Reactions to Latest Schneier Thoughts on Security Industry

The March 2008 Information Security Magazine features an article titled Consolidation: Plague or Progress, where Bruce Schneier continues his Face-Off series with one of my Three Wise Men, Marcus Ranum. Marcus echoes the point I made in my review of Geekonomics concerning the merits of open source projects:

Most of us have had a product suddenly go extinct--to be followed shortly by a sales call from the vendor that fired the fatal shot--in spite of the fact that we depended on it and paid 20 percent annual maintenance...

To me, it's the best argument for do-it-yourself or integrating open source technologies into your product choices. Remember: the big argument that's levied against open source is "Who is going to maintain it?" That argument stacks up pretty neatly against, "Is this product going to exist tomorrow?"

I liked that thought, but I became more interested in Bruce's counterpoint on security industry consolidation. This echoed what I reported last year in Response to Bruce Schneier Wired Story. This month Bruce says:

Honestly, no one wants to buy IT security. People want to buy whatever they want--connectivity, a Web presence, email, networked applications, whatever--and they want it to be secure. That they're forced to spend money on IT security is an artifact of the youth of the computer industry. And sooner or later the need to buy security will disappear.

It will disappear because IT vendors are starting to realize they have to provide security as part of whatever they're selling. It will disappear because organizations are starting to buy services instead of products, and demanding security as part of those services. It will disappear because the security industry will disappear as a consumer category, and will instead market to the IT industry.

The critical driver here is outsourcing. Outsourcing is the ultimate consolidator, because the customer no longer cares about the details...

IT is infrastructure. Infrastructure is always outsourced. And the details of how the infrastructure works are left to the companies that provide it.

This is the future of IT, and when that happens we're going to start to see a type of consolidation we haven't seen before. Instead of large security companies gobbling up small security companies, both large and small security companies will be gobbled up by non-security companies.

I think Bruce has nailed this argument. Now he is saying "the need to buy security will disappear" not because "the IT products we purchased [will be] secure out of the box" -- what he said last year -- but because "IT is infrastructure. Infrastructure is always outsourced. And the details of how the infrastructure works are left to the companies that provide it." This sounds like the Does IT Matter? argument of a few years ago, and I think Nick Carr and Bruce Schneier are right here.

What does this mean for security professionals? I think it means we will end up working for more service providers (like Bruce with Counterpane at BT) and fewer "normal" companies. Bruce wrote "the security industry will disappear as a consumer category, and will instead market to the IT industry," which means we security people will tend to either work for those who provide IT goods and services or we will work for small specialized companies that cater to the IT goods and services providers.

Bruce ends his article by saying

If I were Symantec and McAfee, I would be preparing myself for a buyer.

I think he is right again. These security companies will end up part of Cisco, Microsoft, Google, IBM, or a telecom. I doubt we will have large "security vendors" in the future.

A subtle point not made in this article is the idea that security folks who work for the CTO or CIO are probably going to stay there. I also think that smaller companies will be the first to see their security staffs go, but the biggest companies will always retain security staff -- if only to manage all of the outsourcing relationships.