February 27, 2004

What's next?

"What's next?" is the question that gives a buzz to seekers of the next big thing. It also seems to be quite an interesting question for Silicon Valley technologists, such as Christopher Allen. Chris has written up his views on the state of security technology five years after he made it big with SSL. To his surprise, he notices that there have been no substantial changes in security technology during this time, and he brilliantly summarises the problem:

"To simplify, as long as the risks were unknown, we were in a business feeding off of 'fear' and our security industry 'pie' was growing. But as we and our customers both understand the risks better, and as we get better at mitigating those risks cheaply, this 'fear' shrinks and thus the entire 'pie' of the security industry becomes smaller. Yes, new 'threats' keep on coming: denial-of-service, worms, spam, etc., but businesses' understanding of past risks makes them believe that these new risks can be solved and commodified in the same way."

In other words, security has become a commodity.

The question that then suggests itself is "what's next?" Chris outlines some solutions for security vendors: become an insurance house, focus on reliability, or focus on technology that enables new business models. The first goes beyond the scope of pure technology, but the other two mark what I see as a clear trend. Application security will be the next big thing.

Application security not as in application firewalls or application hardening, but application security as:

a) implementation of new ways of doing authentication, access control and audit that are part of applications or application middleware;
b) use of security mechanisms in a way that is not necessarily about security but that enables new business practices (e.g. DRM, smartcards, biometrics).

Anyway, what strikes me is the remarkable difference between the old security world and the new one, and the skills that practitioners must possess. The mindset, skills and experience of new security practitioners will be quite different from those of the old ones. Knowledge of networks and platforms will not be critical. Instead, it is more likely that they will have to be generalist architects with a strong background in application development, databases and integration, with reasonable knowledge of the business they are working in, and with a hint of specialised knowledge in the area of new security technologies.

Posted by Jiri at February 27, 2004 02:38 PM