When it comes to advances in the security space, it’s sometimes hard to understand what kind of calculus is being used by security professionals to measure innovation. Next week at the RSA conference 2010, the organizers of the conference have highlighted 10 innovative companies that have been selected to compete before an elite group of security industry judges to be the most innovative company at the 2010 show.
While all these companies have merit in terms of their offerings, it’s not clear that there is a whole lot of really meaningful innovation going on in the security space. For example, one of the more technically elegant solutions on the list is a hypervisor firewall. That’s a compelling piece of engineering, but as yet hypervisors have not been widely attacked or even cracked. So it amounts to a remedy to a problem that is still waiting to happen.
The rest of the list includes better tools for vulnerability testing and compliance monitoring, applications for better managing security professionals, new authentication schemes, and an appliance for managing access control. The most useful of the set in terms of dollars saved is a tool that makes it easier to track what changes were made to what settings, which not only makes it simpler to audit what’s going on, but also to identify what needs to be fixed.
As good as any of these products are, none of them will elicit major cheers. They're more likely to generate polite “golf applause” in that they solve a point problem. The security industry as a whole seems to have developed a symbiotic relationship with the hacker community in that most of the innovation seems to be focused on providing remedies to security issues. The good news is that application developers are starting to take more responsibility for security, which in turn should help reduce the need for so many security remedies.
The good news, for the security industry at least, is that a recent survey of 137 midmarket IT execs conducted by IT Business Edge found that only 59 percent thought that reducing their security costs in 2010 was either a medium or high priority. Almost 78 percent of them said that security was also a high or important priority for 2010. But on the down side for the security industry, only 40 percent said they intended to upgrade or replace their security solutions in the next 12 months. (You can see other details of the survey here.)
The RSA conference is much more of an industry insider confab than it is a tradeshow that attracts droves of actual customers. But as a litmus test for the state of innovation in the security industry, it does show that there is a whole lot more focus on selling remedies to security symptoms than there is real focus on curing the illness.