Daily Archives: August 21, 2006

The Security Industry’s Illicit Triangle

Just as law-enforcement officers and criminal lawyers would be out of jobs if there were no miscreants on the streets, security vendors and the security professionals who justify and buy their products would be forced to pursue different livelihoods if it weren’t for the malignant presence of hackers and malware creators.

It’s one of those timeless paradoxes. Those who defend against and combat malicious parties also depend on them for their careers. Without online malefactors, well, what would we need with antivirus software, intrusion detection and prevention systems, anti-spyware software and services, and the entire growth industry that has been constructed around the threats to online communication and commerce? Answer: Not much.

Fortunately for the security vendors and the professionals who buy from them, there doesn’t seem to be any end to the creativity, determination, ingenuity, and perseverance of the Internet’s criminal community. They are endlessly inventive, these bad guys, and they always find a way to get around the latest barriers, bulwarks, defenses, and locks that the security community throws in their path.

It makes you wonder, as Tim Wilson of Dark Reading has done, about the actual dedication of the security industry — both the vendors and the corporate-security gurus who buy their products and services — to shut down, or at least meaningfully mitigate, the dangers and threats posed by the bad guys.

Admittedly, these are cynical questions that lead ineluctably to tenebrous ruminations about human nature, as well as about the business of security technology, but I applaud Wilson for leading us down this gloomy path. These are questions we should ask, questions that should be posed and pondered by the trade press, market analysts, and corporate customers more than they have been.

Here’s an excerpt of Wilson’s commentary, The Real Threat to the Security Industry:

It’s a harsh reality, but the fact is that every security pro’s livelihood – indeed, the very growth of the security industry itself – depends on the threat increasing, not decreasing. The greater the danger, the more money allocated for security staff, technology, and pay raises. If the danger ever decreases, security will become less important, and those dollars will begin to go away.

Indeed. If you follow the logic, then – and this gets so twisted it might damage your brain — it is always in the interests of the security industry to portray the threats and dangers as growing in breadth, depth, and severity. Implicitly, then, security vendors must admit that they’ve been waging a losing battle, that they have failed to successfully thwart and contain Internet malefactors. Yet, they want to be rewarded for failure — perennially and into perpetuity.

To sell more of their products and services, they must somehow convince corporate purse holders that, even though they have failed continually in their fight against the online criminal class, somehow investing in their products and services represents a good investment because, well, the alternative (not investing in said products and services) would be worse.

It’s not exactly an inspiring message, is it?

As Wilson writes:

What I am saying, however, is that the security industry itself has a vested interest in making the threat seem as scary as possible. Want to get enterprises to buy security technology? Publish a survey that demonstrates a growing threat in that area. Want to get your CFO to buy off on a large security project? Show him a report that demonstrates a high cost per incident. Vendors and IT people both need big threat numbers to justify their growth.

So, in the end, the security guardians can choose one of two arguments. Either they can tacitly concede that they have been ineffective in combating and defending against online threats, and will continue to lose ground against them in the future, or — and this probably is nearer to the truth — they can exaggerate and overstate online threats to gild the lily and make marketing and selling of their products and services easier. They certainly cannot claim to have been successful in their war with the dark side, or we wouldn’t be facing an increasingly escalating and more sophisticated array of threats, would we?

Security vendors are the drama queens of the technology industry. I am sometimes surprised that they don’t hire directors of horror films to run their marketing departments. Like those horror-film directors, security vendors benefit from scaring their audience. Unlike those horror-film directors, though, security vendors purport to be representing reality. As such, they have a case to prove, and far greater responsibility is incumbent on them in that regard.

If you set budgets at a major corporation or service provider, ensure that you understand the motivations of security vendors and their decadently symbiotic relationship with your security IT professionals and the malevolent parties on the Internet. Force them to justify the investment in their products on the basis of actual need rather than on the basis of exaggerated and misplaced fear.

In other words, keep them honest. Some of them don’t seem capable of following that course of their own volition.


Dog Days of Summer for Technology Industry

The last few days have seen an acute paucity of newsworthy developments and events, unless one likes to cover the industry’s Web 2.0 social scene. Perhaps everybody is having a final couple weeks of vacation before getting back to newsworthy endeavors.

Whatever the reason, meaningful news has been conspicuous by its absence.