For people whose job is keeping us safe, security companies are peculiarly unloved. Some of that is unfair: when security works, it's invisible, and the only time it's thought about is when cheques are written or systems have failed.
Yet the security industry does itself no favours by overhyping threats. The latest prognostication from Kaspersky that "ransomware" is going to encrypt our hard disks with menaces will terrify anyone — unless they've backed up their data. Anything and everything has been identified as the next big threat, but from mobile phones to iPods to the Macintosh, they've stubbornly refused to play. We shouldn't be surprised that reality refuses to conform to the marketing diktats of the big security companies, nor that they should try so desperately to convince us otherwise.
We don't need a security industry. Indeed, its existence is a sign of failure. Like the boy in the bubble, it embodies a false hope — that we can cut off reality through an impervious shield. Such a shield can never work: instead, we need to be intrinsically secure, our immunity part of our system.
That is why RSA president Art Coviello should be correct when he predicts the end of nearly every security company currently in business. He rightly berates them for their smug self-righteousness and reactionary philosophy. The answer, he says, is for networks and storage systems to keep data safe through strong encryption and smart usage monitoring.
His model, also known by the unlovely eight-syllable deperimeterisation, is intuitively correct: a threat is no threat if it can do no damage when it arrives. It also works well with our new default way of working — connecting to core business services through random points on the public internet, often from hardware completely outside the control of the organisation. The barrier method is the wrong answer here.
Our main problem in moving forward is the elephantine inertia of the status quo. The tentacles of multibillion companies are firmly entwined with retail channels and corporate budgets, feeding off ignorance and fear rather than logic and experience. It remains within their power to reinvent themselves — to form new alliances, new approaches. If they don't, then they risk becoming ever more marginalised. The industry is evolving — and they are very far from immune.
Talkback
Awareness and education with regard to security is without doubt the most important weapon against threats. However, one cannot ignore the strengths private security firms have compared to public bodies and non-security-related organizations. Yes, the security sector is guilty of hyping security threats and creating an unnecessary climate of fear. However, these organizations are better suited to tackle the continually changing environment of IT security and can deliver innovation where other organizations cannot. Instead of looking at the security sector as proof of a "sign of failure", perhaps we should create more incentive for this sector to have a proactive approach to their practices. One cannot expect sectors whose core business isn't security to be able to adapt and change to this dynamic and fast-paced security environment. Awareness, standards and best practice should stand firmly central in everyone's security arsenal. With this, combined with innovative AV and monitoring software created by a competitive security sector, we stand a better chance of delivering the needed model of "a threat is no threat if it can do no damage when it arrives".