The information security industry has evolved through a complete cycle of innovation and stagnation over the last 15 years, but now we are entering the second golden age of IT security.
Still, there are forces at work that are inhibiting the current wave of security innovation that we must pay attention to and keep under control.
Failing this, our wave will not develop its full potential and we'll all be worse off as a result.
Remember the 1990s? Al Gore had just invented the internet. Start-up capital was free (dogfood.com anyone?). Business people were America's heroes, and entrepreneurs were even more revered. New business models promised to change everything. “Bricks and mortars” were so 20th century, revenue was irrelevant, portals were the future and it was all about eyeballs.
This Wild West era of the internet, though, also fostered the golden age of security innovation. New categories of solutions emerged, such as firewalls, intrusion detection systems, vulnerability assessment tools, managed security services and many others. Each category had multiple venture capitalist (VC)-funded competitors, and market forces determined winners and losers.
The golden age ended with the near-simultaneous bursting of the dot-com bubble, the crash of the telecoms market and a string of corporate scandals that almost overnight changed America's perception of business people from heroes and risk takers to criminals.
New beasts emerged – strange creatures called Sarbanes-Oxley, GLBA, HIPAA and others. Our vocabulary changed. We no longer cared about security. Only compliance mattered.
In the ensuing years, we would come to know what compliance meant. The compliance-driven world achieved some good, through added emphasis on data archival, encryption in selected situations, and improved governance and accountability. In another sense, it simply meant automated checklists, and checklist-based spending shifted resources away from true security-based decision making.
I understood that we had entered a dark age of security the first time I heard a corporate chief security officer tell me, “I don't care how much more secure it makes us. My budget is dedicated to getting us ‘in compliance,’ whatever that means. If it is not required for compliance, I'm not buying.”
The VCs listened and invested in compliance start-ups. Security people everywhere shuddered and had nightmares that armies of CPAs suddenly became “security” entrepreneurs.
Corporate America stopped thinking about security in its pursuit of compliance.
However, technology continued to advance, often faster in the consumer world than in the business world. Broadband became ubiquitous, Web 2.0 technologies appeared, social media attracted millions, smartphones started replacing laptops, and the cloud emerged as an easy, cost-effective way to deliver IT services. The way governments, businesses and consumers use technology changed.
Information security has been forced to catch up, and as a result, we are now entering the second great wave of security innovation.
We already are seeing the new pioneers beginning to make their mark in critical areas, such as mobility and cloud security, among others. The current wave of security innovation has the potential to surpass the first wave in terms of impact on both corporate customers and retail consumers.
What are the risks that may slow or stop this wave?
The first is the general economic environment, as IT security budgets face increased pressure. A second risk is the relative scarcity of angel and venture capital. Start-up capital is still too difficult to raise for too many companies.
A third is the disappearance of independent, publicly traded security companies, such as McAfee and ArcSight.
Companies like these play a critical role in the security market ecosystem as natural acquirers of innovative security start-ups. With fewer potential buyers, fewer “liquidity events” will result, and VCs and other early-stage investors will be even less willing to back security start-ups.
A fourth risk is the ever-increasing role of government in the information security market.
Government spending has increased dramatically relative to corporate spending. Additionally, the normal order of things in which the commercial market leads and government organizations follow in technology adoption was perverted when we shifted priorities to compliance over security.
Unfortunately, too many companies are still too accustomed to deferring decisions that they should be making themselves to government regulators and bureaucrats.