10 Habits of Highly Effective Security Vendors #1-3
In observance of the hallowed RSA conference going on this month at the Moscone Center in San Francisco, I have crafted some blog entries covering my thoughts on the industry, the market space and the state of affairs in identity security technology. My previous blog explored what it means to be a security vendor or purveyor in the current marketplace. This installment covers what I believe to be the first three of ten top habits of highly effective security providers and their solutions.
HABIT #1: Solve the problem, don't just sell a solution.
Twitter doesn't have to advertise. YouTube does not need to hammer users about why their video codecs are better, or not. But everyone still beats a path to their doors. Why? Because they solve problems - they don't sell solutions. You are always tainted when you have to sell your solution - so be extra vigilant that your solution actually does what it says on the tin as well as solves the customers' problems. If so, they will sell it for you. Sell them a security solution that you'd want to buy. Sell them one they'd get anyway - even if it were free - because its effectiveness is inevitable and incontrovertible. Rethink security as a product.
In case you want to argue with me that Apple still markets and sells their wares - and people clamor to get them - as some sort of causal relationship, I say - whatever. It's Apple. You go figure out how to be the "Apple of security" and I'll send you my resume.
HABIT #2: Stop relying on the user for their security. Nice to meet you (for the first time)!
Reality check: in the modern, social, mobile and long-tail Internet world, chances are your customers will never have met their users before they enter into the first transaction or session with them. These are not banks with branches or mail-order houses with catalog subscribers. Reality check #2: users are naive, and the sites or apps they use are often not much better at security. I don't mean that sentiment to be crass - what I mean is they are not "skilled in the art and science of self-protection when it comes to security, identity and general technology guile." Does that sound better? Either way, we must assume a lower degree of skill than our own (as security vendors) and no pre-relationship between our customers and their users. Why do so many security solutions rely on the user or the site so much? Dongles? Downloads? Tokens? Images? Secret questions? Password management? Come on.
The main failure point in most identity and security offerings is user choice. Educating the user helps, but not very much. Research has proven that identity solutions that rely solely upon user recognition, recall, or custody are simply flawed. Security is like a symphony - just one note can sour an otherwise perfectly executed piece of complex music. Password01 simply becomes password02 when you bother or force users to change it. Relying on the user for security is like putting a championship-winning coach in the Super Bowl and asking him to pick 12 random people from the stadium crowd to suit up, take the field and execute his well-thought-out plays against a real professional team (hackers). Fans are not players. Equipment does not equal talent. Knowledge is not the same as skill.
Identity solutions need to "include" or "involve" the user (as well as the site) but not rely solely upon them as a single point of failure in the chain. The traditional shared-secret or 50/50 security puzzle between site and user needs to be reinvented.
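The "Password01 becomes password02" failure described above is one a site can at least detect at change time, when the user supplies both the current and the new password. What follows is an added example, not code from the original post: a similarity check that reduces both passwords to a normalised core (case folded, leading and trailing digits and punctuation stripped, common leet substitutions undone) and rejects a new password that is only a trivial edit of the old one. The normalisation rules, the `LEET` substitution table, the substring test and the `min_distance` threshold of three edits are all assumptions chosen for this demo, not a standard.

```python
"""Reject "rotated" passwords that are only a trivial edit of the old one.

Added illustration, not code from the original post. The normalisation
rules and the edit-distance threshold below are assumptions for the demo;
tune them to your own policy.
"""
import re
from typing import Tuple

# Common single-character substitutions users make to satisfy complexity
# rules (assumed table; extend as your own password-change logs suggest).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Reduce a password to its 'core': lower-case it, drop leading and
    trailing digits/punctuation, then undo common leet substitutions."""
    core = pw.lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", core)
    return core.translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def rotation_verdict(old: str, new: str, min_distance: int = 3) -> Tuple[bool, str]:
    """Return (accepted, reason). The new password is rejected when its
    normalised core is identical to, contained in, or within `min_distance`
    edits of the current password's core."""
    if old == new:
        return False, "identical to current password"
    old_core, new_core = normalize(old), normalize(new)
    if not new_core:
        return False, "password is only digits/punctuation"
    if old_core == new_core:
        return False, "differs from current password only by digits, case or punctuation"
    if old_core in new_core or new_core in old_core:
        return False, "current password is a substring of the new one (or vice versa)"
    if levenshtein(old_core, new_core) < min_distance:
        return False, f"fewer than {min_distance} character edits from current password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample change requests, not real credentials.
    for old, new in [("Password01", "password02"),
                     ("Password01", "P@ssw0rd2024!"),
                     ("Summer2023", "Summers24"),
                     ("Password01", "correct horse battery")]:
        print(f"{old!r} -> {new!r}: {rotation_verdict(old, new)}")
```

The check is only possible against the current password, because the user types it in during the change; stored hashes cannot be compared for similarity, so a history of earlier passwords can only be checked for exact reuse. It blunts the worst outcome of forced rotation, but it does not remove the underlying reliance on user choice that this habit argues against.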
HABIT #3: Get out of the browser business. Seriously.
The users deserve something stronger, the hackers are smarter, and we can do better. Moving on.
Stay tuned for habits #4-6 in the next installment...