Manage Learn to apply best practices and optimize your operations.

New information security tools best left to big companies, not SMBs

Adopting new security products too early can be disastrous and expensive for SMBs. Know what makes sense and see which path the big companies take.

New technologies can be intoxicating. Everyone wants to say they have the new iPhone or another cool, state-of-the-art technology.

But when we're talking about information security tools, using the latest and greatest technology doesn't always make sense for small and medium-sized businesses (SMBs). Should SMBs strive to be on the cutting edge in the fight against hackers, spam, botnets and the rest?

The answer is a resounding "no."

Most security technologies are designed and built for large enterprises, with all the associated complexity and cost. Why? That's where the money is. Large companies simply have a lot more disposable IT income. So vendors understandably focus on their needs.

This is evident in emerging markets like data leak prevention (DLP) and network access control (NAC). The products are big, complicated and expensive. They meet the needs of big and complicated customers.

To determine if new information security tools have crossed the proverbial chasm and are ready for SMB deployment, ask yourself the following questions:

  • Is the technology still getting a lot of press attention?
  • Have your value-added resellers (VARs) done many installs?
  • Is the cost within reach, say between $5,000 and $10,000?

If you answer no to question one and yes to questions two and three, you might just have a security technology mature enough for your business.

Antispam tools follow the trend

Consider antispam technology. The first set of products from companies like Brightmail Inc. and CipherTrust were specifically targeted at enterprise customers. Big, expensive and complicated, these products satisfied the needs

Most security technologies are designed and built
for large enterprises, with all the associated complexity
and cost.


of organizations with tens of thousands of employees and had price tags to match. In 2003-2004, you could expect to pay $50,000 or more for these products -- well out of reach for most SMB IT budgets.

But then price and complexity for antispam products dropped seemingly overnight. Within an 18-month period, companies such as Barracuda Networks Inc. and Postini Inc. had emerged and were selling lower-priced (between $3,000 and $10,000) devices and services to customers of all sizes, including SMBs.

Why did this happen? Because spam proved to be such a large-scale issue, vendors started offering antispam products, VARs installed a lot more boxes, and deployment became simple enough that even small companies could afford them. With solid antispam products hovering in the $3,000 range, the technology became a no-brainer.

Technologies to consider

Here's a look at some current security technologies and features. This checklist should help you decide whether you should look into deploying them now or if you're better off waiting.

Security technologies that are ready for your business:

  1. Managed security services: Antispam services and firewall/IPS monitoring are the real deal and well suited for SMBs. Why? Because service providers can do these functions cheaper and more effectively than you, letting you and your IT staff focus on more important things.
  2. Unified threat management (UTM): You pay to maintain your firewall, virtual private network, intrusion prevention system and a host of other devices in your network perimeter. A UTM device allows you to consolidate the management, operations and economics of these disparate technologies.
  3. Endpoint security: Antivirus technology is now included in many broader protection "suites," along with antispyware technology, host intrusion prevention, antiphishing tools, etc. So it definitely makes sense for SMBs to check suites that include antivirus protections.

Take a pass on these security technologies:

  1. NAC: NAC will have a dramatic impact on how you design your local networks in the years to come. But not yet. The products are still too immature, the functionality that you really need isn't well defined, and the cost is just too high for SMBs.
  2. DLP: DLP is all the rage now, driven mostly by regulatory compliance issues and data protection imperatives. Again, the products remain immature and complex, require a lot of time to integrate and operate, and are too expensive (the average sale price is around $400,000). Better for businesses to wait on DLP for a while, until complexity and prices inevitably drop.

Remember, new information security tools can play a big role in how you protect your networks and data, but there are few rewards and many risks for SMBs that adopt them too early. So let the big companies debug and bring down prices on new security products, and enjoy the fruits of their labors in a year or two.

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about The Pragmatic CSO at, read Rothman's blog at, or reach him via email at

Dig Deeper on Small-business IT strategy

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.