Thursday, March 16, 2006


Sharing IT Security Innovations

Several weeks ago, I pinged several industry analysts on an idea that has been running through my head. The IT security industry needs innovation that will lead to more-efficient IT security systems. I know that innovative best practices are often shared by the "bad guys," but those of us who work for large enterprises haven't figured out that sharing security innovations may allow us to keep up. If we don't, any idea we propose to the folks on executive row regarding protecting the enterprise is futile...

The open source evangelist that I am essentially thinks of opportunities to share at every waking moment. I have been noodling three different areas in which I would like to expand knowledge sharing in the security space and will be pitching the notion of open specifications at work. The idea behind open specifications is that sometimes those of us in corporate America all suffer from the same exact problems. We may or may not share what problems we have with the venture capital community, so they can focus their investment dollars towards solutions that we would immediately purchase. Likewise, we may or may not share with industry analysts, who maintain great relationships with many enterprise vendors and who can give a kick in the butt to enhancements that will protect our enterprises.

Sometimes, the enhancements we desire are to fundamentally closed source products, so there is no opportunity for us to extend them ourselves. It is usual for those of us in corporate America to submit enhancement requests to vendors, who for the most part reply back with the canned answer that they have to understand our request in the context of other enterprises and their priorities. We never know if this is truthful or just a blow-off answer, and it may be a little of both. What if we submitted enhancement requests (aka open specifications) that were not just all about us and our own needs but were endorsed by, say, fifty other large enterprises? Would we then get a little respect?

I have been noodling the plan of attack to work out the kinks in my thinking. Essentially, I see the following steps:

1. Iterate by making sure enough of the really smart folks at my own employer have found every nuance/discrepancy so as to not embarrass myself when making it public. (Finish by end of March)

2. Send the specification to several of my peers within my industry vertical and do iteration two on the document. (Finish by end of April)

3. Find a competitor or two that would be interested in winning our business and would be willing to extend their own product to meet our requirements. They would know in advance that it was done in an industry vertical fashion, that any efforts they do for us could become amplified, and that they would be personally introduced to others, giving them an equally easy sales cycle.

4. Extend the specification and the newly developed reference implementation to other enterprises not in my vertical. The vendor who builds the reference implementation again sees their potential market share growing.

5. Pay an industry analyst firm or two to create a "quadrant" or similar notation report that outlines the problem space and immediately slots our reference implementation as the leader. If vendors can pay for analysts to write research reports, why can't customers? Of course, this will provide fuel to all the enterprises who allow their architects to not think for themselves and run around their enterprise with research reports in hand, pontificating our thinking.

6. We issue tons of press releases, blog, and do even more case studies on why we are innovative. I become a keynote speaker at every single InformationWeek and ComputerWorld conference in 2007.

7. The vendors who put us into their "queue" for enhancement requests figure out that they really should start paying more attention to what we are asking for. They throw tons of resources at the problem space, and it gets commoditized over time, reducing our own total cost of ownership.

There are still several aspects of my idea that need refinement. Minimally, I would love to receive feedback from others as to how to make it better. Some of the things that I have not yet figured out:

1. Does it make sense to pay for an analyst firm to write a whitepaper on this subject or will they be intrigued enough to jump in themselves without monetary stimulation?

2. When it comes to analysts, how do we get them to start writing papers we want to read? Some are better than others...

3. What legal things am I walking into?

4. Has anyone tried this before without forming an expensive consortium?

5. Is there a consortium that is focused on the security of products that I can join freely?

6. If I do this under a consortium, is there a way to get the idea out quickly? I don't want to spend years refining it to the nth degree. Working software in the hands of those who need it, in a timely manner, is more important.

7. I was thinking there is merit in working this idea with several accounting firms. The ability to close security solutions in an industry standard manner, especially when they are related to Sarbanes-Oxley, brings simplicity to their world. If anyone knows who I should contact in the Big Four, please let me know.

8. If you happen to be an employee of Sun, IBM, Oracle, BEA, CA, Microsoft, or another large software vendor and have tips on how to shortcut the "influence" game so that it turns into a form of open command-and-control, please respond in your own blog via trackback.
