The End Of The Security Industry Not So Unrealistic

from the gone-tomorrow dept

Last week, security expert Bruce Schneier caused a bit of a stir when he said that there shouldn’t be a security industry. While his comment engendered a lot of debate, it really wasn’t a particularly radical statement. As he’s made clear in his latest Wired column, all he meant was that IT vendors should be building security directly into their products, rather than requiring customers to purchase security products and services separately. However, even this isn’t a particularly strong stance, because it reflects what is already happening in the industry. Microsoft has received a lot of attention for its aggressive security push, while companies like Cisco, IBM and EMC have made a number of security-related purchases. Few expect this trend to abate, as many see a dour future for standalone security firms. Still, there will always be a need for specialized work in areas like malware and intrusion detection, so it’s not clear that the tangible effects of this shift will be that significant.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “The End Of The Security Industry Not So Unrealistic”

Subscribe: RSS Leave a comment
Ken says:

One reason we have a security industry:

Third party security often costs more than whatever is actually being secured, the people that spend that kind of money will be happy to have a secure product by default.

However, there’s an even larger number of people who want to buy a piece of software for $1000, and are content with it being insecure at that cost. They would not be willing to spend $2000 on the same piece of “secure” software.

Large corporations that need maximum security would benefit from this, however small startup companies and individual users would have a huge price tag to pay for it.

Brian (profile) says:

Not only is it needed, it’s the only IT-related field with any job security left.

The vast majority of 1st-level support remote-admin jobs are already outsourced overseas. That leaves grunt-level break/fix duties for those lucky enough to find them, and even their days are numbered. 5-10 years ago it made perfect sense to pay a technician $30-40/hr to repair/maintain your $2500 computer, but how much sense does it make when today’s equivalent only costs $400? How long before that box is in the “disposable” range (sub-$100)? Maybe 3-4 years?

InfoSec, however, will always remain local. No threat of obsolescence either, at least in the sense that there will always be a demand.

Adriana (user link) says:

security is not a product

Joe, agreed. The point is that security is not only a technological problem and therefore cannot be a mere bolt-on for a product. To ‘build security into products’ doesn’t mean to ‘bundle’ it with an existing product as a security feature but to design them as secure in the first place. It is a shift in attitude not just pricing or product sales.

Charles Griswold (user link) says:

Re: Security is a myth

The best you can hope for is to make breaching it more trouble than it is worth.

If you build security into your computer system from the hardware up, it is possible to make your system almost perfectly air-tight. The last time I checked (around 2001 or so), there had never been a successful “hack” attack on an IBM AS/400. There had been successful break-ins, but they all involved social engineering, thus highlighting the fact that the main reason that computers are insecure is the same reason that anything is insecure. People.

Andy B (user link) says:

Not Exactly

What Bruce has really been trying to say all along is that the IT security industry exists because makers of software are not held accountable for the failings of their systems. There is not enough economic incentive to code secure software. Everybody patches and everybody has security breaches, so anymore there is no real incentive for a company to try and avoid such things.

Bruce has been pushing for software makers to be liable for insecure software they produce, following his concept of security externalities. I think that is the best thing we could do to make the internet more secure and efficient. Software makers would scream and complain, but they would figure out how to make it work and consumers would learn to accept longer development times.

When we put our efforts into preventing, rather than reacting to security problems, the market is more efficient and in the end everybody wins.

Anonymous Coward says:

"Living" Security

The thought of building software securely is great, but as long as you have people determined to cause damage and circumvent security you need a seperate entity providing security for your box. Something thats sole purpose is to block remove search for threats, with this built in sure it can be updated from the manufacturer but its not as efficient as having a piece of hardware or software whose sole purpose is security. Nothing can ever be 100% secure you can only make it difficult so that you minimize threats you can never truly “eliminate” threats to security.

Buzz says:

security = music

I just realized I feel similar about the security industry as I do about the music industry. Security really ought to be bundled to something else. I personally have zero desire to enter the security industry and will probably do as this article suggested: I will implement my own security measures into my software packages.

The only virus I have ever received was through Windows Media Player… ironic considering I never use that program. Now, I’m a whole OS away from that thing… ^_^

John says:

Security isn't a function of technology

While I have the upmost respect for Bruce Schneier and agree with most of his editorials, I would agree with Charles and further his argument by saying that technology is a function of a larger security program instead of an isolated pocket encapsulated by technology. If you don’t address the managerial & operational aspects of security (such as SETA, Policy, RA, etc….) then you don’t have a security program.

There’s no danger of comprehensive programs going away in the forseeable future.

Charles Griswold (user link) says:

Problems with security

As I see it, the problem with security on the average PC is that most people run the least secure web browser (Internet Explorer) on the least secure operating system (MS Windows) on the least secure hardware (x86-based CPUs).

The variable instruction length of the x86 makes it very difficult to audit machine code for potentially dangerous instructions. When you take that into account, and then factor in the fact that Windows is an incredibly tangled mess of kludges that no one fully understands, and the fact that IE does not keep a proper wall between itself and the operating system but instead is an integrated part of the OS, it’s no wonder that the security industry is forever playing catch-up with crackers and malware producers.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »