Ilia Kolochenko, CEO and founder of High-Tech Bridge: “Some information security companies today solve problems and mitigate risks that probably have the very lowest priority in the business risk list.”
When Symantec, one of the grand old dames of security, decided to split itself into two separate companies last week, writes Kevin Townsend, it raised questions about the entire security market. It seems that Symantec is separating security (Symantec) from information management (Veritas, which it bought for $13.5 billion in 2005) because neither is currently showing any growth. Symantec’s security division revenue is down 0.3% year on year.
Ilia Kolochenko, CEO and founder of security firm High-Tech Bridge, is not surprised that even one of the world’s largest security firms is struggling in today’s market – which is perhaps surprising since most business research firms say that we are spending more, not less, on security. The problem, believes Kolochenko, is that there are too many security firms providing insufficient security.
“What we are seeing today,” he said, “reminds me of the dot-com bubble at the end of the last century. At that time, confidence in the online marketplace, e-commerce and IT industry in general was so high that almost anyone who could switch on a PC could get finance for an IT business. The only problem was that most of these businesses were designed to create artificial problems or boost non-existent demand in order to make quick money. They didn’t actually solve any real problems.” The bubble burst when the reality hit – the market did not want or need all of these businesses.
A classic example in the security market of the time was the rise and fall of Baltimore Technologies. The industry had persuaded itself that large-scale public key infrastructure (PKI) was the solution to all security problems. Baltimore grew in just four years to a valuation of more than $13 billion; and then collapsed even faster. It sold a product that the market didn’t either want or need; but one that investors were persuaded it needed.
Kolochenko believes that the security market today is in a similarly precarious position to the online business market during the dot-com boom: too many firms are trying to provide solutions to the wrong problems. “It’s a question of efficiency and effectiveness. Efficiency is about doing a thing right, while effectiveness is about doing the right thing.” says Kolochenko. “After the dot-com bubble VCs and other investors now perform thorough due-diligence on the companies they invest in. They do indeed verify that the technology works, that it has competitive advantage in the market, and they calculate how many potential buyers may pay for the technology before they invest in it.” In short, they make sure that new security products are efficient.
But where they get it wrong is in not ensuring effectiveness. “Some information security companies today solve problems and mitigate risks that probably have the very lowest priority in the business risk list. In order to sell their solutions they create artificial demand, quite often misleading or even scaring their customers with false threats or non-existent risks. The worse is resellers, companies who are not capable to create anything themselves and thus resell third-party products and solutions. Quite often they don’t even bother to understand if a particular customer needs a product they propose, but try to convince [by all possible means] to acquire it. In result many companies purchase [efficient] products that they just don’t need, forget or fail to purchase the solutions they really need in order to mitigate the most important cyber security risks their business face, and get hacked as a result.”
The reality is that business is still getting hacked – in fact, we hear about more and more security breaches every day. The problem is that the security technology is efficient in what it does; but not effective in providing security. And that’s because the hackers are also businessmen. “Hacking is about business, money and profit,” explains Kolochenko. “Black hats will not spend their money and time developing expensive custom-made 0-day attacks when companies have pedestrian vulnerabilities and don’t install patches in a timely fashion.”
The reality is that most breaches are still delivered via ‘pedestrian’ XSS and SQLi vulnerabilities. This is where the security industry is failing. “It promises to recognize a burglar walking down the street, but doesn’t show us how to lock the front door and close all of the windows. There are many efficient products and solutions, but there very few efficient AND effective ones” explains Kolochenko.
The danger for the security industry, says Kolochenko, “is that when businesses spend a lot of money on information security but still get hacked (because they mitigated the wrong risks through acquiring the wrong products) they will hesitate to spend at all on infosecurity and lose confidence in the security industry in general.” That is what happened to the dot-com businesses; and it could possibly repeat itself with the security market.
So, will the market collapse like the dot-com bubble? Probably not; but there are too many security companies that are selling too many ineffective products. What Kolochenko foretells is a drastic contraction. Many of the new young companies built by marketers creating artificial threats rather than engineers who solve real problems will probably not survive; and even some of the bigger companies will start to divest themselves of their security divisions. Only the genuinely innovative companies that combine efficiency with effectiveness to serve a genuine security need and solve the real problems will survive.
