But it goes far beyond growing disillusionment with Anti-Virus, IDS, IPS, behavioral analysis and other off-the-shelf solutions. There's a growing lack of trust inside the C-suite in the ability of automated solutions to protect key corporate assets. An even more extreme situation exists in India where there's NO trust in private industry by the government. One Indian national security advisor explained it to me this way: "How do we trust a company whose motive is profit to act in the best interest of our country?" And he has a point. There are very few U.S. multi-national companies who calculate national security interest when weighing their investments in foreign states that are potential adversaries to the U.S. unless such an action would also result in higher profits for the company's shareholders. Likewise, how does a CIO know that the sales engineer for XYZ security company is presenting the best solution for the CIO's company or simply a solution that's best for XYZ's bottom line?
The coming backlash against Information Security vendors is just beginning to brew. It's taking place in private conversations among senior executives at events where Chatham House rules are invoked or after NDAs are in place. I don't believe that it'll emerge from under the surface into a full-blown tsunami until 2012, but by then it'll be too late to do anything but scramble for cover and hope that there's something left of your over-valued InfoSec company to salvage afterwards.
UPDATE (07 Mar 2011): Robert Vamosi wrote an excellent article which underscores the point that I tried to make: "Why Cybersecurity Should Focus On Failure".