The RSA Conference

Last week was the RSA Conference, easily the largest information security conference in the world. Over 17,000 people descended on San Francisco's Moscone Center to hear some of the over 250 talks, attend I-didn't-try-to-count parties, and try to evade over 350 exhibitors vying to sell them stuff.

Talk to the exhibitors, though, and the most common complaint is that the attendees aren't buying.

It's not the quality of the wares. The show floor is filled with new security products, new technologies, and new ideas. Many of these are products that will make the attendees' companies more secure in all sorts of different ways. The problem is that most of the people attending the RSA Conference can't understand what the products do or why they should buy them. So they don't.

I spoke with one person whose trip was paid for by a smallish security firm. He was one of the company's first customers, and the company was proud to parade him in front of the press. I asked him if he walked through the show floor, looking at the company's competitors to see if there was any benefit to switching.

"I can't figure out what any of those companies do," he replied.

I believe him. The booths are filled with broad product claims, meaningless security platitudes, and unintelligible marketing literature. You could walk into a booth, listen to a five-minute sales pitch by a marketing type, and still not know what the company does. Even seasoned security professionals are confused.

Commerce requires a meeting of minds between buyer and seller, and it's just not happening. The sellers can't explain what they're selling to the buyers, and the buyers don't buy because they don't understand what the sellers are selling. There's a mismatch between the two; they're so far apart that they're barely speaking the same language.

This is a bad thing in the near term -- some good companies will go bankrupt and some good security technologies won't get deployed -- but it's a good thing in the long run. It demonstrates that the computer industry is maturing: IT is getting complicated and subtle, and users are starting to treat it like infrastructure.

For a while now I have predicted the death of the security industry. Not the death of information security as a vital requirement, of course, but the death of the end-user security industry that gathers at the RSA Conference. When something becomes infrastructure -- power, water, cleaning service, tax preparation -- customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers.

No one wants to buy security. They want to buy something truly useful -- database management systems, Web 2.0 collaboration tools, a company-wide network -- and they want it to be secure. They don't want to have to become IT security experts. They don't want to have to go to the RSA Conference. This is the future of IT security.

You can see it in the large IT outsourcing contracts that companies are signing -- not security outsourcing contracts, but more general IT contracts that include security. You can see it in the current wave of industry consolidation: not large security companies buying small security companies, but non-security companies buying security companies. And you can see it in the new popularity of software as a service: Customers want solutions; who cares about the details?

Imagine if the inventor of antilock brakes -- or any automobile safety or security feature -- had to sell them directly to the consumer. It would be an uphill battle convincing the average driver that he needed to buy them; maybe that technology would have succeeded and maybe it wouldn't. But that's not what happens. Antilock brakes, airbags, and that annoying sensor that beeps when you're backing up too close to another object are sold to automobile companies, and those companies bundle them together into cars that are sold to consumers. This doesn't mean that automobile safety isn't important, and often these new features are touted by the car manufacturers.

The RSA Conference won't die, of course. Security is too important for that. There will still be new technologies, new products, and new start-ups. But it will become inward-facing, slowly turning into an industry conference. It'll be security companies selling to the companies who sell to corporate and home users -- and will no longer be a 17,000-person user conference.

This essay originally appeared on Wired.com.

EDITED TO ADD (5/1): Commentary.

Posted on April 22, 2008 at 6:35 AM • 34 Comments

Comments

Clive RobinsonApril 22, 2008 7:33 AM

@Bruce,

You kind of missed an important point,

It's not just the average "potential" customer who does not understand the product, Its those sales / marketing droids as well.

Part of the reason for,

"booths are filled with broad product claims, meaningless security platitudes, and unintelligible marketing literature"

Is that not one of the sales and marketing droids understand what the product actualy does or is capable of. Those in the organisation that do (engineers, designers etc) have had to dumb down the information to the Droids understanding level, because that's what the marketing director has decreed.

The Marketing industry (possibly the largest industry in the world) has an inate belife not just in it's self but that it is the sales "process" not the "content" that sells product i.e. "Bovine excreter baffles brains" methadology. It is also the reason they justify not learning about the product and also ask for outrageous renumeration (and why the rest of the directors etc kowtow to them).

