The Long Tail of Information Security (Part 2)

My last post, The Long Tail of Information Security (Part 1), described why I think information security exhibits Long Tail economic characteristics, outlined the three forces of long tail markets and discussed the first of them, the democratization of tools for production. The intent is to provide an insight into what the future of information security may look like. Part 2 discusses the Democratization of Tools for Distribution and The Connection of Supply and Demand.

Democratization of Tools for Distribution

We all know there is no shortage of security information on offer. Mailing lists, BBS’s, blogs, community sites and professionally authored content abound. There is also no shortage of technology, with open source and commercial tools produced by professional teams and hobbyists alike competing for security dollars. In today’s economy the distribution of information is key. Making information relevant is a primary objective and one of the key forces behind the success of Google, iTunes and Amazon. This is especially true in a world where the line between what was traditionally called professionally authored content and amateur created content is blurred.

For a long time I have been dropping articles from the likes of eWeek from my reading. Why? The press generally writes articles so they can sell more advertising. Bloggers generally write articles so people will read them. That is a subtle but important difference. If I read an article in the press, chances are there is commentary from an “industry insider”. Usually these are people who tell the reporter what they want to hear, and almost always they aren’t people whose opinions I want to hear. Blogging allows people to filter their views to the people they trust.

This trend is of course prevalent throughout the new economy and will become more and more important to information security. A practitioner at the heart of the industry is better at reporting (more knowledgeable and more in tune) than an observer.

The Connection of Supply and Demand

Perhaps the biggest changes we will see will be in how “security next.o” connects people, process and technology. Search, ontology (information architecture) and communities will all play important roles.

In 2000 I started the Open Web Application Security Project (OWASP). Today it has half a million page views a month and several thousand people meet up all over the world every month to exchange ideas. This “crowd sourcing” will play a big part in the future of information security. The advice from the Long Tail is that people will tell you what they like and don’t like. Don’t predict; measure and respond.

Of course recommendations, reviews and ranking are key components of what is called the reputation economy. These filters help people find things and present them in a contextually useful way. Today few information security tools attempt to provide contextually useful information. What we will likely see emerge are tools that combine these techniques. A code review tool that finds a potential vulnerability may match it to crowd-sourced advice, which is itself ranked by the crowd, and then provide contextual information like “50% of people who found this vulnerability also had Y vulnerability”. Filters like ratings and ranking will help connect the mass supply of information with the demand.
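To make the idea concrete, here is an added example (not code from the original post or from any OWASP project) of the two filters described above: a co-occurrence statistic of the “X% of projects with this finding also had Y” kind, and crowd-ranked advice that drops entries with too few votes. The project findings, finding names and advice entries are constructed sample data.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample: finding types seen per reviewed project (hypothetical data).
PROJECT_FINDINGS = {
    "proj-a": {"sqli", "xss", "weak-session"},
    "proj-b": {"sqli", "xss"},
    "proj-c": {"xss", "csrf"},
    "proj-d": {"sqli", "weak-session"},
    "proj-e": {"xss"},
}

# Constructed crowd-sourced advice with up/down votes, keyed by finding type.
ADVICE = {
    "sqli": [
        {"text": "Use parameterised queries", "up": 40, "down": 2},
        {"text": "Escape quotes in input", "up": 5, "down": 20},
    ],
    "xss": [
        {"text": "Context-aware output encoding", "up": 30, "down": 1},
    ],
}

def cooccurrence(findings):
    """Return {a: {b: fraction}}: share of projects with finding a that also had b."""
    have = Counter()
    both = defaultdict(Counter)
    for types in findings.values():
        have.update(types)
        for a, b in combinations(sorted(types), 2):
            both[a][b] += 1
            both[b][a] += 1
    return {a: {b: both[a][b] / have[a] for b in both[a]} for a in have}

def ranked_advice(advice, finding, min_votes=10):
    """Crowd-ranked advice: ignore thinly voted entries, then sort by net score."""
    entries = [e for e in advice.get(finding, []) if e["up"] + e["down"] >= min_votes]
    return sorted(entries, key=lambda e: e["up"] - e["down"], reverse=True)

def context_for(finding, findings=PROJECT_FINDINGS, advice=ADVICE):
    """What a review tool could show beside a finding: related findings plus top advice."""
    related = sorted(cooccurrence(findings).get(finding, {}).items(),
                     key=lambda kv: kv[1], reverse=True)
    hints = [f"{int(round(frac * 100))}% of projects with {finding} also had {other}"
             for other, frac in related]
    return {"related": hints, "advice": [e["text"] for e in ranked_advice(advice, finding)]}

if __name__ == "__main__":
    ctx = context_for("sqli")
    print("\n".join(ctx["related"] + ctx["advice"]))
```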

Long tail markets are rarely bound by geography, and perhaps the biggest changes may come when someone finds a low cost distribution method for services. Today when you call a 1-800 number you may well find yourself talking to a call center in Bangalore. In the future, low cost distribution and technologies that connect supply and demand may automatically route an IDS alert or a vulnerability alert halfway across the world to an analyst, based on cost, speed or quality. A system may process a code vulnerability and determine that Heinz in Germany is the highest ranked user in the world for providing code workarounds for esoteric issues in .NET 6.5 code.

These two posts have been somewhat thrown together. My apologies. I simply don’t have the time at present to organize my thoughts. They also only touch upon what the future may bring. Long Tail economics has gripped me for a few weeks and I wholeheartedly recommend you read the book. I think it has compelling theories and may have a significant impact on the future of the information security industry.

Again don’t forget to link to these posts to create a long tail!


4 Comments on “The Long Tail of Information Security (Part 2)”


  1. Network Appliances Need More Interoperability

    I may like company X’s algorithms for scanning traffic but hate their GUI. Why does one have to be attached to the other?
    Rob tipped me off to some commentary by…


  2. [...] just recently Security Buddha himself did a great three part expose on the Long Tail and Security. Read it, then come [...]

