There are a lot of reasons why NAC adoption is slower than expected -- it's expensive, it's complicated, there isn't always a clear benefit, competing IT projects are taking priority, and there's still a lot of confusion about NAC technologies. Until IT grasps these issues, they won't move forward.One of the hallmarks of a maturing IT market is standards compliance. Certainly not in all IT markets; there are no standards for firewalls, anti-malware, or intrusion prevention, and those markets rose to maturity quite well. But with a technology like NAC, which integrates with disparate IT systems from desktops to infrastructure, the integration techniques and the stability, or instability, of integration is a substantial issue for IT shops. There is no line item on an RFI or RFP for stable, robust integration, but the indicators are evident in requirements definitions and discussions with IT shops investigating deploying NAC.

Alan Shimel posits customers are sick of the alphabet soup of standards and simply want something that works. Sure, there is no value in requiring standard conformance if the product doesn't work as advertised. Functioning products are important. But what I take away from Shimel's point in the context of recent conversations at Interop and our recent 2008 NAC Survey [registration required] is that customers are sick of the NAC alphabet soup because there are three competing "standards" with no clear winner and no real indication of which one will become adopted by the NAC vendors and all the other vendors that can and will integrate with NAC systems like anti-malware, patch management, authentication, intrusion detection/prevention, and infrastructure.

The lack of standards isn't killing the NAC market, but it is changing the decision for IT. Companies are seriously investigating and deploying NAC. But the decision is often coming down to choosing a NAC product from a vendor the company is already doing business with versus a different company. One of the hurdles an unknown vendor has to get over is convincing the prospective company that it can integrate with the prospective companies existing systems and maintain that integration through various iterations of products. That's why most vendors that want to attach to the NAC product space either participate in partner programs and/or offer their own. Customers want seamless integration; therefore, in the void of standards, vendors will spend cycles integrating through one-off relationships.

That just doesn't seem to be a sustainable process. So here is what needs to happen. All you vendors need to get together in a tiny room and be force-fed cold-cuts and potato chips until you decide to actually agree to rally around a standard or a framework and then set a time line to do so. Doing so removes one more obstacle in the sales cycle and might spur adoption similar to how the Wi-Fi alliance rallied the nascent Wi-Fi vendors to a common interpretation of 802.11 and showed through bake-offs that yes, any conformant NIC could talk to any conformant access point. The Wi-Fi alliance, more than anything else, smoothed the road to 802.11 adoption.

Yeah, vendors need to make sales. Customers want products that work. But there is a way to play nice with others and still have room to innovate.