While this might well be true for a large number of similarly specified mass consumer products (like say SUVs) where the consumer just wants to "buy" it is most certainly not true of bespoke or highly technical products. Where there is no imperative to "just buy" but to actualy do a bit of research to get not just the best bang for the buck but to actualy get both understanding and insight and therby get something directly of value to the individual making the purchase which helps them keep their marketability in a downward market.

Failier to communicate effectivly at any level (or at all) in a meaningfull way will always result in lost sales for technical products.

The Droids nead to realise that they need to understand the customers needs, and be able to point out their products advantages from that view point. Otherwise the customer might as well be watching a "chimps tea party" which a lot of these booths do look like.

Once upon a time HP understood this and sent out technical sales representatives with the sales person to find out the customers wants and needs and get them across to the sales droid who then "cut the" deal.

AnonymousApril 22, 2008 8:06 AM

@Clive:

>Its those sales / marketing droids as well.

Well, yeah, but that's true for any hight-tech industry, not just information security.

gregApril 22, 2008 9:17 AM

So no interesting talks. New theory results? New breaks on current systems?

What about current factoring and the state of the art with EEC. Any patents expired so we can care about some new scheme....

How about "secure" programming languages or techniques? Or even hardware supported solutions?

I miss the math :(

OldTimerApril 22, 2008 9:18 AM

Good essay Bruce. I think you hit the "nail on the head" with this. We are experiencing the evolution of an industry.

I have seen this before in the networking world. There was this little "get together" called Interop, which got its start a lot like RSA. A bunch of engineers and technical folks from small companies got together to talk networking (TCP/IP, OSI, routers, etc.), learn, make sure everyone's products/technologies worked together, and sell their wares. Over time, the little show grew bigger and bigger, became Networld-Interop and eventually got so big it collapsed into itself as all those networking technologies became infrastructure and expectations about the products changed (e.g. companies stopped buying TCP/IP as an "add on" product and expected it to just be a part of the operating system).

Regarding the "talking heads", at first when the conference (applies to Interop, RSA, and I am sure others) was small it was the engineers and technical folks that manned the exhibit booths and talked directly with potential customers. Over time, as the conference gets bigger and the vendor booths get bigger, and companies spend more and more money, the vendor's technical folks get replaced by marketing folks (perhaps because there aren't enough technical folks in the company, or perhaps because the technical folks are now needed back at the office, or perhaps because the vendor decided it was more important to have more sales discussions than technical discussions in their booth).

The RSA conference, and as you stated, the security industry as a whole, is at a crossroads where the expectations for security products/technologies changes from something that is purchased as an "add on" to some product or some part of the infrastructure, to something that is "built in" to the product, system, network, etc. from the start.

RSaundersApril 22, 2008 9:36 AM

Great essay, as usual.

I think you're a little off the mark with "No one wants to buy security. They want to buy something truly useful -- and they want it to be secure." The car example was better.

People want to do things the way that is easiest for them -- and they want it to be secure.

Ages ago I was on the periphery of anti-lock brakes. Car companies had a lot of questions about the technology. Cars can't require training to use. This is not just common sense, apparently it is a federal law. In Driver's Ed you learn all you are ever required to learn to drive on the roads. If all you learned was "Push the brakes to stop", then cars could have added ABS more easily. Alas, way back when, people were taught to pump the brakes to avoid locking them up. Making ABS stop your car when you pumped the brakes is a very hard thing to do. Even though ABS was simpler, it was different, and that was a big problem.

IT security, to be an invisible "built-in" infrastructure, needs to let people surf all over the Internet, even the nasty parts, and click on whatever strikes their fancy. Users need to be able to read emails, and click on the attachments and links therein. Through all these behaviors, no personal data needs to go to those with evil intent and the user's computer needs to suffer no ill effects.

I didn't see anybody at RSA that could sell me that, or even a step in that direction. Frankly, I didn't see much evidence it was possible.

borkedApril 22, 2008 9:58 AM

"Imagine if the inventor of antilock brakes [..] had to sell them directly to the consumer."

They never did. AFAIK Mercedes-Benz invented ABS and gave it away to their competitors, because they thought it was too important for road safety to sit on it.

