Tuesday, December 6, 2011

Rethinking security

Okay, the last few weeks were too hectic for me. I changed jobs, moved to a new place, and came down with a terrible cold. On top of that, some random dude was trying to scam me on Craigslist ;-).

I am hopefully back on my feet now, or at least half back up. And one thing occurred to me: the state of the security industry is broken. This may be big news to you, but breaking stuff doesn't create value.

Before the advent of information technology, people built things, actual things such as a house or a block of steel. That creates value. That is something people in general can exchange for something else. You bring a goat to the market to exchange it for a chicken.

Security, however, does not build things. You don't build security on its own. Security must go hand in hand with a more concrete product. Therefore, the value that security creates is absorbed into the value of that actual product.

That brings me to the realization that the security industry is probably not functioning well at the moment. The economic model just does not support it. What is it that security sells? Information. You could probably sell it to one, two, or maybe ten people, but that's about it. The scarcity value diminishes drastically the more people you sell your secrets (exploits, bug details, etc.) to. And that's sad news. We have not yet found any alternative to secrecy in security.

Besides, the incentives to work in security are highly asymmetrical. Attackers are rewarded much more than defenders. I suppose this could create a conflict with general human nature. We are peaceful at heart, and that would only mean there are fewer attackers than there are defenders. Yet there is more work to be done in defending: more companies and more applications to be protected than there are attackers.

My mind is not in a coherent state right now, so I'll let this thought sit for a while.

But what do you think about the state of the security industry?

