Managing information security during an innovation void

Although predictions for the coming year are a staple of the season, I will do more than offer an educated guess. I am going on the record with a guarantee: In 2012 we will see an increase in network intrusions from disparate parties trying to create IT infrastructure chaos for a variety of reasons primarily political, financial and economic. An easy prediction perhaps given the trend and yet while I fully trust CSOs and CISOs and security teams are doing all they can to prevent breaches; I am deeply concerned that they still lack the technology to adequately protect IT infrastructure from malicious attacks.

There are several reasons for this state of unpreparedness. Budget constraints certainly continue to be an issue even as the U.S. economy plods along in recovery mode. However, the more disconcerting limiting factor is beyond the direct control of infosec executives:the scarcity of innovation in the information security industry.

[Also see: Collaboration accelerates security innovation]

Too few entrepreneurs are bringing to market new technologies that are the core building blocks for information security. While I wouldn’t go so far as the say enterprises are bringing a knife to a gun fight, there is no doubt that the industry is not keeping pace with the technology or the ability of attackers. The resulting disparity between available options and the growing challenges faced is what I call the innovation void.

Four factors created the innovation void: Cuts, constraints, consolidation and capital:

Cuts: IT spending cuts during the Great Recession were deep and have yet to recover. US Software CAPEX growth was just 7 percent as of Q2 2011, exactly where it was 20 years ago. Spending is off the lows of 2008 and 2009 but show only modest gains -- especially given those lows, is 7 percent growth really all that impressive? Many software vendors have been unable or unwilling to invest in R&D in this climate. The downstream effect is a dearth of truly new technologies. I suspect this will change as the domestic and worldwide economies -- which are now clearly and highly-correlated -- improve. In the meantime, enterprise customers can anticipate only minor improvements to infosec solutions.

Constraints: The challenge of spending cuts not only affects companies that sell information security software. The innovation void leaves CISOs, CSOs and their teams navigating increasingly complex and treacherous environments. The explosive increase in the use of employee-owned consumer technologies within the workplace -- especially mobile technology, e.g., smartphones, iPhone, iPad, iWhatever -- means information security professionals have to protect a broader plane of vulnerability, and do so with fewer resources.

Consolidation: Acquisitions of independent information security technology vendors by multinational information technology conglomerates often dilutes focus, changes business priorities and slows operational tempo of the acquired companies.

Capital: The final factor contributing to the innovation void is a lack of capital investment. According to The Moneytree Report by PwC and NVCA based on data from Thomson Reuters, venture capital investment in IT security in 2010 was just $400M, up a tick from 2009 but the second lowest year since 1998. Absent adequate funding, research and development cannot happen and we run the risk of critical technology inventions never seeing the light of day. Venture capitalists seem more interested in the latest social media start-up than the IT security market. Ironically, popular social media platforms such as Twitter and Facebook are increasingly popular targets for black-hat hackers, exponentially increasing the need for information security innovators.

So how do we manage this situation and turn a possible crisis into an opportunity? The good news is that the innovation void is a very solvable problem. The solution begins by changing conventional approaches to vendor/customer relationships. Developing a real partnership in which both parties have a stake in mutual success is a critical first step. Information security professionals will have to think and act strategically, not just tactically. There are tremendous opportunities for vendors, startups and end users to thrive in this new environment.

So how do you do it?

Some of the ways you can embrace the new reality include:

• Be the investor! Stop looking for vendors and start looking for partners. Why wait to hear about the coolest thing when you can help create it and have a stake in its success? While the “cloud” may bring even more security problems, it also provides startups with an incredibly cheap and scalable resource for developing and supporting the innovations helping offset some of the reduced capital investment currently available.
• Be the innovator! Look for ways to augment existing tools and make them run more efficiently. Innovation begins at home.
• Be the stakeholder! Dont look for a quick fix, look for a solution. A leaky boat can be patched only so many times before a full-dry-dock rebuild is required. Too many companies look only to the current quarter as a success measure but security is a process, not a product. Getting senior management on board may be the biggest challenge.

The innovation void is real and it will grow in severity and pose a major threat to all of information security if we wait for others to correct the problem. There is no magic fix or killer app coming this time. We will overcome this issue only with creative thinking and true leadership. We need to look within our own ranks. The innovation void can be closed by information security professionals willing to seize the initiative.

Peter Kuper is a faculty member of IANS and partner with In-Q-Tel, a strategic investing firm that identifies, adapts, and delivers technologies to support the missions of the intelligence community.