
By Phil Libin
Posted on ZDNet News: Apr 5, 2004 5:34:00 PM

COMMENTARY--Security, like other vaguely defined segments stalked by industry analysts, is subjected to cyclical patterns of fashion and scorn. Are we in a security-fueled investment bubble, or are organizations still sitting on their IT wallets? Much of the answer depends on your assumptions and definitions.

In his now (in)famous January 2000 essay, "Terror Versus Security", Salman Rushdie offers a working definition: "Security is, after all, the art of making sure certain things don't happen: a thankless task, because when they don't happen, there will always be someone to say the security was excessive and unnecessary."

This and other pieces are republished in Rushdie's book, "Step Across This Line: Collected Nonfiction 1992-2002." Mr. Rushdie is something of an unwitting expert on security matters, at least at the receiving end. While his insights are keen, this definition is part of the problem.

If you think of security in purely negative and restrictive terms--preventing attacks, denying access--it's hard to be optimistic about the industry. After all, restrictive security places a burden on the many legitimate transactions in an attempt to prevent the few unauthorized ones.

This is practically a Sisyphean undertaking. Too much restrictive security and the economy grinds to a halt while people proclaim that "the terrorists have already won". Too little and you're accused of being negligent. Rushdie's punch line is that any security you decide on is by definition the wrong amount. What fun.

However, there's a different way to look at the industry. Instead of thinking about security as just negative and restrictive, think of it as active and enabling. Active security is not just about stopping the bad guys; it's about making the normal lives of the good guys better. Instead of just intercepting a few illegal transactions, active security aims to make the vast majority of legal transactions faster and more efficient.

There are new security technologies that allow people to do more and to do it quicker. Think of ATM machines, trusted traveler documents and digitally signed mortgage forms. All of these applications make life easier for legal users and, by extension, make it easy to catch the illegal ones. Also, since active security deployments focus on speeding legitimate transactions, they can have a net positive effect on the economy. The more active security you have, the more it pays for itself. This is the exact opposite of the negative feedback cycle of restrictive security economics.

A great example of a large active security program is the Common Access Card (CAC--bad name, different topic) of the U.S. Department of Defense.

The CAC is a smart card issued to every member of the DoD and is intended to be used for many applications including logical and physical access, secure e-mail, document signing and payments. These are applications that people want and that were largely unavailable before the CAC program. Of course the system is built on cryptographically strong technology, so even though people will use their cards for convenience, they'll be getting security.

Towards the end of his essay, Salman Rushdie adds a cautionary note: "In the past, security didn't save President Reagan, or the pope. Luck did that. So we need to understand that even maximum security guarantees nobody's safety."

Certainly this conclusion is correct. Security isn't about guaranteeing absolute safety. It's about letting people undertake both important and pedestrian actions with a reasonable expectation of a speedy, safe and correct outcome.

It's easy to make a case for security if you get the definition right.

biography
Phil Libin is president of CoreStreet. Check out his blog at http://www.vastlyimportant.com/.


  • Talkback
  • Most Recent of 8 Talkback(s)
Your request to ZDNET....
Are you sure it's in line with our purpose of security? Both 1 and 2? And what would be moderated? Moderated feedback can soon turn into propaganda while squelching different ideas. I like the community that's here now. Reminds me of "The Burbs"....
Posted by: bjbrock Posted on: 04/14/04