For Security Vendors, AI Brings New Twists to Old Narrative
This post is about cybersecurity, but I am going to begin proceedings with a relevant quote from a relatively obscure 1984 film called Flashpoint.
No, this Flashpoint is not the Canadian police procedural television series of the same name, which wrapped up more than a decade ago; nor is it the 1998 “adult film” that starred Jenna Jameson as, and I quote, “a horny firefighter;” nor am I referring to the 1990s Hong Kong action film Flash Point, which, at any rate, has a two-word title.
There have been many Flashpoints, cinematic and otherwise. Be that as it may, the 1984 version of Flashpoint is a decent film, abetted by an engaging Tangerine Dream soundtrack. The film had the potential to be much better if given a bigger budget and a little more restraint, especially toward the end.
In a key sequence in the film, a shadowy government fixer played by Kurtwood Larson Smith, whom some of you will know as Red Forman from That '70s Show, delivers a cynical soliloquy while attempting to engage in a barbed conversation with the taciturn protagonist played by Kris Kristofferson.
I’ve provided a link to the entire scene on YouTube below. It’s a little stagey, but the words are what counts. At one point in the mostly one-way discourse, the government fixer, opining on what he views as the symbiotic relationship between good and evil, says, “When the supply is lacking, we create it . . . . Every morning when I get up, I thank God for drugs and murder and subversion – because without them, we’d all be out of a job.”
That, dear readers, is a textbook example of a remorselessly misanthropic worldview. Still, the scene made a dark impression, burrowing like a sleeper cell into my subconscious.
During my career, I was employed by a few companies active in cybersecurity, and, I must admit ruefully, dear reader, that circumstances in my professional life summoned recollections of that corrosive Flashpoint monologue.
It’s a Dirty Job, but Someone’s Got to Do It
The relevance of the intrusive cinematic remembrance seemed particularly apt when I was employed by a company that developed a Session Initiation Protocol (SIP) firewall. I worked with the engineers to devise product demonstrations that showed the SIP firewall in its best possible light, thwarting all manner of nefarious incursions, including man-in-the-middle attacks, session-spoofing and other authentication exploits (in the service of fraud), and distributed denial of service (DDoS) attacks.
As we scripted these demonstrations of threats and our subsequent knockout counterpunches of threat detection and prevention, we knew, albeit reluctantly, that we were using scare tactics to generate demand for the product we’d created.
Admittedly, we had mitigating factors on our side. We weren’t engaging in deception or dishonesty. We were simply showing prospective customers what could happen, what was possible. Just because we scripted the attacks for demonstration purposes didn’t mean they weren’t real. So-called bad actors really could exploit SIP sessions for malicious purposes. These weren’t conjuring tricks; nor were they phantom threats.
Still, in demonstrating a succession of threats in all their grisly detail, we were inciting fear as an inducement to action. We were scaring prospective customers – showing them the misfortune that could befall them if they were unwary and unprepared – into purchasing the defense and protection we offered. You could say we were doing them a favor – and we preferred to see it that way – but, in my darkest introspective moments, I asked myself whether our marketing and sales tactics were gratuitously heavy-handed, akin to a protection racket. “It would be a shame, dear customer, if one of these attacks were to victimize your business.”
I know, I know. Nearly everybody in the security business does it – and that invariably serves as the rationalization for doing something that you might not do otherwise – but it felt a little greasy. I didn’t mind working for a company that developed and sold effective security products, but I didn’t want to see myself as a zoot-suited spiv on the front lines of a protection racket.
At a certain point, to gin up sales, there’s an unstated urge in the security racket to embellish the narrative, make the story a little more frightening, the would-be attackers a little more ingenious and destructive. So, you capitulate to the business demand for cheap, exploitative melodrama. After all, everybody likes a good show featuring the timeless battle between good and evil. It's the foundation on which superhero movie franchises are built.
Anyway, early SIP firewalls eventually evolved into session border controllers (SBCs), and we didn’t keep up in the feature race that ensued. The company by which I was employed had other security products, and because the session-layer security space was relatively nascent, the company had to decide how to apportion resources across new and existing products. The latter were paying the freight for everything else.
Conversely, the new product had modest revenue, wasn’t yet earning its way, and might never attain the commercial success of the flagship offering. At the time, too, we faced what we now call macroeconomic headwinds, which can cause companies to err on the side of conservatism and batten down the hatches. It’s a classic conundrum of any company trying to achieve a dazzling encore and escape the vulnerability of being a one-product outfit.
I worked in one other security company afterward, and it used similar scare tactics to incentivize customers. Again, I know that’s the drill in the security space, but I lost the stomach for the game. I longed to get back into a non-scary line of work, where the products were purchased not to avert catastrophe, but because they were capable of imparting positive value that didn’t involve a furtive stroll down a dark alley of human nature.
Symbiosis of Networking and Security
So, it was back to networking for me, at least for a short time, before I joined IDC. The rest, as they say, is history.
All of which brings us to the paradoxical present, simultaneously short-lived and constant. You don’t fully understand the present until it becomes the past, at which point you can study it and consider its implications thoroughly. Time gives you the opportunity to learn from what has gone before. As for the future, well, we’ve already covered that ground; or, to be precise, that ground cannot be truly covered until we’ve gone over it. Sometimes you can discern the approximate shape of the future off in the distance, but the details remain obscured. And the devil, of course, is always in the details.
Those caveats aside, let’s look ahead. It won’t do any harm. What do we see, ahead in the distance, for the purveyors of security products and services? Since AI seems to be the answer to almost everything these days, we might be forgiven for saying, facetiously or otherwise, that AI will define the future of security. Indeed, to the extent that AI introduces new challenges, opportunities, and threats, it appears likely that the market for security products and services, and investments in startup security companies, will be galvanized, like so much else, by AI’s rise.
