Tickle Me Security
It seems to me that the security industry releases a new "Tickle Me Elmo" every year. Suddenly it's all that anyone is talking about. Never mind that you have been in business for 40 years without one, but suddenly you are asked why you don't have one by every auditor and their mother. And of course if that's not enough, every vendor and "security specialist" will swear up and down how you can't live without it. Suddenly you feel like the kid without the Nintendo.... God I hated middle school.
FUD and The Bandwagon
Childhood trauma aside, it's funny, but it seems to me that all these cycles of hype work the same -
- 3-4 years out - Funding - VCs fund several companies in the space
- 2-3 Years out - FUD (Fear, Uncertainty and Doubt) - consider this a building year. The "experts" start the commentary. You see articles start appearing - seemingly out of nowhere - to introduce you to the problem.
- 2-1 Year out - The SELL - The marketing machine goes into full gear, the analysts jump on board, and the trade shows "fill up" with seemingly the same story, over and over and over again. The early adopters take the plunge. Shelfware mounts....
- The Year of the "insert blank" - The Bandwagon - Suddenly it seems to be the only thing the auditors want to focus on. Why you don't have one, and what you are going to do about it. By this time everyone is doing it, so you might as well. Peer pressure can be overwhelming. You suddenly wish you had more of a spine - but then again, what's a couple of drags....
See if any of this is familiar to you (the "hype" years below -)
2002 - Patch management
2003 - Anti Spyware
2004 - Intrusion Prevention, HIPAA
2005 - Identity Management, Log management, SOX
2006 - SSL VPNs, The Executive Dashboard
2007 - Data Loss Prevention, Encryption, PCI
And this is just security! Don't get me started on CRM or VoIP.
Ok. So here is the mea culpa - this is our industry, learn to live with it. I rant and rave, but it is what it is. Without cool new solutions, we would be out of a job as consultants - so there! That's right. I said it. I want that Nintendo!
What's next? Here are my predictions:
- 2008 - NAC (network access control) - early adopters are chewing on it right now - a lot of shelves are getting used...... Buy into it now and you have yourself a very expensive thingamabob that ties into thingamiggigies and has a great whatchamacalit to boot. Put me down for two.
- 2009 - HIPS (Host intrusion prevention) - Shelves are being cleared for this as we speak! "AV is dead" - read all about it on security blogs, including this one. Interesting concept to be sure.. I like what I see, but it's too early to tell. Prepare for the marketing overload. I predict that the AV vendors will morph into HIPS vendors. I don't know that there is much room for outsiders, but Cisco will give it a go. Will NAC lead to HIPS or will AV lead to HIPS? That seems to be the question of the day. I have a guess, but I am not telling (unless you pay me of course..)
- 2010 - Biometrics.. for sure.. I'm smelling something about big toe scanners... too early to tell but I am washing my feet to be ready... you can never be too clean.
Ray Zadjmool - QSA, CISSP, MCSE, VIP