AnonymousApril 22, 2008 10:11 AM

The other reason people aren;t buying is ridiculous pricing schemes and total costs... I work for a company that makes a fair bit of coin, but there's no way they are going to put out 500K - or even 150K (plus annual maintanence) for a simple log management tool, etc.

ax0nApril 22, 2008 11:02 AM

The problem with (let's call a spade a spade) Trade Shows of this nature is that the people who know what things their company needs
aren't given authority to buy stuff, and the people who are given the authority to buy stuff don't understand what the needs are at such a granular level.

BrianApril 22, 2008 12:07 PM

"Imagine if the inventor of antilock brakes [..] had to sell them directly to the consumer."

Actually they did, and they do. But only in the custom car consumer. You can buy ABS kits for old vehicles.

JosephApril 22, 2008 12:29 PM

This problem isn't unique to computer security. I stopped by ad:tech this year (an industry show for onlne advertising) and couldn't understand what any of the companies did. I've also attended other conferences like NetWorld Interop or NAB and had the same reaction. Trade show booths are not a good way to explain what specialized computer software (or hardware) products do.

For years, I have believed that trade shows are primarily business development mating exercises. They're a good time to meet your partners and size up your competitors. You can also say hi to your current customers if they attend. Maybe you can get someone in the press to say something nice about you. But you'll have a very hard time attracting new customers.

EricApril 22, 2008 12:38 PM

I worked for Mecedes (aka Daimler) when they first introduced ABS in their models.

One of their preparatory steps was to ensure they had lots of spares of the rear ends of their ABS equipped models.

Why? Because they could predict that their better braking would result in may of their cars being hit from behind.

It was progress, of a sort :-)

frog51April 22, 2008 2:17 PM

One of the upsides of Infosec (currently on in London) is that there is still a reasonable percentage of vendors who 'get it' and send techy geek types who can actually answer our questions. It is getting worse though, so who knows how it will be in a couple of years' time...

JohnJApril 22, 2008 2:31 PM

Bruce nailed it with "broad product claims, meaningless security platitudes, and unintelligible marketing literature". I'd walk the floor & glance at the displays (avoiding eye contact wherever possible lest I get harassed by a droid) and just wonder why these companies thought that displays saying "A Full Complement of IT Security Services" or "Meeting your Compliance Goals" or whatever was remotely meaningful when every last vendor on the floor could say the same thing.

Vendors, please! Tell me something about what you actually do, preferably something that's different from the next guy in line, if you want me to stop & talk and let you get that precious badge scan. A 1:17000 chance at an iPod Touch or Wii won't draw me in if I don't know what you offer.

Reader XApril 22, 2008 2:48 PM

"It demonstrates that the computer industry is maturing: IT is getting complicated and subtle, and users are starting to treat it like infrastructure."

I dunno about that. I'm not sure this is a sign of the death of the security industry, or of anything more than an overhyped conference and/or (temporarily) saturated market, into which current economic conditions may also factor.

"No one wants to buy security. They want to buy something truly useful -- database management systems, Web 2.0 collaboration tools, a company-wide network -- and they want it to be secure."

To a great extent, this is true. But it's always been true, and the larger IT market has always disappointed in this regard. And therein lies the rub. Security is always being folded into enterprise solutions, but 1) threats will evolve as quickly as technology does, 2) bundled solutions will not keep up, and 3) a high percentage of those bundled security solutions will not work.

SamApril 22, 2008 3:04 PM

Here we are hashing over the problems of the IT industry - as true today with this post as they have been since day one. IT is too complicated, this is not criticism, just a fact. Those who buy it, use it, need it, and want it dont understand it. What is the answer? Until this question is answered IT will always be dominated by sales of things that cant be well defined to those buying them. :(

Philip EvansApril 22, 2008 3:13 PM

Interesting that it strikes you like that in the US as well.

I have just returned home from being at day 1 at Infosec Europe in London. We have been exhibiting here for the last ten years (Master's degrees that you have to work for, if you're inerested). The show has changed a lot in these years; there is far less "product" on view and I had to look carefully at several stands to determine what they were actually offering. In fact, most of the exhibitors are providing "solutions" and their stands are filled with sales staff.

