Friday, March 14, 2008

Reactions to Latest Schneier Thoughts on Security Industry

The March 2008 Information Security Magazine features an article titled Consolidation: Plague or Progress, where Bruce Schneier continues his Face-Off series with one of my Three Wise Men, Marcus Ranum. Marcus echoes the point I made in my review of Geekonomics concerning the merits of open source projects:

Most of us have had a product suddenly go extinct--to be followed shortly by a sales call from the vendor that fired the fatal shot--in spite of the fact that we depended on it and paid 20 percent annual maintenance...

To me, it's the best argument for do-it-yourself or integrating open source technologies into your product choices. Remember: the big argument that's levied against open source is "Who is going to maintain it?" That argument stacks up pretty neatly against, "Is this product going to exist tomorrow?"


I liked that thought, but I became more interested in Bruce's counterpoint on security industry consolidation. This echoed what I reported last year in Response to Bruce Schneier Wired Story. This month Bruce says:

Honestly, no one wants to buy IT security. People want to buy whatever they want--connectivity, a Web presence, email, networked applications, whatever--and they want it to be secure. That they're forced to spend money on IT security is an artifact of the youth of the computer industry. And sooner or later the need to buy security will disappear.

It will disappear because IT vendors are starting to realize they have to provide security as part of whatever they're selling. It will disappear because organizations are starting to buy services instead of products, and demanding security as part of those services. It will disappear because the security industry will disappear as a consumer category, and will instead market to the IT industry.

The critical driver here is outsourcing. Outsourcing is the ultimate consolidator, because the customer no longer cares about the details...

IT is infrastructure. Infrastructure is always outsourced. And the details of how the infrastructure works are left to the companies that provide it.

This is the future of IT, and when that happens we're going to start to see a type of consolidation we haven't seen before. Instead of large security companies gobbling up small security companies, both large and small security companies will be gobbled up by non-security companies.


I think Bruce has nailed this argument. Now he is saying "the need to buy security will disappear" not because "the IT products we purchased [will be] secure out of the box" -- what he said last year -- but because "IT is infrastructure. Infrastructure is always outsourced. And the details of how the infrastructure works are left to the companies that provide it." This sounds like the Does IT Matter? argument of a few years ago, and I think Nick Carr and Bruce Schneier are right here.

What does this mean for security professionals? I think it means we will end up working for more service providers (like Bruce with Counterpane at BT) and fewer "normal" companies. Bruce wrote "the security industry will disappear as a consumer category, and will instead market to the IT industry," which means we security people will tend to either work for those who provide IT goods and services or we will work for small specialized companies that cater to the IT goods and services providers.

Bruce ends his article by saying

If I were Symantec and McAfee, I would be preparing myself for a buyer.

I think he is right again. These security companies will end up part of Cisco, Microsoft, Google, IBM, or a telecom. I doubt we will have large "security vendors" in the future.

A subtle point not made in this article is the idea that security folks who work for the CTO or CIO are probably going to stay there. I also think that smaller companies will be the first to see their security staffs go, but the biggest companies will always retain security staff -- if only to manage all of the outsourcing relationships.

11 comments:

Paul Schmehl said...

I think Schneier is wrong. Don't lose sight of the fact that Schneier has a dog in this fight - he owns an MSSP - so he's not exactly unbiased about outsourcing.

I think some aspects of security lend themselves to outsourcing - monitoring edge traffic, for example, while others, such as asset management, configuration management and patch management, do not because you have to expose the crown jewels to a third party. Not many are going to be eager to do that.

Outsourcing also comes with its own set of problems. The motivation of an outsourcer is to prove they are doing a good job, so you tend to get alerts for things that are trivial and non-consequential.

When a security employee misbehaves, the motivation of their supervisor is to get rid of the problem before it hurts their career. When an outsourcer's employee misbehaves, the motivation of the outsourcer is to cover it up.

Anonymous said...

@Paul

I really don't understand your disagreement with Schneier. Is asset management, configuration and patch management managed by security teams? No - or at least they shouldn't be. They are managed by whatever organization manages those assets.

Schneier's argument is simple - the need for bolt on solutions to "secure" whatever you are trying to secure will disappear over time as the applications you purchase come with those solutions already integrated within them.

Will that lessen the requirement for security personnel? Not at all, but it's amazing how defensive some people get over Schneier's comments.

Red Pineapple said...

Richard,
I think the article hits the nail on the head. Some time ago I wrote about Infosec not being an island, http://thinkingproblemmanagement.blogspot.com/2008/03/information-security-is-no-island.html.
It is also my opinion that security companies are immature. If we apply Carr's analogy about an electrical utility then they are still selling 5hp standalone home generators, instead of supplying utility power. They upset customers because they slap themselves on the back when a power blackout occurs and their little engines start up. They have missed the point about mitigating the blackouts and have misplaced their efforts.

