Would it be unreasonable to posit that one of the reasons we've seen a "slow" in innovation is because of extra-market forces, i.e. compliance to external risk tolerances?

If external risk tolerance compliance (PCI, NERC, GLBA, as interpreted by NCUA or OCC, what have you) creates cottage industries that are only built to solve the problems caused by artificial pressures, then fewer innovation dollars are spent by entrepreneurs addressing innovation that directly reduces risk to the business, no?

I don't think you can blame compliance per se. Certainly compliance has not really _helped_ in innovation, and to a certain extent it hurts because it takes some dollars and focus away. But really I think the main issue is that there is not enough focus on innovation, period. Software developers have to deal with regulation and compliance too, but they manage to deal (and/or ignore) and innovate as well. So I would rate compliance as a neutral.

Bob McCormick

I think we *are* seeing market forces in infosec right now. Unfortunately, it's a "market for lemons" (http://www.schneier.com/blog/archives/2007/04/a_security_mark.html)

It seems to me that a lot of the safety features in modern automobiles have been driven by the avoidance of liability (i.e., lawsuits), either directly or indirectly through pressure from the insurance industry (think of the insurance industry crash tests that are so popular on Dateline NBC).

If your comparison to the auto industry is a valid one (and I think it is) we won't see market driven progress in infosec until companies using software *and* companies producing software start to see real financial losses from their poor security practices.

We need to see lawsuits against major software companies for the security vulnerabilities in their software, and lawsuits against companies for the insecure selection and deployment of the software they use.

Brian Snow

One of the most promising recent occurrences in the insurance industry was stated in the report of Rueschlikon 2005 (a conference serving the insurance industry); many participants felt that, "The insurance industry's mechanisms of premiums, deductibles, and eligibility for coverage can incent best practices and create a market for security. This falls in line with the historic role played by the insurance industry to create incentives for good practices, from healthcare to auto safety. Moreover, the adherence to a set of best practices suggest that if they were not followed, firms would be liable for negligence."

Bluntly, if security-enabled products lack sufficient quality, commercial users will have to pay more in insurance costs to mitigate their risks. How the insurance industry will measure best practices and measure compliance is still to be worked out, but I believe differential pricing of business disaster recovery insurance based in part on quality/assurance (especially of security components) is a great stride forward in bringing market pressure to bear in this area! Insurance costs are recurring costs, watched and managed by CEOs and CFOs.

Full text of report available at: