According to IBM the Security industry is dead and has no future (here)
“The security business has no future,” Val Rahamani, general manager of IBM ISS and of security and privacy for IBM Global Technology Services. Rahamani said the security industry as it is today is not sustainable, and that IBM is instead going into the “business of creating sustainable business.”
“It’s all about putting security into the context of business operations, she said. “Parasitic threats are only a metaphor for the greater issue — there will always be new threats to business sustainability, ranging from parasites to regulations to insiders to global politics. We cannot achieve true sustainability if we continue to focus on individual threats. We can only achieve true sustainability if we design security and continuity into our processes from the beginning.”
“The traditional security industry is simply not sustainable… We have a historic opportunity to change our mindset from IT security to secure business. We have the technology, services, and expertise available today to create truly sustainable business, even in a world where we assume everyone is infected.”
“The security industry is dead,” Rahamani said. “Long live sustainability.
At first read some of you may be taken aback and look at this as an overly provocative stance along the lines of Bill Gates assertion at a Gartner Symposium over 5 years ago that Microsoft would solve security, or John Thompson’s stance 4 years ago that convergence between security and storage were not only demanded they were needed to evolve the industry, or Art Covello’s prediction last year that the security industry would experience wide-spread and massive consolidation with only large, broad-scoped vendors remaining – with hundreds of security start-ups and more on the way, someone clearly didn’t get the memo.
The reality is that the current reactive, ad-hoc security model isn’t working. Val’s statements reflect a growing awareness and acceptance that a significant part of the security challenge must be addressed through pro-active, insightful, management of the infrastructure, in a way that enables security to support the needs of the business. I have spoken about this in numerous posts
1. Why Should We Spend on Security (here)
“There is a dull hum permeating the industry of late – security is dead some say, others think it to be too costly to maintain, others still believe that what is needed is a change of perspective, perhaps a radical shift in how we approach the problem. What underlies all of these positions is a belief that the status quo is woefully ineffective and the industry is slated for self-destruction or, as a whole, we will succumb to a digital catastrophe that would have been avoided if only we had just…well, just done something different from whatever it is we are doing at the time something bad happens.”
“As we go round and round on the never ending hamster wheels provided as best practice guidelines by security vendors, consultants, and pundits, we find ourselves trapped in an OODA loop that will forever deny us victory against malicious actors because we will never become faster, or more agile than our opponents. But to believe one can win, implies that there is an end that can be obtained, a victory that can be held high as a guiding light for all those trapped in eternal security darkness. We are as secure as we need to be at any given moment, until we are no longer so – when that happens, regardless of what you may believe, is outside of of our control.”
2. Information Security Must Evolve (here)
“Security professionals must have a better understanding of the business they are hired to protect, must posses more soft skills such as communication and cooperation, and must evolve their skill against the dynamic threat environment and the evolving business infrastructure…These soft skills will become increasingly important in the coming decade as security programs mature and become an integral part of business success. More importantly organizations structure becomes critical as enterprises must implement an organizational structure that supports cross-group cooperation and workflow.”
3. RSA Themes: Information Security Evolves (here)
“a general market realization that security is evolving beyond a reactive, ad-hoc activity to an integral part of running a business in today’s world. We are increasingly reliant on technology for every aspect of our lives and business is looking to IT to play a significant role in innovation, whether that is to tap into new revenue streams or to achieve new levels of operational efficiency that also boosts the bottom line.”
“It is encouraging to see organizations begin to embrace security as an integral part of how a successful business functions. But we have a long way to go as we evolve from reactive security programs performed in a silo to security and operations convergence, and a level of operational maturity and agility that allows organizations to leverage IT for innovation.”
