Well, the first day of RSA week is in the books and things are off to a rousing start. My day started early today as I was the moderator of a great panel at the Americas Growth Capital Conference. My panel was on Security Automation. Panel members were Jay Chaudhry of Zscaler, Marty Roesch of Cisco/Sourcefire, John Summers of Akamai, Marc Willebeek-LeMair of Click Security and Rajat Bhargava of JumpCloud.
You would think it is hard getting people roused up at 8:15 a.m., but the panel was off to a flying start around how and why we automate security. When I asked the question, though, of whether or not "software will eat the security industry," things got a little testy. Of course, Marty Roesch on behalf of Cisco is not going to say hardware is going away. For that matter, neither was Willebeek-LeMair, who was also one of the founders of TippingPoint. But Jay Chaudhry, who always has a futurist's view of the industry, said that security appliances are dinosaurs. Security will migrate to the cloud and will be primarily software. Akamai agreed that more and more functionality will be strictly software but did not call for the end of hardware appliances. Bhargava thought that certainly customers are not going to place appliances in the cloud either.
But this brings up a great point. With software replacing specialized and expensive hardware, what are the implications for the security industry? At dinner last night I was sitting with folks from F5 Networks, Sangeeta Anand, SVP of product management and marketing, and Preston (I apologize I don't have Preston's last name). Obviously, F5 is a company with a vested interest in Big Iron. But even taking that as a given, Preston felt strongly that while we will be able to do more with software, people will never just give their security needs over to providers. Even if we built more security into the platform, PaaS providers would not be able to set the policies for customers. Customers need to set their own policies, according to Preston. While the day-to-day management of network security could move to cloud providers and other third parties, enterprises would still set their own policies and risk tolerance.
While I agree with Preston that they will ultimately select what they want, I am not sure they will actually construct their policies, etc.; rather, they may just pick options offered by providers. Another topic was DDoS protection. Preston said outsourcing DDoS protection to specialized DDoS providers is like "paying for emergency services 24 hours a day" instead of just when you need it. It was actually more cost-effective to have some capacity yourself and only call the ambulance when you need it. I don't disagree with his analogy, but it may be a case of what happens if the provider lowers its rates?
The fact is that not only in security but in IT in general we are, as Marc Andreessen says, seeing "software eating the world." A byproduct of this is that more and more of these software functions can also be outsourced to third parties. The implications of this are game-changing. It will result in both winners and losers.
In security we are already seeing the results of this epoch change. A new generation of companies is filing for IPOs, being acquired for multiples that haven't been seen since the dotcom bubble, and generally being given valuations that don't seem to jibe with their business fundamentals.
I believe, though, that we have really just scratched the surface of what this software revolution will bring. Over the next few years we will continue to see software eating more and more. This will result in greater automation, continuous delivery, and better efficiency.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from startup to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.