Is security vendor lock-in harming the industry?

By Darren Pauli on Nov 28, 2011 11:25 AM
Filed under Security

Schneier: Vendors in a race to the bottom.

The information security industry is losing out from a war between vendors, according to Bruce Schneier.

BT’s chief security officer, also a renowned cryptographer and security commentator, said expensive and well-designed security products were being killed off by dud “lemon” copycat technologies.

Others had revenue sapped by “parasites” that produce initially inferior but much cheaper products.

In this war of vendors, customers were being forced into lock-in environments in which the cost of switching to a competitor was designed to be exorbitant.

“If you drink a Coke today, you can drink a Pepsi tomorrow - the cost [of switching] is zero,” Schneier said, adding that by comparison swapping security solutions can be expensive.

Citing a US economist, he said the “net present value of an IT company equals its switching costs”.

He added that the “higher your switching cost is, the less you need to care about customers”.

Tenable Security chief security officer Marcus Ranum said he would love to get rid of his Windows machines but can’t justify replacing about $3000 worth of kit invested in the platform, including 8TB of photos stored on a Windows formatted drive.

He said switching costs will become onerous in cloud computing if customers need to buy additional services and later choose to move to another provider.

“Organisations are doing incredibly dumb things – they are moving all of their stuff out to Amazon and then firing the guy in house who manages the RAID array.”

Meanwhile US Government agencies had lost their most “technically savvy staff” to lucrative contract work.

“The people left in the US Government just know how to run PowerPoint and write proposals for contractors,” Ranum said. “How do you come back from that?”

Ranum takes an all-in approach to cloud computing: Organisations willing to commit can make savings and gain leverage if they outsource sales, human resources and the IT shop.

But those that “think they will continue business using cloud computing as they do it now will find they still have the burden of an IT department – but one that will suck”, he told SC.