The End Of The Security Industry Not So Unrealistic

from the gone-tomorrow dept

Last week, security expert Bruce Schneier caused a bit of a stir when he said that there shouldn't be a security industry. While his comment engendered a lot of debate, it really wasn't a particularly radical statement. As he's made clear in his latest Wired column, all he meant was that IT vendors should be building security directly into their products, rather than requiring customers to purchase security products and services separately. However, even this isn't a particularly strong stance, because it reflects what is already happening in the industry. Microsoft has received a lot of attention for its aggressive security push, while companies like Cisco, IBM and EMC have made a number of security-related purchases. Few expect this trend to abate, as many see a dour future for standalone security firms. Still, there will always be a need for specialized work in areas like malware and intrusion detection, so it's not clear that the tangible effects of this shift will be that significant.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 3 May 2007 @ 10:21pm

    ...so basically, you ripped this off of Wired.

    link to this | view in chronology ]

  • identicon
    viperdesignz, 3 May 2007 @ 10:23pm

    I hate all anti-virus software anyways.

    link to this | view in chronology ]

  • identicon
    Ken, 3 May 2007 @ 11:02pm

    One reason we have a security industry:

    Third party security often costs more than whatever is actually being secured, the people that spend that kind of money will be happy to have a secure product by default.

    However, there's an even larger number of people who want to buy a piece of software for $1000, and are content with it being insecure at that cost. They would not be willing to spend $2000 on the same piece of "secure" software.

    Large corporations that need maximum security would benefit from this, however small startup companies and individual users would have a huge price tag to pay for it.

    link to this | view in chronology ]

  • identicon
    Kilaru Sambaiah, 3 May 2007 @ 11:14pm

    I don't understand what you writing

    Definitely Bruce Schneier is an expert in the field of security. I don't understand what you wanted to convey.
    All the efforts you mentioned are only eye wash, the
    companies like M$, IBM etc are not really implementing
    security.

    link to this | view in chronology ]

  • identicon
    Brian, 3 May 2007 @ 11:16pm

    Not only is it needed, it's the only IT-related field with any job security left.

    The vast majority of 1st-level support remote-admin jobs are already outsourced overseas. That leaves grunt-level break/fix duties for those lucky enough to find them, and even their days are numbered. 5-10 years ago it made perfect sense to pay a technician $30-40/hr to repair/maintain your $2500 computer, but how much sense does it make when today's equivalent only costs $400? How long before that box is in the "disposable" range (sub-$100)? Maybe 3-4 years?

    InfoSec, however, will always remain local. No threat of obsolescence either, at least in the sense that there will always be a demand.

    link to this | view in chronology ]

  • identicon
    Jesse McNelis, 4 May 2007 @ 1:10am

    The computer security industry isn't going anywhere.
    The expertise is required by companies to implement secure software.

    'Security software' has always been useless and has been surviving by creating FUD, hopefully more people will notice this.

    link to this | view in chronology ]

  • identicon
    Adriana, 4 May 2007 @ 4:05am

    security is not a product

    Joe, agreed. The point is that security is not only a technological problem and therefore cannot be a mere bolt-on for a product. To 'build security into products' doesn't mean to 'bundle' it with an existing product as a security feature but to design them as secure in the first place. It is a shift in attitude not just pricing or product sales.

    link to this | view in chronology ]

  • identicon
    haywood, 4 May 2007 @ 5:29am

    Security is a myth

    The best you can hope for is to make breaching it more trouble than it is worth.

    link to this | view in chronology ]

    • identicon
      Charles Griswold, 4 May 2007 @ 11:48am

      Re: Security is a myth

      The best you can hope for is to make breaching it more trouble than it is worth.

      If you build security into your computer system from the hardware up, it is possible to make your system almost perfectly air-tight. The last time I checked (around 2001 or so), there had never been a successful "hack" attack on an IBM AS/400. There had been successful break-ins, but they all involved social engineering, thus highlighting the fact that the main reason that computers are insecure is the same reason that anything is insecure. People.

      link to this | view in chronology ]

  • identicon
    Andy B, 4 May 2007 @ 6:08am

    Not Exactly

    What Bruce has really been trying to say all along is that the IT security industry exists because makers of software are not held accountable for the failings of their systems. There is not enough economic incentive to code secure software. Everybody patches and everybody has security breaches, so anymore there is no real incentive for a company to try and avoid such things.

    Bruce has been pushing for software makers to be liable for insecure software they produce, following his concept of security externalities. I think that is the best thing we could do to make the internet more secure and efficient. Software makers would scream and complain, but they would figure out how to make it work and consumers would learn to accept longer development times.

    When we put our efforts into preventing, rather than reacting to security problems, the market is more efficient and in the end everybody wins.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 May 2007 @ 6:38am

    "Living" Security

    The thought of building software securely is great, but as long as you have people determined to cause damage and circumvent security you need a seperate entity providing security for your box. Something thats sole purpose is to block remove search for threats, with this built in sure it can be updated from the manufacturer but its not as efficient as having a piece of hardware or software whose sole purpose is security. Nothing can ever be 100% secure you can only make it difficult so that you minimize threats you can never truly "eliminate" threats to security.

    link to this | view in chronology ]

  • identicon
    Buzz, 4 May 2007 @ 12:12pm

    security = music

    I just realized I feel similar about the security industry as I do about the music industry. Security really ought to be bundled to something else. I personally have zero desire to enter the security industry and will probably do as this article suggested: I will implement my own security measures into my software packages.

    The only virus I have ever received was through Windows Media Player... ironic considering I never use that program. Now, I'm a whole OS away from that thing... ^_^

    link to this | view in chronology ]

  • identicon
    John, 4 May 2007 @ 12:20pm

    Security isn't a function of technology

    While I have the upmost respect for Bruce Schneier and agree with most of his editorials, I would agree with Charles and further his argument by saying that technology is a function of a larger security program instead of an isolated pocket encapsulated by technology. If you don't address the managerial & operational aspects of security (such as SETA, Policy, RA, etc....) then you don't have a security program.

    There's no danger of comprehensive programs going away in the forseeable future.

    link to this | view in chronology ]

  • identicon
    Charles Griswold, 4 May 2007 @ 2:44pm

    Problems with security

    As I see it, the problem with security on the average PC is that most people run the least secure web browser (Internet Explorer) on the least secure operating system (MS Windows) on the least secure hardware (x86-based CPUs).

    The variable instruction length of the x86 makes it very difficult to audit machine code for potentially dangerous instructions. When you take that into account, and then factor in the fact that Windows is an incredibly tangled mess of kludges that no one fully understands, and the fact that IE does not keep a proper wall between itself and the operating system but instead is an integrated part of the OS, it's no wonder that the security industry is forever playing catch-up with crackers and malware producers.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.