Philip

LimnologistApril 22, 2008 3:46 PM

I'm sold on the concept that this is the future direction of security, but this worries me slightly. At some level, there needs to be someone that grasps the concepts behind good security. This is the Applied Cryptography problem in new clothes, even if you assume that the algorithms are in place, people still need to use the systems properly. What worries me is that the people at this conference should have at least been the more competent people within their companies, and they still weren't sure what they were being sold. This doesn't bode well for the industry or security in general, but if I was in the business of generating oil from snakes, I'd be excited.

Clive RobinsonApril 23, 2008 1:47 AM

@All,

Happy St Georges Day, now go slay a dragon of your own 8)

@ Philip,

"I have just returned home from being at day 1 at Infosec Europe in London. We have been exhibiting here for the last ten years "

I did not go to Infosec this year for the reason I posted at the top of this blog that is "the chimps tea party" sales droids.

When I want to buy a "particular type of" product I have usually already done some preliminary investigation (where possible) and I realy do want to know the specifics of a product (I guess that makes me a techie ;)

Getting onto a stand and talking to succession of sales droids who (pretend) to pass me up to more knowledgable people who likewise cannot answer the question (but often are better at selling) does not fill me with confidence 8(

Now I do not know what company you are from as the product you alude to is something that I would not generaly consider purchasing from a show (I'd probably go to the Royal Holloway at Uni of London direct for an Infosec MSc http://www.rhul.ac.uk/cpd/ ). So I probavly would not have had you on my "to see" list.

However I will make a prediction that Bruce is probably correct in that the RSA and likewise InfoSec are on their way to the "Emergancy room" for "life saving" care but the prognosis is not good. Just like any doctor can tell you it's the "wrong life style" that cause a good percentage of heart blow outs.

Back in the early days the exhibitors where usually small companies who had the "techies" on stand as their organisation was to small for a full complement of sales droids. And it was usually noticable that the stands with most "interested bodies" on where the small ones.

This was probably because the "interested bodies" where also techies (On a number of occasions the "Big Boys" stands where so empty you could walk across their stands as a short cut they where that unpopular).

However a number of things have changed and the result is that the marketing bodies have moved in.

The two changes with probably most impact were,

Change 1 was the "Big Boys" started developing (or buying in) the technology.

Change 2 was "Regulatory Compliance"

As a number of people have realised small companies tend to develop "focused" or vertical market products, that appeal to buyers who know what they are looking for. The "Big boys" are however looking at horizontal markets for as "larger customer base" as possible (which in general the little companies are not so interested in due to support costs amongst other reasons).

Importantly the small customers and the Big Boys customers are different and respond differently (Tech-2-Tech Droid-2-Suit).

So a simplefied explanation using the "Tech-v-Suit" stereo types.

The Big Boys often get a very limited response in the early stages of a technology market, due to being slow to react and a main interest in horizontal not vertical markets. Their solution when they have the technology is to give it away with either the OS or in a steadily growing package (ie word pro, spreadsheet, presentation, Database, email, accounts etc) therby turning a vertical market into a horizontal one they know, understand and have attempted to remove the small competition from.

The Big Boys thereby get an increased market share by "dumping" the product onto users who may not want or need all the products but get them installed along with the one they do want (think Database and Word processor). In general it used to be the Suits that bought the horizontal market "Office Packages" and the Techs that bought the vertical market "apps". Kind of "Bargin Bucket-v-gormand" outlook (oddly there is an IT related organisation called "Gormand Pty Ltd" in Oz).

Because the "Dumping" starts to lead to user support issues the show clientel slowly starts to change away from just techies.

Often the transition from Techs to Suits as attendies at shows tendeds to be slow(ish) not so fast it is "almost overnight".

However when you have a major change in a market from an external force (Legislation / Regulation) all of a sudden the game changes, and the buyers and attendies change almost overnight.

One reason for this is Suits do not regard the Techs as having the required "Business Knowledge" so the suit needs to be involved in the process...

Suits do not have the time to learn either what they realy need to know or TechTalk, so they need a "solution provider".

If the suit does not know where to find one they tend to do one of two things speak to a "consultant" or the "trade". Depending on the size of the organisation "talking to the trade" translates to "go to a business forum" or "Go to a show the Techs go to" or talk to the last sales bod who sold them a big chunk of software.

For the "go to a show" option the result is that the ratio of "techs" to "suits" starts to change at the show.

