At this year's RSA Conference, Art Coviello, head of EMC's RSA division, made the provocative statements that the security industry has failed, and in fact will not be in existence within three years. In the warmup act for Art's keynote, Bill Gates stated that security has had it backwards all this time and that Microsoft intends to embed security so it can enable a higher level of user connectivity. (See So Long, Security Silos and Microsoft Vision Raises Questions.)
These are profound statements. And they are right. The industry has failed to innovate in any meaningful way, and we should be glad that these executives are calling us out.
One of the factors cited may be the innovator's dilemma phenomenon. In short, this theorizes that leaders in market segments cherish revenues of successful product lines to the extent that they become blind to upstarts sending them into a death spiral. ISS and Check Point immediately come to mind. Both companies have unquestionably been financially successful, and both have utterly failed to use their riches to advance the security of the world's computing experiences.
IBM recently rescued ISS, while Check Point bumbles along as a dead company walking. Ironically, RSA also fell into this camp with SecurID myopia but is now taking advantage of a perfect-fit lifeline tossed to them by EMC. Give Symantec credit for trying, as Veritas gives Big Yellow a chance to integrate security into corporate systems.
Still, I can't remember the last exciting innovation in security.
There must be something bigger at play here. With all the VC money pumped into "great new ideas," why has there been no significant security advancement over the last five years? Why is every marketing message a variant of "buy our product or else"? Our security landscape is littered with solutions that do not solve business problems. Can you say PKI? SIM? IPS? DRM? Does NAC have enterprise business officers levitating in anticipation? Does regulatory compliance give you shivers of delight?
The answer is that the security culture has been all about blocking people from doing what they want to do. We're like the parent that always says "no." Firewalls want to block inappropriate access, IPS wants to block traffic, NAC wants to quarantine non-compliant laptops.
Check Point is a poster child for this. Positioned as a product to keep out bad guys, its real value has been as a VPN to enable a lifestyle change of remote users and as a connection point to the Internet to allow users to more easily reach out to get the information they need to better do their jobs. You would think that this would lead them down paths for application acceleration, location-sensitive security policies, and mobile security. No-ho. They were all finding more ways to sell firewalls for internal usage.
This epidemic of negativity in the security industry prohibits creative thinking for good ideas to enhance business needs. This is why security startups fail to dethrone segment leaders: they are more about better ways to get in the way of business than they are about offering better ways of doing business. I wish I had a dollar for every security company I see that touts security but just stares at me blankly when I ask what's in it for the business managers.
Security needs to wise up. I sincerely believe there is a place in this world for an independent security industry, but I also believe it will only thrive by finding ways to break down perimeter walls and enable safer connections between users, applications and data sources. Security vendors need to remember that our appeal to enterprises is to either save money (displace tired old technologies and processes) or make money (enable new lines of business and reach more customers). Anything less is simply destined to be a product feature.