I was traveling a lot lately meeting many customers, presenting at 3 4 different events and hosting our quarterly customer advisory board meeting. After talking with dozens of peers, customers and other security industry leaders I came to a conclusion that the landscape is changing. The marketing folks would use the term “paradigm shift”. Yes, ladies and gentleman, we are moving from a compliance-drive world into security.

Years ago, Rich Mogull (still at Gartner) explained to me why organizations in the US buy security. According to his theory (which I verified many times since then) US organizations buy security to

1. Comply with some regulation,
2. Address a security event (in their organization or in a similar institute) Or
3. ...because it is the right thing to do.

If you analyze the reasons, you’ll find that the vast majority tries to comply with different mandates, then they act to fix a problem and only a small part are “doing the right thing” and initiating projects.  Well, it looks like this is changing. More and more organizations are focusing at doing the right things. Even if they are using the compliance budget as the line item.

From a security stand point this is very encouraging.  Goldman Sachs Independent Insight on Technology (Software Security Spending Survey):

“Total security spend grew 12% in 2008, according to IDC, and we expect growth to normalize in 2010-2011 at around 5% after a flat year in 2009.”

 In my opinion the growth will be directed at vendors that will be able to demonstrate how they are helping to “do the right thing” in security.