Infosec: Where is Our “Long Tail”?

Monday, February 20, 2012

Dave Shackleford


Chris Anderson popularized the concept of the “Long Tail” in his 2006 book “The Long Tail: Why the Future of Business is Selling Less of More”.

In a nutshell, the concept describes a statistical distribution of products, services, and so on: most people or populations tend to gravitate to the 80% of whatever is available.

The “long tail” concept illustrates the subtle, often overlooked 20% market that tends to be more niche.

For example, using one of Anderson’s case studies, Amazon sells a number of products that are popular across all buyers.

Think hit movies, popular books, new gadgets, etc.

However, there’s a smaller subset of customers that like incredibly unusual products that most don’t consider. This doesn’t mean they’re not profitable – far from it. That group of people who love 1950s comic strips about hilarious talking farm animals will be incredibly loyal and devoted to the company that can provide them with goods in their space.

What does this have to do with infosec? My thoughts – we are really lacking a proper “long tail”. RSA is coming up soon – what will we see that points to real innovation in the space? I always tell people that I spend the majority of my time on the show floor at RSA roaming among the smallest, least flashy booths.

The reason is that I’m always searching for that next trend or innovator that is doing something new or original. In a few cases, I’ve been rewarded – last year I saw a lot of “cloud” startups that were peddling Identity and Access Management (IAM) solutions.

This space has a lot of growth, based on what we’ve seen in the last year. More often than not, though, what you see is a rallying cry of buzzwords. DLP!!! Cloud!!! And we all, of course, make fun of this with our usual, lovable snark. But snark only goes so far.

At some point, we have to take a long, hard look at what we’re doing in security, and whether it’s working. Based on the breaches of the past 10 years, I think it’s safe to say that we’re not winning. Hell, I don’t even know that we’re SOLVING any problems, really.

Folks, we NEED a long tail. We need those organizations that are desperate to find unusual, different solutions that are not available at all right now. And we need small startups to provide them. Peter Kuper, a super-smart guy at In-Q-Tel who I love watching present, often gives talks about the lack of innovation and VC investment in security.

His talks are amusing… and depressing. But we need that focus. One of our fellow security wonks in the space argued to me a few years ago that he was “really innovating” now that he was working at one of the biggest vendors. Bullshit. Big vendors typically buy their way to innovation.

The question is – who are they buying? I encourage you all to pay attention to those tiny little booths in the dark corners of the Moscone Exhibit Hall at RSA 2012. And pray you see more of them.

Cross-posted from ShackF00

Don Turnblade: Small Innovators:

First, we are avoiding VCs using organic growth to fund our R&D and this says something dark about VCs in the small business space.

Second, we are building out suites of security products for a space that is completely missed.

Do you realize that the business case for Information Assurance technical security practices is a wasteland of undelivered work?

To illustrate: Security Scanner: "We have 5 High findings on our server."

Question 1: If this network had more than 200,000 systems in it, this High is not unusual and would fit inside a world class network. So, is this finding even bad?

Question 2: What is the cost of fixing it compared to the cost of the risk exposure of waiting 3 months? Do you know? Do you even have the tools that gave you a hope of ever finding out?

Question 3: Do you even know what the process flaws are, as a fact on the ground? Am I so focused on an un-actionable metric that I have no idea why InfoSec in my firm is a Royal CF?

Last: we will be at RSA. Visit a talk by Hoyt Kesterson. He is not a lawyer, but is certified by the American Bar Association, an unusual technical/legal bridge.

If you are not a CEO, CFO, CIO, CISO, it is not likely you will even want to see our booth at RSA. So, we come to them.

Just for public interest. What if I could prove that you really should not use the oversimplified Risk * Impact formula for Risk Exposure? And, you really should almost never use it if you use "High", "Medium" or "Low" as your inputs.

A Think Piece about risk exposure.


"Ahh, you see it all and know what to do! No?"

10 Million US dollars/yr

"Ahh, you see it all and know what to do! Not Yet?"

10 Million US Dollars/yr +/- 1 Billion US Dollars per year

"Confused? You should be." No risk exposure number, "10", tells you what you need to know.

You need to know what it means in concrete, cost effective terms and how uncertain you are about how likely it is to be true. Then, you need to know if the fix costs less than the problem.

But, can a scanner tell you that? Well, yes. But did anyone ever tell you how?

Don Turnblade: What does "Low" mean anyway? Does "Low" mean, "Never Fix This?" Does it mean "Will kill you 10 years from now?" Or does "Low" cost you 100 Million USD/yr but your firm makes 10 Billion USD/yr so it really costs less than 0.1% of Revenue and is trace compared to internal Employee Fraud?

What is Low? Maybe "Low" means that PCI DSS does not care about it for now.

But, is any of this what "Low" from a Scanner really means?
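The two comments above argue that multiplying ordinal "High/Medium/Low" labels gives a meaningless risk score, and that a point exposure figure without its uncertainty cannot tell you whether to fix now or wait. The following example is added here to make both points concrete; it is not code from the post or its commenters. The label scales, the likelihood and impact ranges, and the fix costs are constructed for illustration.

```python
"""Ordinal 'Risk * Impact' scores versus risk exposure carried as a range."""

# Two numeric encodings that both respect Low < Medium < High.
# Constructed for this example; a scanner's real mapping is just as arbitrary.
SCALE_A = {"Low": 1, "Medium": 2, "High": 3}
SCALE_B = {"Low": 1, "Medium": 2, "High": 10}


def rank_findings(findings, scale):
    """Rank (name, likelihood_label, impact_label) tuples by the ordinal
    product likelihood * impact. The result depends on the chosen scale,
    even though both scales agree on the ordering of the labels."""
    scored = {name: scale[lik] * scale[imp] for name, lik, imp in findings}
    return sorted(scored, key=scored.get, reverse=True)


def exposure_range(events_per_year, usd_per_event):
    """Annualized loss exposure as a (low, high) range in USD, computed from
    a likelihood range (events per year) and an impact range (USD per event).
    Keeping the range is what exposes the '10 Million +/- 1 Billion' problem."""
    (l_lo, l_hi), (i_lo, i_hi) = events_per_year, usd_per_event
    return (l_lo * i_lo, l_hi * i_hi)


def defer_decision(fix_cost_usd, exposure, delay_months):
    """Compare the cost of fixing now with the expected loss from waiting
    delay_months. Returns 'fix now', 'defer', or 'undecidable' when the
    uncertainty band straddles the fix cost, i.e. the data cannot answer."""
    lo, hi = exposure
    frac = delay_months / 12.0
    wait_lo, wait_hi = lo * frac, hi * frac
    if fix_cost_usd < wait_lo:
        return "fix now"
    if fix_cost_usd > wait_hi:
        return "defer"
    return "undecidable"


if __name__ == "__main__":
    # Same two findings, two scales, opposite rankings.
    findings = [("X", "High", "Low"), ("Y", "Medium", "Medium")]
    print(rank_findings(findings, SCALE_A))  # ['Y', 'X']
    print(rank_findings(findings, SCALE_B))  # ['X', 'Y']
    # A finding hit 0.5 to 2 times a year, costing 1M to 50M USD per event.
    exp = exposure_range((0.5, 2.0), (1e6, 5e7))
    print(exp)  # (500000.0, 100000000.0)
    for fix_cost in (1e5, 2e5, 3e7):
        print(fix_cost, defer_decision(fix_cost, exp, delay_months=3))
```

Only a fix cost that falls outside the three-month loss band yields a decision; the middle case shows why "10" alone is not actionable.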
