Security-As-A-Feature And The Economics of Abundance
from the a-feature-not-a-product dept
The always insightful Bruce Schneier has a new piece out arguing that the stand-alone security industry is doomed, as security increasingly becomes a feature of other products, rather than a product in its own right. He points out that hardly anybody wants to buy a "security product." They want to buy useful products -- operating systems, databases, web servers, whatever -- and take for granted that the developers of those products have designed it to be secure out of the box. Schneier points out that consolidation in the security industry has not taken the form of large security firms buying small security firms, but of non-security-focused software firms buying security firms to help bolster the security and reputation of their products. This may indicate that developers of other software products are recognizing that better security is one of the key features customers are demanding in their products.
If you'll excuse me for jumping on a Techdirt hobby-horse here, this is another example of the economics of abundance at work. Security products are increasingly becoming commodities. Obviously the software ones -- anti-virus tools, software firewalls, intrusion detection systems -- have a marginal cost of zero, and even many of the hardware devices are built on commodity parts that get cheaper every month. What hasn't gotten cheaper is the expertise required to put the bewildering array of security tools together into a coherent system that's customized for a firm's particular business. Indeed, as security products have gotten more numerous and more complex, it has actually gotten harder to keep track of them all and know which security tools are the best ones to use in any given situation.
And crucially, this isn't something you can outsource to a third party. I've written before (in the context of e-voting) that encryption isn't magic pixie dust that automatically makes a system more secure. The same point applies to security more generally. Having the best firewall in the world won't do you any good if it's not configured properly, or if your network hasn't been designed with security in mind. And because every large organization has different security needs, every organization needs a slightly different security setup.
This creates a huge opening for companies who understand that customers are not looking to buy a security software product, but a suite of software that they can count on to be secure without worrying about the details. We've pointed out that this is essentially the business Red Hat is in: not selling software but selling the expertise of its employees with respect to the software. Security is a big part of that. "Security software" is an infinite good, and the market for it will get increasingly crowded in the future. On the other hand, the expertise needed to build complex software systems securely is as scarce as ever, and such expertise is one of the key ways that software companies can distinguish themselves from the competition.