Visiting RSA '07 last week, I tried to embrace the fact that this security conference is no longer an insiders' gathering, and tried to put myself in the shoes of a newbie to figure out what I should pay attention to in a new security job. The first mistake I made as a newbie was to wear new shoes: ouch. The second was to try to take it all in. If you accept the premise that security should be holistic and not about silver bullets, then the RSA show floor was big bucket of silver bullets. Hundreds of features disguising themselves as products, loudly touting the latest scare: "Did you know there are ogres lurking in this obscure part of your infrastructure? Anti-OGRE!" It was difficult to see what the big new theme for security is in 2007.
If I were to take each offering at face value, what would I need to deploy in my enterprise to secure against all these threats? Viruses, worms, rogue wireless, stolen identity, leaked secrets, privilege escalation, zombie armies -- none of these is outside the scope of the threats an enterprise faces. I would put in six to seven appliances around every switch, a few more in front of my egress routers and a couple dozen servers in the data center to crunch all the data. I would have a management console for each product and a separate set of policies. All of the different products would send a stream of logs and reports to as many as a dozen consoles. If I only had enough budget left for one staff member, I would put him on a chair with wheels and instruct him to roll up and down in front of the consoles in case he noticed something.
The security industry is suffering from an innovation model that is driven by an arms race. Let's face it: most of the R&D that matters is done by "them." The security innovation is almost always reactive. So every now and then, as new threats emerge, a dozen start-ups pop up to address that one tiny niche. It takes about a year or two for these smaller companies to be acquired and integrated into monolithic security suites. And the cycle continues.
While this model may work for the industry, it doesn't seem to work for the customers who report feeling insecure and getting breached despite billions of dollars of spending over a decade and a half. The missing ingredient is not integration, but interoperability. This industry needs to replace single vendor tightly coupled integration with multi-vendor protocol-based interoperability.
So I can still pick the point product that addresses the latest threat or peculiar need, but be able to plug it into a security infrastructure that is vendor neutral. A glimmer of hope comes from some of the standardization efforts around endpoint access management with Microsoft's Network Access Protection, Cisco's Network Admission Control and the Trusted Computing Group's Trusted Network Connect.
The hope is that these protocol-based interoperability standards might lead to convergence of agents and policies on the endpoint, even supporting multiple vendors.
Here's my advice: Try to put building blocks in place that create a vendor-neutral security infrastructure for your company. Pick products based on how much they help you converge to that goal and ignore products that diverge. Even if they solve an important problem, they're not worth it if you cannot cost-effectively manage them as part of your security infrastructure. Oh, and don't wear new shoes to a conference.
Andreas M. Antonopoulos is a senior vice president and founding partner at Nemertes Research, a leading independent technology research firm. Reach him at firstname.lastname@example.org.