I continue my discussion of how to trust essentially untrustworthy networks, software, and hardware by addressing what works and what sells in the information security industry. In last week’s post, I outlined strategies we can implement to build customer trust in networked systems. Here I begin to look at the problem from an entrepreneur’s perspective: how does one build and grow a business, and how does that relate to solving real security problems? There is no easy way to draw general conclusions about such a complicated industry, so I thought the best way to address these questions was to discuss examples of successes and failures within it.
There are a few observations that characterize many information security situations:
There are other, more specific concerns to be addressed when developing customer solutions, as is evident in how the information security industry is organized. Below I list the areas of the industry according to their value to the customer (business or consumer):
Not every information security solution on the market fits neatly into one of these categories, and some of my classifications will be almost arbitrary, but I have found that some classification is necessary for this discussion.
Let’s consider the most commercially successful space in the information security market: virus protection. It is common knowledge that the number of viruses and other forms of malware is growing faster than ever before. All successful products in this space depend on generating signatures for known viruses and recognizing those signatures in files and traffic. Such an approach can protect against infection by, and the spread of, known viruses, but by construction it cannot protect against new and unknown threats: a sample that has not yet been collected, analyzed, and turned into a signature is invisible to the scanner, and even a known sample can be modified or repacked until its existing signature no longer matches.
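To make the limitation concrete, here is a small signature-based scanner. This is an added example written for this page, not code from any antivirus product; the "malware" sample, the signature names (`Demo.Beacon.A`, `Demo.Beacon.Family`) and the beacon URL are constructed stand-ins, and the byte string is inert. It implements the two signature styles real scanners rely on, an exact file hash and a byte pattern with `??` wildcards, then shows what each catches: the original sample, a minor recompiled variant, a repacked (XOR-encoded) copy of the same program, and a sample the database has never seen.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed stand-in for a known malicious file: an inert byte string with a
# fake executable header, a distinctive beacon URL and a version tag.
# It is not real malware and does nothing; it exists only to be scanned.
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"BEACON:http://c2.example/ping?v=1\x00"
    + b"\x00" * 8
)


def hex_sig(data: bytes) -> str:
    """Render bytes as a space-separated hex signature string ('42 45 41 ...')."""
    return " ".join(f"{b:02x}" for b in data)


@dataclass
class SignatureDB:
    """Minimal signature database with the two styles most scanners use:
    - exact SHA-256 of the whole file (cheap, no false positives, brittle)
    - byte patterns written in hex, where '??' matches any single byte, so a
      small edit near the pattern does not break the match.
    """
    hashes: dict = field(default_factory=dict)    # sha256 hex -> name
    patterns: dict = field(default_factory=dict)  # name -> compiled regex

    def add_hash(self, name: str, sample: bytes) -> None:
        self.hashes[hashlib.sha256(sample).hexdigest()] = name

    def add_pattern(self, name: str, sig: str) -> None:
        parts = []
        for tok in sig.split():
            parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
        self.patterns[name] = re.compile(b"".join(parts), re.DOTALL)

    def scan(self, data: bytes):
        """Return a sorted list of (signature_type, name) hits; [] means 'clean'."""
        hits = []
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.hashes:
            hits.append(("hash", self.hashes[digest]))
        for name, rx in self.patterns.items():
            if rx.search(data):
                hits.append(("pattern", name))
        return sorted(hits)


def build_db() -> SignatureDB:
    """Signature generation step: derive signatures from the collected sample."""
    db = SignatureDB()
    db.add_hash("Demo.Beacon.A", KNOWN_SAMPLE)
    # Family pattern: the beacon string with the version digit wildcarded.
    db.add_pattern("Demo.Beacon.Family",
                   hex_sig(b"BEACON:http://c2.example/ping?v=") + " ??")
    return db


def xor_encode(data: bytes, key: int) -> bytes:
    """Stand-in for a packer/crypter: same program, entirely different bytes."""
    return bytes(b ^ key for b in data)


def demo():
    """Scan four constructed inputs and return {case_name: hits}."""
    db = build_db()
    cases = {
        "known":   KNOWN_SAMPLE,                                  # exactly as collected
        "v2":      KNOWN_SAMPLE.replace(b"?v=1", b"?v=2"),        # minor recompile
        "packed":  xor_encode(KNOWN_SAMPLE, 0x5A),                # repacked copy
        "unknown": b"MZ\x90\x00" + b"\x00" * 8 + b"PING:https://other.example/\x00",
    }
    return {name: db.scan(data) for name, data in cases.items()}


if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case:8s} -> {hits or 'no detection'}")
```

The hash signature only ever matches the byte-identical file, so a one-byte change in the version tag already evades it; the wildcarded pattern absorbs that edit but is defeated the moment the sample is repacked, and the genuinely new sample is missed by everything. Each miss is a gap that is closed only after someone collects the new sample and ships a signature for it, which is exactly the window the paragraph above describes.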