The End Of The Security Industry Not So Unrealistic
from the gone-tomorrow dept
Last week, security expert Bruce Schneier caused a bit of a stir when he said that there shouldn't be a security industry. While his comment engendered a lot of debate, it really wasn't a particularly radical statement. As he's made clear in his latest Wired column, all he meant was that IT vendors should be building security directly into their products, rather than requiring customers to purchase security products and services separately. However, even this isn't a particularly strong stance, because it reflects what is already happening in the industry. Microsoft has received a lot of attention for its aggressive security push, while companies like Cisco, IBM and EMC have made a number of security-related purchases. Few expect this trend to abate, as many see a dour future for standalone security firms. Still, there will always be a need for specialized work in areas like malware and intrusion detection, so it's not clear that the tangible effects of this shift will be that significant.
Reader Comments
Third-party security often costs more than whatever is actually being secured; the people that spend that kind of money will be happy to have a secure product by default.
However, there's an even larger number of people who want to buy a piece of software for $1000, and are content with it being insecure at that cost. They would not be willing to spend $2000 on the same piece of "secure" software.
Large corporations that need maximum security would benefit from this; however, small startup companies and individual users would have a huge price tag to pay for it.
[ link to this | view in chronology ]
I don't understand what you are writing
All the efforts you mentioned are only eyewash; the companies like M$, IBM etc. are not really implementing security.
[ link to this | view in chronology ]
The vast majority of 1st-level support remote-admin jobs are already outsourced overseas. That leaves grunt-level break/fix duties for those lucky enough to find them, and even their days are numbered. 5-10 years ago it made perfect sense to pay a technician $30-40/hr to repair/maintain your $2500 computer, but how much sense does it make when today's equivalent only costs $400? How long before that box is in the "disposable" range (sub-$100)? Maybe 3-4 years?
InfoSec, however, will always remain local. No threat of obsolescence either, at least in the sense that there will always be a demand.
[ link to this | view in chronology ]
The expertise is required by companies to implement secure software.
'Security software' has always been useless and has been surviving by creating FUD; hopefully more people will notice this.
[ link to this | view in chronology ]
security is not a product
[ link to this | view in chronology ]
Security is a myth
[ link to this | view in chronology ]
Re: Security is a myth
If you build security into your computer system from the hardware up, it is possible to make your system almost perfectly air-tight. The last time I checked (around 2001 or so), there had never been a successful "hack" attack on an IBM AS/400. There had been successful break-ins, but they all involved social engineering, thus highlighting the fact that the main reason that computers are insecure is the same reason that anything is insecure. People.
[ link to this | view in chronology ]
Not Exactly
Bruce has been pushing for software makers to be liable for insecure software they produce, following his concept of security externalities. I think that is the best thing we could do to make the internet more secure and efficient. Software makers would scream and complain, but they would figure out how to make it work and consumers would learn to accept longer development times.
When we put our efforts into preventing, rather than reacting to security problems, the market is more efficient and in the end everybody wins.
[ link to this | view in chronology ]
"Living" Security
[ link to this | view in chronology ]
security = music
The only virus I have ever received was through Windows Media Player... ironic considering I never use that program. Now, I'm a whole OS away from that thing... ^_^
[ link to this | view in chronology ]
Security isn't a function of technology
There's no danger of comprehensive programs going away in the foreseeable future.
[ link to this | view in chronology ]
Problems with security
The variable instruction length of the x86 makes it very difficult to audit machine code for potentially dangerous instructions. When you take that into account, and then factor in the fact that Windows is an incredibly tangled mess of kludges that no one fully understands, and the fact that IE does not keep a proper wall between itself and the operating system but instead is an integrated part of the OS, it's no wonder that the security industry is forever playing catch-up with crackers and malware producers.
[ link to this | view in chronology ]