Friday, May 11, 2007

IT Security Industry

Lots of people (e.g. Gunnar Peterson, Pete Lindstrom) are attacking Bruce Schneier for asking Do we really need a security industry?

Obviously Bruce doesn't expect the IT security industry to disappear any time soon. He points to some of the structural reasons for the economic viability of stand-alone products and services for IT security (including legal liability - or the lack of it), as well as the vested interests of software companies.

In some ways, the global security situation is getting worse with the increasing fragmentation of functionality and responsibility, and the increased interconnectedness of human and automated systems. This phenomenon isn't just an IT problem: it exists in other domains as well.

Bruce's argument is that security should be (increasingly) embedded into the infrastructure. This is the logic underlying the acquisition of Bruce's own company by BT last year. (See my comment: BT enters the Blogosphere.)

Pete is scornful, and there are some similar comments on Bruce's own blog:
"The notion of 'natural' security in the face of an intelligent adversary is so fundamentally ignorant that the whole thing must be a charade. It isn't even a pipe dream - it is an impossibility. Throw in the fact that IT resources are increasing in value and function and there is no doubt of that impossibility."
Gunnar's criticisms are more moderate. He also questions the notion of natural security, but acknowledges the problems with the present situation:
"The way the IT security industry is presently constituted, is not effective, focuses WAY too much on network security instead of app and data security, and is incredibly reactive and tactically focused."
For my part, I think it's always useful to ask provocative questions. Questions like "Do we really need X?" (or the equally provocative "Does Y matter?") shouldn't be dismissed with a simple Yes/No answer. Such questions call for an exploration of the actual or potential value of X and Y, and perhaps a search for better (more innovative, more intelligent) alternatives to the current state of the art.

Do we need an IT security industry? Probably yes, but not the one we've got at the moment.
