by Michael S. Mimoso
CAMBRIDGE, MA. — On the same day consolidation hit the security information and event management market hard, a group of influential industry leaders was busy talking innovation and telling the entrepreneurs in the room to pick up the pace and bring new products to market that address current threats and adversaries.
Too many great ideas, several speakers said at the SINET Innovation Summit held Tuesday at MIT, smash headfirst into significant roadblocks. Regulators, lawmakers and academia share equal blame in putting the brakes on innovation in security, they said. In the meantime, attackers continue to win the cat-and-mouse game with defense contractors, government agencies and large enterprises, and innovate at light speed, faster than those tasked with defending corporate data, trade secrets and national security.
“[The industry] needs guidance to move ideas to a point where they can be seriously considered in terms of commercialization,” said Paul Barford, chief scientist at Qualys, Inc., and computer science professor at the University of Wisconsin. “For startups, there is a huge gap between developing a security idea and actually moving it into practice.”
Barford pointed a harsh finger at academia.
“Processes in academia stifle innovation,” he said. “Tenure stifles innovation! With tenure, you have to publish, and getting published is accomplished by adding another brick to the foundation of your particular domain. All of these little bricks end up being narrow ideas, and not the big jump in innovations we need to solve today’s security problems.”
Despite the fact that big tech companies such as IBM, and even large security firms such as McAfee, continue to consolidate the security industry, as they did on Monday in scooping up Q1 Labs and Nitro Security, respectively, smaller companies remain capable of innovating. Heartland Payment Systems CTO Kris Herrin explained how his company reached out to Voltage Security and partnered on an encryption solution following the 2008 breach at the payment provider. Heartland purposely went with a smaller partner and fostered a relationship that required a lot of handshakes and understanding to get past some ambiguities to solve a problem.
“After the breach, we had to reach out to other innovators,” Herrin said. “The risk element involved is about both parties understanding there will be ambiguity and the lawyers can’t shore it up. Where you run into problems is when a partner shores everything up tight and isn’t comfortable with the same level of risk.”
Larger IT organizations, such as Lockheed Martin, have formalized their efforts to seek out innovative security technologies to partner with and invest in. Lockheed VP and CTO Haden Land explained how the defense contractor has built cybersecurity labs in the U.S., U.K., and Australia to foster the development of security tools. An emerging technology fund has also been established in-house and is used for minority investments in startups with unique capabilities, Land said. Then there are collaborative efforts with large enterprises in other industries to meet annually with venture capital firms seeking funding in a handful of companies.
“These are good venues to connect and provide guidance,” Land said.
A Twitter debate on security investments
... but an overblown statement needs to be defended." "Conventional wisdom is on my side UNLESS you are in the small minority that had your budget cut in past 10 years. Or you are one of those InfoSec guys who think that nothing is ever enough?"