Yesterday security pundit and all-around nice guy Mike Rothman unleashed a Special Incite called: “VirtSec: Don’t Hold your Breath.”
He mentioned a few of us security bloggers and talked about how long it will take before virtsec takes off and why. I think our “pragmatist” has really confused vision and tech strategy with market sizing.
Most of the larger netsec players argue that “size equals significance”, while startups usually correlate significance and innovation with growth potential. The truth is probably somewhere in between, although the last few years have been rewarding incrementalism more than innovation.
By falling into the “size matters” camp, Mike ends up becoming a perhaps unwilling metaphor for today’s numero uno problem. I’ll call it the netsec quicksand rationalization, which goes like this: “every move you make causes you to sink even further”. Whether it’s the thousands of new attack permutations a day, the knowledge of an ever-growing population of vulnerabilities, or the no-rest posture of waiting for the next attack, I think Rothman represents a common perspective shared by many in the security industry.
For years netsec has been a land of incremental innovations, driven mostly by past decisions, regulatory events and exploit publicity dynamics. Every new security category looks a lot like the airline industry as it starts, with more funds going out than coming in. Under those kinds of pressures a few survivors emerge, and fewer yet find exits for their investors.
As IT teams evaluate new technologies they hold them against a higher standard than those already installed. As Andy Kyte said at a recent Gartner keynote covered by Network World:
“We see people putting money into products and solutions that are clearly dying. Instead of investing in them, they should be investing in migrating off of them.” - Andy Kyte quoted in Network World
Most large enterprises have made an attempt to protect themselves from the negative effects of bad decisions by establishing a multitude of committees to approve purchases. They collectively evaluate new technologies, placing more emphasis on analyzing innovations than on the value of what they’ve already installed. The result: innovation faces far more scrutiny than the negative effects of obsolete legacy decisions ever do.
That environment of “selective persecution” puts a substantial burden on anything truly new, while rewarding incremental innovations which are complementary to five or ten years of past product decisions. No wonder Mike has advised repeatedly to go to the midmarket when launching a new netsec product.
Last year I was chatting with my cousin the IT guy, who has spent close to 20 years working for a large IT consulting firm. We were talking about various hot new technologies and he commented: “My frustration is that it takes us about two years to evaluate and deploy a new, innovative product; and that’s if it’s hot.”
That brings me back to Rothman’s hold-your-breath rant. Taking any new discussion and waving the “it’s two years, guys” flag just exacerbates the quicksand mentality. Everyone knows that new markets start slow and the first 50 customers are the hardest; but virtualization is already established and spreading like gangbusters, VMware is openly declaring its intention to permeate the data center and the cloud, and security is clearly a new challenge for platforms developed within the confines of devtest. The strategic importance of virtsec has indeed drawn a great deal of attention as plans are made.
Virtualization is an opportunity to examine the possibilities of the old and the new and to make network security and IT strategic. As enterprises deploy virtualization-lite as a first step, let’s use this opportunity to rethink what is working and what isn’t, and to plan a more proactive future. Let’s place equal scrutiny on yesterday’s decisions as we do on tomorrow’s innovations.
That is why it is important for people like Hoff and Rothman and others to keep the conversation looking forward, beyond the beer already spilled. It will take innovation on multiple levels to help us get ahead of the game, so let’s not get distracted by the bureaucracy that won’t jump until it’s too late. We’ve seen that story play itself out many times before.
There is also considerable consensus that the security requirements of virtualization are different from those of fixed physical servers, and that most of the security players, including Cisco, Juniper and Symantec, may not be ready for the demands of elegant hypervisor-layer visibility and enforcement.
I think the coming collision between virtualization and security in the data center gives us plenty to talk about. Or we could just sit still and breathe slowly while waiting for someone to hand us a vine.