Infosec: Where’s our “Long Tail”?

Chris Anderson popularized the concept of the “Long Tail” in his 2006 book “The Long Tail: Why the Future of Business is Selling Less of More”. In a nutshell, this concept means that there’s a statistical distribution of products, services, and so on, meaning most people or populations tend to gravitate to the 80% of whatever is available. The “long tail” concept illustrates the subtle, often overlooked 20% market that tends to be more niche. For example, using one of Anderson’s case studies, Amazon sells a number of products that are popular across all buyers. Think hit movies, popular books, new gadgets, etc. However, there’s a smaller subset of customers that like incredibly unusual products that most don’t consider. This doesn’t mean they’re not profitable – far from it. That group of people that love 1950s comic strips about hilarious talking farm animals will be incredibly loyal and devoted to the company that can provide them with goods in their space.

What does this have to do with infosec? My thoughts – we are really lacking a proper “long tail”. RSA is coming up soon – what will we see that points to real innovation in the space? I always tell people that I spend the majority of my time on the show floor at RSA roaming among the smallest, least flashy booths. The reason is that I’m always searching for that next trend or innovator that is doing something new or original. In a few cases, I’ve been rewarded – last year I saw a lot of “cloud” startups that were peddling Identity and Access Management (IAM) solutions. This space has a lot of growth, based on what we’ve seen in the last year. More often than not, though, you see a rallying cry of buzzwords. DLP!!! Cloud <insert term here>!!! And we all, of course, make fun of this with our usual, lovable snark. But snark only goes so far. At some point, we have to take a long, hard look at what we’re doing in security, and whether it’s working. Based on the breaches of the past 10 years, I think it’s safe to say that we’re not winning. Hell, I don’t even know that we’re SOLVING any problems, really.

Folks, we NEED a long tail. We need those organizations that are desperate to find unusual, different solutions that are not available at all right now. And we need small startups to provide them. Peter Kuper, a super-smart guy at In-Q-Tel who I love watching present, often gives talks about the lack of innovation and VC investment in security. His talks are amusing…and depressing. But we need that focus. One of our fellow security wonks in the space argued to me a few years ago that he was “really innovating” now that he was working at one of the biggest vendors. Bullshit. Big vendors typically buy their way to innovation. The question is – who are they buying? I encourage you all to pay attention to those tiny little booths in the dark corners of the Moscone Exhibit Hall at RSA 2012. And pray you see more of them.