4. Security Prediction 2007: The year security becomes irrelevant! (here)
“So does security become irrelevant? well not exactly, but it is the year security goes main stream and becomes just another function performed by an increasingly taxed IT organization. Security will become less and less silo’d and more operationalized. Security and operational convergence will drive more technology convergence as vendors scramble to address multiple constituencies in the operations, security and compliance domains. The bottom line is that information security will begin to mature and evolve”
5. Rational Fear vs. Irrational Security (here)
Security must be agile, we must be able to quickly adapt to changing threats and we have to be careful to balance security of the unknown vs. securing against the known. Zero-days are scary, yet they are relatively infrequent compared to the thousands of known vulnerabilities organizations face annually, we certainly need to adapt to zero-day threats, but we can’t do this at the loss of security against the more frequent but less exotic MSFT or browser vulns. What’s scary is that most organizations, even after years of dealing with vulnerabilities, still have not implemented effective vulnerability management programs (here), (here), and (here)
6. Information Survivability vs. Information Security (here)
Bottom Line: you cannot stop all bad things from happening, this is not the goal of security. The goal of security is to limit the probability of bad things from happening and when they do happen to limit their impact. It really is that simple.
Not to minimize any of your well expressed thread of thought here, but for some odd reason a quote I have on an old stack of Post Its I once found kept popping into my head:
Out of confusion comes chaos.
Out of chaos comes anarchy and fear.
Then comes lunch.
Just like last year’s argument that “IT doesn’t matter” – we’re still working through the chaos of both IT itself and security. Perhaps when we reach the world of the Starship Enterprise IT and Security will be done and done and defacto, but we’re certainly not there yet.
Your reference OODA loop reference is timely for me – working through Chet Richards’ “Certain to Win” which is a thin version of Boyd’s philosophy applied to business. Trying to see if I can put a new tool or two in my security pocket. Nicely written so far…
Good points. I think one of the key take-aways for me was that the current frustration with the lack of continued evolution within the industry is shared by many in the industry. It was also nice to see that industry/vendor leaders finally acknowledge that none of the tools that they flog so aggressively will actually “solve” security problems.
Let’s face it: security is really a hybrid between business management and IT management+operations. How we synergize the two has very little to do with technology and infrastructure, but with how you manage each area, and the people with them.
I always thought out of chaos came order. I remember sitting on the balcony of the the American Hotel in Amsterdam and looking down at the traffic, a chaotic mix of people, cars, trucks and bicycles – many, many, bicycles. Through the chaos was order, there was no honking, no yelling, and yet everyone just seemed to know there place and what to do next. Something like that in NY or CA would end up with someone shot dead and complete anarchy.
As for IT it seems like we do just enough to sustain a level of availability, up and until the point that we do not and then something bad happens. The trick will always be predicting when and what or at least noticing in time to limit the impact.
Great points, I think that is the evolution we are undergoing in IT and Security specifically. The realization that what we do and how we do it must be seen in terms of the business – a combination of people, process and technology to enable business to function at its most effective, as opposed to what we have been doing which is assuming that security can function independent of the business and within the confines of technology only.
Any way you cut it, Val Rahamani’s RSA keynote is not a watershed and does not mark a new awareness on the part of vendors. First, because this is hardly the first time a platform vendor (except, Val’s the GM of Global Services, right?) has said that security needs to be baked in to platform/infrastructure. And secondly, IBM brought nothing to the table in terms or products or tactics. So this could merely be Val as a talking head, far afield of any actual initiative at IBM. Like she’s been having lunch with Oracle’s Mary Ann Davidson or something.
Thanks for your comments. Your jaded pessimism is, unfortunately, well founded, in that IT in general has shown an inability to connect high-level positioning statements with real-world implementations and actions.
Progress takes time and what we should be looking for is progress, not perfection. The more we discuss the foundational elements of change, the more awareness it drives, the more likely it will impact change.
I don’t see anything profound in Val’s statements. I find it to be shallow marketing-speak mixed with manager-speak; basically words that make sure his department is relevant and has vision. Ultimately, it really means little more to me than a Coca-Cola commercial convincing me my life will be better with a Coke in hand. Play semantics with the words until it feels good.
This field really all boils down to two things: economics and the constant, quick pace of technological change.
Yes, of course you are right – out of chaos comes order is the way – although my Post Its have unfortunately been fairly accurate in my previous company.
I didn’t follow through on my intent to circle back via the Star Trek reference – that our chaos turned into their order where technology is nearly commoditized.
I’ll attribute my failing to post preschooler bedtime decompression syndrome.