I often hear that there is no innovation left in security.
That’s complete bullshit.
There is plenty of innovation in security – but more often than not there’s no market for that innovation.
For anything innovative to survive (at least in terms of physical goods and software) it needs to have a market. Sometimes, as with the motion controllers of the Nintendo Wii, it disrupts an existing market by creating new value. In other cases, the innovation taps into unknown needs or desires and succeeds by creating a new market.
Security is a bit of a tougher nut. As I’ve discussed before, both on this blog and in the Disruptive Innovation talk I give with Chris Hoff, security is reactive by nature. We are constantly responding to changes in the underlying processes/organizations we protect, as well as to threats evolving to find new pathways through our defenses. With very few exceptions, we rarely invest in security to reduce risks we aren’t currently observing. If it isn’t a clear, present, and noisy danger, it usually finds itself on the back burner.
Innovations like firewalls and antivirus really only succeeded when the environment created conditions that showed off value in these tools. Typically that value is in stopping pain, and not every injury causes pain. Even when we are proactive, there’s only a market for the reactive. The pain must pass a threshold to justify investment, and an innovator can only survive for so long without customer investment.
Innovation is by definition almost always ahead of the market, and must create its own market to some degree. This is tough enough for cool things like iPads and TiVos, but nearly impossible for something less sexy like security. I love my TiVo, but I only appreciate my firewall.
As an example, let’s take DLP. By bringing content analysis into the game, DLP became one of the most innovative, if not the most innovative, data security technologies we’ve seen. Yet 5+ years in, after multiple acquisitions by major vendors, we’re still only talking about a $150M market. Why? DLP didn’t keep your website up, didn’t keep the CEO browsing ESPN during March Madness, and didn’t keep email spam-free. It addresses a problem most people couldn’t see without a DLP tool! Only when it started assisting with compliance (not that it was required) did the market start growing.
Another example? How many of you encrypted laptops before you had to start reporting lost laptops as a data breach?
On the vendor side, real innovation is a pain in the ass. It’s your pot of gold, but only after years of slogging it out (usually). Sometimes you get the timing right and experience a quick exit, but more often than not you either have to glom onto an existing market (where you’re fighting for your life against competitors that really shouldn’t be your competitors), or you find patient investors who will give you the years you need to build a new market. Everyone else dies.
Some examples?
- PureWire wasn’t the first to market (ScanSafe was) and didn’t get the biggest buyout (ScanSafe again), but they timed it right and were in and out before they had to slog.
- Fidelis is forced to compete in the DLP market, although the bulk of their value is in managing a different (but related) threat. 7+ years in and they are just now starting to break out of that bubble.
- Core Security has spent 7 years building a market, something only possible with patient investors.
- Rumor is Palo Alto has some serious firewall and IPS capabilities, but rather than battling Cisco/Checkpoint, they are creating an ancillary market (application control) and then working on the cross-sell.
Most of you don’t buy innovative security products. After paying off your maintenance and license renewals, and picking up a few widgets to help with compliance, there isn’t a lot of budget left. You tend to only look for innovation when your existing tools are failing so badly that you can’t keep the business running.
That’s why it looks like there’s no security innovation – it’s simply ahead of market demand, and without a market it’s hard to survive. Unless we put together a charity fund or those academics get off their asses and work on something practical, we lack the necessary incubators to keep innovation alive until you’re ready to buy it.
So the question is… how can we inspire and sustain innovation when there’s no market for it? Or should we? When does innovation make sense? What innovation are we willing to spend on when there’s no market? When and how should we become early adopters?
17 Replies to “FireStarter: There is No Market for Security Innovation”
To say that there is no innovation left in security is an extreme exaggeration but on the other hand I think that the security industry and the security market is inherently conservative and prima facie opposed to innovation whether disruptive or not.
I would argue that relatively speaking, the information security community is less innovative than other communities. It is also a community mostly narrowly focused on addressing the practical problems of short term futures and as such the room for disruptive innovation isn’t big or interesting enough to accommodate more than a handful of initiatives. In addition to that as a whole the infosec community is quite unforgiving, it severely penalizes failure although not necessarily financially which in turn fosters risk aversion among would-be innovators and their backers.
There are always exceptions of course but such is the case in every other industry.
To answer your question: We should inspire innovation by demanding resilient products and development environments. Creating innovation in response to the lack thereof seems inefficient. If major buyers band together, opportunity can be quantified and innovation will follow.
