Audio: Does the Security Industry Have a Future?
Bruce Schneier and Peter Schoof of ebizQ discuss current vulnerabilities, what the future of the security industry will look like, security industry consolidation, encryption, and finally, the time frame for changes in the industry to come about.
First, what threats do you see that companies need to be most concerned with at this point?
The biggest threat right now is crime. About five years ago, criminals discovered the internet in a big way and whether it's identity theft which is fraud or denial of service extortion or other attempts to make money, crime is the primary threat on the net and when we're worried about internet threats, we're worried about crime.
I've read some of your general comments about, essentially, in a perfect world, the security industry would be unneeded. Can you comment on that?
Well, not that it would be unneeded. I mean, security is extremely important and we need the industry to provide the technologies, tools and techniques to make us safer. What we don't need is to have that being sold to the end-user. So, for example, when you buy a car, it contains all sorts of safety features but you don't buy those safety features separately—they're embedded in your car. The reason you're buying a firewall is because you're network's hardware and software isn't secure and that functionality should be embedded in your network. So, the future of security doesn't have it disappear, but it becomes embedded into the products you buy—into your operating system, into your networking, and as you buy larger things, security stops being a separate thing you buy and instead becomes a component of everything you buy.
What about the human element of security on both the security side and the hacker side. Won't that always leave sort of a margin of error where somebody, a third party essentially, is going to have to step in and regulate that or protect it?
Well, of course, right, you know, humans are always the weakest link in security. But, you know, it's only in the computer world that people expect absolute security. I mean, no one has ever provided absolute security against murder or burglary and the weak links are always human. So, yes, there will be residual threats, there will be the need for regulation for law enforcement for all the things that deal with security in the human world. That doesn't magically go away because you're using computers. And that is, right now, the biggest problem and will always be. The human element is what we have to deal with, whether it's honest users making mistakes or getting fooled, whether it's hackers who deliberately manipulating things, whether it's the maliciuos insiders who have access and knowledge and ability—these are problems that are as old as civilization, they're not new.
Now, in this vision do you see consolidation as the answer to gathering all the security resources together?
It's not consolidation as we're used to. In the security industry, there are waves of consolidation, you know, big companies scoop up little companies and then there's lots of consolidation. You've got Symantec and Network Associates that way. And then you have "best of breed" where a lot of little companies spring up doing one thing well and then you cobble together a suite yourself. What we're going to see is consolidation of non-security companies buying security companies. So, remember, if security is going to no longer be an end-user component, companies that do things that are actually useful are going to need to provide security. So, we're seeing Microsoft buying security companies, we're seeing IBM Global Services buy security companies, my company was purchased by BT, another massive global outsourcer. So, that sort of consolidation we are seeing, it's not consolidation of security; it's really the absorption of security into more general IT products and services.
That makes a lot of sense. Now in this vision, do you see still a role for a small security upstart?
Oh, of course. And there always will be just like, again, using the automotive example, there are small companies that build safety equipment. But the thing is they're not going to sell to the end-user. If you're going to be a security start-up five years from now, you're going to sell your products or services to the operating system vendors, the networking vendors, to the large IT outsourcers. Your goal is going to be to get your idea, your product, your service, your patent, whatever your technology is, embedded in these larger product offerings.
Gotcha. Now to switch gears a little bit. I know you're quite an expert on encryption. Do you think the data on laptops and handheld devices—will that ever just be secure?
Again, I mean, we're talking about absolutes again. Will you ever be secure from murder? Of course, the answer is 'No', there will always be some risk. My laptop is encrypted, I use PGP disks, I'm very happy with it. It's a full disk encryption and my data is secure. Is it absolutely, 100% secure? Of course not. Is it good enough for every purpose I can think of? Well, pretty much, yes. So, sure, I mean, these are not hard problems. But yet, we have to get out of the absolute thinking. And that's very much computer thinking. No one would ever imagine saying "But you're still at risk for murder" even if you wear a bullet-proof vest—when are we going to fix that problem. We realize that problem never gets fixed. You know, laptop encryption is no different.
Now what do you see the timeframe on this? I mean, obviously, it's happening right now. Do you think five years in the future or?
I'm sorry, timeframe for what?
This encapsulation of security into the end product.
You know, I'm really hard at timelines. I figured it would happen already. We're seeing the signs of it. How fast it goes really depends on the appetite of organizations for buying larger IT products and services, for buying big contracts, like the kind that IBM Global Services, BT Global Services, AT&T Global Services provide. As those become more ubiquitous, the technology starts becoming embedded and then gets sort of encapsulated away.