I often hear that there is no innovation left in security.
That’s complete bullshit.
There is plenty of innovation in security – but more often than not there’s no market for that innovation.
For anything innovative to survive (at least in terms of physical goods and software) it needs to have a market. Sometimes, as with the motion controllers of the Nintendo Wii, it disrupts an existing market by creating new value. In other cases, the innovation taps into unknown needs or desires and succeeds by creating a new market.
Security is a bit of a tougher nut. As I’ve discussed before, both on this blog and in the Disruptive Innovation talk I give with Chris Hoff, security is reactive by nature. We are constantly responding to changes in the underlying processes/organizations we protect, as well as to threats evolving to find new pathways through our defenses. With very few exceptions, we rarely invest in security to reduce risks we aren’t currently observing. If it isn’t a clear, present, and noisy danger, it usually finds itself on the back burner.
Innovations like firewalls and antivirus really only succeeded when the environment created conditions that showed off value in these tools. Typically that value is in stopping pain, and not every injury causes pain. Even when we are proactive, there’s only a market for the reactive. The pain must pass a threshold to justify investment, and an innovator can only survive for so long without customer investment.
Innovation is by definition almost always ahead of the market, and must create its own market to some degree. This is tough enough for cool things like iPads and TiVos, but nearly impossible for something less sexy like security. I love my TiVo, but I only appreciate my firewall.
As an example, let’s take DLP. By bringing content analysis into the game, DLP became one of the most innovative, if not the most innovative, data security technologies we’ve seen. Yet 5+ years in, after multiple acquisitions by major vendors, we’re still only talking about a $150M market. Why? DLP didn’t keep your website up, didn’t keep the CEO browsing ESPN during March Madness, and didn’t keep email spam-free. It addresses a problem most people couldn’t see without DLP a DLP tool! Only when it started assisting with compliance (not that it was required) did the market start growing.
Another example? How many of you encrypted laptops before you had to start reporting lost laptops as a data breach?
On the vendor side, real innovation is a pain in the ass. It’s your pot of gold, but only after years of slogging it out (usually). Sometimes you get the timing right and experience a quick exit, but more often than not you either have to glom onto an existing market (where you’re fighting for your life against competitors that really shouldn’t be your competitors), or you find patient investors who will give you the years you need to build a new market. Everyone else dies.
Some examples?
- PureWire wasn’t the first to market (ScanSafe was) and didn’t get the biggest buyout (ScanSafe again), but they timed it right and were in and out before they had to slog.
- Fidelis is forced to compete in the DLP market, although the bulk of their value is in managing a different (but related) threat. 7+ years in and they are just now starting to break out of that bubble.
- Core Security has spent 7 years building a market- something only possible with patient investors.
- Rumor is Palo Alto has some serious firewall and IPS capabilities, but rather than battling Cisco/Checkpoint, they are creating an ancillary market (application control) and then working on the cross-sell.
Most of you don’t buy innovative security products. After paying off your maintenance and licens renewals, and picking up a few widgets to help with compliance, there isn’t a lot of budget left. You tend to only look for innovation when your existing tools are failing so badly that you can’t keep the business running.
That’s why it looks like there’s no security innovation – it’s simply ahead of market demand, and without a market it’s hard to survive. Unless we put together a charity fund or those academics get off their asses and work on something practical, we lack the necessary incubators to keep innovation alive until you’re ready to buy it.
So the question is… how can we inspire and sustain innovation when there’s no market for it? Or should we? When does innovation make sense? What innovation are we willing to spend on when there’s no market? When and how should we become early adopters?
Reader interactions
17 Replies to “FireStarter: There is No Market for Security Innovation”
Hi,
Great article, gives pause for thought.
However, I think you miss a couple of points on industry driven innovation. Just because something is new, or can do something useful does not mean it’s any good and that people should adopt it – threats move fast, but immature products create new holes. NAC is a good example of a white elephant… it was new, innovative, but seen by most as superfluous in its own right after a few months of the buzz. Now, you see it as an integrated component within Cisco products or endpoint software such as SEP. As soon as things start to ‘innovate’ they often stop working and cause more issues / complexities than they fix. If you adopted every new technology your network would be unusable, but on the flip side adopting only what’s popular and fails in the mass-market doesnt mean your network is any less good than the next enterprise’s. As you correctly say the key is getting buy-in from the people with the purse strings, but ‘invisble’ threats DO become visible when a breach happens and you’re suddenly charged with finding a fix for the right money. As everyone here knows, there is always a trade off between performance and security and more doesnt always == better.
The example of Palo Alto is a good one – in terms of an innovative product and that of one that’s etching out new markets. The company I work for has been working with Palo for around a year now and have deployed the solution a few times with large customers, although mainly in non-critical areas for the time being. It is a great product and has some scary throughput stats. However, it is currently spread a bit thin to compete directly with any stand-alone products that match-up with the Palo’s multiplicity of features. The main thing it’s doing is making an already slightly lost check point make their licencing more and more complex and lose track of what ‘blades’ it’s put in this week to match the evergrowing ticked checkboxes list that firewalls measure themselves against.
