5 Constraints To Security Innovation

Looking Back, Looking Ahead

“We now have a massive security industry, and hacking and data loss is a bigger issue than ever before”


The great thing about the information security field is that it constantly re-invents itself, or at least it tries to. In truth, real innovation is rare, and recycling is common.

Developments in information security are reactive, and innovation in the space only occurs when “real” innovations happen elsewhere. To some extent, this is inevitable. Example: there was no anti-virus industry before the microcomputer innovations of the 70s and 80s. Before that time, discussions about any kind of security were generally limited to the provision of usernames and passwords controlling access to dumb terminals connected to central mainframe applications.

The microcomputer revolution changed everything, putting real power in the hands of the end user, freeing them from the tyranny of the sys admin. Simultaneously, the information security industry was born, offering instant solutions to new classes of problems.

Then the Internet blossomed, joining up the dots. End-users, empowered and online. The next iteration, and an even bigger security industry.

The cycle is repeating itself, as cycles do. Roll forward a decade or so. AV is yesterday’s discussion, and every one of us is the administrator of perma-connected mobile devices.

We now have a massive security industry, and hacking and data loss is a bigger issue than ever before. Why?

“Technology that is secure but hard to use will fail to make an impact”

The simple answer is that the security industry never actually catches up with innovations elsewhere (not forgetting that innovation happens both legitimately and illegally). Also, there are some serious constraints that any security technology has to work within:

  1. End-users will resist being functionally restricted.
  2. Ease of use is, and always will be, paramount.
  3. Most end users do not perceive security issues, do not know who to trust and will often make poor security decisions.
  4. About 35% of the World’s population are currently on the Internet, and the figure continues to climb steadily. Solutions have to be capable of massive scaling in the future.
  5. All user-facing technologies have to innovate within the constraints above, or risk becoming niche or irrelevant.

Technology that is secure but hard to use will fail to make an impact. Technology that is easy to use but does not improve security will fail to make an impact. There have been plenty such products over the years.

Which (apart from the Internet statistic) is exactly where we were decades ago. In that sense, the industry has not moved at all, but has merely repeated itself on a bigger scale. It’s easy to become frustrated by this (frustration is a common complaint in the security business); however, there are some positive effects.

“We’re just beginning to understand what doesn’t work in the vital task of establishing trust”

Firstly, now that we’re in this third cycle, we’re past the “we know what we don’t know” phase. This means that many of the behavioral aspects of human-computer interaction are well understood. We understand the kinds of decisions people make when interacting with technology (the bad guys know this too, but let’s gloss over that for now).

Second point. We’re just beginning to understand what doesn’t work in the vital task of establishing trust. Technologies such as SSL have been shown to be flawed because of their susceptibility to human error and implementation faults; clearly we need something better. Projects like Convergence seek to replace the flawed certificate authority system which underpins the trust that SSL is supposed to provide. It’s still early days, but this is real innovation.

Third time lucky, there’s every reason to be optimistic.
