The Long Tail of Information Security (Part 1)


I have just finished reading The Long Tail by Chris Anderson (editor of Wired). It is brilliant and the best book I have read in several years. It's in the same class as Freakonomics and The Tipping Point. I highly recommend that anyone who reads my blog reads The Long Tail if they haven't already done so. I think it is extremely important when its theories are considered alongside the information security industry. It presents an insight into opportunities for the future and product strategies, and even offers a glimpse of what the future itself will look like.

In this post I am not going to summarize the theory beyond the amount needed to explain its context for information security. There are many sites that provide good summaries, including Chris Anderson's own blog The Long Tail, Wikipedia's page, and the original article that appeared in Wired. Instead I want to highlight some of the book's key points and suggest ways they may explain or influence information security trends.

[Image: the Long Tail distribution curve, with hits in red and niches in yellow]

The Long Tail theory suggests that the distribution curve for products and services looks like the image to the left. It shows that there is actually greater total demand for products and services considered to be niches and not mainstream (the yellow) than for hits (the red). This explains iTunes, blogging, YouTube, social networking and many other Internet economy trends. Again, I recommend reading the book cover to cover.

I fundamentally believe information security is a long tail market. Three facts support this statement:

- every business has multiple processes

- processes that are similar in name between businesses are actually highly customized (i.e. no two businesses are the same)

- there are a large number of processes unique to small clusters of users

One focus of the book is the notion that three main forces explain long tail markets; they are:

- Democratization of Tools for Production

- Democratization of Tools for Distribution

- The Connection of Supply and Demand

Part 1 (this part) covers the introduction and Tools for Production and Part 2 covers Distribution and Connecting Supply and Demand.

Democratization of Tools for Production

Just as blogging tools have democratized publishing and GarageBand has democratized music production, tools will democratize information security. In fact, blogging tools already have a significant effect. Just today I read a blog post from the Matasano Chargen folks about the facts of the Black Hat debates over rootkits, which provided a much clearer picture than an article in eWeek that quoted a so-called security analyst claiming they hadn't done their homework.

Tools differentiate mankind, and new types of tools have the power to advance the information security industry significantly. What will they look like? First, let's consider the key characteristics of other tools that have democratized production in long tail markets.

Microchunking is the term for designing products so that they are delivered to the user in the way the user wants them. The book uses the example of music, which used to be delivered on CD only. These days it's CD, online, ringtone and remixes. Microchunking is at work in security tools today. In tomorrow's world users will of course want to be able to run software online or installed, but they will also want to be able to remix. They may want the best scanning engine from vendor "A" combined with the best set of signatures from vendor "B".

Customers are looking for "and", not "or". An underlying trend for tools is that one size does not fit all. This is a common theme from almost all of the corporate security people I talk to today. Let's take a hypothetical threat modeling tool. The key to mass appeal will be to support all types of threat modeling methodologies, right up to and including the user's own. Tools that force a user to do something in a very specific way will have very limited appeal. Plotting geo-data overlaid with vulnerabilities and processed with visualization tools might help us see hotspots in a complex virtual world; "the wood from the trees". Alexa-type tools overlaid with vulnerability information may help us make better risk decisions based on business performance data. In an industry with a notoriously low signal-to-noise ratio, we will likely see tools that can produce high-signal information faster, cheaper and more efficiently than ever before. For instance, I have been dreaming up an idea to build a security advice distribution tool that can help analysts process information from the mass of sources more efficiently.

What this suggests is that the key to tools will be platforms. By definition a "platform" is a system that can be reprogrammed, and therefore customized, by outside developers and users, so that it can be adapted to countless needs and niches that the platform's original developers could not possibly have contemplated, much less had time to accommodate. A security platform will allow people to build the tools they want to solve the problems they have.

If you link to this blog post you will be creating a Long Tail about Long Tails. Please do! Ironically, if you buy the book (which you should) you will be further creating a best seller, or "hit", which is partially what the book is about dispelling!


5 Comments on “The Long Tail of Information Security (Part 1)”


  1. [...] Mark Curphey – SecurityBuddha.com Security Enlightenment – Mark Curphey « The Long Tail of Information Security (Part 1) [...]


  2. [...] – SecurityBuddha.com Security Enlightenment – Mark Curphey « Security Causality The Long Tail of Information Security (Part 1) [...]


  3. [...] just recently Security Buddha himself did a great three part expose on the Long Tail and Security. Read it, then come [...]


  4. [...] read the book) that it will spawn a series of posts similar to my Long Tail posts (here, here, here and here) about the psychology of information security. I think we can learn to be [...]


  5. [...] my head for a few years. If you have ever read my Security Next.0 posts, Long Tail Security posts (Part1, Part 2 & follow-up) or Trends in Information Security you will already know that I [...]
