Picking the locks on the Internet security market

By Michael Fitzgerald

Redherring.com, July 24, 2000

Another day, another e-commerce break-in. So it goes in the new economy, where cyber highwaymen and digital caravan raiders seem to rampage at will -- despite the more than $3.5 billion in security spending expected this year. The problem, argue a number of new startups, isn't products. It's people.

"We have the raw technology to solve most of the fundamental problems that businesses face as they try to put their e-commerce strategies together. What's missing is the smart people," who can actually integrate these technologies, says Ted Julian, the director of business development for @Stake. His company is collecting smart people so it can make money from the deficit.

NEED BRAINS...MUST HAVE BRAINS

Long-time security consultant Bruce Schneier puts it more bluntly: To do security right, "you need a human." Mr. Schneier slipped off his consultant's hat and donned his entrepreneur's hat this April, when Counterpane Internet Security launched.

The opportunity for these startups and a myriad of others was underscored by February's denial-of-service (DoS) attacks, which knocked Yahoo, eBay, and other large sites offline. The security gap was then punctuated by the "I Love You" virus and its siblings, which took out corporate email servers. Most observers felt that the DoS attacks could by and large have been avoided and contained, as could most of the high-profile system hacks that have happened in the last two years.

"The technology exists today to stop 99 percent of all the current commercial break-ins we see," says Simon Perry, a vice president at Computer Associates (NYSE: CA). But the flip side is dark: Mr. Perry says CA has "never, ever failed to penetrate" a customer's environment. And CA isn't exactly a household name in security.

Security building blocks

Security is a highly fragmented business. But many of the key developments, and the biggest growth, could take place in these five broad categories.

Public Key Infrastructure (PKI): Encryption, digital certificates, and other security technologies used to certify online transactions.

Firewalls: Software and hardware designed to help companies and consumers keep out the bad guys.

Anti-virus software: Melissa doesn't love you.

Application/authorization security: Protecting databases from unauthorized access.

Managed security: Integrating security products into a cohesive, effective strategy.

Source: Bear Stearns

THE SERVICE INDUSTRY

Surprisingly, security services startups remain few and far between, despite projections that the services side of the market will grow from $7 billion this year to $14 billion in 2003. That's a much larger market than the $7.4 billion expected for the security products market in 2003, which would include things such as firewalls, monitoring tools, and public key infrastructure (PKI). But of 30 private companies listed in a June 2000 Bear Stearns report on Internet security, only four -- @Stake, Counterpane, MyCIO, and RIPTech -- were cited as having services form a significant part of their business.

"From a startup point of view, it's easier to do a software company than a services company," says Bob Lam, who analyzes the security market for Bear Stearns. Mr. Lam argues that services firms need to develop infrastructure, often including a data center.

There's also plenty of competition from the increased focus on security services by the Big Five consulting firms: Andersen Consulting, KPMG Peat Marwick, PricewaterhouseCoopers, Deloitte & Touche, Ernst & Young. In addition, security stalwarts such as Symantec (Nasdaq: SYMC) are expanding into services.

John W. Thompson, chairman, CEO and president, says that he wants to see Symantec's new services arm go from 10 to 12 active consultants as of May to between 60 and 80 by year's end.

SECURE AND DEPLOY

"For the corporate market...we're building a services organization because many of the breaches in companies occur not because they don't have the technology, but because they haven't necessarily deployed it properly," Mr. Thompson says.

"Security is a process, not a product," says Mr. Schneier at Counterpane. Stuart McClure, a Big Five consultant who started Foundstone, echoes that when he says, in a separate interview, that security "is a process, not a goal."

Semantics aside, security appeals to VCs and appears likely to intrigue the public markets, too. @Stake drew $10 million from Battery Ventures, Foundstone $3 million from Olympic Venture Partners, and Counterpane $7 million from Accel Partners and Bessemer Venture Partners.

WHO'S DRIVING?

Network Associates (Nasdaq: NETA) formed MyCIO in January after research showed that 63 percent of companies don't have anyone in charge of security. MyCIO president Zach Nelson says the company aims to go public this year. A number of other CEOs at security companies, from CyberSafe to Infraworks, expressed few concerns about closing new rounds of funding.

To the VCs, it's pretty cut and dried. "E-commerce is on everybody's mind," says Tom Crotty, the Battery Ventures partner who led funding for @Stake. "It's not just a business issue anymore, it's a mainstream issue that transcends technology and business. Security has done the same thing."