Part 1: Marcus Ranum on the state of information security

At Information Security Decisions 2009, Marcus Ranum begins his explication of the current state of computer security by taking a look at where it began.

About the speaker:
Marcus Ranum is Chief Security Officer at Tenable Network Security.

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies.

Marcus Ranum: A few things about computer security and where
the industry is going. This is all my opinion, you can filter that
appropriately. I suspect I am right, but I hope I am wrong.
Standard disclaimers apply. Contents may have settled during
shipping and handling. The short form: I think in 5 years,
security will not be an interesting place to be. I just did an
interview a little while ago and one of the questions I was asked
was, 'What would you tell a kid who was coming out of
computer science curriculum, who was interested in computer
security? What would you tell them to study?' My answer was,
'Do not do it.' When I say that security will not be an interesting
place to be in 5 years, I am not saying that it is going to be a
solved problem. I am not saying that there will be no more
hacking going on on the internet or anything like that. The
problem is that it will not be an interesting place to be if
what you are trying to do is innovate, create, challenge
preconceptions, or do anything other than the rote
mechanical things that you are going to be required to
do by your auditors and your employers.

What I am going to talk about is an industry view. I am
not looking at this from a research perspective. I am just
looking at this from the standpoint of technology trends
and financial trends, as well as some legal and managerial
trends, and how that is going. But if you look at the industry as
a whole, I believe that the industry is going to be largely
driven by those trends rather than anything else. It is
completely possible that there is some researcher down in
the field who is getting ready to come up with the next
fantastic idea, an executable run-time control or something
like that. My prediction is that those kinds of ideas will
probably have absolutely no effect whatsoever.

Here is how I can bolster that claim. The reason those ideas
are not going to have any effect is because we actually have
lots of ideas that are really good already, that have resolutely
failed to propagate out into the industry. How many of you
run antivirus on your machines? I do not; I have not for six
years and I have only gotten owned once. I run a program
that locks my machine down so that only the 14 programs
that I run are allowed to run and everything else is not
allowed to run; boom, done. Now it is nice to see that some
of the executives of antivirus companies are going around
saying, 'We are planning on having application whitelisting
someday really soon now.' What they do not tell you, of
course, is it makes their entire product line completely

In the early days of computer security, back in the late 60s
or early 70s, security practitioners were largely auditors. The
reason that we were largely auditors was because timesharing
involved money, because computers were extremely expensive,
so the auditing facilities of a lot of computers were really for
the purpose of making sure that people paid for the compute
cycles that they were using. The 1980s desktop explosion and
inexpensive computing threw all that out the window and
essentially made cycles free. Now we are at the point, interestingly
enough, thanks to cloud computing and virtualization, that
cycles are back to something that you might actually pay for,
it is just that they are so inexpensive that they are free, or
they are virtually free, which is a really interesting thing.

When you look at the premise of cloud computing, it is that there
will be huge amounts of inexpensive cycles out in the cloud.
One of the first things you should ask yourself is why on Earth
would you pay for cycles out in the cloud when you can have
them for free at home? Just a simple thing to think about, there.
Processing is really inexpensive. What you are actually paying
for is not processing out in the cloud; what you are actually
paying for is rack space in a data center, which is also relatively

In the early days, what we were mostly doing was log
analysis for mainframes to figure out who did what, when, and
how many cycles they burned, and we were often treated as an
accounting function, separate from IT, because you want to make
certain that the IT operators are not burning too many of those
precious expensive cycles playing NetHack or Rogue, or
whatever it is that they are doing. Of course, now it is World of

The early golden age of the internet security period was
1994, 1995, 1996, somewhere around there; it is hard to be
continuous. Everybody was going online. Firewalls were the hot
topic; we were selling lots of firewalls. We had lots of new
technology coming out and lots of attention being paid to the industry,
but here was the beginning of the end, the last bullet point down
there. We had security IPOs, specifically, Raptor Systems went
public and the stock went from, I think it was $9 on the IPO up to
$40 and hung there for a while. Trusted Information Systems went
public and did quite well. There were several other security IPOs
in the mid to late 1990s, and the venture capitalists said, 'Holy crap.
Here is a way we can exit with a 200 to 1 payoff,' which is what they
were looking at, and that had a huge effect. It caused this gigantic
influx of money into the security industry, and we are still dealing
with the downstream effects of that huge influx of money to this
