Dark Reading is part of the Informa Tech Division of Informa PLC



2/28/2007
10:00 AM

Innovation's Dead

Vendors excel at fear-mongering, but fall well short where technical creativity or capabilities are concerned

At this year's RSA Conference, Art Coviello, head of EMC's RSA division, made the provocative statements that the security industry has failed, and in fact will not be in existence within three years. In the warmup act for Art's keynote, Bill Gates stated that security has had it backwards all this time and that Microsoft intends to embed security so it can enable a higher level of user connectivity. (See So Long, Security Silos and Microsoft Vision Raises Questions.)

These are profound statements. And they are right. The industry has failed to innovate in any meaningful way, and we should be glad that these executives are calling us out.

One of the factors cited may be the innovator's dilemma phenomenon. In short, this theorizes that leaders in market segments cherish revenues of successful product lines to the extent that they become blind to upstarts sending them into a death spiral. ISS and Check Point immediately come to mind. Both companies have unquestionably been financially successful, and both have utterly failed to use their riches to advance the security of the world’s computing experiences.

IBM recently rescued ISS, while Check Point bumbles along as a dead company walking. Ironically, RSA also fell into this camp with SecurID myopia but is now taking advantage of a perfect-fit lifeline tossed to them by EMC. Give Symantec credit for trying, as Veritas gives Big Yellow a chance to integrate security into corporate systems.

Still, I can't remember the last exciting innovation in security.

There must be something bigger at play here. With all the VC money pumped into "great new ideas," why has there been no significant security advancement over the last five years? Why is every marketing message a variant of "buy our product or else"? Our security landscape is littered with solutions that do not solve business problems. Can you say PKI? SIM? IPS? DRM? Does NAC have enterprise business officers levitating in anticipation? Does regulatory compliance give you shivers of delight?

The answer is that the security culture has been all about blocking people from doing what they want to do. We're like the parent that always says "no." Firewalls want to block inappropriate access, IPS wants to block traffic, NAC wants to quarantine non-compliant laptops.

Check Point is a poster child for this. Positioned as a product to keep out bad guys, its real value has been as a VPN that enabled a lifestyle change for remote users and as a connection point to the Internet that lets users more easily reach the information they need to do their jobs better. You would think that this would lead them down paths toward application acceleration, location-sensitive security policies, and mobile security. No-ho. They were all finding more ways to sell firewalls for internal usage.

This epidemic of negativity in the security industry stifles creative thinking about ideas that advance business needs. This is why security startups fail to dethrone segment leaders — they are more about better ways to get in the way of business than about offering better ways of doing business. I wish I had a dollar for every security company I see that touts security but just stares at me blankly when I ask what's in it for the business managers.

Security needs to wise up. I sincerely believe there is a place in this world for an independent security industry, but I also believe it will only thrive by finding ways to break down perimeter walls and enable safer connections between users, applications, and data sources. Security vendors need to remember that our appeal to enterprises is to either save money (displace tired old technologies and processes) or make money (enable new lines of business and reach more customers). Anything less is simply destined to be a product feature.

Eric Ogren is a security analyst with Enterprise Strategy Group (ESG). Special to Dark Reading.
