The traditional approach for security startups is to target line items in enterprise security budgets. This has resulted mostly in “next generation” versions of technology that is 25 years old, or UTM-ish consolidation of multiple technologies that are 25 years old. That is all fine and good, but it has been decades since security has offered much that is truly disruptive. Many disruptive technologies first found traction in consumer markets before experienced users brought them over to enterprise markets, such as wireless networking (Netgear), social communications (Facebook and Twitter), IP telephony (Skype), e-commerce (Amazon), and handheld-based portable applications (Apple). Market disruptions have become a common occurrence in high technology, with the singular exception of security. Perhaps the more effective approach to disrupting incumbent vendors is to deliver security functionality that your children can use, based on a completely new, modern business model, and let the next generation of users bring the new capability into the business world.
It is unreasonable to expect that home users can keep endpoint anti-virus up to date, apply patches, upgrade application software, back up sensitive data, and manage passwords. While it is expensive for IT to perform these tasks, companies have the resources to pay to get these jobs done. Focusing on consumer security can force solutions that are incredibly convenient to use and administer, with a business model that would be unkind to large vendors. For instance, instead of making it easier to apply security updates, what if the cloud transparently provided the virtual patch? Microsoft and Trend Micro are two large vendors that are well positioned to change the home security game, with Citrix and VMware not far behind.
The time is right for new ideas. Virtualization and the ever-present cloud mean that security vendors can directly reach customers and can transform themselves into security service providers. I don’t know what started me on this mini-rant. Maybe it was seeing IBM research that showed security organizations significantly more interested in business assurance than in business productivity or expense reduction. It seems to me that the answers to the next wave of security enlightenment are not going to come from host-based software solutions targeting enterprise IT, but are going to evolve from a groundswell of consumers who introduce a new way of doing security for the enterprise. This may be a more rational approach for new security vendors than trying to drag risk-averse IT kicking and screaming into the cloud.