We can’t have enough security products

In recent years I’ve taken the opposite view from the analysts and vendors who have been continually predicting the death of standalone security products. I believe the future will be even more security solutions. And that’s a good thing. We should encourage more innovation, variety and competition.

I can understand why big vendors prefer to imagine a future free from single point solutions. But I find it sad and strange to hear customers complain about the number of security products available for them to buy. Bruce Schneier drew attention to that in his report of this year’s RSA Conference. His observations were correct, though I disagree with his forecast of the death of end user attendance at large exhibitions. In my view these events will go from strength to strength, as products proliferate and security becomes even more fashionable. 12,500 visitors are reported to have attended Infosecurity Europe. Next year’s event will be even bigger.

There are several reasons for the frustration of users. The market is immature and inefficient. Products are improving but marketing is still weak. I know that because I advise many start-up companies and venture capitalists. But inefficient markets present business opportunities. And networks are a powerful tool for improving searches and communications. That will all get fixed over time.

It’s also becoming much easier for customers to deploy new products when offered as Software as a Service. That at least overcomes the complaints of operations staff about the number of different boxes they have to install in their equipment racks.

I’ve pointed out before that acquisition of smaller products by bigger vendors will not reduce the number of standalone security products. The problem space is huge and growing. The solution space is tiny by comparison. What we’re really lacking is imagination. There is plenty of existing academic research to underpin dozens of new security product concepts that would deliver value to customers. I can think of several that are easy to build and that customers would buy. But we keep seeing variations of the same solution. A lack of creative product development is the real Achilles’ heel of the security market.

Join the conversation


In an interview a few years back, Marcus Ranum said: "To really secure systems, everything needs to be done 100% right at application layer, kernel layer, network layer, and at the boundary of the network." How do you see a proliferation of point products doing this? The big challenge is that to be truly innovative, one must forget what he has already learned or else all we get is "variations of the same solution"; it is not enough to just push the boxes around in a different arrangement.
Ah but information security management is much more than designing secure systems. It's also about minimising the risks to insecure legacy systems. About managing security across large IT estates. And safeguarding secure systems from insider threats or accidental breaches by users. We don't have enough solutions to achieve that.
It's true that the conversation has progressed to information-centric security and de-perimeterisation etc., since that interview, but one still needs secure systems as part of a comprehensive approach, to ensure transitive trust and guard encryption keys, passwords, etc. As far as the rest of the things you mention, scalable multi-level security for business would work. There is a lot of discussion about data classification, DAM and DLP these days. These are the realm of MLS, which is about workflow decisions, not server or silo decisions. MLS is an enterprise discussion. However, consideration of MLS is often rejected due to the heavy administrative overhead of (historically) poor implementations of this technology in the past. Innovation can occur in this area as well as any other. :)
David, I agree with your view on the continued growth of the security product base. For example, the ongoing revolution in voice services alone is prompting the launch of a whole set of products and services for the voice service just the way it unfolded in the data security world 15 years ago. Given the real-time nature of voice the technology challenges are even bigger. Voice Firewalls, Voice IPS, Usage management, Toll Fraud protection, denial of service protection for a real-time service like voice in a hybrid world of T1, E1, PRI, analog, SIP, H323, SS7, etc. is a non-trivial problem set to fix. The operational and security issues for the enterprise regarding voice and data network interconnectivity have been around for years but can no longer be addressed without a significant technology base in place. Voice Firewalls are the next big consideration for the enterprise.