Dr. Luke O'Connor said...

Richard,

I like your reference to "Does IT Matter?", and in fact last year I prepared a talk on "Does IT Security Matter", adopting some of Carr's arguments to IT Security. You can find the talk here

http://lukenotricks.blogspot.com/2008/01/does-it-security-matter.html

Richard Bejtlich said...

Hi Paul,

Notice what you said:

I think some aspects of security lend themselves to outsourcing - monitoring edge traffic, for example, while others, such as asset management, configuration management and patch management, do not because you have to expose the crown jewels to a third party.

When you outsource your IT infrastructure to a third party (Google Apps, whatever) the business doesn't care about those bolded items. They are the service provider's problem!

Furthermore, what are the "crown jewels"? It's the data, not the hardware and software.

Richard Bejtlich said...

Luke,

I really like your summary posted on your blog. I suggest those reading this thread at least read Luke's post and if you have time download the .ppt too.

Dan Weber said...

I think Schneier is wrong. Don't lose sight of the fact that Schneier has a dog in this fight - he owns an MSSP - so he's not exactly unbiased about outsourcing.

It's not just limited to outsourcing. He also loves to talk about programmer liability. Can you imagine what would happen to his personal net worth if that happened? (I assume that he would lobby for some sort of exemption that would exclude the boxes that Counterpane sold back in the late 90's, which were built on stock Redhat distros with stock vulnerabilities.)

If I were Symantec and McAfee, I would be preparing myself for a buyer.

The problem with Symantec and McAfee isn't that they're product companies. It's that their products are horrible.

Bruce Schneier is valuable to our industry since he is able to get folks like Congress to listen to him. But don't think that he's any less susceptible to personal aggrandizement than other people.

Dr. Luke O'Connor said...

Richard,

I made that last post too early in the morning - I really can spell normally. It seems that quite a few bloggers and opinion makers are asking the question, in one form or another, "Does IT Security Matter?". The main points I made in my post and talk were

- There is a dependency between IT and IT Security but not a strategic relation

- IT and IT Security are good neighbours but not good friends

- IT Security is one area competing for attention and funding, amongst many

- If you don’t make IT security matter, it won’t

- Focus on securing business processes not the process of securing

Michael Janke said...

I'm not seeing how 'the need to buy security will disappear'. If the argument is that security will be embedded in products and services, either insourced or outsourced, that doesn't mean that we are not buying security. It might mean that we will not buy security as a separate line item or budget cost center and account for it as a separate expense. But we are still paying for it.

In some sense, for the really small players (home, SOHO), some of this is already happening via ISPs who offer free anti-spam and anti-virus and/or a securely configured home router/wifi access point. This is effectively outsourcing part of your home desktop security to your ISP. Small businesses who outsource document management, payroll, e-mail are already embedding security expenses into the outsourcing contracts for those services, whether they know it or not.

And of course, one could postulate the existence of software with embedded security, making current AV/firewall software obsolete, but presumably the cost of that enhanced software functionality will get added to the cost of the software in some form.

Perhaps, in this scenario, the corporate in-house security function will be more like internal auditors, or perhaps they'll be an office full of legal types who contract for services that exist to assure the corporation that contracted services are delivered as contracted.

Richard Bejtlich said...

Michael Janke,

I agree with your assessment -- since nothing is "free," the customer will still be paying. It will just not be a line item, unless there are various security choices like "response time" and so on.

LonerVamp said...

I'm still wondering if Bruce is correct, but will be incorrect in the long term. Same with Carr.

I don't like the idea of IT as a utility like electricity. I think this works in a 25,000-foot view of IT, but once you get down to it, the nuances of so many IT shops is disturbingly large. Will a service provider be able to accommodate all the home-grown crap that glues a company's information systems together? Will a service provider be able to move beyond the demarc and accept responsibility satisfactorily for an organization that gets pwned?

I'm skeptical how far this trend can go.

But I do think that's where it is going for now. IT depts are sick of the costs of security and making sure everything works when most employees really do see it like electricity, either on or off. Annual software costs, keeping up to date with the latest threats, gluing disparate reports together, swallowing the jagged pill that a big suite of products presents, finding good staff... the idea of an MSSP for security and even IT infrastructure really is compelling right now. MSSPs may be less concerned for the welfare of the company, but should be much more effective at the things they offer.

But I would question how long that can last. The closer you get to the data, the less like a utility the IT service becomes. The data is unique, the systems managing that data are almost as unique, and so on. Once you get far enough away from the data into the network, the 1s and 0s flying by, it does look more utility-like. Or the desktops.

This might be why web services are still growing. They move a data-close application one more step away from the data-distant desktop systems, taking advantage of the utility-like browser that is in every OS.