In late 2007 Bruce Schneier, the internationally renowned security technologist and author, wrote an article for IEEE Security & Privacy. The ominously named article, The Death of the Security Industry, predicted the future of the security industry, or lack thereof. In it he predicted that we would treat security as merely a utility, the way we use water and power today. The future is one where “large IT departments don’t really want to deal with network security. They want to fly airplanes, produce pharmaceuticals, manage financial accounts, or just focus on their core business.”
Schneier closes with, “[a]s IT fades into the background and becomes just another utility, users will simply expect it to work. The details of how it works won’t matter.”
Looking back 3 years and having the luxury of hindsight, it is understandable to see why he thought the security industry would become a utility. In part, it has become true. Utility billing is the rage for infrastructure (hello cloud computing) and more and more people are viewing the network as a commodity. Bandwidth has increased in performance and decreased in cost. Continually people are outsourcing pieces of their infrastructure and non-critical IT services to vendors or to offshore employees.
But there are three reasons why I disagree with The Death of the Security Industry, and I believe we are actually going to see a renaissance of the security industry over the next decade.
1. Data is valuable. We can’t think of IT as merely the computers and network resources we use. We need to put the ‘I’ back in IT and remember why we play this game in the first place. Information. Protecting the information (data) will be crucial over the long haul. Organizations do not care about new firewalls or identity management as a primary goal, however they do care about their data. Data is king. Organizations that succeed will be ones that master navigating a new marketplace that values sharing while keeping their competitive edge by safe-guarding and protecting their critical data.
2. Security is a timeless profession. When God gave Adam and Eve the boot from the Garden of Eden, what did he do next? He used a security guard to keep them out of the Garden for good. Security has been practiced as long as people have been people. As long as you have something worth protecting (see ‘data is valuable’ in point 1) you will need resources to protect it. Our valuable data is being transferred, accessed and modified on computing devices and will need to be protected. If people can’t trust that their data is safe then they will not be our customers. The CIA security triad (Confidentiality, Integrity, and Availability) needs to remain intact for consumers to trust organizations with their data, and if that data has any value to the organization, it will need to be protected.
3. Stuxnet. This could be called the dawn of a new age of hacking. Gone are the days of teenagers running port scans from their garages. Be ready to start seeing hackers using sophisticated techniques that simultaneously attack multiple vectors to gain access to their targets. I am not going to spread FUD (Fear, Uncertainty, and Doubt) around, but I believe that Stuxnet is just the beginning.
In addition to how Stuxnet was executed, it is just as interesting to see what was attacked. This next decade will prove to be a change in the type of targets attacked. In the 80’s it was all about hacking phones and more physical targets; the 90’s were the days of port-scanning and Microsoft Windows hacking; the last decade has primarily focused on web and application data. With Stuxnet, we are seeing the revitalization of hacking, where it is returning to its roots of hacking targets that are physical in nature, such as SCADA systems that control a building’s temperature systems. The magazine 2600 has been publishing a series on SCADA hacking over the last 18 months. What makes it even more interesting is that almost every device you buy these days has a web interface on it, so never fear, the last 10 years spent hacking websites will come in real handy when looking at hacking control systems.
In closing, I think we are a long way off from seeing the death of the security industry. The more valuable our data becomes, the more we will need to secure. Data is on the rise and with it comes the need for security. Additionally, as more and more of our world is controlled with computers, the targets become more and more interesting. Be ready for the rise of the security industry.
Let me know what you think on twitter: @wickett