The financial industry drives a lot of what happens in security. They have had a lot of money, and lots of people try to steal from them and their customers. They did drive some good stuff, but only from one vertical's perspective. I have advocated for a while that software security look to other verticals to understand their security needs. Now that we're watching these behemoth financial firms vanish before our eyes, we will see the needs of insurance, manufacturing, healthcare and other verticals take on more precedence. If you want some ideas on what is important, start here. FWIW, here are some key themes that I think will emerge.
Standards Support
Take a difference I've noticed between financial services and government. I have encountered situations where a financial services customer may say "what if we just forget about using all those standards and make all these messages simpler", because they have optimization hard-wired as a goal. A government customer is (in my experience) more likely to focus on standards support for interoperability, and also to support directives that certain standards be used (XACML, let's say).
If the vendor were to build their product based solely on either customer's needs, they would assume, as you say, that "the client just doesn't get it". It would be either "These government people are crazy, the people back at the bank told us those standards were not important", or else "these financial services people are crazy, we show them all the complex support for standards we have and they do not seem to care at all, they just want us to strip all that out".
In that case, the trick would be to build something down the middle, with both the standards support and the optimization. Focusing on one sector alone is bad.
The financial people have been optimizing for so long, and had so much money, that they didn't need to worry about standards: they were the standard. But you don't need standards for standards' sake, you need...
Interoperability
The financial people didn't worry about this; the pot of gold was so big that people would pay to play and build their own adapters. Architects at other companies need to figure out how to cost-effectively knit things together and get authN, authZ, and audit too.
Fuzzy Edges
Take something hideous like the FIX protocol. Everyone knows it's broken, but they just built accountability and other controls all around it. They could do this because there was a living, breathing audit log of transactions: a hard edge. So the financial industry drove lots of poor plumbing and compensated with hard edges. It worked well enough, I suppose, but as any protocol plumber knows, you need to fix the pipes eventually. Especially if you want to...
Scale
You need to scale across domains, locations and geographies. It's not one little closed trading-floor loop. It's wheels within wheels. You might say it's federated autonomous nodes.
It's not just technical run-time scale. It's people scale. You can't assume that your tool is supported by several security people per project. The tools have to scale for a ratio of one security person to a hundred developer types. Better automation, better reporting, faster integration. Raise the floor one inch, but raise the whole floor.
Smaller Overall Security Budget
I saved the best for last. When the financial people wanted software security, they kept spending on network security and added dollars on top to support software security tools and processes. The rest of the F500 can't or won't be able to. This means that software security vendors will need to take market share. It's not just competing against each other; it's making the business case for software security over other types of security that have ossified technically but still command a rosy price, like *cough* network firewalls.
Side note: I know three financial firms that did excellent work in software security. They really dug in and invested time and money to make sure they are world class in that space. Strangely enough, with all these firms melting down, the three I am thinking of that took a conservative approach, addressing software security root and branch, have not been named as a target for the next meltdown. Coincidence? We report, you decide.