I found another page of notes I took at Techno Security 2006. These were from Marcus Ranum's talk, and I listen to Marcus. He observed that small vendors tend to sell products designed for sophisticated users, because large companies tend to sell products for unsophisticated users. Which market is bigger? The unsophisticates vastly outnumber the sophisticates. Therefore, start-ups usually chase a very small market and tend to be weak.
Marcus said "security ROI is dead" and "legislation has made security a cost." He predicted "we will be competing with legal for money (or working for them) in the next five to ten years." To hammer the point Marcus then said "there never was a security ROI." Amen.
For a way forward, Marcus offered two paths. Path A sees multi-level security rising from the ashes. Marcus claimed this is not likely, although papers like The Path to Multi-Level Security in Red Hat Enterprise Linux (.pdf) might beg to differ.
Path B involves the death of general purpose computing. Everyone will own appliances, perhaps even disposable ones like cell phones. All data will be on a backend somewhere. It's a return to mainframe computing that reverses what Marcus called the "Satanic bargain" of general purpose computing. What's the bargain that was made in order to rid the world of mainframes? "Everyone becomes a system administrator." Clearly that has not worked. Marcus said "distributed data equals distributed vulnerability," and the recent public laptop thefts make that clear.
Marcus told his audience to watch for a day when they can no longer buy software. Instead, people will rent and lease "capabilities," not applications. We're already doing this with anti-virus, intrusion detection, layer 7 firewalls, and the like. What's next?