Market forces have been instrumental in rolling out lots of good technologies. For example, back in the 90s, thanks to the web boom, component programming, and J2EE, BEA was the fastest company ever to reach $1 billion. I am still waiting for market forces to drive better security though. We have companies that are good at producing toothbrushes and toothpaste, we have companies that are good at telling you what brand of toothpaste your neighbor is using, we have companies that are good at producing conferences, and we have companies that are good at helping companies pass audits; what we don't really have is security companies of scale that help enterprises of scale solve real-world security problems. I think it would be good if we did. The enterprises have a lot of problems, and they are in need of innovation in the security space, but the enterprises have limited ability to develop and deploy security innovations (their top people are already spread thin), and the market has so far not listened particularly well to the enterprise's problems (or the ones who have are still fairly small), leaving us with a few billion breached records washed up on the shore.
Instead, we can find a better model in the automotive industry. Autoliv (ALV) (incidentally, Motley Fool ranks them as a best international stock) is the world's largest supplier of seat belts and airbags. These are component parts that are refined and optimized by Autoliv and sold to auto manufacturers across the globe. Business Week:
Being No. 1 is a long tradition for Autoliv. Started in 1956, it was one of the first companies in the world to manufacture seat belts. It has maintained market share by constantly improving quality and design, spending 6% of annual sales on research and development. It also built up share by acquiring U.S. air-bag manufacturer Morton International Inc.'s Automotive Safety Productions Div., a world leader.
Ok, we have a company with a multi-decade track record of leadership in deploying safety mechanisms, and they spend a high percentage of sales on R&D.
Autoliv's early success was helped by close cooperation with Swedish carmaker Volvo, whose marketing strategy has long been largely based on safety. But Autoliv quickly branched out. It now supplies nearly all major auto companies and has factories in 32 markets.
Hmm... close cooperation with customers instead of marketecture and throwing "suites" (in name only) over the wall....
The big challenge is to meet carmakers' increasing demands to cut prices. "The new generation [of products] has to cost less," says Westerberg. The company is moving its production to low-cost countries such as Poland and Tunisia while closing down or consolidating elsewhere. It has bought several suppliers to slash costs and production time.
Being sensitive to cost instead of marking things up by orders of magnitude simply because they know that something is on the auditor's checklist.
The strategy is paying off. Sales were up 14%, to $3.8 billion, for the first nine months of 2003, with a 15% profit increase, despite a worldwide slowdown in car sales. Analysts estimate sales for the whole year hit $5.2 billion. Westerberg aims to continue the trend with more sophisticated air bags designed to comply with new U.S. standards. Westerberg can think up quite a storm on those strolls.
Wait, they listen to customers, innovate new things, control costs, and deliver safety mechanisms to market while growing their business? When will Silicon Valley answer the bell on this model?
All snarkiness aside, we do have some reasonable examples of companies innovating in the security space; I would just like to see them scale. I would also like to see companies that are already at large scale meet the size and shape of the problem; we have at least one good example of this. It is strange to me that companies like Sun, Red Hat and others seem to approach security as a game to sell more hw/sw instead of a viable market in and of itself. Why don't they step into the breach (pun intended) and work to solve these problems? Maybe they should fly to Stockholm and learn about side curtain air bags? I mean, Autoliv is a $3+ billion business that sells security innovation; maybe it's not as interesting to Sun as backup tapes, but that's not chump change either.
Gunnar Peterson teaching Web Services Security training, NYC, March 10-11
Would it be unreasonable to posit that one of the reasons we've seen a "slow" in innovation is because of extra-market forces, i.e. compliance to external risk tolerances?
If external risk tolerance compliance (PCI, NERC, GLBA, as interpreted by NCUA or OCC, what have you) creates cottage industries that are only built to solve the problems caused by artificial pressures, then fewer innovation dollars are spent by entrepreneurs addressing innovation that directly reduces risk to the business, no?
Posted by: Alex | March 04, 2008 at 08:22 PM
I don't think you can blame compliance per se. Certainly compliance has not really _helped_ innovation, and to a certain extent it hurts because it takes some dollars and focus away. But really I think the main issue is that there is not enough focus on innovation, period. Software developers have to deal with regulation and compliance too, but they manage to deal (and/or ignore) and innovate as well. So I would rate compliance as neutral.
Posted by: Gunnar | March 04, 2008 at 08:49 PM
I think we *are* seeing market forces in infosec right now. Unfortunately, it's a "market for lemons" (http://www.schneier.com/blog/archives/2007/04/a_security_mark.html)
It seems to me that a lot of the safety features in modern automobiles have been driven by the avoidance of liability (i.e., lawsuits), either directly or indirectly through pressure from the insurance industry (think of the insurance industry crash tests that are so popular on Dateline NBC).
If your comparison to the auto industry is a valid one (and I think it is) we won't see market driven progress in infosec until companies using software *and* companies producing software start to see real financial losses from their poor security practices.
We need to see lawsuits against major software companies for the security vulnerabilities in their software, and lawsuits against companies for the insecure selection and deployment of the software they use.
Posted by: Bob McCormick | March 05, 2008 at 04:02 PM
One of the most promising recent occurrences in the insurance industry was stated in the report of Rueschlikon 2005 (a conference serving the insurance industry); many participants felt that, "The insurance industry's mechanisms of premiums, deductibles, and eligibility for coverage can incent best practices and create a market for security. This falls in line with the historic role played by the insurance industry to create incentives for good practices, from healthcare to auto safety. Moreover, the adherence to a set of best practices suggests that if they were not followed, firms would be liable for negligence."
Bluntly, if security-enabled products lack sufficient quality, commercial users will have to pay more in insurance costs to mitigate their risks. How the insurance industry will measure best practices and measure compliance are still to be worked out, but I believe differential pricing of business disaster recovery insurance based in part on quality/assurance (especially of security components) is a great stride forward in bringing market pressure to bear in this area! Insurance costs are recurring costs, watched and managed by CEOs and CFOs.
Full text of report available at:
http://www.rueschlikon-conference.org/r2002/public/press/56_R_05_Report_Online.pdf
Posted by: Brian Snow | April 04, 2008 at 09:39 AM