Enterprise Architecture: From Incite comes Insight...

Gunnar Peterson posted some great thoughts on market forces within information security that are worthy of further analysis...

Market forces have been instrumental in rolling out lots of good technologies. For example back in the 90s thanks to the web boom, component programming, and J2EE, BEA was the fastest company ever to $1 billion

Hopefully Gunnar is aware that market forces are at work and Oracle is busy with plans to assimilate BEA where from a security perspective, nothing good can come from it. Of course this doesn't mean that they won't attempt to put together a thinly veiled chock-a-block eye candy Powerpoint lacking substance that will only convince IT process weenies who otherwise aren't technical and no one else that security is important.

Market forces have been instrumental in rolling out lots of good technologies. For example back in the 90s thanks to the web boom, component programming, and J2EE, BEA was the fastest company ever to $1 billion

I wonder if Gunnar is aware that RSA doesn't actually have its employees putting out conferences and that this is an outsourced activity.

what we don't really have though is - security companies of scale that help enterprises of scale solve real world security problems

Gunnar probably realizes that security companies will emerge when the right amount of money is placed on the table. Of course this assumes that the enterprise has enough money in their budget left over to do real security and haven't blown it all on identity management provisioning tools and upgrades to their porous firewalls.

The enterprises have a lot of problems, and they are in need of innovation in the security space, but the enterprises have limited ability to develop, and deploy security innovations (their top people are already spread thin), and the market has so far not listened particularly well to the enterprise's problems

The enterprise most certainly has lots of problems and many of them start with the cartoon characters called enterprise architects that are too busy selling a finely polished pile of best practices without focusing on what is truly important. Interestingly enough, I think Gunnar uses the word top in a different way than most and is not referring to the organization chart but is referring to raw talent. The real question is what are the top talent folks actually working on? You would be surprised if the truth were revealed. More importantly is Gunnar's last sentence where he states that the market hasn't listened to the enterprises problems.

For example, I and other bloggers have talked about the fact that having XACML-enabled applications in the BPM and ECM space is invaluable. Do you think you could find a single, solitary developer in one of these companies working on it right now? Even thinking on it? I seriously doubt it. In fact, I can tell you that for one ECM vendor, I arranged for not one but ten different enterprises including but not limited to Pfizer, Merck, Home Depot, Allstate, AIG and others to talk about why we believe collectively that ECM systems should store content and not users and was ignored. Maybe some discussion on how security requirements could get higher priority of feature oriented architectures is in order.

Wait - they listen to customers, innovate new things, control costs, and deliver safety mechanisms to market while growing their business?

I have to disagree with Gunnar in terms of the auto industry listening to customers or understanding their needs. If you were to walk down the street in any city in America, you would see that the width of folks is increasing. The cubicle disease is causing backsides to spread which should translate into making car seats wider, yet nothing has changed on this front and manufacturers instead emphasize legroom. Are American's getting taller or fatter?

It is strange to me that companies like Sun, Red Hat and others, seem to approach security as a game to sell more hw/sw instead of a viable market in and of itself

Sun does this but are they as bad as other companies such as Oracle or CA? For example, should an Oracle database not only be able to authenticate against Active Directory but also support externalization of groups and roles without requiring additional licensing? To be fair, part of me believes that if CA, Oracle and others were to improve security by putting stuff into existing products vs the current approach of thinking about security as a new product, things in many enterprises would get worse. I bet it you could back test the fact that unless you pay lots of money for software, you probably won't use it properly, if at all.

The other aspect of this equation is that many of my industry peers who have the title of enterprise architect are absolutely horrible and outsource their PowerPoint work to software vendors who will gladly do it for them as part of a sales pitch; dog-and-pony show. If security were in existing products and there were no revenue to be had, then it would actually require enterprise architects to keep up with technology, understand risk and most importantly have stewardship over the domain they oversee instead of focusing on perception management...