When "suits" go to a show as they have no real idea of who sells what they again do one of two things talk to "everybody" or the "names they know". As most Suits cannot talk "technical" they all tend to end up with the people who talk "business" which is usually the "Big Boys", and this tends to get reinforced as the suits cannot communicate with the techs on the small company stands (think "aversion therapy" 8).

As the "Big Boys" get more custom on their stand, the smaller companies think they are getting less of the market (even though they are probably not in their vertical market).

Why do the small companies think this, generaly they realise that both their "walk on" rate and "Hit Ratio" for the show has fallen through the floor, and look for the reason.

Some realise it's a "communication issue" (ie the gulf between TechTalk and Business Speak) and some think it's because they lack "Slick Marketing".

Unfortunatly at the next show those that have (correctly) identified a communications issue still see a poor walk on rate unless they have put the "magic incantation" (Solution Provider etc) up on their booth to get the suits to walk on to their stand. However those that incorrectly guessed it's "poor marketing" still get an increased number of booth visits it's just that their hit ratio gets worse a lot more quickly.

Now the bit where it all goes wrong...

A show is generaly judged to be good or bad by two things,

1, Booth/stand visits or walk on rate
2, Sales Conversion or Hit Ratio

As there are no other quick and simple measurands to go by.

However an organisation only gets to see the Hit Ratio for their organisation not the competition.

They do however see the "walk on" for the competition, likewise they do also see the other advertising campains in the press and journals for the competition as well.

Often an incorrect conclusion is made that "were doing something wrong" because "the competition are doing better than us" and so a hunt for the "key ingrediant" starts.

They miss the points that, the show attendance has increased due to the attendance of suits, and they are less likley to sell to suits as the suits are generaly not interested in apps but solutions (it's why understanding and communications is so important).

After examining the percieved oposition the small company conclusion is often "better marketing" is needed. This is for a couple of reasons.

The first is that techs know little or nothing about marketing other than what they have read which the don't realy understand (as the books generaly tends to be couched in business speak not TechTalk)...

The second is that the competitions marketing is percived as looks better, (the "grass is always greener on the other side of the fence" problem).

So the solution is often to get "better marketing", but how do you go about it. Usually by speaking to marketing people, who lets face it are going to re-enforce the attitude that better marketing is needed. It is in their interest after all and they can spot an unknowing client better than a con artist can spot a suitable mark.

Two curious things can occur, the first is an abdication of responsability to the marketing people (they know what they are doing and I don't understand it). The second is as the Marketing people do not know what to differentiate the product by as they don't speak TechTalk they tend to play "follow the leader" which is generally one of the big boys...

The result is usually a downward spiral of "more of the same" marketing that dumbs down. Due often to the less switched on marketing bods not understanding or carring what market the organisation is in and correctly "communicating the product", they belive it's the "process" of "better marketing" that pushes up sales (because they have read the books as well and unlike the techs can "talk the talk...").

The predictable result is what people are seeing with their own eyes at the RSA, InfoSec and other similar technical shows.

Some small companies make the mistake of devoting more and more resources to aimless marketing. Thus taking away resources from their core business, the result can be that they get stuck on a donward spiral. If this happens they usually go under or if lucky get bought up at a bargin price by another company. Even if they don't spiral they often suffer a significant weakening and suffer the same fate. However since the change in the money markets due to bad risk the option of being bought up is going away rather rapidly.

Other small companies stick with what they know and are good at (the technology) and avoid the Marketing Spiral. Often they either bridge the communications gap or develop more specialised much higher end products (ie move verticaly up not horizontaly outwards) .

Usually these small companies stop attending the shows as they realise the returns are rapidly diminishing. As their customer base is not attending the show any longer (but now use other communications means such as the Internet).

For the show this becomes a spiral as other small companies leave or cease to exist the show gets effectivly given to the big boys. So the the flavour of the show tends to change towards the big boys customers even faster and they soon become the only attendies.

Eventually when the Big Boys have converted enough of the market from vertical to horizontal they turn their attention to other markets. So likwise the Big boys see the show in terms of diminishing returns and they stop attending as well.

The result the show as so many before it folds.

averrosApril 23, 2008 4:26 AM

Most "security" products are snake oil and do very little to reduce chances of a breach. Marketing claims are wildly overblown (that's why you can't get the exact description of what products do... because they don't do much). Customers started to figure that out.

