Part 5: Marcus Ranum on the state of information security

At Information Security Decisions 2009, Marcus Ranum offers his predictions on what's next in information security.

About the speaker:
Marcus Ranum is Chief Security Officer at Tenable Network Security.

View the rest of the presentation:

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact  

Part 5: Marcus Ranum on the state of informtion security

My take is that security is going to become increasingly specialized. 
Most of us who are pure security practitioners, who are not technical 
researchers, are going to just report to lawyers. I already spend way too 
much time talking to lawyers. There is always going to be a few mercenaries, 
that is another possibility. If you want to be one of the mercenaries, aim for 
the disaster-du-jour. There is a career path there and the career path would be, 
as soon as people start talking about Cloud computing, jump on cloud computing. 
Figure out the security problems with Cloud computing and be one of the 
15 experts in Cloud computing security problem. Please do not create 
problem security problems with Cloud computing and then be the world's 
experts in the problems that you create. If you are going to go down the 
mercenary specialist rout, you need to be a brilliant technical 
wizard and stay there.

What is still hot? Sim/Siem is still hot right now,
that is a big deal, that is what you are going to be
doing next. That is a market that is going to consolidate.
I am guessing that the Sim market will be gone in
5 years because all the big players would have
gotten acquired. Data leakage is going to be the next big thing.
There is already data leak vendors out there.
Did you see what happened with that? We had
Vontu, Veracept, Verticom, and all these, for some
reason they all started with V because the venture
capitalist appear to be running out of ideas. There
were 8 or 9 companies that were specializing in data leakage,
they all came on the radar screen, and then they all
pretty much vanished. A couple of them got bought,
Symantec bought one, and they are already gone.
That market went from immaturity to senescence without
actually passing go, very interesting. It is a big thing.
My prediction is that it is not going to work. It is another
reason why a lot of these guys disappeared. The only way
to prevent data leakage is to know where your data is,
what your data is, how it is stored, and who has
got access to it. That is really painful.

I think, in the next 5 years we are going to start to see
a ramp of interesting new work which is going to be
damage control on intellectual property hemorrhaging
brought on by outsourcing and other forms of data leakage,
there is going to be a huge market there. If you can speak
legalese, start getting in with law firms that are going to be
doing intellectual property litigation, and I think you are
going to eat very well for a long time.

I think outsourcing is going to be a fantastic job.
One career path would be to be a project manager
overseeing outsourcing, because you will be able
to be a consultant and re-insource things again in
another 10 to 15 years. I know you are laughing because
it is true. That is a big problem. I think consistently,
in all security areas the next big area of security is
always fixing the dumb stuff that the previous generation
of security practitioners allowed to happen.


View All Videos

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.