Christopher Allen on the constancy of Fear
We don't often get the chance to do the Rip van Winkle experience, and this makes Christopher Allen's essay on how he returned to the security and crypto field after exiting it in 1999 quite interesting.
He identifies two things that are in common: Fear and Gadgets. Both are still present in buckets, and this is a worry, says Christopher. On Fear:
"To simplify, as long as the risks were unknown, we were in a business feeding off of 'fear' and our security industry 'pie' was growing. But as we and our customers both understand the risks better, and as we get better at mitigating those risks cheaply, this 'fear' shrinks and thus the entire 'pie' of the security industry becomes smaller. Yes, new 'threats' keep on coming: denial-of-service, worms, spam, etc., but businesses' understanding of past risks makes them believe that these new risks can be solved and commodified in the same way."
The observation that fear fed on the unknown risks is certainly not a surprise. But I find the conclusion that, as the risks were better understood, the pie shrank to be a real eye opener. It's certainly correlated, but it misses out a world of causality: fear is and was the pie, and now the pie buyers are jaded.
I've written elsewhere on what's wrong with the security industry, and I disagree with Christopher's assumptions, but we both end up with the same question (and with a nod to Adam's question): how indeed to sell a viable real security product into a market where, statistically, we are probably selling FUD?
Addendum: Adam's signalling thread: from Adam: 1, 2. From Iang: 1, 2
Posted by iang at March 18, 2005 11:39 AM
It depends how broadly one defines the industry and the pie. When there is unknown risk, for example, insurance is incredibly difficult. Once we understand the risk, actuaries can do their thing and create a market. Many people have argued that premium control will motivate better security practices, which may have a positive effect on the size of this pie.
When in doubt, sell, since the perfect product will never be developed by the un-funded. FUD should have one more letter added, Un-funded, because that's what makes the wheel keep turning. As long as realistic solutions never get to the table, snake oil will be the dressing of choice. In the unlikely event an educated consumer of security products arrives, they will find no product because of the lack of funding for the rational approach. At some point down the road FUD will become FUDU, and when the dirty tales are told, the FUDU really funded the hackers, crackers, and all sorts of attacks. This will prompt another letter, "C" for Conspiracy. In the end it will take a systemic breakdown to create a market to compete with FUDUC. FUD leaves no room for any valid attempt to create a product to fill a need. Why would you need a CIO or an Information Security Staff if a product really worked? Even idiots like myself could purchase it. Idiots buy emotions, not rational needs-based approaches; that's why they buy FUD faster than a real product. So sell like the snake oil folks, get down and dirty; there is no answer other than to compete at whatever level it takes. Sorry, but you must sell like the FUD folks to sell a real product.