Marcus Ranum: Peter, thanks for taking the time to talk. I know some security people probably wonder why a stock
market/financial analyst's views are relevant, so let's get that out of the way first. Whenever I talk to you, I realize the forces outside our little industry, which most security practitioners never see, are probably more powerful than we realize. Vendors buy each other, products that we love disappear, and there's a whole level of stress to the system that we only notice when it blindsides us. I know this is a huge question, but what effect is the recession we're in going to have on the technology pipeline that's available for security practitioners?
Peter Kuper: The recession has unfortunately further tilted the advantage to the big vendors as they can weather the tough times far more easily than private companies given their sheer size and customer base. They can also access capital in ways completely unavailable to private companies.
Marcus: Well, we’ve certainly seen the trend of “big companies get bigger” even in a tough market. So does that mean the security startups are going to be fewer, and they’ll stay in the garage stage longer?
Peter: Private company options are limited due to their size and structure. Raising capital through debt is sometimes available, but likely at a higher cost. Equity raises are even more expensive as the company must give up ownership to outside investors, thereby reducing their stake. In tough times such as these, the costs are typically higher as investors want a higher risk premium. Going public is another way to raise capital, but the stock market volatility has presented challenges here as well. In August last year for example, 20 companies stopped their plans to do initial public offerings—the most in any month in 10 years according to the Wall Street Journal. An entire month with companies unable to raise capital. That's a very unsettling operating environment for a private company to work in.
Marcus: It sounds like the effect of the economy is to put a great “glass ceiling” in place for the startups.
Peter: When you see this scenario, the larger publicly traded vendors have the advantage in multiple ways. For starters, they can simply use their capital advantage to acquire the less liquid private companies. Add to this scenario a tough IPO market and where else can the private company turn?
Marcus: So you're painting a rather grim scenario in which the big guys will get bigger and the small guys will find it harder to get by. To me, that sounds as if we're going to experience a lull in innovation -- the big companies historically seem to sit back and sell their existing technology base, buying the innovative startups when they come along. If it's suddenly harder for the innovators to get into the market, are we likely to see the innovation happening elsewhere (social media, etc.--- where there's lots of money being spent) and security become a backwater? Or, should I say, more of a backwater than it already is?
Peter: That is the fear; that security gets even less attention as the professional money chases the next Facebook. Unfortunately, the data already confirms this trend, as we've seen a steady decline in security investments. Hopefully, though, the typical rotational cycle of investments will occur here as we may be approaching a bottom to the downtrend. That is not to say we're eyeing a resurgence, but the worst may be over. For security to see a true growth trend we need a number of variables to align and the odds there are not supportive. For example, the classic investment guide is to “invest where folks are spending money.”
Marcus: That sounds like good advice to me!
Peter: But if IT shops keep blowing 50 percent to 60 percent of their security budget on antivirus, a decades-old approach that clearly has minimal and arguably no real defense benefit, how can a critical mass of startups get a seat at the table? So, while it's easy to point the fingers at venture capitalists wanting to own the tweets, the user community has a large part of the blame given their apathy if not reliance on antiquated approaches.The easy charge is to incite the IT users to work more closely with startups, but that's not a simple execution by any means. Many a startup will fail, so there is a risk to be managed and many shops simply can't afford to manage the risk of investing in a technology that dead-ends. Many shops, of course can and -- encouragingly -- are looking at ways to better engage with startups.
Marcus: This all sounds pretty grim, but reality for security has always been grim; are there any positive signs?
Peter: One bright spot on the horizon is that product and services companies, including social media, are starting to take security more seriously. They’re recognizing that ignoring that facet can have dire consequences. "Better safe than Sony," is a phrase I picked up at a security conference and it always gets the same response when I repeat it: an uncomfortable, sheepish grin. That suggests everyone knows the pain from that experience but these same smirkers need to realize they just haven't been targeted yet. So maybe, "better lucky than Sony" is more applicable. All it takes is some moral jihad and your company is toast.
I'm seeing the largest of the new companies take security far more seriously than the old large companies. They’re trying to embed this all-important capability into their core offerings. Google and Amazon, for example, have recently increased their investment in security from both technology development and hiring folks to make their offerings more reliable and stable. Apple, too, is working diligently to improve its security capabilities from both the core product line, but also the App Store/hosted services types of offerings. And yet, this is not anything new, it’s just becoming more prevalent. Microsoft, the poster child for security critics for years, quietly but heavily, invested in security, including hundreds of millions of dollars in acquisitions and an equal amount for staffing and internal development. It is easy to argue Microsoft spent more than $2.5 billion in security-related efforts over the past five years and that estimate may be too low. So, all you Microsoft haters out there may still take issue with "Super Tuesdays," but at least the company has responded and in no small manner.
Marcus: I love the way, in your worldview, that everything is simply driven by money. And, of course, we all know you’re right, but it’s always a bit of a shock to confront. The biggest push for change in the IT economy is being driven by economies of scale and availability of capital.
Peter: Exactly. It will always be challenging for the startup to emerge from the garage or basement from which they dutifully build their wares. If Microsoft is dropping billions, how can a bootstrapped startup’s $100,000 make any impact? The good news here is that they can make inroads into new markets via what is ultimately the largest attack surface given its reach and applicability: the cloud. What the cloud taketh away, the cloud giveth back!
For any tech-type startup, utilization of hosted services offers huge financial leverage. Instead of buying racks of servers and then supporting and maintaining them in a climate-controlled location, anyone with a decent connection and a credit card can access a massive amount of computing power, storage and Web bandwidth, instantly. Of course, the irony here is that given this tremendous economic appeal, we are seeing a classic scenario of “use it now then worry about security later.” Fortunately, this is not as prevalent as the dot-com build out where security wasn’t even an afterthought, but still many companies are racing to the cloud and virtual capabilities with minimal understanding of the security implications. Hence: yet another opportunity for any would-be entrepreneur.
Marcus: As Tom Lehrer once said, “Specialize in diseases of the rich.” I can’t wait to see what happens. Thank you so much for your time!