by dsacco
4170 days ago
Yep. Information security is a nonalgorithmic problem. Much as people might like to disagree or pretend otherwise, it is fundamentally at odds with a service that can scale to meet the needs of clientele in an automated manner. The most successful companies in that space are consultancies that can deliver personalized results to every client on every engagement, and while they are very successful, they will never be what venture capitalists want. It feels good to try and form a business model on prevalent security themes like, "Think like an attacker" and "How do we develop preventative measures before we get hacked?" but that doesn't actually stop incidents from happening. There's no perfect security, just good enough security based on what a company can invest and how much risk it wants to manage. This is something I've found most startup folks are really resistant to, because it means that they can't commercialize security services in the same way you can commercialize web hosting. That's understandably upsetting to them, when you see how trendy security has become in the media, and how successful a company could become by capitalizing on it. I think the section any VC or investor has on security potential is going to remain naive for a long time. Semantic desires like "I don't want my mail to be read by other people" simply don't map very well to purely mathematical operations encapsulating privacy and security in software. Organizing security vulnerabilities into neat taxonomies makes security folks sleep well at night and gives the appearance of an ordered checklist you can build a product on, but in practice that's never the case. Personally, I don't think security should be the sole product or service anyone tries to base a startup on. I am really excited about virtual reality and machine learning companies, however. I'd really love to see some hard innovations and improvements in that space. It'd be nice to have more hardware companies in general.
As mentioned elsewhere in this thread, it's a very complex problem involving operational, economic, and technical factors, suggesting (as others have mentioned) it's not something that really can be "sold". Watching bugtraq for a while, I saw a lot of pure tech exploits (buffer overflows, SQL injection, other silly things like that) but also quite a lot of misconfiguration -- insecure passwords, lack of an enforced password policy, employees leaving the company without revocation of their credentials, etc.
Maybe a good commercial opportunity would be policy compliance checking tools. Imagine a simple policy like "the corporate network should not be accessible from the outside world". Would it be possible to check all firewalls/routers/NATs/etc. for compliance with this policy?
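The compliance check asked about in the comment above, written out as an added example that is not part of this thread: a first-match, default-deny rule set in a constructed, simplified text syntax, a single assumed corporate range (10.0.0.0/8, an assumption; real checks would load it from inventory), and the policy "no source outside the corporate network may reach it". The rule set at the bottom is constructed for illustration.

```python
"""Firewall policy compliance checker (constructed example).

Policy: the corporate network must not be reachable from the outside world.
Rules are evaluated first-match with a default deny, in a simplified syntax:
    <allow|deny> <src_cidr> -> <dst_cidr> <tcp_port|any>   # optional comment
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed corporate address space (an assumption for this example).
CORP_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]          # None means any port


def parse_rule(line: str) -> Rule:
    """Parse one rule line; raises ValueError on malformed input."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->" or parts[0] not in ("allow", "deny"):
        raise ValueError(f"malformed rule: {line!r}")
    port = None if parts[4] == "any" else int(parts[4])
    return Rule(parts[0], ipaddress.ip_network(parts[1]),
                ipaddress.ip_network(parts[3]), port)


def parse_ruleset(text: str) -> list[Rule]:
    """Parse a whole rule file, dropping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and (outer.port is None or outer.port == inner.port))


def exposure(rule: Rule) -> Optional[Rule]:
    """The part of an allow rule that lets a non-corporate source reach CORP_NET,
    or None if there is no such part."""
    if rule.action != "allow":
        return None
    if not rule.dst.overlaps(CORP_NET) or rule.src.subnet_of(CORP_NET):
        return None
    # Overlapping CIDRs nest, so the reachable corporate part is the smaller one.
    dst_in_corp = CORP_NET if CORP_NET.subnet_of(rule.dst) else rule.dst
    return Rule("allow", rule.src, dst_in_corp, rule.port)


def violations(rules: list[Rule]) -> list[tuple[int, Rule]]:
    """Return (1-based rule number, rule) for every allow rule that exposes
    CORP_NET and is not fully shadowed by a single earlier deny.
    Partial shadowing (several denies that together cover the exposure) is
    reported as a violation, so the check errs toward reporting."""
    found = []
    for i, rule in enumerate(rules):
        exposed = exposure(rule)
        if exposed is None:
            continue
        shadowed = any(r.action == "deny" and covers(r, exposed) for r in rules[:i])
        if not shadowed:
            found.append((i + 1, rule))
    return found


# Constructed rule set; not from any real device.
RULES = """
deny  0.0.0.0/0      -> 10.0.0.0/8    22    # block SSH from anywhere
allow 10.0.0.0/8     -> 10.0.0.0/8    any   # internal traffic
allow 0.0.0.0/0      -> 10.0.5.5/32   443   # public web server: needs an exception
allow 203.0.113.0/24 -> 10.0.0.0/8    22    # partner SSH: shadowed by rule 1
allow 0.0.0.0/0      -> 0.0.0.0/0     any   # catch-all allow
"""

if __name__ == "__main__":
    for num, rule in violations(parse_ruleset(RULES)):
        print(f"rule {num} violates policy: {rule}")
```

Rules 3 and 5 are reported; rule 4 is not, because the earlier deny on port 22 covers it entirely under first-match semantics. Whether rule 3 is a violation or a sanctioned exception (a public web server inside the corporate range) is exactly the kind of decision the thread says cannot be automated away; the tool can only surface it.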