OK, I got a catchy headline, now what? 🙂 This is another philosophical post about the fate of our beloved domain of cyber.
Specifically, we all remember Dan Geer’s classic quote “Internet security is quite possibly the most intellectually challenging profession on the planet” and most of us doing security read it optimistically (as in “oh yeah, we are pretty damn smart!”)
However, many IT leaders and more senior managers read the same line pessimistically, it seems. They read it as “oh no, security is too hard for us to do” and “security products are too hard for us to use”, which are one step away from the hopeless “we’ll get hacked anyway, whether we do anything or not.”
So, if you recall my post about SIEM futures, I alluded that “SIEM is too hard for many organizations” and they see the answer in either outsourcing (->MDR) or automating (->UEBA). Succeeded with either involves copious amounts of luck, to be sure….
But what if I told you that we are starting to see the same trend for many other security product categories!? For example, we see many EDR deployment fail, and then eventually saved by the managed EDR (a type of MDR) services. One EDR provider (selling tools) essentially became a near-exclusively managed EDR (a sub-type of MDR) provider (selling services with their tools).
This may mean that we are approaching “peak security product” as there are a/ not enough people to use the products and, worse, b/ there are not enough skilled people to use the products that require skilled people. In light of this, I take a VERY (and I mean … VERY!) dim view of many recent security startups. Guys, rethink software/SaaS/appliance selling! There is nobody to use your stuff out there in the real world….
To finalize, I think a revolution is coming. The revolution that will sweep away many security products and replace them with “product-service fusions” where you pay one amount for using the tools together with ongoing help with their operation. Today, the best examples of this trend are various MDRs (including managed EDRs), co-managed SIEM shops and other product vendors that offer tools-with-services.
Notably, this revolution may or may not mean that MSSP are out to make a killing. Many MSSPs are hopelessly stuck in the past, addressing the late 1990s demands like firewall rule changes and super-basic-bordering-on-fake event monitoring (“today only! deep insight from IDS logs! no other data required!”). I think MDRs and smart product vendors will win this one….