In this list of Ten Tech Companies that are more Profitable than Facebook, there are two infosec representatives. Facebook has 40% Operating Margins, very respectable even by tech company standards. However, not to be outdone, infosec's 1995 innovation outperforms even the latest buzzworthy names like Facebook. Checkpoint sports 56% Operating Margins, and the other tech company that's more profitable than Facebook and happens to be an infosec company? You guessed it - Verisign at 42% Operating Margins.
I'm all for companies making profits for doing good work, but it would be nice to measure innovation in years, not decades. Companies continue to spend on security, but what we can see from margins like these is that the security market itself is not demanding that security companies innovate, so they churn out the same stuff every year with a scintilla of improvement - now your Firewall box comes in the color red for 2012!
Sadly, the biggest problem in security isn't attackers or complexity. It's the lack of market forces in infosec: the buyers (infosec teams) don't demand innovation, and so the vendors don't provide it. What you get is a very small toolset for a very high price. Think of what you would have got for a database from Oracle in 1995 (infantile capabilities compared to today) and at what cost; what you would have bought for a database even 7 years ago is freeware at this point, because database buyers are discerning and demanding. But 15+ year old innovation is still getting top dollar in infosec.
Firewalls and SSL play a vital role in our day to day life on the internet!!!
Posted by: sabrina | February 01, 2012 at 04:36 AM
^^^ Even the hackers love SSL. Their exploit code is now encrypted when they hack the websites, keeping those pesky Intrusion Detection Systems guessing.
Posted by: CraigMunson | February 02, 2012 at 12:32 PM
I'd like to hear some examples of innovative tools or vendors not getting enough attention that have compelling products that add to or change the game of network security, or the space that firewalls/SSL provide for.
It's fine to say these technologies are "old" in tech terms, but what are they lacking? What should be used instead of them? Are any new things even close to as elegant as these older tools?
If I tell my CSO that his firewalls and SSL are old and antiquated, his rightly first response is going to be, "Ok, what do we replace them with?" And he's not going to be happy if the response requires more work from more expensive staff to glue complicated tools and suites together and manage it all. :(
Posted by: LonerVamp | February 03, 2012 at 09:11 AM
Craig - nice!
@LonerVamp - "if the response requires more work from more expensive staff" - not sure I understand the cost argument for spending top dollar for 1995 technology. Why not demand product improvements instead? Infosec does not demand innovation and the vendors don't provide. Perhaps that is okay (even though it probably isn't), but in any case why in the world would infosec pay any *more* than ten cents on the dollar for 1995 technology? Moore's law anyone? As it is, these vendors have among the highest margins in the business. If it's really about controlling infosec cost (for the sake of discussion let's assume that this is the goal and not providing security) that is a logical argument to make, but then it should be about driving those costs down instead of subsidizing vendors to non-innovate. As it is now, infosec gets the worst of both worlds - 1995 technology that's priced like a latest and greatest bleeding edge product.
To me, we should either stay the course as you suggest but demand much lower costs, or pay the price to innovate.
Posted by: gunnar | February 03, 2012 at 01:10 PM
I guess another way of phrasing the question is, what's wrong with 1995 technology? Or, what should they be adding/innovating/selling?
There's a pretty big difference in the management ability of firewalls 15 years ago and those of today. I'd much rather manage an ASA than a Pix these days. Not because of such huge steps, but because the device is incrementally better/easier.
I guess I've heard you bring up the old net sec technology before, and I'm just not buying why it's a talking point or what we should be doing instead.
Posted by: LonerVamp | February 06, 2012 at 09:45 AM
@LonerVamp - I think network security is necessary but nowhere near sufficient. I propose more focus on appsec, identity and monitoring.
Posted by: gunnar | February 06, 2012 at 10:17 AM