The SIEM Market: Why Isn’t it Doing Better?
When I worked in the Security Information and Event Management (SIEM) arena, I remember the glowing predictions concerning the likely growth of the SIEM market. In 2005, IDC predicted that this market would grow from $266.6 million that year to $635.5 million in 2009, and I have even seen some more optimistic projections than IDC’s. Nothing I have seen suggests that 2009 SIEM sales will even come close to this prediction, however.
Granted—the world economy is in bad shape right now. Purchases that would have been made a little over a year ago are currently not even being considered. The SIEM market is by no means the only one that has faltered during bleak economic times. But given the great potential value and potential cost savings (especially in labor costs) associated with SIEM technology, one would think that it would currently be more popular. What else is keeping organizations from using this technology?
First, many people regard the cost of SIEM technology as prohibitive. This perception is only partially true, at least when it comes to the purchase cost of many SIEM products. The purchase cost for quite a few of these products is less than $25,000 (installation costs not included), and if somebody wants to obtain a SIEM tool for free, there is always OSSIM, an open source SIEM tool. On the other hand, the cost of SIEM technology can soar when maintenance costs are added in. Adding fuel to the fire is the fact that some vendors are rather unreasonable in their pricing structures—the extra cost per user, per collection device, and more can really add up. But there is also a lot of unreasonable thinking about the cost of SIEM technology.
Another hurdle that the SIEM market faces is the complexity of the technology. Although some SIEM tools are extremely rudimentary and hence easy to deploy and use, others are just the opposite. Most SIEM products require months of tuning after the initial installation—there is no such thing as a fully functional SIEM right after installation. Furthermore, one well-selling SIEM tool can require the installation and maintenance of four separate machines on the network and has so many functions that many levels of menu traversal are required to get to some of the most basic functions. Troubleshooting SIEM tools is generally no picnic, either. SIEM vendors need to address the complexity problem better if they want their products’ sales to grow more.
Another obstacle is that few people seem to consider SIEM technology a “must have.” This technology is instead often considered to be a “nice to have” technology. Consequently, few infosec professionals include SIEM tools in their requested yearly budgets. If they change their minds and decide that they need this technology midway through the budget cycle, the money needed to purchase and install this technology is very often not available.
Please do not misunderstand me. I am still a strong believer in the merits of SIEM technology. But as I have said so many times before, the availability of good technology is by no means any guarantee that people will buy it. Good luck, SIEM vendors, but somehow life has gotten better now that I am out of this crazy business.