Film at 11.

not C uc April 23, 2008 6:06 AM

500% security improvement by using a programing language that works. By using not syntactic sugar to an assembler (aka C) the vast majority of buffer overflows are prevented....

RusApril 23, 2008 7:19 AM

Bruce, thank you for this post. I attended RSA for the first time this year, and even as a hands-on security practitioner who holds a CISSP I had trouble actually decoding what some of these vendors do.

Now I don't feel so stupid! :-\

To any vendors reading this thread that haven't figured it out yet, here's the secret of marketing to techies: Have a techie there that can actually describe the product. Better yet, have a developer/engineer there that can *really* describe the product. FWIW, after reviewing one or two "Solutions Providers" I ignored the rest of them... all zeros no ones.


I got some good value out of the sessions, but I must say the show floor was a disappointment. I expected better.

But it was fun watching the protesters at the Gore keynote!

Rus

DarrenApril 23, 2008 9:27 AM

Security Engineers will evolve much like the web developers did. I remember when companies had "webmasters", then this turned into dynamic teams and eventually into divisions. It became an application. However using the analogy of cars is interesting....you miss the point of policy. See companies want users to be able to " do anything " yet be secure as some "box" will look out for them. That is never going to happen. Like driving, we have responsibilities and rules...much like security policies. The real problem is enforcing these policies.....and its probably the biggest problem...

DarrenApril 23, 2008 9:33 AM

P.S most aren't buying at present as companies just don't have the money!...

tuomoksApril 23, 2008 11:30 AM

Bruce is correct. As are persons who mention that this is not a new development in any technology - I have seen other useful conferences turn to dog&pony shows over years.

And seeing security from corporate infrastructure point of view is much more than products. Compliance is of course one and needs often many changes in whole infrastructure, not just one or more "miracle" products. Many other problems, what kind of performance and capacity problems the product will cause. How much planning, education, training, new computer and human resources will be needed, does it support all of the infrastructure of just a part, does it create new AA management nightmares, is it just a stopgap or something which can be used next 3-5-10 years, and so on? Problems at least I see every day!

So, you can see why companies have to have more information than just marketing speeches and nice brochures. The unfortunate truth is that this started a long time ago - there used to be time when any and all new products, internal or external, had to have all the aspects in plan but then it changed by "specialists" who didn't have the whole picture and really didn't care of it. Of course the marketing targets them, much easier!

JohnDApril 23, 2008 1:02 PM

The idea that security will eventually become a part of the infrastructure makes sense, but it misses one important point.

As the telephone wiretapping, and governmental eavesdropping stories continually show, your data is not really secure unless you secure it yourself.

Do you doubt for a minute that the government has a backdoor for many (most?) infrastructure based encryption programs?

We have seen over and over that the government, the insurance industry, the healthcare industry, etc., could care less about an individual's information security. Moreover there have been several widely publicized instances of allegedly secure data being publicly revealed by stolen computers, bungling, etc.

I think those who are most attentive to safeguarding their information will continue to want that protection to be local.

Dave BellApril 23, 2008 2:08 PM

Isn't the big problem that security has many different, though overlapping, elements.

For instance, physical security of the building, to stop unauthorised access, does nothing to stop you hiring a crook.

Securing the connection to the internet, both against physical wiretaps and the myriads of malware, doesn't secure a USB port.

And security has no chance when the boss drops a CD in the mail.

gregApril 24, 2008 4:56 AM

@Dave Bell

Great food for though. There is a element of security that must make up company policy and check compliance...

But right now the problem is much more fundamental....

supersnailApril 24, 2008 5:24 AM

@not C uc
"500% security improvement by using a programing language that works. By using not syntactic sugar to an assembler (aka C) the vast majority of buffer overflows are prevented.... "

There is more to security than preventing buffer overflows! Indeed taking about buffer overflows on a contemoary security blog is a bit like discusiing which armor plate is the best protection against arrows at a contemorary arms show.

Two of the currently most succesful and pernicous classes of attacks are a result of the power and flexibility of modern programming language combined with lazy programming practices. SQL injection allows an attacker to use all the power and glory of SQL on your database (and often non databse resources as well!). Cross site scripting enables an attacker to use the elegance and flexibility Javascript to impersonate a trusted user inside hos own browser.