Now I’m off to go see what the jericho forum is up to these days…
Hi Rich,
Interesting post. Innovation is what sets us free from the tiresome la brea tar pits of the mediocre which are unrepentantly spoon fed to the masses (individual consumers and organizations alike), by large; bloated, overly commercialized vendors who, rather than innovate, homogenize and dilute emerging markets with substandard, and often times, inappropriate solutions. This type of intellectual dishonesty is even more intolerable when served up on a sizzling hot platter by a start up. Innovation is, as you pointed out, by definition almost always ahead of everything else out on the market.
best,
Will
Security innovation is harder because security is applied to something else, it doesn’t exist by itself. The security innovation happens to deal with innovation from other fields. I wrote a post about it at that time when Hoff was talking about it too.
http://www.securitybalance.com/2008/03/disruptive-innovation-and-security/
David,
Not sure I understand your question: one of the roles of academia is to conduct research that would not otherwise be supported by commercialization. Pure research, which can focus on practical problems for which there isn’t a market yet.
Some of these eventually become products, some don’t. But the commercial sector definitely won’t engage in this higher-risk research.
Rich,
Good post.
“After paying off your maintenance and license renewals, and picking up a few widgets to help with compliance, there isn’t a lot of budget left.”
As we’ve discussed, this is one of the reasons I am concerned over myopic focus on PCI/Compliance mandated spending. I talked with dozens of security professionals who DID want to buy and deploy innovative stuff, but had budgets cut at the “Will I be fined if we don’t do it?” line…
I’ve been reminding people that the current market and compliance myopia is economically punishing innovators. Vendor roadmaps are steering toward the Compliance as their North Star – as opposed to Evolutions in threat or technology or business needs.
If we want anyone preparing the solutions we will need tomorrow, we need to be more careful and deliberate as an industry.
This alleged Einstein quote about bees comes to mind when I talk about this:
“If the bee disappeared off the surface of the globe then man would only have four years of life left. No more bees, no more pollination, no more plants, no more animals, no more man,” said Albert Einstein.
Clearly stretching a point – to make a point… but we are in an eco-system.
I’m keenly watching the bees – our VCs and the Innovative start-ups…
Did anyone else notice there was no Greylock party at RSA this year?
On the one hand you say there is no money to buy innovation and on the other hand you say academics are not working on practical problems. Which is it? Are there practical problems that need to be solved for which you’d pay money? Perhaps you should point them out to the “academics sit on their asses.”
“I love my TiVo, but I only appreciate my firewall.”
This exact sentiment led more than a few of my friends who are (well, were) security product developers to go into Facebook games instead 🙁 I tried to convince them that security is more fun, but they said “there are no delighted customers in security” – and they wanted to delight, not just solve the pain.
However!
“how can we inspire and sustain innovation when there’s no market for it?”
Not true! If you nicely predict the security pain of now+2 years and start building now, you win. Basically, the same as in any other high-tech business: predict or create the need, and you are done. We can’t create need in infosec, but surely we can try to predict it.
“academics get off their asses and work on something practical”
Unlikely. Few of the people who ignore the outside world [of infosec] can predict what it would be like in 2 years.
“Most of you don’t buy innovative security products”
IMHO, this one is different – lacking metrics, it is hard to tell innovative but useless product from the one that innovatively solves your exact problems!
Nice analysis Rich.
I think there’s an even deeper problem. What market there is for innovation, it’s only for technology innovations to newly important threats (reactive response, as you point out).
But it’s well known that the most serious problems in security are not purely technical and don’t yield to technology “point solutions”. For example, I was at the IT Security Entrepreneur’s Forum last week (http://www.security-innovation.org/itsef/) and heard a good panel on Identity, Authentication, and Attribution. Several of the panelists enumerated the non-technical challenges and problems, and complained that the industry keeps lobbing tech-only solutions at it.
I see this as both a market demand problem and also as a solution creation problem (i.e. the R&D value chain). On the market side, customers don’t know how to translate their non-technical needs into demand for products and services. On the supply side, the R&D value chain is very heavily biased toward technical point solutions because that fits the education and culture of most engineers and entrepreneurs, and it also fits the business model of venture capital.
Putting these two failures together, it pretty much guarantees that the “good guys” will *always* be behind in the InfoSec arms race — both lagging behind in time and also lagging behind in solutions capability (innovation).
Good blog post Rich.
I think folks get confused in discussing the term “innovation”. I think that most people when they think of “innovation”, they are referring to “disruptive innovation” (as you mentioned above). This is that new product/service/process that just leaves the old way of doing things in the dust.
There are also other ways of innovating. For example, combining existing technologies in some sort of unique way that creates a new type of value. I think this is the type of innovation that happens most in our infosec world.