August 16, 2007

The Next thing…

Tickle Me Security

It seems to me that the security industry releases a new “tickle me elmo” every year. Suddenly it's
all that anyone is talking about. Never mind that you have been in business for 40
years without one, but suddenly you are asked why you don't have one by
every auditor and their mother. And of course if that's not enough, every vendor and
“security specialist” will swear up and down how you can't live without it. Suddenly
you feel like the kid without the nintendo…. God I hated middle school.

FUD and The Bandwagon

Childhood trauma aside, it's funny but it seems to me that all these cycles of
hype work the same –

  • 3-4 years out – Funding – VCs fund several companies in
    the space.
  • 2-3 years out – FUD (Fear, Uncertainty and Doubt) – consider
    this a building year. The “experts” start the commentary. You see articles start appearing
    – seemingly out of nowhere – to introduce you to the problem.
  • 1-2 years out – The SELL – The marketing machine goes into full gear,
    the analysts jump on board, and the trade shows “fill up” with seemingly the same
    story, over and over and over again. The early adopters take the plunge. Shelfware.
  • The Year of the “insert blank” – The Bandwagon – Suddenly it seems
    to be the only thing the auditors want to focus on. Why you don't have one, and what
    you are going to do about it. By this time everyone is doing it, so you might as well.
    Peer pressure can be overwhelming. You suddenly wish you had more of a spine
    – but then again, what's a couple of drags….
See if any of this is familiar to you (the “hype” years below):

  • 2002 – Patch management
  • 2003 – Anti-spyware
  • 2004 – Intrusion Prevention, HIPAA
  • 2005 – Identity Management, Log management, SOX
  • 2006 – SSL VPNs, The Executive Dashboard
  • 2007 – Data Loss Prevention, Encryption, PCI

And this is just security! Don't get me started on CRM or VOIP.

Ok. So here is the mea culpa – this is our industry, learn to live with it. I rant
and rave, but it is what it is. Without cool new solutions, we would be out of a job
as consultants – so there! That's right. I said it. I want that nintendo!

What's next? Here are my predictions:
  • 2008 – NAC (Network Access Control) – early adopters are
    chewing on it right now – a lot of shelves are getting used…… Buy into it
    now and you have yourself a very expensive thingamabob that ties into thingamajiggies
    and has a great whatchamacallit to boot. Put me down for two.
  • 2009 – HIPS (Host Intrusion Prevention) – Shelves are being cleared
    for this as we speak! “AV is dead” – read all about it on security blogs including this
    one. Interesting concept to be sure.. I like what I see but too early to tell. Prepare
    for the marketing overload. I predict that the AV vendors will morph into HIPS vendors.
    I don't know that there is much room for outsiders but Cisco will give it a go. Will
    NAC lead to HIPS or will AV lead to HIPS? That seems to be the question of the day.
    I have a guess, but I am not telling (unless you pay me of course..)
  • 2010 – Biometrics.. for sure.. I'm smelling something about big toe
    scanners… too early to tell but I am washing my feet to be ready… you can never
    be too clean.

Ray Zadjmool – QSA, CISSP, MCSE, VIP