The Death of the Security Industry

  • Bruce Schneier
  • IEEE Security & Privacy
  • November/December 2007

The hardest thing about working in IT security is convincing users to buy our technologies. An enormous amount of energy has been focused on this problem—risk analyses, ROI models, audits—yet critical technologies still remain uninstalled and important networks remain insecure. I’m constantly asked how to solve this by frustrated security vendors and—sadly—I have no good answer. But I know the problem is temporary: in the long run, the information security industry as we know it will disappear.

The entire IT security industry is an accident: an artifact of how the computer industry developed. Computers are hard to use, and you need an IT department staffed with experts to make it work. Contrast this with other mature high-tech products such as those for power and lighting, heating and air conditioning, automobiles and airplanes. No company has an automotive-technology department, filled with car geeks to install the latest engine mods and help users recover from the inevitable crashes.

IT is heading in that direction: as IT becomes more of a utility, users are buying more services than products. And by their nature, services are more about results than technologies. Service customers—from home users to multinational corporations—care less about the technological specifics and just expect IT to work.

Eight years ago, I formed Counterpane Internet Security on the premise that large IT departments don’t really want to deal with network security. They want to fly airplanes, produce pharmaceuticals, manage financial accounts, or just focus on their core business. Counterpane provided an array of services that took day-to-day security out of our customers’ hands, including security monitoring, security-device management, and incident response. Security was something our customers purchased, but they were looking for results, not details.

Last year BT bought Counterpane and embedded our network security services into its IT infrastructure. BT has customers that don’t want to deal with network management at all; they just want the network to work. They want the Internet to be like a phone network, a power grid, or a water system—in short, they want it to be a utility. For these customers, security isn’t even something they purchase: it’s one small part of a larger IT services deal. IBM bought ISS for the same reason: to have a more integrated solution to sell its customers.

Already, a small percentage of corporations outsource their corporate email to companies like Google. If you have a new email security solution, convincing Google to embed it in its email service is far more efficient than trying to sell it to users.

This is where the IT industry is headed, and when it gets there, there’ll be no point in user conferences like InfoSec and RSA. They won’t disappear; they’ll simply become industry conferences. If you want to measure progress, look at the demographics of these conferences. A shift toward infrastructure-geared attendees is a measure of success.

Of course, security products won’t disappear. There will still be firewalls, antivirus software, and all sorts of new technologies and products. But users won’t care about them. Instead, the new technologies will be embedded within the services sold by large IT outsourcing companies like BT, EDS, and IBM, or ISPs like EarthLink and Comcast—just like new automotive technologies are marketed to automobile manufacturers, rather than individual car owners.

This is progress. IT security is critical, but there’s no earthly reason why users need to know what an intrusion detection system with stateful protocol analysis is, or why it’s helpful in spotting SQL injection attacks. As IT fades into the background and becomes just another utility, users will simply expect it to work. The details of how it works won’t matter.
