Baking In Security
Do you think that vendors should be doing a better job of baking security into the products as opposed to security being a separate industry? Take EMC, for example, we are building our encryption technology into our PowerPath storage management software. So it will come with the software. If you want to encrypt your disk and storage arrays you'll be able to do that. We're also doing something ... for tape, we've got partnerships with Cisco [Systems] that we're developing and with Brocade to do encryption in the SAN [storage area network] switch itself and things like data loss prevention technology where we have discovery and classification technologies for finding out what your critical and most confidential information is.Some people say the security industry is dead because of that, or that it is going to die. Do you agree with that? Well, there'll always be a requirement for security applications, but those applications will get embedded into the infrastructure. So it's not like security technology is going to go away, or security people are going to go away, but all of this stuff needs to be automated and worked more cost-effectively within the environment itself. Another thing that I didn't talk about in the keynote but in other research we have seen is that the percentage of spending on security products and services as a percentage of overall IT spending was 1.5 percent in 2001. By 2006, on a much higher IT spending number, that percentage had grown to 3 percent, and at its current trajectory, that percentage will be 5 percent by the end of next year. And generally, I'll ask an audience, do you feel safer in 2008 than you did in 2001, and they'll say no. So here we are spending more and more as a percentage of our IT spend, and we're not necessarily feeling any safer. So what's wrong with this picture? It's because we keep doing security reactively, we keep trying to bolt on security after the initiative has been started, and as a result, we're a day late and a dollar short. We're solving yesterday's problems and it's costing more and more to do it. From RSA/EMC's perspective, what are some of the ways you guys see this playing out, and how does this affect your road map? Well, I think for the foreseeable future we'll still have a lot of stand-alone product, but what you'll see is our professional services practice getting more and more absorbed into EMC's business risk practice, which is more broad-based than just security. You'll see things like discovery classification not only being used in security applications but also being used across the entire enterprise. You'll see things like virtualization be more and more of a factor in IT infrastructure, and you'll see things like, and we're already doing this, SecurID is already qualified for virtual desktop applications. So if you want to download a virtual image of your desktop you can authenticate to get that virtual image with SecurID. We have that qualified with VMware software. You see what I mean? I don't know if you remember that Prego spaghetti commercial about the ingredients-'It's in there'? It will just be there.
Well, that same discovery/classification engine can be used in a content management space for things like legal discovery. So you can repurpose these technologies and have them [be] infrastructure. This isn't one of those things that it's going to happen overnight, but over time. Even stand-alone security applications are going to need to get more and more absorbed into the infrastructure.