewall and intrusion detection functions and also integrate with directory services, which touches a third security group – Identity and Access Management.
Separately, while this may be obvious, there is a good reason why these large diversified information technology manufacturers are not acquiring security start-ups. They have gotten so large that security revenue does not significantly move the revenue needle. Cisco and Juniper come to mind. Peter mentioned IBM's botch of ISS. We'll see what HP does with TippingPoint.