As security startups heat up, a reminder that security is not a product or service: it’s a value

In the past thirty days alone, just counting the security funding stories I’ve personally covered, over $192 million has been pumped into security startups. Needless to say, security is hot right now and investors are betting that these new startups are not only going to be the ones responsible for protecting users and enterprises in the web, but they also might generate a buck or two or a billion.
But how can we really be certain that these new security startups are going to prevent future calamities? While their technology looks promising as online threats continue to grow and evolve, remember noted security expert and author Bruce Schneier’s famous saying: “Security is a process, not a product.”
You can be a company that has the latest and greatest security service (or multiple services) set up but if your company doesn’t have security as a key aspect of its culture — from the beginning of the development process to how you run your operations departments — you’re going to find that even the most powerful security tool isn’t going to protect you. When you don’t practice proper security protocols — and that includes tedious work like making sure your server operating systems are up-to-date (sorry, I know that’s a drag), doing basic configuration management and quality assurance and performing security testing throughout development — there’s going to be a lot of holes in your system that even the best security blanket won’t be able to completely cover.
With enterprises still in the early days of cloud adoption, it makes sense that a lot of security startups are getting into the action by developing products and services that cater to the enterprises that want to head to the cloud. FortyCloud, for example, recently released what is essentially a modern-day firewall for companies that have cloud infrastructure and an offering by Okta, which took in $75 million last month, is basically an identity management system hosted in the cloud.

Security is a mindset, not a product

It’s great that there are more and more products in the marketplace that deal with the changing world of computing, but what these services don’t do is address the core aspect of how a company deals with a security breach. Even if you have a service that warns you of potential problems, you need to be able to jump out of your seat at a given notice and take care of business when things go down; and I believe this state of mind comes from having security embedded in your company’s culture. As Gap infrastructure architecture senior director Jeffery Padgett said at Structure regarding Target’s (S TGT) hacking debacle, “Target had this information available to them but weren’t acting on it.”
No one (except a few of the security companies themselves, of course) will benefit from a world in which online retailers or cloud services companies think they can save time and hassles associated with implementing proper security measures because they could always bust out the checkbook for a security startup’s products and services (or maybe the startup itself) to erect a moat around their businesses or patch things up if something breaks. It’s important to note that these security services are not analogous to cleaning services; a security breach is not like the aftermath of a great party, where a few hired hands the next day can make your castle shiny again until the next time you have people over.
I have also been told by several industry experts that there are many startups in this day and age that skimp on testing — where software bugs and potential security holes can be discovered — in an effort to get their products out to market faster than ever. We live in an agile world, as they all say.
Even newish companies that tout how good they are at practicing devops still seem to be in the dark when it comes to instituting security practices in their development process, as Jody Brazil, founder and CTO of FireMon, wrote in a blog post in March: “It is interesting to note that in almost no definition of devops is the security process discussed as a key element.”

Sometimes fear, uncertainty, and doubt are real emotions

The security industry is notorious for amplifying new threats and using scare tactics associated with emerging technologies to sell software, but you’re not being paranoid if someone is really out to get you. There are still plenty of criminals, and as technology changes rapidly security tools that were once useful are not necessarily so. That means we need some new innovation to deal with today’s problems, and that’s a legitimate business opportunity.
Consider the following key findings from a recent Gigaom Research report by Keren Elazari:

Technologies that were once the building blocks of IT security, such as traditional defense perimeter protections and end point antivirus solutions, are slowly losing relevance, as they are no longer effective in stopping data breaches or even employee misuse of corporate information.

I just want to point out that it’s probably not a good idea to think all you have to do is buy a new security product, get it up and running and sit back in your new supposed fortress. Think about it: yesterday’s era of antivirus software is apparently not all that effective in today’s age. With how much technology is advancing, who’s to say that this new era of security services won’t be antiquated in a few more years as hackers figure these new tools out?
If you drive a motorcycle and you buy the best helmet the market has to offer, but your reckless driving causes you to crash, that helmet may save your brain but you’ll still probably wind up worse off than if you didn’t drive carelessly in the first place. I’m also willing to bet the same thing could be said of security.

Post and thumbnail images courtesy of Shutterstock user TZIDO SUN.