Roy Pereira
  Home   About   Blog   Links   Favourites  

Categories:

blogging california canada cisco dot.com drm energy entrepreneur facebook funding google halfdome hiking hiring leadership marketing media presentations recruiters refresh security social start-up stock-options

Navigation:

i

Adoption Lifecycle in the Security Industry

Date: 2005-03-25 | Tags: marketing, security Bookmark: Digg Facebook Technorati Del.icio.us! Slashdot Yahoo! Reddit! StumbleUpon!
I was once approached by a Scandenavian startup trying to push their new streaming cipher encryption algorithm. I mention this because it highlights a perculiar attribute of the security industry. Its adoption cycle is not based on the market's demand of a new innovation, but simply on the government's mandating.

That makes it hard to make real revenue in this industry if you are trying to innovate and create new opportunities unless you remember who starts the adoption cycle; the feds and only the feds. This makes for a very slow adoption cycle and one that does not often change and any security startup, and their investors, need to understand this.

Luckily, we are at a rare point in time where some of the base security technologies are in flux and being modernized. DES (data encryption standard) has now almost been completed replaced by AES (advanced encryption standard). This was spearheaded by the infamous NSA (National Security Agency) in the US. The once secret federal agency now regularly advises other federal departments as well as industry groups on how security should be done.

I remember when AES was picked as the replacement for DES and how no one thought that we would ever actually replace DES from our products. The problem was that none of our customers had even heard about AES and they really didn't know enough about the issues facing DES to ask for its replacement.

Slowly, demand for AES was created. First in the federal government (who in turn were being mandated by the NSA to move to AES), then in industries that are closely tied to the federal government. Financial organizations quickly followed because of federal regulations as did the large Enterprises a few years after.

The spark that lit the fire was federal regulations and not the fact that AES is faster and much stronger than DES. Regardless of how many security engineers wanted to kill off DES from their products, the customers always had the last say (at least in successful companies).

Now, like AES before it, ECC looks like it will be mandated by the US federal government to perform public key operations (key generation/transport) for use with their AES 256 bit implementations. This should follow on the footsteps of AES adoption, unless intelectual property concerns slow it down and derail it.

But don't look for the mass market to run out and ask their vendors for ECC support in products. You will get early adopters adding it because 'it is better' (kind of like betamax), but until it is mandated and its adoption starts to trickle down from government agencies to financial organizations to enterprises, dont expect to hear customer demands for it.
[ Edit | New ]