More Long Tail Security Thoughts

Judging by the blog stats, readers have been enjoying my Trends for Information Security and Long Tail of Information Security (Part 1 and Part 2) posts earlier this week. A few people have mailed me off-line asking for clarifications and suggesting ideas. Having thought about the questions raised and fired off answers (with various degrees of thought), I think they make an interesting follow-up post.

“If I understood you correctly, the long tail means that products will die and services will rule?” Nice try, Monsieur ‘thinly disguised consultant’, but not so fast! Tools are fundamental to the advance of man, and that basic human nature will continue to advance. What it does mean for products is two key things: flexibility and interoperability. These two key properties will be needed for people to be able to build tools that meet the exact needs of the long tail consumers, the majority. Hit products like SecurID tokens or Firewall-1 will continue to happen but will be less frequent and less pronounced, unless of course they are highly flexible and highly interoperable. There is still mileage for hit products, but they will need to look different from those that have gone before. Products will need to become more flexible, meaning companies will need to build platforms and not black boxes. Products will need to interoperate, meaning people will choose the best individual solutions and expect to be able to bolt them together. No more half-baked security dashboards that look like Excel charts, or home-grown workflow engines. People want to leverage enterprise dashboarding initiatives and real business process management platforms. Now this is of course 100% contradictory to the strategy of the big security vendors, who want you to buy their suites, and it is certainly true that people want fewer, not more, vendors, so it will be interesting to see how marketing forces and market forces interact. My money is on the latter.

Can you share a simple non-security example so I can understand the long tail before my book arrives? I sure can. Think about online travel. Every airline has a site where you can book flights on routes they travel and generally little else. Along came aggregators who have captured the Long Tail market, sites like TravelAdvisor.com. Most people don’t just want to travel on a specific route offered by the major airlines; they want to go from their A to B, which may include connecting flights to a destination the airline doesn’t cover, a rental car either side and maybe a hotel. People want flexibility to pick and choose, to create a schedule that’s perfect for them. This may be pieced together from various sources. They want recommendations (crowd sourced recommendations) and they want to see aggregated views comparing options in various ways. Just like Amazon recommendations: “people who went to Sydney enjoyed a one night stop off in Hawaii, we can offer you that for $150 extra”.

While on this topic of user recommendations, I watched a fascinating experiment on a BBC current affairs program last week about the Science of Crowds. You can watch the video online here. The reporter was investigating the power of collective judgement. He went to an open air market in London with a cake and asked people to guess the weight. Of course he had wild guesses at either end of the spectrum, but after asking 120 people the crowd’s average guess was only 6 grams out. That’s 99% accurate!

What’s crowd sourcing got to do with security? Well, imagine if there was a platform to analyze vulnerabilities or threats collectively and redistribute them with statistical analysis. Note: I have actually designed this and may well build it as a free app if I ever find time.

The Long Tail explains why I like towns and cities. My wife and I have lived all over the world (Europe, US, Trinidad, Nigeria, Dubai) and in every scenario from city apartments to a country house in the middle of nowhere (present). Cities have enough population density to support unique businesses. This equals choice. I can find my beloved Indian curries (English national dish of choice, by the way) and my Victorinox clothing. Population density makes it all possible. A large population can support the vast number of choices.

So what does population density have to do with security? I was skeptical about security appliances for a long time. What I think now is that vendors like Crossbeam Systems have a potentially winning play with their iBeam strategy. The network (population density) can support a large number of unique solutions and when you aggregate them on a common platform distribution becomes smoother.

“I don’t get what social networking has to do with security. I think you are just jumping on the bandwagon and trying to use buzz-words.” 

Well, thank you for the mail, “anonymous for a reason” (static IP address left in the SMTP header). Consider the vulnerability analysis and distribution application where the crowd provides accurate analysis based on crowd sourcing. For a new example, consider a new application like this. All corporations use services and product companies. All services and product companies want to sell more stuff to corporates. Most people buy or sell based on recommendation. Take a look at this great slide deck on SlideShare about word of mouth marketing. http://www.slideshare.net/kameran/word-of-mouth-marketing-techniques-womm/ 92% of people prefer to buy based on word of mouth recommendations. Now imagine if there was a socially aware vendor management application. Peer groups could share intel about services and product companies and vice versa. Companies could query for a service provider who has done code review on C++ device drivers for an ISV or reviewed a web app and got a 5 star rating from people we trust. Social networking is not just about consumers in the traditional sense, although it is true there are few corporate applications to reference today.

2 Comments on “More Long Tail Security Thoughts”

  1. Internet and The Long Tail | Risking it ... Says:

    [...] just recently Security Buddha himself did a great three part expose on the Long Tail and Security. Read it, then come [...]

  2. ispeakformyself Says:

    there is a good article based on Burton’s research on “the long tail of risk & dynamics of security market” - http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1266218,00.html

    my rants n ravings at - https://inthepassing.wordpress.com
