> 10/ cybersecurity budgets will explode in 2015 as every company, institution, and government attempts to avoid being Sony’d. VCs will pour money into this sector in the same way they poured money into the rental economy. and, yet, the hacks will continue because on the open internet there is no such thing as an impenetrable system.
This seems misinformed. You don't need perfect security to avoid getting hacked. And perfect security is, actually, an attainable goal if you care to work towards it and take heed of current research (see, for example: http://research.microsoft.com/en-us/projects/ironclad/).
Is Fred trying to say that all the money spent on security will be wasted? I could agree with that. IMHO security is a classic case of a lemon market where buyers are unable to determine the security properties/utility of wares before purchase. Buyer sophistication is low and nearly all are beholden to marketing (the same is largely true of VCs choosing investments!).
Or maybe Fred is saying that it will take years for security investments to pay off. I agree with this too. "It can't/won't happen to us" is still a pervasive attitude, even in 2014, and it generally takes a major incident at each and every company to 1) wake them up, 2) inform them about what works and what is snake oil, and 3) drive adoption of new tech. (Related problem: convincing management to divest themselves of old, broken tech that never worked in the first place to free up budgets.)
People talk about the talent gap in security a lot, so we try to train more experts in this field. But the same gap is present elsewhere: I have yet to see many VCs with a sophisticated understanding of security. I'm not sure where they could learn if they wanted to. If I had to predict something, it's that new-money security experts from companies with acquisitions/IPOs in 2014 start funding security tech that actually works. In the meantime, DARPA continues to lead: http://www.darpa.mil/Our_Work/I2O/Programs/
He's not saying it's a market for lemons, though it is. He's saying that even when big companies select the best vendors, the end results aren't meaningfully different.
For a Fortune 500 enterprise, retaining the very best firms in the world and selecting the very most secure products does not foreclose on Sony-style outcomes. To accomplish that, enterprises need to rewire their entire internal IT processes to orient themselves towards security. Nobody does that, for the same reason that most modern software isn't built with processes (immutability, strong typing, pattern matching) that foreclose on bugs.
There's a benefit to selecting security expertise carefully. But that benefit isn't "insurance against the Sony outcome".
I'm unaware of a VC that's intelligent about security, but the expectation that they would have any security domain expertise misconstrues the job of a VC; it's a little bit like thinking that an energy options trader would have a significant understanding of mechanical engineering principles. It's much more important that they know how to evaluate addressable market size, go-to-market plans, and sales management.