While it is true that a particular popular operating system written in a dialect of C++ does still suffer from numerous buffer overflow vulnerabilities, this is more to do with the culture of the company and poor programming practice. The same company's products suffer numerous security breaches due to SQL injection, cross site scripting which allows any javascript to manipulate local OS objects, "script injection" attacks which allow attackers to send malicious programs inside innocent looking documents etc. etc.

Choice of programming language is probably the least important security choice. A culture of security awareness and "program hygiene" is more effective than a language switch.

Philip de LourailleApril 24, 2008 9:34 AM

Having been an Information Security head for quite a while (since early 90's) I have given this subject quite a lot of thoughts. People want to be secure but they do not want to modify their behavior to get it. In Corporations, the Security guy is seen as a disabler. He gets in the way of other people's projects, the people who see themselves as enablers. Worse, the upper management, when asked, will state forcefully that security is upmost important, but won't want to be affected by it: they do not want to have an password keyfob to log in from China onto the Corporate network "just in case it won't work." So the security guy is always at odds with everyone in Corporations.
So I agree with the writer. Security has to be enabled, woven into products and not added on later by customers. (Of course, how is that to be done is another universe of discussion.)
In summary, people's view on security is that it is someone else job to make it happen and it needs to be transparent to them. Like Big Brother but without the Big Brother.

Geert VandenbrandenApril 25, 2008 6:03 AM

Interesting analogy with the automotive industry. Especially the customer dimension is very similar.

In both situations (IT - automotive) the customer is not interested in security. If it wasn't for the regulations, cars would never have installed the security features they have today (seatbelt, ABS, impact zones...).

Also customer's responsibilities are very similar. All security features in the world cannot provide security if the user doesn't behave secure. If the automotive sector is something to go with, information security still has a very long way to go, I am afraid ....

Gordon RapkinMay 5, 2008 1:08 PM

I read your post on the RSA conference with interest, and in particular the prediction that the conference will shrink like a punctured balloon. I had the opportunity to walk the show floor, and I shared your frustration with vendors incomprehensible product claims. Security has become a fashion industry. Whatever is in fashion is what every vendor prints on their booth. This year the fashion item was Data Loss Prevention (DLP). It did not matter what a vendor actually did, if there was the thinnest thread of connection to DLP, it was all over their booth.

What is causing this movement toward a fashion industry? You presented it as a mismatch between buyers needs and vendors abilities to communicate. I think it is a reflection of vendor maturity being mismatched to buyer maturity.

The security industry is geek heaven. The uber-geeks who invent the latest security offerings do not speak the language of business people. As security and compliance have become more mainstream business needs, buyers have changed. Instead of IT technical buyers who speak the same language as the developers, the new buyers do not speak geek and are focused on security as a means to compliance and ROI and protecting corporate assets. Lacking a common language vendors spout jargon rather than communicate. It is frustrating and confusing for everyone concerned.

You struck a real chord when you said the industry is moving in the direction of the infrastructure players. I heard this theme a few times during the week, and it makes some sense. Infrastructure big boys are mature organizations that know how to bolt together components to deliver real business value. They are used to speaking to senior business people, and they share a common language.

The problem with this outcome is reflected in your analogy to buying a car. Consumers want to buy the car from a manufacturer (the infrastructure player) and do not want to have to buy brakes and air bags and seat belts from independent safety vendors. However, the threat model for cars is well understood, and not changing. Cars bump into things. All the safety features are aimed at protecting against one constant threat. It makes sense that safety features have matured to the point where they are built into the car infrastructure.

In the security market, the threat model is diverse and constantly evolving. As we continue to develop new ways to communicate and interact, we are also opening new ways for hackers to attack. The hackers are constantly dreaming up new methods. The minute the security industry closes one threat the bad guys open a new one. The pace of innovation on the dark side is frightening, and it requires an exceptional pace of innovation on the good side. Are the big infrastructure players up to this challenge? Can we afford to turn security over to a few slow moving companies? Has Microsoft managed to make Windows secure yet?

