Ask VCs, and most will tell you that Information Security is, well, old. It has been around for a long time, and a lot of money is flowing into newer, hotter areas. While I cannot fault investors for looking for areas that will have the best combination of future follow-on investment, rapid growth and a high-value, relatively quick exit, I believe InfoSec is still overlooked.
When following information security, I feel like I am listening to the scientist who said, at the turn of the twentieth century (right around the time that an obscure patent clerk in Bern was writing obscure papers that might have a minor impact on physics), that “Physics is dead.” Perhaps it is similar to Francis Fukuyama’s “End of History” proclamation.
Information Security is not dead; it is alive, it is hot, and it is a great sector to be in. InfoSec is great for the same reason that rifle design or tank design is great: the other side is always getting better. InfoSec is the combat division in a war, which, if it wants to win, needs the best intelligence, the best equipment and constant readiness, or the enemy at the doorstep is likely to conquer. Every organization in the world now has significant online activity, including funds and banking. Every one of them has layers of security behind which very sensitive and valuable data hide. If Willie Sutton were alive today, he wouldn’t go to the banks because “that’s where the money is;” he would go to the laptop. Given that access is just as easy for a 14-year-old in a country with weak law enforcement as it is for a 20-year veteran in the United States, and that the 14-year-old likely has a far less developed sense of scruples or morals, the list of people willing to become the “digital enemy” is almost unlimited. Thus, the defenses and weapons (and thus the budgets) that legitimate organizations need to deploy are constant and growing. And all this is before one takes into account the various compliance requirements such as HIPAA, PCI-DSS, SEC rules, Sarbanes-Oxley, Basel II, etc.
I believe several areas will be particularly hot in the coming years:
- Authentication: Mail accounts, web logins, cell phones, credit cards; the list of places where an identity can be stolen is growing by the day. I believe that organizations, by desire or by force, will look for much better methods to authenticate each individual and partner than the standards available nowadays. The challenge, of course, is that most of the better methods available are intrusive and expensive, e.g. hardware tokens like RSA SecurID, or out-of-band SMS one-time codes. I find the keystroke-dynamics firms, like BioPassword, interesting. Nonetheless, typing patterns can still be spoofed, and they are too sensitive to the person’s behaviour, such as typing while eating a burger, or using the left hand because of a cast. I am awaiting a new, better two-factor authentication that is harder to spoof, less sensitive to legitimate divergent behaviour, and relatively inexpensive.
- Transactions: Transaction tampering, known as man-in-the-browser (MitB) attacks (why are these called man-in-the-browser? I am fairly neutral on this issue, but if we are all equal, then it cuts both ways), is particularly nasty and hard to beat. In essence, all of the work we do to secure our transactions, encryption, digital signatures and so on, relies on complex mathematical functions or on secrets held in the browser, such as session cookies. These are far too complex to perform in our heads, so we rely on our computers (and browsers) to do them for us. A MitB attack is like having the bad guys already in your house; the alarms and bars on the doors and windows won’t do you much good then. The malware sits inside the browser, after the encrypted channel has been terminated, so it can rewrite the payee and amount of a transfer after you have approved it and before the bank sees it, and the bank still receives a perfectly valid, encrypted, authenticated request. A better method of securing the browser is one alternative. Authenticating each transaction out of band is another: the code the user supplies must be bound to the actual payee and amount as shown on a device the malware does not control, because a plain one-time code that only proves you are present does not help (the malware simply forwards it along with the altered transaction). That brings us back to difficult and expensive, since we cannot trust the browser to do the complex work. Neither of these, in its current implementations, is going to take off anywhere near as quickly as the evil it fights, namely MitB.
- Authorization: In small organizations, authorization is easy: either I am allowed to do something or I am not. In large, consumer-facing organizations, it is not much harder: each person has an account and can do to that account, and only that account, whatever any customer can do to their own. Inside midsize to large organizations, however, authorization is particularly messy. Permissions can depend on who you are, your job, your relationship to a particular piece of information, your relationship to someone else; the list goes on. Role-Based Access Control (RBAC) has helped a lot, but it still has limitations: a role says what a job may do, not which particular records a person stands in some relationship to, so expressing “only the owner may edit” or “only the owner’s manager may read” means either minting a role per record or granting a role far broader than the need. These limitations mean organizations put workarounds in place, and the workarounds open security holes. I believe we are going to see growth in user authorization management that is both easier to use and more secure.
- Cloud Security: Cloud services are great: you basically buy resources on demand and use them. However, they open up security holes that need to be addressed. While some services sweep the issues under the rug (bad), and others tell you what they are (better), for a firm with data and transactions that really need to be secure, whether because of its own internal needs or due to compliance, the cloud is not an option. For example, right now, you cannot be PCI-DSS compliant on most cloud infrastructure. I have done lots of PCI-DSS work, and it just is not possible. I foresee much work on security in the cloud, both from providers like Amazon and Google and from third parties, to provide compliant security in the cloud. I do not know whether this means a new secure cloud provider or security wrappers around the existing providers, but this area will grow.
- Trusting the Untrusted Providers: Right now, if you use Google, they have access to your data; ditto for Yahoo, Hotmail, and all of the others. The same holds for Software-as-a-Service (SaaS) providers. For many people, “trust us” is sufficient, or perhaps a privacy agreement, or some other form of protection. For many others, however, there is the same problem as with general cloud infrastructure services: they are not willing to depend on the current statements or good will of the service provider, and thus are locked out of these services. I believe that new, secure services will start to appear to allow those organizations to take advantage of the general services like Gmail, Salesforce.com, etc. Technically, the only way to use such a service without trusting it with the content is to encrypt the content before it leaves your own systems, with keys the provider never holds, which is exactly what a provider that makes its money from reading the content has no incentive to offer. Once again, I do not know whether these will be additional services from the existing providers (more likely) or third-party providers (less likely, especially in the case of those who make their money from knowing the content, like Gmail, but still possible), but there are too many organizations out there still running Exchange or Lotus in-house to ignore.
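The Transactions item above argues that a one-time code proving the user is present does nothing against a man-in-the-browser, while a code bound to the transaction details confirmed on a separate device does. The following simulation is an added example and not code from the original post: it assumes a per-user secret provisioned to a trusted out-of-band device, a constructed transfer, and a `mitb_tamper` routine standing in for browser malware; the 8-digit truncation of an HMAC is a simplification of real transaction-signing schemes.

```python
import hashlib
import hmac
import json

# Added example, not code from the original post. The secret, transaction
# fields and the tamper routine are constructed for illustration.
# A per-user secret provisioned to a trusted out-of-band device (assumed).
DEVICE_SECRET = b"per-user-secret-provisioned-at-enrollment"


def canonical(tx):
    """Canonical bytes of exactly the fields the user must confirm."""
    fields = {k: tx[k] for k in ("to", "amount", "currency", "nonce")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def transaction_code(secret, tx):
    """Short code the trusted device computes from the details it displays.

    HMAC over the canonical transaction, truncated to 8 decimal digits
    (the kind of code a user can read off a device and type in).
    """
    mac = hmac.new(secret, canonical(tx), hashlib.sha256).digest()
    return "%08d" % (int.from_bytes(mac[:4], "big") % 10**8)


def presence_code(secret, nonce):
    """One-time code bound only to a server challenge: proves presence, not intent."""
    mac = hmac.new(secret, str(nonce).encode(), hashlib.sha256).digest()
    return "%08d" % (int.from_bytes(mac[:4], "big") % 10**8)


def mitb_tamper(tx):
    """Simulated browser malware: rewrites payee and amount after the user clicked Confirm."""
    altered = dict(tx)
    altered["to"] = "ATTACKER-ACCOUNT"
    altered["amount"] = 9900.00
    return altered


def bank_accepts_presence_only(submitted_tx, code):
    """Bank that only checks a presence OTP: cannot tell what the user actually approved."""
    return hmac.compare_digest(presence_code(DEVICE_SECRET, submitted_tx["nonce"]), code)


def bank_accepts_transaction_bound(submitted_tx, code):
    """Bank recomputes the code over what it received; any tampering changes the MAC."""
    return hmac.compare_digest(transaction_code(DEVICE_SECRET, submitted_tx), code)


# Constructed transfer the user actually intends; the nonce is a server challenge.
INTENDED = {"to": "ALICE-SAVINGS", "amount": 100.00, "currency": "EUR", "nonce": 4711}


def scenario_presence_only():
    """Returns True if the tampered transfer is accepted (the attack succeeds)."""
    code = presence_code(DEVICE_SECRET, INTENDED["nonce"])  # user types the OTP into the browser
    on_the_wire = mitb_tamper(INTENDED)                      # malware edits the request body
    return bank_accepts_presence_only(on_the_wire, code)


def scenario_transaction_bound():
    """Returns True if the tampered transfer is accepted; with a bound code it is not."""
    code = transaction_code(DEVICE_SECRET, INTENDED)  # device shows payee/amount, user confirms
    on_the_wire = mitb_tamper(INTENDED)
    return bank_accepts_transaction_bound(on_the_wire, code)


def scenario_untampered():
    """Sanity check: the legitimate transfer still goes through."""
    code = transaction_code(DEVICE_SECRET, INTENDED)
    return bank_accepts_transaction_bound(INTENDED, code)


if __name__ == "__main__":
    print("presence OTP, tampered transfer accepted:", scenario_presence_only())
    print("transaction-bound code, tampered transfer accepted:", scenario_transaction_bound())
    print("transaction-bound code, untampered transfer accepted:", scenario_untampered())
```

The point the simulation makes is that the defense lives entirely in what the code is computed over: the presence OTP is valid for whatever the browser sends, while the transaction-bound code only verifies against the payee and amount the user saw on the device, so the altered request fails. The nonce in the canonical fields keeps a captured code from being replayed for a second transfer.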
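The Authorization item above says that RBAC cannot express a person's relationship to a particular record, so organizations reach for workarounds. The following is an added example, not code from the original post; the users, documents, role table and reporting line are constructed. It shows the typical workaround (handing someone a broad "editor" role so they can edit their own report) leaking access to everyone else's reports, next to a check that combines roles with ownership and reporting relationships.

```python
from dataclasses import dataclass

# Added example, not code from the original post. Users, documents, roles and
# the reporting line below are constructed for illustration.


@dataclass(frozen=True)
class User:
    name: str
    department: str
    roles: frozenset


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner: str
    department: str


# Pure RBAC: a role maps to actions, with no notion of *which* documents.
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "editor": {"read", "edit"},
    "admin": {"read", "edit", "delete"},
}

# Relationship data that a role table cannot carry (constructed org chart).
MANAGER_OF = {"alice": "carol"}  # carol manages alice


def rbac_allows(user, action, doc):
    """Role-based check: any role granting the action grants it on every document."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def relationship_allows(user, action, doc):
    """Check that combines roles with the user's relationship to the record.

    - admins keep their role-based rights everywhere
    - the owner may read, edit and delete their own document
    - the owner's manager may read it
    - colleagues in the same department with a reading role may read it
    - everything else is denied
    """
    if "admin" in user.roles:
        return rbac_allows(user, action, doc)
    if user.name == doc.owner:
        return action in {"read", "edit", "delete"}
    if action == "read":
        if MANAGER_OF.get(doc.owner) == user.name:
            return True
        return user.department == doc.department and rbac_allows(user, "read", doc)
    return False


# Constructed people and one constructed record.
ALICE = User("alice", "finance", frozenset({"editor"}))   # owns the report
BOB = User("bob", "hr", frozenset({"editor"}))            # given "editor" to edit his own reports
CAROL = User("carol", "management", frozenset())         # alice's manager, no role at all
DAVE = User("dave", "finance", frozenset({"analyst"}))   # alice's colleague

REPORT = Document("fin-q1-report", owner="alice", department="finance")


def compare(user, action, doc=REPORT):
    """(rbac decision, relationship-aware decision) for one request."""
    return rbac_allows(user, action, doc), relationship_allows(user, action, doc)


if __name__ == "__main__":
    for user, action in [(ALICE, "edit"), (BOB, "edit"), (BOB, "read"),
                         (CAROL, "read"), (DAVE, "read"), (DAVE, "edit")]:
        rbac, rel = compare(user, action)
        print(f"{user.name:6} {action:5} rbac={rbac!s:5} relationship={rel!s:5}")
```

RBAC is wrong in both directions here: Bob's workaround role lets him edit Alice's report (too broad), while Carol, who as Alice's manager should be able to read it, gets nothing unless someone invents yet another role for her (too narrow). The relationship-aware check answers both without adding roles, which is the kind of authorization management the item above expects to grow.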
In sum, InfoSec is still a great area, and, in my opinion, will continue to be for the foreseeable future.