BTW, I told about this debate to somebody outside of infosec and even outside IT. They made fun of me 🙂 The reason being: even toothpaste makers and dish detergent makers innovate. What do you think is “cooler”, a firewall or a bottle of liquid detergent? If we cannot find innovative ways to build, sell AND use security products, then maybe we suck.
If those people can be innovative, then we definitely can. Maybe we should just collectively stop whining ….
ds-
I don’t see it so much as a failure on our part, it think it’s merely the natural homeostasis to any risk mitigation focused industry. People only invest in fire suppression systems because it’s building code. People only buy car insurance because they have to (well, before their first accident). And don’t get me started on preventative medicine, including diet and exercise.
Time and time again we have proof that people generally don’t want to invest in preventing negative outcomes, and unless someone solicits a fear-based response, humans tend to only make those investments when they are forced to.
@Steve… I think this answer also relates back to your comment. Yes, overselling is a major problem, but vendors often oversell because there isn’t the market if they don’t.
I do agree with the incremental improvements- and there’s been a lot of innovation, some of it more significant, but that innovation almost always struggles to find a market.
Innovation shouldn’t be seen in monolithic terms – it can be incremental, evolutionary or revolutionary. Perhaps we haven’t seen a major innovation revolution funded in security technology in recent years, but we have seen some interesting incremental and evolutionary innovation, like some the vendors you’ve mentioned. But security is not only about technology – it’s about the process, or the craft of ‘doing security – with technology providing the tools to refine and inform the process. And if the process of security is focused on compliance or constantly responding to the development of new threat methodology or attack vector, it never advances beyond linear (or ‘whack a mole’), with the revenue growth and investment attraction quotient to match. DLP hasn’t gotten out of the security ghetto (or attracted more investment) because it’s been either oversold as a panopticon (or a network of panopticon agents), or narrowly focused on a subset of data, as defined by compliance requirements. The fundamental challenge of how information flows in the context of a business process, or engineering a balance between process, transaction, identity and enforcement goes unaddressed. IT as a service (ie cloud computing) is pushing security further in this direction, and this is where I expect to see some incremental and evolutionary evolution that may just start to open up the investment faucet again (especially if this translates into a lucrative exit, which VC investment is by and large predicated on).
“After paying off your maintenance and licens renewals, and picking up a few widgets to help with compliance, there isn’t a lot of budget left”
The above is a symptom of the problem with security as an industry, as is the fact that security professionals are reactive and cannot nurture innovation.
As I see it, most security folks cannot intelligently demonstrate a relationship between a risk and a control absent a clear and present danger. Hence, we are reactive.
Further, we cannot make a business case for implementing security, we cannot demonstrate the value of “being secure”, we cannot prove that what measure we take actually lead to “being secure”, so absent some forcing factor (an actual exploit, or a compliance requirement), we don’t have a leg to stand on.
The real core of the problem is that the people who make up the security industry are ill suited to do the things needed to make it successful. We complain that we don’t have budget, that we don’t have a “seat at the table” and that our arguments aren’t given the proper weight.
We usually do this absent any intorspection (maybe our argument sucks??) because it is easier to blame them than us. But until we recognize that security isn’t firewalls, AV and other bits and bytes issues, that security is a business problem and therefore security people have to be business people and not IT people, we’ll just keep treading water.
Great post and good observations. The security market is a very interesting and complex ecosystem and even companies that have an innovation that directly addresses a generally accepted problem have a difficult road. The reactive nature of security and the evolving nature of the problems to which the market responds is one level of complexity. The sheer number of vendors in the space and the confusing noise created by those numbers is another. Innovation is further dampened by the large established vendors that move to protect market share by ensuring their customer base that they have known problems covered when there is evidence to the contrary.
Ultimately revenue becomes the gating factor in sustaining a growing company. But buyers have a habit of taking a path of risk avoidance by placing bets on establish suites of products rather than staking professional reputation on unproven innovative ideas. Last I checked, Gartner had over 20 analysts dedicated to IT security in one niche or another, which speaks to how complex the task of evaluating and selecting IT security products can be for any organization. The odds of even the most innovative companies being heard over the noise are small, which is a shame for all concerned as innovation serves both the customers and the vendors.
Jim
Really good post on an important topic. Innovation in the security market definitely isn’t easy for a lot of the reasons you mention. However, the reason I love what I do is that security professionals and the security industry must innovate if our networked economy is going to be sustainable, particularly as the threat actors continually bring forth disruptive innovation. To me, the key to innovating is solving a problem customers care about, and then maniacally focusing on the early adopters that can validate your innovation, both with dollars and solving real problems in their organizations. A new problem pretty much by definition won’t be part of a defined market.