The RSA show floor is a warren of innovators responding to changing threats. You are right; this show is becoming more of a vendor-to-vendor partner-fest. But I hope the big guys do not completely absorb the space, like the Borg assimilating another planet. We are better served by a security world made up of a plethora of independent companies working hard to innovate solutions that meet business needs. Innovation and choice create a vibrant ecosystem -- limited choice in security always results in easy-to-exploit attack vectors. I am not alone in wanting choice, and I doubt the RSA Conference will deflate quite as fast as a balloon.

Sincerely,

Gordon Rapkin
CEO
Protegrity Corporation

Stephen WilsonMay 16, 2008 3:14 PM

I couldn't agree more that security has to be sold on a sort of wholesale basis, like car safety components. As you say, end users don't buy anti-lock brakes, and the time will come where they don't have to buy anti-virus protection as such, but will enjoy essentially the same functions as part of a greater whole.

But your report that visitors to security exhibitors' stands aren't buying anything also reflects a different malaise. For many years, in my various roles as security consultant, innovator and new product entrepreneur, I've been dumbfounded by the unreasonable difficulty we have selling anything. Security buyers -- CIOs, CSOs, CTOs, CEOs -- are notoriously reluctant to make positive decisions in favor of anything new. The security sales cycle is long, often longer than the product development cycle, and so in some cases, decisions *never* get made since they're being overtaken by events every business cycle. Security indecision is generally worse I find in banking and in government.

I don't have a complete thesis for why this should be so, but one day it might make for an interesting management text book. Part of the issue is that security people are (quite rightly) conservative. They *should* be hard to convince.

But there are compounding factors too. I think in security there is a perversion of the old adage "if it ain't broke, don't fix it". It becomes "if losses aren't totally killing us yet, don't fix it". In banking, it's more acceptable to wear losses (actually, to pass them on) than to risk switching to a new technology.

Jade Zhang BaoDecember 4, 2008 4:17 PM

The RSA Conference isn't addressing the real issues at hand. That being education and Intellectual Property Rights and Restrictions...

The more you crack down on society, for whatever purpose in mind, like stating security, your really only enforcing censorship. Because, everyone knows, when you use RSA tokens, RMS, DLP and all the sorts, your only really taking about is who gets access and who doesn't, just like IPR.

Do we really want a world of two classes, those that have and those who have not? Permissions and Restrictions?

Why should all the effort be given to technical means, while education of morality is completely avoided?

In fact, how many corporations are really ethical these days? Certainly NOT those selling out human rights, the environment and "people"...

Bruce stated, "Commerce requires a meeting of minds between buyer and seller".

So does it make a lot of sense to restrict and limit commerce, just as denying individuals from building upon prior innovation?

That is unless you are one of those businesses (corporations) who controls the market as a monopoly. Why else is Microsoft integrating RSA DLP into it's products?

If we really want security, it starts with people, first and foremost. Stop the greed and corruption, give people their dignity and honor. Allow everyone to participate so there is no need of cheating and lying...

As the Dalai Lama knows, without morality, you don't know the difference between what is good and bad or right and wrong...

The technical means is just the knowledge. Knowledge to do what? Knowledge can be applied to crack down on "democracy" or anything else for that matter.

That's the same can be said about the problems with IPR, which doesn't address fair use of rights...

The more I hear, see and learn about how "people" are building barriers to people, it just makes me sad that is has to come to all this...

Jade Zhang BaoDecember 4, 2008 4:39 PM

Bruce wrote, "The single biggest threat is the technology itself. Technological systems, especially newer ones, are exceedingly complex -- and complexity is the worst enemy of security."

How about what will happen to your "data" once this security solution becomes obsolete?

Who's going to be able to work with or add to your "data" when encrypted?

What happens when something goes wrong?

What's the recovery policy or does such a method even exist?

Who gets to backup all this up?

What hardware will be needed to purchase to insure all this encryption overhead?

And worse, why in the world, would anyone want to buy into any proprietary technology that forbids you to review the source code?

How secure is it to be made dependent upon someone else for your security?

I would point out, that the U.S. certainly has a lot of technologies, the technical means, even during world war II, and yet there were very little if none at all, of the U.S. agents in Russia during Stalin's regime, while he had many informers. The same can be said of the CCP today. So it is any wonder why Osama (one individual) was never found despite the world's most technological military power in the world even with a bounty on his head of many millions of dollars?


Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..