Well, the first day of RSA week is in the books and things are off to a rousing start. My day started early today as I was the moderator of a great panel at the Americas Growth Capital Conference. My panel was on Security Automation. Panel members were Jay Chaudhry of Zscaler, Marty Roesch of Cisco/Sourcefire, John Summers of Akamai, Marc Willebeek-LeMair of Click Security and Rajat Bhargava of JumpCloud.
You would think it is hard getting people roused up at 8:15 a.m., but the panel was off to a flying start around how and why we automate security. When I asked the question, though, of whether or not "software will eat the security industry," things got a little testy. Of course, Marty Roesch on behalf of Cisco is not going to say hardware is going away. For that matter, neither was Willebeek-LeMair, who was also one of the founders of TippingPoint. But Jay Chaudhry, who always has a futurist's view of the industry, said that security appliances are dinosaurs. Security will migrate to the cloud and will be primarily software. Akamai agreed that more and more functionality will be strictly software but did not call for the end of hardware appliances. Bhargava thought that certainly customers are not going to place appliances in the cloud either.
But this brings up a great point. With software replacing specialized and expensive hardware, what are the implications for the security industry? At dinner last night I was sitting with folks from F5 Networks, Sangeeta Anand, SVP of product management and marketing, and Preston (I apologize I don't have Preston's last name). Obviously, F5 is a company with a vested interest in Big Iron. But even taking that as a given, Preston felt strongly that while we will be able to do more with software, people will never just give their security needs over to providers. Even if we built more security into the platform, PaaS providers would not be able to set the policies for customers. Customers need to set their own policies, according to Preston. While the day-to-day management of network security could move to cloud providers and other third parties, enterprises would still set their own policies and risk tolerance.
While I agree with Preston that they will ultimately select what they want, I am not sure they will actually construct their policies, etc.; rather, they may just pick options offered by providers. Another topic was DDoS protection. Preston said outsourcing DDoS protection to specialized DDoS providers is like "paying for emergency services 24 hours a day" instead of just when you need it. It was actually more cost-effective to have some capacity yourself and only call the ambulance when you need it. I don't disagree with his analogy, but it may be a case of what happens if the provider lowers its rates?
The fact is that not only in security but in IT in general we are, as Marc Andreessen says, seeing "software eating the world." A byproduct of this is that more and more of these software functions can also be outsourced to third parties. The implications of this are game-changing. It will result in both winners and losers.
In security we are already seeing the results of this epoch change. A new generation of companies are filing for IPOs, being acquired for multiples that haven't been seen since the dotcom bubble, and generally given valuations that don't seem to jibe with their business fundamentals.
I believe, though, that we have really just scratched the surface of what this software revolution will bring. Over the next few years we will continue to see software eating more and more. This will result in greater automation, continuous delivery, and better efficiency.