Thursday, March 20, 2008


Market Forces and Information Security

Gunnar Peterson posted some great thoughts on market forces within information security that are worthy of further analysis...

Hopefully Gunnar is aware that market forces are at work and Oracle is busy with plans to assimilate BEA, and from a security perspective nothing good can come of it. Of course this doesn't mean that they won't attempt to put together a thinly veiled, chock-a-block, eye-candy PowerPoint lacking substance that will convince only IT process weenies who otherwise aren't technical, and no one else, that security is important.

I wonder if Gunnar is aware that RSA doesn't actually have its employees putting out conferences and that this is an outsourced activity.

Gunnar probably realizes that security companies will emerge when the right amount of money is placed on the table. Of course this assumes that the enterprise has enough money in their budget left over to do real security and haven't blown it all on identity management provisioning tools and upgrades to their porous firewalls.

The enterprise most certainly has lots of problems, and many of them start with the cartoon characters called enterprise architects who are too busy selling a finely polished pile of best practices without focusing on what is truly important. Interestingly enough, I think Gunnar uses the word "top" in a different way than most: he is not referring to the organization chart but to raw talent. The real question is what the top talent is actually working on. You would be surprised if the truth were revealed. More important is Gunnar's last sentence, where he states that the market hasn't listened to the enterprise's problems.

For example, I and other bloggers have talked about the fact that having XACML-enabled applications in the BPM and ECM space is invaluable. Do you think you could find a single, solitary developer in one of these companies working on it right now? Even thinking about it? I seriously doubt it. In fact, I can tell you that for one ECM vendor, I arranged for not one but ten different enterprises, including but not limited to Pfizer, Merck, Home Depot, Allstate, AIG and others, to talk about why we collectively believe that ECM systems should store content and not users, and was ignored. Maybe some discussion on how security requirements could get higher priority over feature-oriented architectures is in order.

I have to disagree with Gunnar in terms of the auto industry listening to customers or understanding their needs. If you were to walk down the street in any city in America, you would see that the width of folks is increasing. The cubicle disease is causing backsides to spread, which should translate into making car seats wider, yet nothing has changed on this front and manufacturers instead emphasize legroom. Are Americans getting taller or fatter?

Sun does this, but are they as bad as other companies such as Oracle or CA? For example, should an Oracle database not only be able to authenticate against Active Directory but also support externalization of groups and roles without requiring additional licensing? To be fair, part of me believes that if CA, Oracle and others were to improve security by putting stuff into existing products, versus the current approach of thinking about security as a new product, things in many enterprises would get worse. I bet you could back-test the fact that unless you pay lots of money for software, you probably won't use it properly, if at all.

The other aspect of this equation is that many of my industry peers who have the title of enterprise architect are absolutely horrible and outsource their PowerPoint work to software vendors, who will gladly do it for them as part of a sales pitch or dog-and-pony show. If security were in existing products and there were no revenue to be had, then it would actually require enterprise architects to keep up with technology, understand risk and, most importantly, have stewardship over the domain they oversee instead of focusing on perception management...

