
Archive for January, 2010

Whither the revolutions? Transportation and portable-power

Sunday, January 31st, 2010

Many sectors, especially technologically driven ones, have undergone at least one, if not multiple, revolutions in the last half century. Most of the technology-driven revolutions can be laid at the feet of two major technologies: fiber optics (for long-distance, high-speed communications) and the integrated circuit, whose children include just about everything on silicon and which, in its microprocessor variant, follows Moore’s Law.

Two areas that have, frustratingly, followed evolutionary paths, and at times very slow evolutionary ones, are transportation and portable power.

  • Transportation: Transportation has undergone enormous changes since a hundred years ago. In World War II, barely 70 years ago, a major method of moving materiel and men was still horse-drawn, at least in the early years of the war. The first jet engines were invented in the 1910s-1930s, essentially from immediately prior to World War I through immediately prior to World War II. Nonetheless, since the arrival of the commercial jet aircraft with the De Havilland Comet immediately after World War II and the popular Boeing 707 in the 1950s, jet travel has essentially remained the same. People gather together at major airfields (now called airports), hand over their luggage, check in, sit on a plane that may or may not have the range to make it to their destination without refueling, and fly at somewhat under 600mph. The only real attempt to improve on that model – the Concorde series, which could reach speeds 30-50% faster than general commercial jet aircraft – went down in flames after one of its aircraft, unfortunately, went down in flames, and after years of unprofitable service to its operators. Other efforts in recent years have included many predictions about private jet taxis or air taxis, which are really structured around resolving mid-range travel issues. Commercial freight, on the other hand, still goes on boats that ply the same routes as the British Navy in the 1700s and still moves at less than 30 knots (nautical miles per hour). A person still travels from New York to London in 7 hours, while his large-scale cargo goes in a week or two. While information has democratized, decentralized and diffused, transportation remains as slow as ever. I do not know where the next revolutions in transportation will come from, but it is ripe for one. We might be concerned for all of the poor TSA employees who will no longer have the pleasure of smelling our shoes and seeing us naked through full-body scanners, but it is a price we are willing to pay.
On the other hand, the increased (and increasingly inane) so-called security measures foisted on the public will only drive innovation in transportation. In that respect, there may be an upside. It is also worth noting that, in most years, airlines have lost money, and lots of it. The number of airline bankruptcies over the years is quite large. A new model would not only improve everyone’s lives; it would also need to be much more economically viable.
  • Portable power: Also known as batteries, this is how we carry power around with us for use in small and large objects, whether electric cars, iPhones, laptops, or everything in between. While power usage has improved over the last several years (and decades), this is largely due to improving efficiency in the devices themselves combined with minor evolutionary improvements in batteries. Batteries are improving on the order of single-digit to, sometimes, double-digit percentages, over one to several years, in their ability to store power, while demand, driven by the systems that use them, is doubling in accordance with Moore’s Law. A number of researchers and firms are struggling to create revolutionary battery (really portable-power) systems. Some are focused on hydrogen fuel cells or micro-fuel cells; others are focused on biological cells, for example ones that use sugar or other biological fuel sources; an interesting research project is the Air Force’s work on betavoltaic cells, which use the decay of certain isotopes to generate power.

I believe both of these sectors are far underfunded and overdue for major revolutions that will affect almost every other sector there is.

Programming languages – seeing the future, but can you make money off of it?

Thursday, January 28th, 2010

Programming languages are an interesting area of technology. On the one hand, they are the indispensable basis for everything that is done in software, the Internet, embedded devices, essentially everything in technology, and thus are invaluable. Advances in languages – from assembler up to the latest high level languages – are what have made possible the creation of portable devices, Google, Facebook, Microsoft Word, and everything else we do. On the other hand, from a business perspective, they are the arcane “language” (pun intended) of techies. From the end-user perspective, all that matters is that it works.

For those aware of the underlying languages, the choice of language and its development is often the subject of fierce debates among technologists. Whether to develop a project in Java or .Net, or client-side in Flash or JavaScript/Ajax, can lead to wars that are called religious. The latest trend in Web development is an interesting language called Ruby, developed by a Japanese programmer who was displeased with his choices, and the development tools and framework around it called Rails, developed by a small company called 37Signals, the company behind Basecamp, Backpack and other highly popular Web 2.0 applications. Nonetheless, advances in languages have had a significant impact on the ability and ease with which developers build and maintain applications. Of course, anything that is easier to build and maintain means less effort, which equals lower cost and less time to get to results. These matter greatly to businesses, which focus on return on investment. The right technology can lead to lower costs, faster delivery, and a much better profile for investment and success.

However, from the side of the language itself, it is interesting to note that very few organizations have actually made money on the languages themselves. There really are only three types:

  • Language Service Organizations: These are organizations that build up expertise and then sell that expertise. These are primarily consulting firms and training houses. Every time a new language comes along that has demand, those organizations smart enough to see which one will have broad adoption gain early expertise and a name, and leverage it to sell training and consulting.
  • Proprietary Owners: The specific example here is Microsoft, which owns .Net (and various “Visual” languages before it). I cannot think of another firm that has owned a language and made money on it in a similar manner. Even Sun, which largely owns Java, has never made serious money directly off of it. Certainly, it has leveraged its ownership to develop commercial products around it, but little to no direct financial benefit.
  • Tools Providers: These are organizations that sell tools to help in development, whether Integrated Development Environments (IDEs), testing tools, debuggers, and similar tools that assist developers.

Proprietary ownership has existed only in rare circumstances. Most of the languages in use today have no one receiving a direct ownership benefit: C/C++, Java, Perl, PHP, Ruby, etc. There is some money in debuggers and IDEs, probably a reasonable amount of money in training and consulting, but nothing in direct language leverage. Further, many of the critical infrastructure elements, like application servers and frameworks – think Rails for Ruby, JBoss or Tomcat for Java, Cake or Kohana for PHP – are open-source. In other words, real money, the kind of high-growth firm that investors like, is hard to find directly around a language. There have been what would largely be called “arbitrage plays,” where commercial software takes a lead before open-source fills in – WebSphere and WebLogic for Java before JBoss – but they are few and far between.

Given this background, the growth of a new language is important and interesting, and critical to understanding where to invest your labour, but it is hard to see how to make money at scale off of it.

Why bring this up now? Arguably, the single most well-known language in the world is not Java, .Net, C/C++, Perl, PHP or even Ruby. Since there are far more Web developers than programmers – Web pages are easier and, in most cases, require less structured engineering thinking than server programs, even though developers may sometimes build complex Web pages – the language of choice on Web pages likely has the single highest rate of knowledge and adoption: JavaScript. Until recently, JavaScript was relegated primarily to client-side Web pages, running in your local browser – Internet Explorer, Firefox, Opera, Safari, Chrome, etc. Lately, a concerted effort has been made to put in place the missing elements that would allow JavaScript to run properly on a server. These projects – almost entirely open-source – include CommonJS, NodeJS, SpiderMonkey, Rhino, Jaxer, Helma, mod_js, and the list goes on and on; they are spreading at a tremendous rate. Further, serious JavaScript conferences have begun to take place, both focused on a particular set of tools and, notably, on general JavaScript, like the JSConf that occurred in 2009 in both the US and Europe.

This leads to an interesting question. A lot of effort is being put into JavaScript as a server-side language, essentially a competitor to Java/.Net/Perl/PHP/Ruby/etc. Clearly much of this effort is in open-source. I am not interested in whether or not JavaScript should succeed, from a technical perspective; lots of technology products that should fail from a technical perspective succeed in the market, and vice-versa (VHS vs. Betamax, anyone?). From a market perspective, having the same language on client and server has enormous financial benefits for Web application developers. I am not advocating for or against this or any other language. I am, however, interested in:

  1. Will JavaScript be the next hot language?
  2. If so, other than becoming an expert firm and offering training and consulting, where is there real money to be made?

The answers could be interesting.

Social Media as a business loser?

Sunday, January 24th, 2010

Business Insider, in its 18 January 2010 edition, referenced an article from September 2009 in the Washington Post by Bo Peabody, the founder of Tripod, arguably the first social networking site, founded way back in 1995. For those who do not (or are too young to) remember, 1995 was the year the Internet really took off. Morgan Stanley (where I had the great pleasure of working in IT at the time) took public a virtually unknown company, called Netscape. It has been called “the birth of the Web” (although Tim Berners-Lee might disagree). Bo argues in his article that social networking is a bad business. Social networking sites lose money, they always lose money, and so perhaps they should simply be run as non-profits, like Wikipedia.

Bo’s proposition is interesting. I have always found social media very interesting, but primarily from an operational perspective. Quite simply, they need to burn oodles of cash getting very big – and thus taking advantage of the “network effect,” as it is known to economists – running massive bandwidth and server operations, along with significant (and expensive) expertise. The challenges inherent in growing a business to that scale at that speed are fascinating. Nonetheless, I have always largely avoided getting involved with them from an equity perspective. I love using social media: Facebook, LinkedIn, Twitter, they all provide invaluable services… but not necessarily valuable services. I am skeptical that anyone would use them if they had to pay, which is why they rely on advertising, which does not pay off in the majority of instances. The exceptions are those sites that provide niche services – niche in terms of either target audience or purpose – like LinkedIn. Thus, these sites are a social good, but an investment waste. The challenge, of course, is whether or not anyone would have gone to the trouble of founding these sites and inventing the ideas – and sometimes the technology – without the hope of serious payoff (a.k.a. exit).

In some ways, this is similar to work I have been doing on ice skating rinks. I spend a lot of time in Israel. Israel, a tiny (about 20,000 sq km), semi-arid country with hot summers and mild winters, has a population of 7MM and exactly one regulation-sized ice skating rink. Over the last decade, an enthusiastic hockey and figure skating movement has grown in Israel, composed of US & Canadian expats, Russian emigres, and some natives. Indeed, Israel is about to hold its third international ice hockey tournament, with six teams, half of whom are traveling from overseas. The tournament is being covered by European and North American news networks, including the Canadian Broadcasting Corporation (CBC), and will include two NHL Hall of Famers, Darryl Sittler and Paul Henderson. The problem is that 70% of Israel’s population lives in the center of the country, but the one regulation-sized rink is at the country’s near-northernmost point, the town of Metulla, on the border with Lebanon.

It is clear that ice sports will not take off substantially in Israel until facilities are built within a reasonable driving distance of the 70% of the population, somewhere around Tel Aviv or between Tel Aviv and Jerusalem. As such, over the last 5 months, I have explored the economics of building and managing a facility. The net result is that building an ice rink is good for society, but bad for business. Because of economies of scale, no commercial rink is built with fewer than two sheets of ice, i.e. two facilities in one building. The cost of such construction, fully loaded, is $8-10MM USD. In the best of years, such a facility will generate around $2MM in revenue and incur around $1.3MM in operating expenses. Essentially, $10MM in investment leads to pre-tax free cash flow of $700,000, or a 7% return on investment… in the best of years. Most sane investors can find somewhere else to put their money, and do. This is why most facilities in the US, Canada and Europe are built as single sheets by a municipality, which is in the business of providing social goods that don’t make sense for businesses to provide. They view the investment as a community investment, not a financial one, and as long as the facility does not lose money each year, or at least not too much, they are satisfied (and the mayor gets re-elected).

From this perspective, social networking may be very similar to ice rinks: they provide an important social good, but are financially a waste.

As for the Israeli ice rink? I am still looking for a group of investors who love Israel, love ice sports, and are willing to donate to both at the same time.

The upside of being a cannibal

Friday, January 22nd, 2010

Most businesses – and non-profit and government organizations, for that matter – fiercely protect their turf. In the case of business, it usually means not doing anything that might jeopardize the core income stream. For example, Microsoft has been loath, at various stages in its history, to move towards the Web, cloud computing, or anything that might put a dent in its core operating system, desktop software and business server businesses. This is understandable. If your business made $58 BN in revenue from these core products in the last year, anything that would reduce dependence on your products, and thus that number, by providing more cost-effective solutions to your customers, would feel like suicide to you. The beauty of our market-based capitalist system is that even if the incumbent players or regulators cannot (or do not want to) see a better way, someone else can, and can successfully sell it. It is probably fair to say that the only reason Microsoft released any such products is due to competitive threats, at various times, from Netscape, Yahoo, Google and others.

Clayton Christensen, in his brilliant Innovators series of books, calls this disruption of the market. In simple (and overly simplified) terms, you cannot beat a large incumbent at their own game, but if you can disrupt them in a way that changes the rules of the game, provides compelling benefits to customers, and moves in a way that the large player cannot – due to perceived gross margins, cultural inability to shift, existing relationships, or protection of a core market – the underdog can and often will win. Christensen suggests that incumbents can avoid this trap by disrupting themselves out of business. Essentially, they need to become their own competitors. In business terms, we call this a type of cannibalism: you cannibalize your own market share by selling a product or service that is better for customers than the existing ones, by creating your own internal (or external) disruptive start-up. Of course, the devil is in the details, and few firms can succeed at doing so.

Every now and then I come across a business, large or small, that successfully cannibalizes its own business and grows because of it. Yesterday, I met a small Web design shop, just a handful of employees, that nonetheless cannibalized its own business, at least partially, and impressed me.

In most respects, Web Design Insight is like every other quality custom Web design shop out there. They have design talent and programmers, and provide high-quality service. However, unlike most such shops, they saw a pattern, saw a competitive opportunity, and decided to grab it themselves. WDI does a lot of work with synagogues. Synagogues are, as most readers know, Jewish houses of worship that also function as community centers. In general, they use the Web to publish information about themselves, whether static “we are Congregation So-and-So,” or more dynamic weekly updates. In addition, they have the usual activities of most non-profits, especially religious ones: keeping in touch with members, raising funds and membership dues, etc. Finally, they have the unique needs of a Jewish house of worship: language, as most Jewish ritual is in Hebrew and English; calendaring issues, as Jewish ritual revolves around the Hebrew calendar, distinct from the Gregorian one in common civil usage; unique lifecycle events, such as birthdays on the Hebrew calendar, bar/bat mitzvahs, etc.; times of prayer that vary weekly based on season and location; and many others. Thus, what a “normal” non-profit might be able to purchase for $15-20k, a full-service Web site for a synagogue would require significant amounts of custom work, boosting prices to multiples of that, perhaps as high as $50-60k. (These prices are my estimates; I have no actual pricing information from WDI.) For a Web design shop, this is a boon: lots of custom work means lots of consulting, with gross margins on each hour sold. Yet the husband-wife proprietors of WDI decided to cannibalize their own business. They built a product called Synagogue Launcher, which likely sells for a fraction of what a custom solution would. They took the work common to all of the synagogues, did it once in a generic fashion, and sell it as a synagogue platform.
In doing so, they have robbed themselves of their own consulting revenue, i.e. cannibalized their core business, to create a new one. They disrupted their own business, took a big risk, and hopefully are reaping the benefits. They deserve credit… and if only the larger businesses could do so as well. At the same time, that would leave little opportunity for all of the entrepreneurs out there, so we should be grateful.

On the reverse side, I heard Esther Dyson speak 3-4 years ago. Esther is a fixture in the tech community. She also sits on the board of the advertising conglomerate WPP Group. As part of her address, Esther noted that WPP had recently acquired a small, brash interactive media player (whose name escapes me at the moment). When asked about the rationale for the acquisition – to be blunt, large companies tend to smother the creativity of the smaller, dynamic firms they acquire, which makes acquiring a small firm whose success depends on its culture highly questionable; see in dictionary: IBM and _____ (you fill in the blank) – she said openly that they acquired the firm for it to be a catalyst for change in WPP. The world was moving rapidly towards dynamic, interactive, hyper-local advertising, and WPP needed to change. She (and presumably the WPP board) viewed this acquisition as the kernel of change, the grain of sand that irritates the oyster, leading to the pearl. In essence, WPP was trying to acquire a disruptor rather than create one, but in doing so, it actually wanted to disrupt. I found two points very notable:

  • WPP recognized it needed cultural change, and openly admitted it could not do so on its own. Whether or not it had tried and failed, they didn’t say. This public openness is refreshing, and is good.
  • WPP’s board is incredibly naive in believing that some small, recently acquired group could effectively change the culture of a company with 140,000 employees across 107 countries. This naivete is bad.

So we have three examples:

  • Microsoft, which refuses to disrupt itself until forced to, and poorly at that, and only then after it fails to crush the disruptors.
  • WPP, which recognizes the need for change, yet tries to buy it from the outside, and shows naivete.
  • WDI, which openly and willingly cannibalizes its own young business to serve its customers.

The world is always changing. The smart players are, like Gretzky, going to where the puck is going to be, not where it is.

How do I love thee communications? Let me ENUM the ways

Friday, January 22nd, 2010

Last week, Ars Technica had a great in-depth article on ENUM. For those who do not know, ENUM is a standardized method to use Internet technologies to translate your old, staid, telephone number (e.g. +12125551212 or +442076555555) into an Internet device connection. That connection could be simple voice, such as allowing you to use a VoIP connection rather than going through the PSTN (public switched telephone network) that we all love/hate, or even identifying a Skype user ID or email address based on the telephone number.

ENUM really has two purposes, which are related but are not exactly the same. The first is evolutionary, the second more radical.

  1. Free from the carriers: If you enter a telephone number, you are essentially telling your phone company or carrier, “go to this country, this area code, lookup this number, find out which carrier holds the number, then connect to them and through them to a particular phone.” You are connecting through carriers, the same way you always have done. But now, you have VoIP phones. You are no longer directly bound to a traditional carrier; you may not even be bound to a carrier at all. There are well-defined ways of publishing your VoIP phone contact info over the Internet. ENUM allows you to publish a number and say, “hey, connect to me through the Internet at this VoIP address, which is how you would get to me.” You are setting yourself free from the carriers (at least to some extent). In the (almost) words of Sting, “if you love some(ph)one, set them free.” This is evolutionary, it assumes phones are pretty much the same as they always were and serve the same purpose, but we want to have a better, freer, cheaper route to get to them.
  2. Universal identifier: Somewhere down the line, Internet people began to realize that we have a lot of identifiers. We have one or more email addresses, Skype IDs, Gmail IDs, Yahoo IDs, the list goes on and on. Wouldn’t it be great to have a single identifier that is me but can access all of the other parts? In essence, we are looking for something like a really smart email list. Just like I can set up an email list mygroup@atomicinc.com and have it send the email to 5 different email addresses, I want a single identifier that will allow anyone to reach me, and is smart enough to say, “I am trying to reach you via email, tell me which way to go,” or “I am trying via Skype, which way?” Since everyone has a phone number, the theory goes, why not use the phone number as that unique identifier, and have a system, let’s call it something really catchy, say, “ENUM,” to translate from the person’s unique identifier to the various methods of reaching them.
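As an added example (not from the original post or the Ars Technica article), the following Python builds the ENUM lookup name for an E.164 number and resolves NAPTR records into contact URIs, covering both purposes above: a SIP route that bypasses the carrier, and service-keyed selection among a subscriber's other identifiers. The e164.arpa suffix and the NAPTR record shape follow the ENUM RFCs (RFC 6116 and RFC 3403); the records, names and addresses below are constructed sample data, and the in-memory zone stands in for a real DNS query.

```python
"""ENUM walkthrough: E.164 number -> e164.arpa name -> NAPTR -> URI.
Added example; records and hostnames are constructed, not real DNS data."""
from __future__ import annotations

import re
from dataclasses import dataclass

ENUM_ZONE = "e164.arpa"  # public ENUM tree; private trees use other suffixes


def enum_domain(e164: str, zone: str = ENUM_ZONE) -> str:
    """+12125551212 -> 2.1.2.1.5.5.5.2.1.2.1.e164.arpa

    Digits are reversed and dot-separated so DNS delegation follows
    country code -> area code -> subscriber, mirroring the phone network."""
    if not e164.startswith("+"):
        raise ValueError("E.164 numbers are written with a leading '+'")
    digits = re.sub(r"[^0-9]", "", e164[1:])
    if not 1 <= len(digits) <= 15:  # E.164 permits at most 15 digits
        raise ValueError("invalid E.164 length")
    return ".".join(reversed(digits)) + "." + zone


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str       # "u": the regexp yields a terminal URI
    service: str     # e.g. "E2U+sip", "E2U+email:mailto"
    regexp: str      # "!pattern!replacement!flags" with a chosen delimiter


def apply_regexp(rule: str, subject: str) -> str:
    """Apply a NAPTR substitution expression to the dialled number.

    The expression arrives from DNS, which the caller does not control,
    so malformed or non-matching rules are rejected rather than guessed at."""
    delim = rule[0]
    parts = rule[1:].split(delim)
    if len(parts) < 2:
        raise ValueError(f"malformed NAPTR regexp: {rule!r}")
    pattern, replacement = parts[0], parts[1]
    flags = re.IGNORECASE if len(parts) > 2 and "i" in parts[2].lower() else 0
    m = re.match(pattern, subject, flags)
    if m is None:
        raise ValueError(f"pattern {pattern!r} does not match {subject!r}")
    # NAPTR back-references \1..\9 have the same meaning in re's expand().
    return m.expand(replacement)


def resolve(e164: str, records: list[Naptr], service: str) -> str | None:
    """Pick the best terminal record for one service (lowest order, then
    lowest preference) and rewrite the number into a URI.
    Returns None when the subscriber published no route for that service."""
    candidates = [
        r for r in records
        if r.flags.lower() == "u" and r.service.lower() == service.lower()
    ]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (r.order, r.preference))
    return apply_regexp(best.regexp, e164)


# Constructed sample zone: what one subscriber might publish for +12125551212.
# Everything here is world-readable DNS, which is the control issue the post
# raises: publishing is a decision the number holder, not the carrier, makes.
SAMPLE_ZONE: dict[str, list[Naptr]] = {
    enum_domain("+12125551212"): [
        # Preferred SIP route straight to the subscriber's VoIP service
        Naptr(100, 10, "u", "E2U+sip", "!^.*$!sip:alice@voip.example.net!"),
        # Fallback SIP route via a gateway, keeping the national number
        Naptr(100, 20, "u", "E2U+sip", "!^\\+1(.*)$!sip:\\1@gw.example.net!"),
        # The same number also answers the "reach me by email" question
        Naptr(200, 10, "u", "E2U+email:mailto", "!^.*$!mailto:alice@example.net!"),
    ]
}


def lookup(e164: str, service: str, zone_data=SAMPLE_ZONE) -> str | None:
    """Stand-in for a DNS NAPTR query against e164.arpa (offline here)."""
    return resolve(e164, zone_data.get(enum_domain(e164), []), service)


if __name__ == "__main__":
    for svc in ("E2U+sip", "E2U+email:mailto", "E2U+xmpp"):
        print(f"{svc:18s} -> {lookup('+12125551212', svc)}")
    print(lookup("+442076555555", "E2U+sip"))  # nothing published: None
```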

The first method is slowly gaining some ground, but not very much. e164.org, probably the largest and most well-known Public ENUM provider, says it has just under 47MM allocations. Considering that the total possible numbers under current numbering schemes is just under 100BN, and the US alone is estimated to have close to 300MM phone lines, these numbers really are tiny. e164.org does not publish how many are actually in use. There are two great challenges to adoption, one from the user side, one from the carrier side. From the user side, it is useful for dialing in, terrible for dialing out. Let’s explain why. If I am calling you, I don’t need to publish my ENUM, I just need yours. In having yours, I can get a much cheaper route to you. But you gain nothing from it. Similarly, when you try to call me, it is really useful to you if I have published my ENUM, but I gain nothing; you are the one who saves on all the carrier interchange fees. The net result is that the only real incentive to publish ENUM is, well, none. Who is left? The carriers. The carriers, who probably provided you with a telephone number, like these interchange fees. Sure, it would be nice if someone contacted them directly, but in the interim, everyone is getting a small piece of the pie, with the whole pie provided by the call originator. All in all, not a great recipe for them to publish ENUM either. Finally, as pointed out in the Ars Technica article, ENUM explicitly puts control of the number in the hands of the end-user, i.e. the phone subscriber. Needless to say, the carriers are not exactly going to be thrilled about relinquishing control.

From a universal identifier perspective, I do not believe ENUM will take off, due to sheer usability and control issues. From the control perspective, most numbers are still controlled by carriers. Unless and until it becomes easily possible for someone to purchase (not lease, rent or otherwise) a telephone number and directly control it, carriers will be the gateway for telephone numbers, which means users will not view them as their own. Yes, you can buy low-cost DIDs from many forwarding providers and ITSPs, but these are still owned by them and they remain the gateways. As long as this holds true, people will not view numbers as their unique identifier, but rather as tied to whatever phone line they have, not to themselves. Additionally, in many countries and especially the United States, people do not want to be globally identified by a number, with apologies (but not too many) to former New York State Governor Eliot Spitzer. People would prefer obscure email addresses over even more obscure telephone numbers. Finally, it is easier to remember steve@apple.com than some long-winded telephone number. And while it is true that .com implies (but does not insist on) a US focus, +16055551212 is very clearly a US number. People are more global nowadays. On the other hand, steve@apple.com is a work address, and people change jobs a lot. Further, people don’t want some material going through work, whether because it is a waste of work time, personally sensitive or for any other reason.

The real question, then, is whether any unique global identifier would work. The answer, in my opinion, is a qualified yes. I think many people would be happy to have a unique identifier: I could simply give someone my ID, whatever it is, most likely in email format, and they could use it to get everything about me. It is qualified because I believe people want to maintain control. I don’t want every spammer to have my email address; I want business associates to have my work email and phone but not my mobile; and I may not want my home contractor to have my work number. I believe that if someone came up with a unique identifier system that could be used for real-time lookups across systems, while providing reasonable and non-burdensome access control for the owner of the data, it would likely be successful. Whether or not it can make money, and how it fits with existing social networks, is an entirely different topic.

Information Security is still hot

Wednesday, January 20th, 2010

Ask VCs, and most will tell you that Information Security is, well, old. It has been around for a long time, and a lot of money is flowing into newer, hotter areas. While I cannot fault investors for looking for areas that will have the best combination of future follow-on investment, rapid growth and a high-value, relatively quick exit, I believe InfoSec is still overlooked.

When following information security, I feel like I am listening to the scientist who said, at the turn of the century (right around the time that an obscure patent clerk in Bern was writing obscure papers that might have a minor impact on physics), that “Physics is Dead.” Perhaps it is similar to Francis Fukuyama’s “End of History” proclamation.

Information Security is not dead; it is alive, it is hot, and it is a great sector to be in. InfoSec is great for the same reason that rifle design or tank design is great: the other side is always getting better. InfoSec is the combat divisions in a war, which, if you want to win, need to have the best intelligence, be well-equipped, and always be ready, or the enemy at the doorstep is likely to conquer. Every organization in the world now has significant online activity, including funds and banking. Every one has levels of security behind which hide very sensitive and valuable data. If Willie Sutton were alive today, he wouldn’t go to the banks because “that’s where the money is;” he would go to the laptop. Given that access is just as easy for a 14-yr-old from a low-level-law-enforcement country as it is for a 20-year veteran in the United States, and that the 14-yr-old likely has a far less developed sense of scruples or morals, the list of people willing to become the “digital enemy” is almost unlimited. Thus, the defenses and weapons (and thus budgets) that legitimate organizations need to deploy are constant and growing. And all this is before one takes into account the various compliance requirements such as HIPAA, PCI-DSS, SEC, Sarbox, BASEL II, etc.

I believe several areas will be particularly hot in the coming years:

  • Authentication: Mail accounts, Web logins, cell phones, credit cards, the list of methods of identity theft is growing by the day. I believe that organizations, by desire or by force, will look for much better methods to authenticate each individual and partner than the standards available nowadays. The challenge, of course, is that most better methods available are intrusive and expensive, e.g. authentication tokens like RSA, or sidechannel SMS one-time codes. I find the keyboard typing pattern firms, like BioPassword, interesting. Nonetheless, they can still be spoofed, and are too sensitive to the person’s behaviour, such as typing while eating a burger, or using the left hand because of a cast. I am awaiting a new, better two-factor authentication that is harder to spoof, less sensitive to legitimate divergent behaviour, and relatively inexpensive.
  • Transactions: Transaction changing, known as man-in-the-browser (MitB) attacks, (why are these called man-in-the-browser? I am fairly neutral on this issue, but if we are all equal, then it cuts both ways) are particularly nasty and hard to beat. In essence, all of the work we do to secure our transactions – encryption, digital signatures, etc. – all rely on some complex mathematical functions or relatively secured memory tokens like cookies. These are far too complex to perform in our heads, so we rely on our computers (and browsers) to do them for us. MitB attacks is like having the bad guys already in your house; the alarms and bars on doors and windows won’t do you much good then. A better method of securing the browser is one alternative, while authenticating each transaction – which is back to the difficult and expensive if we don’t trust the browser to do the complex work – is another. Neither of these, in its current implementations, is going to take off anywhere near as quickly as the evil they fight, namely MitB.
  • Authorization: In small organizations, authorization is easy: either I am allowed to do something or I am not. In large, consumer-facing organizations, it is not that much harder: each person has an account and can do anything to that account, and only that account, that any person can do to their own account. Internally to midsize to large organizations, however, authorization is particularly messy. Permissions can be controlled by who you are, your job, your relationship to a particular piece of information, your relationship to someone else; the list goes on. Role-Based Access Control (RBAC) has helped a lot, but still has limitations. These limitations by definition mean organizations put in place workarounds, which open up security holes. I believe we are going to see growth in better user authorization management that is both easier to use and more secure.
  • Cloud Security: Cloud services are great: you basically can buy resources on demand and use them. However, they open up security holes that need to be addressed. While some services sweep the issues under the rug (bad), and others tell you what they are (better), for a firm with data and transactions that really need to be secure, whether because of their own internal needs or due to compliance, cloud is not an option. For example, right now, you cannot be PCI-DSS compliant on most cloud infrastructure. I have done lots of PCI-DSS work, and it just is not possible. I foresee much work on security in the cloud, both from the providers like Amazon and Google, as well as third-party providers, to provide compliant security in the cloud. I do not know if this means a new secure cloud provider, or security wrappers to the existing providers, but this area will grow.
  • Trust the Untrusted Providers: Right now, if you use Google, they have access to your data; ditto for Yahoo, Hotmail, and all of the others. The same holds for Software-as-a-Service (SaaS) providers. For many people, “trust us” is sufficient, or perhaps a privacy agreement, or some other form of protection. For many, however, there is the same problem as general cloud infrastructure services: they are not willing to depend on the current statements or good will of the service provider, and thus are locked out of these services. I believe that new, secure services will start to appear to allow those organizations to take advantage of the general services like Gmail, Salesforce.com, etc. Once again, I do not know if these will be additional services from the existing providers (more likely) or third-party providers (less likely, especially in the case of those who make their money from knowing the content, like Gmail, but still possible), but there are too many organizations out there who are still doing Exchange/Lotus to ignore.
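Binding an out-of-band confirmation code to the transaction details is one concrete form of the "authenticating each transaction" alternative mentioned under Transactions above; this is an added example, not code from the original post, and the key, payees and amounts are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Transaction:
    payee: str
    amount_cents: int

def _code_for(key: bytes, nonce: str, txn: Transaction) -> str:
    """Derive a 6-digit code bound to the exact payee and amount."""
    msg = f"{nonce}|{txn.payee}|{txn.amount_cents}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 1_000_000).zfill(6)

def server_issue_challenge(key: bytes, txn: Transaction) -> dict:
    """Server side: build the out-of-band (e.g. SMS) text for the
    transaction as received, which a MitB may already have altered."""
    nonce = secrets.token_hex(8)
    code = _code_for(key, nonce, txn)
    sms = f"Pay {txn.amount_cents / 100:.2f} to {txn.payee}? Code {code}"
    return {"nonce": nonce, "sms": sms}

def user_reviews_message(intended: Transaction, sms: str) -> str:
    """User side: type the code only if the message shows what was intended.
    Returns the code, or "" when the user refuses."""
    expected = f"Pay {intended.amount_cents / 100:.2f} to {intended.payee}?"
    return sms.split("Code ")[1] if sms.startswith(expected) else ""

def server_verify(key: bytes, nonce: str, txn: Transaction, code: str) -> bool:
    """Server side: the code only matches the transaction it was issued for."""
    return hmac.compare_digest(_code_for(key, nonce, txn), code)

def run_scenario(key: bytes, tamper_before: bool, tamper_after: bool) -> bool:
    """Simulate a MitB that rewrites the transaction before the challenge is
    issued and/or after the user typed the code.  Returns True only if the
    server ends up executing a transaction the user did not intend."""
    intended = Transaction("Alice", 5000)        # constructed sample
    rogue = Transaction("Mallory", 900000)       # constructed sample
    submitted = rogue if tamper_before else intended
    challenge = server_issue_challenge(key, submitted)
    code = user_reviews_message(intended, challenge["sms"])
    if not code:
        return False  # user saw the wrong payee/amount and refused
    final = rogue if tamper_after else submitted
    executed = server_verify(key, challenge["nonce"], final, code)
    return executed and final != intended
```

The browser is treated as hostile throughout: the only trusted checks are the user reading the out-of-band message and the server recomputing the HMAC over what it actually receives.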

In sum, InfoSec is still a great area, and, in my opinion, will continue to be for the foreseeable future.

Google, China, and sensitivity training

Sunday, January 17th, 2010

Everyone appears to have analyzed the Google and China issue to death, both from the China perspective and the Google perspective. One of the best comments I have seen is from Fred Wilson’s “A VC” blog, where he focuses on the reported fierce disagreements between Eric Schmidt, the hired-gun non-founder CEO, who wanted to continue doing business in China and sweep the issues under the rug, and Sergey Brin, the founder born under Communism, who insisted on pulling out. Fred goes on to expand on the general differences between founder CEOs and non-founder CEOs. I suspect the late great Akio Morita of Sony fame would agree. When I was in business school at Duke, we looked at Sony under the wave of MBAs who ruled the roost after Morita-san, and the lack of innovation therein, in a company that invented and successfully marketed many of the great innovations of the second half of the 20th century.

I suspect, however, that there is more to the story than either the realists or idealists (or Jacksonites vs. Wilsonians, if you prefer foreign policy) may be seeing.

In its early years, Google was not only a much better, faster and more accurate search engine than Yahoo (or MSN, AskJeeves, Excite, AltaVista, and many of the competitors in the digital dustbin). Its motto was “Don’t be evil.” After some of the DoubleClick and other privacy debacles – some of which are laughable today – as well as the debate in the United States about government intrusion into calling records from major telecoms providers, there was great hunger for a company whose entire personality seemed to be, well, “behave.” Google’s foray into China, with its self-censorship, has definitely damaged its image in that respect. However, Google is too big and dominant to care that much.

Now, however, Google’s growth has slowed, other competitors are moving into the market, and, most importantly, mobile is the hot new area. Google wants its Android, and possibly its HTC-partnered phone, to be major elements in its future growth plans. However, privacy in the old Web 1.0 or even 2.0 is child’s play compared with privacy in mobile. Your phone operator – and likely your operating system provider, especially an online one like Google – knows who you called, where you are, and where you were. It could probably even figure out whether you were linked via Bluetooth to a car, and the speed and route the car took; any local law enforcement would love to be able to boost revenues by issuing tickets that way.

If Google really wants to dominate in the mobile area the way it has on the Web, it is desperately in need of regaining its “Don’t be evil” image. While I have great respect for Brin, and he undoubtedly does remember life under the Communists, Google’s plans for future growth are likely a major factor in its China decision.