Cool as McCumber

May 23, 2011
Bringing back the good old days

It’s amazing what a decade will do to a market — especially in the ever-changing world of security. Back during the dot-com craze of the mid-to-late '90s, IT security was a hot commodity. Individual security researchers and developers such as Peter Norton, John McAfee and the team of Rivest, Shamir and Adleman (of RSA fame) gave birth to technology behemoths still featuring their names long after most technologists forgot who they were or what they looked like. Tiny garage and dorm-room startups brought us the network firewall, the intrusion detection system and public-key encryption schemes.

As rapidly growing technology companies of the era such as Cisco, Sun Microsystems, Hewlett-Packard and IBM began shelling out hundreds of millions of dollars to acquire these fledgling technologies, big money flowed into security start-ups by investors looking for their piece of the pie. It seemed as if every creative IT engineer, computer science graduate student and Radio Shack hobbyist was hanging out a shingle to pitch the next big IT security product. Some hit it big — most did not.

New media outlets such as Wired magazine and Red Herring became status symbols for corporate vice presidents as well as commuters and desk-bound computer geeks. Reports of multi-million dollar launch parties in Silicon Valley made headlines all across the country. One day, you are an unappreciated technician hacking around your corporate network; the next, you are hiring the Rolling Stones to play at your IPO party. It was a dream that seemingly anyone could turn into a reality.

Then came the big bust of 2001. It was as if a giant economic vacuum had sucked the life (and money) out of the entire market. The bubble had burst. The handful of visionaries who made it big counted their blessings, and the ones who had carefully managed their money were able to chase other pursuits. The rest of us went back to a less joyous reality of corporate jobs, consulting and managing the pipeline to ensure we had enough work to pay the bills.

It has been more than a decade since the bust. As new opportunities were just beginning to sprout, we were slammed by the recession of 2008. We are still dealing with fallout from the worldwide financial crises and seemingly endless economic bad news. There have been massive layoffs in both public- and private-sector organizations, and even with all the new technology, IT and security people have not been spared.

However, underneath this dreary overcast of despair, there have been stirrings of a revival in the need for new security technologies. Most of the big software, hardware and chip manufacturers that bought up the security start-ups over a decade ago have found it difficult to keep up with that handful of technology companies who have seen dramatic growth: namely, 21st century pioneers such as Apple, Google and Facebook. These companies did not just introduce new technologies — they are revolutionizing the way we interact with information and each other.

Over a decade ago, IT security was mostly concerned with creating, managing and defending the organization’s digital boundaries. All those creative new companies that are rocketing in stock price are busy knocking those boundaries down. My wife’s iPad has become her go-to technology device and is quickly replacing her laptop. My new Android-powered cell phone/PDA is no longer a phone with integrated calendar and messaging. It’s my digital world in the palm of my hand. I use it as a phone, a complete corporate and personal scheduling tool, and my life’s worth of contacts. It can tell me how to get to my hotel in a new city, locate a local sushi bar, recommend a dry cleaner, show me tomorrow’s weather and find me an all-night pharmacy for some cold medicine.

This revolution is happening at the same time organizations are looking to put their data "in the cloud" to cut IT costs while further outsourcing their IT services at an ever-increasing rate. All this dynamism in the world of information technology requires innovative ways to protect, control, monitor and report on sensitive information resources. The large anti-virus, security, and storage companies that saw the future of security as an integrated boundary protection paradigm have been caught off-guard.

Just as this new wave of digital integration is taking off, more sinister and adaptive cyber threats have emerged. Specifically, what are known as advanced persistent threats target energy companies, manufacturers, government agencies and even individuals. Defending against these new threats in this integrated world of data sharing and aggregation requires new thinking. This environment creates opportunities.

I am posting this article from a government IT conference. I walked the vendor exhibit area and noticed something I had not seen in a long time: new IT security companies with tiny booths, demonstrating new technologies to help us get ahead of these emerging threats. A couple of booths were even staffed by the company founder or chief technology officer. Is this the good old days again? Not yet, but I like the signs.

John McCumber is a security and risk professional, and author of "Assessing and Managing Security Risk in IT Systems: A Structured Methodology," from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].