Every company has something for which it is particularly known. For Apple, it is design and entertainment. For Google, it is mostly copying Apple reasonably well and making stuff cheaper. For Microsoft, it is integration with Office and Microsoft’s cloud. And for BlackBerry, it is BBM and security.
I flew to the East Coast this week to hear BlackBerry talk about this focus. It represents a strategic advantage for business and enterprise buyers, who are increasingly concerned about the level of security threats sweeping across the world as governments move to attack our theoretically secure networks and devices, helping us discover the broad difference between theory and fact. Many of us went from good-enough security to answering questions from our CEOs and boards about our competence after a breach that may not have even been reported.
BlackBerry is hearing the call and this event is about its focus on these needs.
By the way, John Chen, BlackBerry’s CEO, is a ton of fun to watch. As an opening speaker, Chen actually sets a nice tone for these events because he is so great on stage.
Connected Cars and Security
Before we got into the meat of the event, Chen drifted into the Internet of Things, and particularly the connected car, and I had one of many “oh crap” moments at the event.
One of the platforms that I’m particularly interested in is QNX, which is used as a primary platform in the Internet of Things, and particularly in nuclear power plants. But the part of most interest to me is that it has around 50 percent of the automotive market. Why would I be concerned about security in cars? Well, with cars increasingly being driven by wire and wirelessly connected, it creates a frightening future where our cars could get hacked and our lives put at risk. QNX, because of its secure roots, is arguably the most secure of the automotive platforms. You and I might want to favor Audi and other vendors that use it in their cars if we want to remain safe. QNX is also the platform that BlackBerry runs on. While this topic was covered to kill time before the announcement of the acquisition below, I thought it was worth mentioning because the idea of a car driving off a bridge because it was hacked kind of scares the crap out of me.
Secusmart, which BlackBerry is acquiring, is located in Germany and its most famous solution is anti-eavesdropping technology. When it comes to engineering, Germany is considered a world leader and security technology has a very high engineering component.
The Secusmart team reaffirmed that you can’t secure a phone by adding security to it; you have to design the phone from the ground up to be secure and then enable communications. Otherwise, exploits like rootkits and applications can get underneath the secure layer and compromise the phone.
The combination of Secusmart and BlackBerry, according to the Secusmart executives, results in the most secure solution from data to voice. We often forget that the voice component of a phone needs to be secured as well. With this addition, BlackBerry will be the only smartphone platform that secures both data and voice. The exec demonstrated the exposure of not having this protection by playing a Russian intercept of a U.S. call in which a U.S. diplomat is on record telling the EU to get screwed (using another word). The call was released to the media with some fanfare.
The execs maintain that if you are traveling and don’t have a solution like this, you need to assume your calls are being monitored. With improvements in voice recognition and unstructured data analytics, calls can be mined years after they are made for government and industrial intelligence.
Forrester’s Scary Security Panel
BlackBerry brought up Forrester’s head of mobile and security, who pointed to the speed of technology distribution. Apps, many of which may now be compromised with malware, can spread to 50 million or more users in less than a month. It won’t be long until we measure this in single-digit days. Mobile device management, when you add security, becomes massively complex unless it is a unified mobile platform.
A panel of security experts from health care, banking and government indicated the attacks on their networks are becoming more varied in nature, more innovative and more frequent. A brokerage CSO indicated that hackers are particularly interested in what brokers are saying and doing so they can get an illegal investment edge. Health care execs reported that they are facing a nightmare of massive technology change with massive increases in connected devices and, thanks to the Affordable Health Care Act, the databases are being forced to connect rapidly. Hackers want access to this information because, when it comes to identity theft, these databases have virtually everything they need.
The panel indicated that they can’t find a single vendor that can provide a single security solution that covers all of their needs. They tend to favor holistic solutions; they don’t want to manage a bunch of point solutions that may or may not work together; and they want simplicity because the complexity they all are facing is stretching their resources past the breaking point.
The government security expert spoke of a plane trip during which a person sitting next to him wanted to charge a phone off his laptop. How many people realize that if you allow that, you open the laptop to anything that is on the phone, and the phone to anything that is on the laptop? I wonder how many attractive spies get government functionaries to let them charge phones off laptops. It never occurred to me that bad battery life (they kind of made a big deal that iPhone battery life sucks) was a security risk. It makes me wonder how many public USB charging stations are compromised.
The financial industry CSO argued that his industry’s regulators are aggressively moving to standard security tests. One is on ease of use, with the belief that if it is hard, users will bypass it. The health care expert expressed a similar concept, suggesting that the technology must not only be comprehensive but easy to use. The panel expressed that up to 90 percent of their voice and data traffic may not be secure because the secure solutions are simply too hard for the users to use regularly.
One interesting comment was that underwriters for security insurance are starting to look at the security implementations, particularly with regard to mobile devices, to assess risk and set premiums. This suggests that if your security solution isn’t very good, the premiums for this insurance could increase exponentially.
The final speaker was from Skadden, a global law firm that stood as the primary advocate for BlackBerry. When a law firm gets breached, it could lose all its clients. The breach potentially compromises all of the litigation, and business clients have no sense of humor with regard to violations of attorney-client privilege by their attorneys. The speaker attested that he can’t afford to use anything else because the personal and company risk would simply be too great.
Wrapping Up: Security as a Strategic Advantage
As you would expect, BlackBerry had a series of executives come up to take each of the problems identified by the industry panel and point to a BlackBerry solution that would mitigate it, not only on BlackBerry hardware and software, but on competing platforms like Android, as well. They represented that the reason they have a sustainable security advantage is that they kept their code simple. Rather than millions of lines of code, their security and operating platforms are measured in thousands of lines. As a result, they are massively reducing the attack surface on their products, including those that secure the platforms. They reiterated that to address the comments from the security panel, you have to design security in from the start. You can’t successfully layer a security solution on top of an insecure platform any more than you can build a robust fort on sand.
In the end, the execs conveyed their security advantage: For others, it is an afterthought. For BlackBerry, security is its killer app. In today’s hostile world, at least for enterprise CSOs, that is a compelling advantage.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM.