The Business of Security

Tonight, I had a very interesting chat with one of the most forward thinkers on IT strategy, who is also a good friend. This was an off-paper business chat, like the ones that good friends have over wine or coffee, instead of the stifling presentations and discussions that take place in a meeting room or conference setting.

We quickly digressed into the topic of Information Security, top of the agenda for all senior IT guys around the world. We tried to foresee where the next big waves of change will take place, and what kind of future Big-data companies like Google, Facebook, LinkedIn, Twitter, and the like are designing for all of us, internet users of all races, ethnicities and ages alike.

We clearly saw that Information Security is currently a competitive advantage for any company that safeguards its data more effectively and outperforms its competitors by having the fewest successful data breaches and/or vulnerabilities in its information systems.

CISOs around the world compete on the best mix of technology, strategy and partnerships with external security experts, as well as Information Security bodies, that ultimately delivers the largest degree of risk mitigation in relation to the protection of data.

However, the game of security can be viewed from quite a number of different perspectives. A few years ago, it was sufficient to protect the data hosted in an internal data-center. Later on, hosting securely on multiple remote data-centers for production and disaster recovery purposes seemed sufficient to deal with data protection and service uptime. However, after the dawn of Agile Provisioning over the Cloud, the business model was severely disrupted, and new players that understood it early enough gained a tremendous advantage over the rest: the more “non-adaptive” (as my friend often puts it), slow-moving “IT dinosaurs” that fail to accept the reality and ultimately implode under their own weight.

The term which emerged naturally through the night was that of the “Business of Security”. I have been using that term lately to describe how large businesses can be built on the basis of information security per se. For instance, the largely successful model of free-use social platforms that share their users’ custom profiling with interested third parties is known to be one of the biggest businesses of our time, despite a number of arguable ethical issues that fall under the category of data privacy and consumer protection.

To my understanding, everyone in the “Business of Security” is competing to gain the maximum juice from the massive chunks of data that are gathered through multiple sources and put together to form a real-time understanding of the Internet as a whole, as well as of its individual constituents – be it an IP address representing a physical person accessing the internet or a device of some kind interacting within the IoT mash-up.

Going a step further, we realized that the serious players in Cybersecurity are both buyers and sellers of byproducts of this “Business of Security”. These players fund the emergent technologies that can best design and develop the security toolkit that can win a large-scale Cyberwar. To do that, they share some of their strategy as well as a “sanitized” portion of the employed technology that is to be developed further. At the same time, Cybersecurity players buy into partnerships with companies that have managed to pull in a significant mass of end-user data. This data is of particular interest to more than one Cybersecurity buyer and, thus, the original Company is already positioning itself on both sides of the map.

It would be interesting to see, one day, actual Cyber-attacks taking place against the top providers of Big-Data that are secured by the best in-house Cybersecurity toolkits, as a means of declaring a world war won in the digital space instead of exterminating half of the earth’s population to make one’s point. Along the same track, Big-Data Providers can attract the best and the largest funding to build and maintain the top Infosec Thinktanks and develop the best-of-breed platforms for such “War Games” to take place. It may seem a bit naïve from an Army General’s point of view, but from a business point of view, it makes much more sense as a Zero-Sum game. Arguably, in such a scenario, all IT security funding ultimately benefits all payers and all competition raises the stakes for everyone participating in the game.

It would be nice, wouldn’t it? I hope this chat of ours has made some new synapses connect in your brains. That would be more than enough for starters…