Data Security: From Paranoia to Necessity

In the post-Sept. 11 business world, information-security freaks have lots of company as the demand for safety skyrockets

Patrick Sweeney's lifeblood is defense. A former commercial real estate executive, Sweeney founded ServerVault in 1999 to cater to businesses in search of the ultimate in data and network protection. Short of a nuclear blast or a meteor strike, Sweeney has you covered. The company places 8-foot wrought-iron fences that can withstand a direct hit from a pickup going 30 mile per hour around its data-center compounds. Armed guards stand at the entrance to windowless, bomb-resistant buildings designed by a former Navy demolition expert. Computers holding customers' Web sites and corporate data sit inside German-made Lampertz vaults that are impervious smoke, water, fire, electromagnetic waves, and infrared pulses, among other threats.

Those computers run on operating systems specially modified to prevent cyber break-ins. ServerVault employees watch the machines with hawk-like vigilance 24 hours a day. To ensure uninterrupted information flows, the company maintains dual fiber-optic connections with two major telecommunications carriers over four separate cables.

To protect against human infiltration, only company engineers, who have passed extensive background checks, are allowed into the data vaults to work on the machines. None of this comes cheap: Monthly costs range from tens of thousands of dollars to the hundreds of thousands.


  Sounds excessive? Not anymore. The destruction of New York's World Trade Center and a large chunk of the Pentagon on Sept. 11 has companies scrambling to reassess their data security. Plenty of them have been calling ServerVault -- including a major Silicon Valley credit-auditing company, which got in touch with Sweeney just after the attack to ask for a complete mirroring of its digital material.

All told, Sweeney says he has seen both a 50% increase in customer inquiries in the wake of the attacks, as well as a decrease in the time it had typically taken to close a sale. "Until a couple of weeks ago, people said our level of security was paranoia," he recalls. "Now they say it's necessary."

That newfound belief may cause a boom -- or, at the very least, a solid uptick -- in the business of making information secure. The enormous interruptions caused by the attacks made security a matter of prime importance on Corporate America's agenda. Add to that the Nimda havoc -- thousands of corporate networks shut down by the combination worm/virus in the days following the terrorists' assaults -- and suddenly, information-technology security and redundancy clearly have new urgency. In fact, the 0.4% of revenues that companies now spend on data security, according to the tech consultancy Gartner, begins to look entirely inadequate.

"People have had it on their to-do list, but it never gets the right priority," says William Mallik, a research director at Gartner. "Now there is sufficient information of the possibility and consequences of an event like this to make it a priority."


  That could mean big sales gains for everyone from the Big Five consulting firms to the software and hardware providers that specialize in security, as well as companies that sell biometric devices and smart cards. Exactly how much revenue growth this could fuel in what experts estimate is already a $12 billion industry remains to be seen. But with the most catastrophic of terrorist attacks as its key selling point, the security industry could soon be bringing in extra hundreds of millions of dollars on an annual basis. "We've seen customers who are sitting on the fence get off the fence -- and we've seen about a 100% increase in calls," says Bruce Schneier, chief technology officer of computer security monitoring service Counterpane Systems.

Positioned to benefit most are managed-security providers, such as ServerVault, which secure and monitor corporate networks and sometimes host their data and servers. On Sept. 10, the managed-security sector was in the midst of a consolidation, with weaker players struggling to convince customers that they should outsource such services. A day later, as the smoke rose from New York and Washington, security seemed significantly more necessary -- and the arguments for outsourcing it began to look compelling.

According to Sweeney, a company that hires him can expect to save around 30% of what it would have cost to do the work itself. And that's before taking into account the increasingly onerous requirements of maintaining security patches on computer operating systems.


  As these companies prosper, so will the various outfits that supply them, such as software providers that build firewalls, intrusion-detection systems, antivirus software, and other network-monitoring tools. The beneficiaries could include firewall supplier Check Point (CHKP ), antivirus companies Network Associates (NETA ), Symantec (SYMC ), and TrendMicro (TMIC ), and intrusion-detection specialist Internet Security Systems (ISSX ).

Business also should pick up for authentication companies that provide the technologies used to limit admittance to key networks distributed across the company and throughout the country. The king of the hill in this business is RSA (RSAS ) and its SecureID technology. The system uses a specially programmed electronic passkey that employees carry, and that generates a new passcode every minute or so to permit access to sensitive portions of computer networks.

Also expected to blossom are biometric companies, which sell devices that use biological measures to regulate access to just about anything. These include fingerprints, hand geometry, iris and retinal patterns, and the shape of a face. One company in this constellation that could profit is Visionics (VSNX ), whose technology has grabbed attention because of its use in airports to track terrorists in Europe and in police-surveillance cameras in Tampa, Fla.


  A Visionics spokesperson confirms that the company has seen a jump in business in the last two weeks. Its shares have nearly tripled since Sept. 11, after jumping 92% on the first day of stock trading after the attack. The stock of another leading biometrics concern, Identix, has risen nearly 250% since the terrorist attacks.

Actual sales growth for these companies is still an open question. With only $228 million in revenues in 2000, according to Cahners In-Stat, the biometrics industry remains a bit player. That will be the case even if its annual revenues rise to a projected $520 million by 2006. Still, biometrics may do better than that if it takes on a larger role at government installations, airports, and other key public facilities, as well as in Corporate America.

Of course, the rising tide in security spending may not lift all boats. Given what's at stake -- and the cost involved -- "for most businesses that haven't looked deeply into security matters, brand will be a powerful indicator of where they'll go to buy," says Gartner's Mallik. That could even imply a quickening of the ongoing consolidation in IT security and services as even more startups get pushed out or bought.


  This may be especially true for suppliers of the software that protects Web sites from intruders, given the wobbly nature of the dot-com business. "Unfortunately, there probably will be some short-term pain," says Israel Hernandez, a senior analyst at Lehman Brothers. But he also sees "an Internet security dividend when all of this is said and done," if only because the breakdowns in counterterrorism intelligence and airport security that led to the Sept. 11 tragedy have focused attention on security of every variety.

According to an IDC study published in August, worldwide sales of security software amounted to $5.1 billion in 2000 and were expected to nearly triple by 2006, to $14 billion. Likewise, spending on information-security services will rise from $6.7 billion in 2000 to $21 billion by 2006. Those are pre-Sept. 11 calculations, however, and spending on security is all but certain to rise faster than that.

Not surprisingly, insurance companies are already increasing requirements for e-business policies that protect companies' computer operations. That means more extensive security audits and measures, including minimum standards such as firewalls, database encryption, and better controls on who logs on to the networks.


  As more companies put operations on the Web, these policies will become more crucial. "Calling your [insurance] broker and saying, 'I'd like to buy this Internet insurance' won't work anymore," says Elad Yoran, a co-founder of managed security company Riptech. "Insurers want more of an assurance that your systems are secure before they will write a policy."

Whether the product is hardware, software, or insurance, for the near term it'll be a seller's market, argues Ted Julian, chief strategist of Arbor Networks, which makes equipment that combats the denial-of-service attacks that periodically crash Web sites, even huge ones. Julian recently met with a top executive from one of the country's leading financial firms. "He told us he had budgeted this for the first quarter of next year, but, given the turn of events, he was going ahead with it [now]," says Julian. "It seemed as if he had gotten a serious directive."

Deadly serious, in all likelihood, as businesses recalculate the need to protect crucial assets.

By Alex Salkever in New York

Before it's here, it's on the Bloomberg Terminal. LEARN MORE