Not that the security market, including the vendors that serve it, is moribund. For many years, it has been one of the most heavily supported segments of the IT industry, financed extravagantly by venture capitalists, prioritized and budgeted healthily by corporate boards and executives, and served by a seemingly endless procession of established and emerging companies.
For the last several years in networking, vendors were compelled to have a story and a portfolio that addressed network security, and many networking companies that were deficient in security quickly compensated for their shortcomings by acquiring companies that filled security voids.
More than a few SD-WAN vendors, for example, were rechristened with the ungainly SASE acronym (it stands for Secure Access Service Edge). Security vendors and network vendors met in the cloud-dominated edge, the former scrambling to add chocolate to peanut butter and the latter seeking to combine a rich dollop of peanut butter with chocolate. It was all about creating a solution that was more than the sum of two or more parts, and some solutions managed to integrate the ingredients better than others. In a few cases, though, the customers were served a compromised dessert, underrepresented by either security or networking.
Similarly, in multicloud networking, an area of growth and vitality in a networking space that desperately needed an injection of adrenaline as the embers of SD-WAN cooled, vendors pivoted to showcase their capabilities in multicloud security, even when their narratives occasionally sprinted ahead of the ability to deliver the goods. It was hard to blame the vendors. They knew that enterprises frequently had budget for security, not always for network infrastructure. If the vendor could position multicloud networking as multicloud security, a sale would be more likely to ensue.
There’s always a next chapter in the self-perpetuating security tome. You might think you’ve read the final chapter, but then another appears before your eyes. Fear and greed are powerful motives of human behavior, especially in a business context, and the security business is all about responding to and cultivating fear as a renewable resource. Fear and security are close cousins. Fear never goes out of fashion, and security is right there with it, enacting a tragicomic pas de deux that is most keenly appreciated from the plush mezzanine seats where the venture capitalists are ensconced.
Down, Not Out
Speaking of which, deal volume for U.S. venture capital investments in the first quarter fell to its lowest level since 2017, according to PitchBook data, and the picture wasn’t much brighter on a global basis, but don’t count security out. It’s resilient, and it always comes back. Why? Because the bad actors never go away; they seldom retire, and even when they do, the next generation is ready to carry on the sinister traditions.
Don’t get me wrong. I’m not blaming security vendors for serving a palpable need. The demand for robust security is real. Malefactors are looking for vulnerabilities and weaknesses to exploit for economic gain, geopolitical advantage, or sadistic pleasure. It’s an unfortunate and lamentable aspect of life as we know it. We might not look fondly on such egregious misbehavior; we might wish it were otherwise. We might even entertain visions of a world where criminality, malice, and treachery are rare. Inevitably, though, no matter how sunny our dispositions, grim practicality bursts through our psychic doors, squats on our consciousness, and refuses to leave.
What can you do in such an ethically compromised, imperfect world? Well, some folks go into security, and many of them, like their nemeses, never leave. They make a comfortable living fighting a Sisyphean, though sometimes lucrative, battle against the forces of darkness. If they do their jobs well, they play the Roadrunner to a limitless cast of Wile E. Coyotes.
Many people today look ahead and see a shimmering AI horizon replete with glittering lights and an idyllic landscape. They see radiant sunshine and joyous parties, good times for all. A muted version of that reverie, for some people, might even come to pass, at least briefly. Still, to quote the admonitions in subways and train stations: Mind the gap.
The next wave of security startups must be prepared to match wits against an ancient adversary, human iniquity, wielding new tools. For a good number of security startups, as soon as the VCs decide that it’s time to put their money back to work, AI ensures that the next chapter in the story of cybersecurity will be eventful. Some tidy fortunes will be made amid next-generation chicanery, exploits, and exposures.
Let’s consider, if only in general outline, some of the threats with which the next wave of security outfits will have to contend.
Security will find that AI will giveth and taketh away. AI advances will bring intelligently automated threat detection, faster and more effective incident-response enforcement, unprecedented capabilities in malware diagnoses and prevention, and sophisticated forms of AI authentication and identity-based access. For customers, benefits likely to derive from these advances could include better protection of intellectual property, increased operational efficiencies, reduced threat exposure, and, if all goes according to plan, an array of cost savings.
Same Game, New Equipment
But you’ll notice the contingent wording in the preceding paragraph. At its best, speculation about what has yet to happen must trade in probabilities. Nothing about the future is certain, and just as AI will advance the state of protection and security, the bad guys will leverage and apply AI just as creatively in pursuit of new frontiers of mayhem, plunder, extortion, and digital vandalism. In other words, it will be business as usual, but with new trappings and variations – the same in character, but with new plot twists. People still drive the narrative, and the technology is an accoutrement.
Harmful uses of AI are inevitable, and they are also likely to be more intelligently automated, sophisticated, and shrewdly deceptive than anything we’ve seen before. Any reasonably effective defense against these depredations will need to be comprehensive, ubiquitous, and ceaselessly adapting and learning. If the solutions are well differentiated from competitive offerings, they’ll be sold at a premium. Those that don’t meet that standard won’t fare as well.
This is one reason why VCs are warily reviewing their existing portfolios of security companies and thinking carefully about which ones will be viable as the AI transition plays out. Not everybody will make the cut; some will get the wrong kind of cut. The security solutions that were prioritized not that long ago by investors and enterprise buyers will not necessarily be the ones that get prioritized in the context of AI.
The winners will emphasize capabilities in areas such as detecting and disarming digital disinformation (there will likely be a lot of that, and it will be a problem for all of us), new systems of identity-based authentication (sans password), and detecting and proactively thwarting malicious traffic. A more general offering might involve the provision of preventive operational playbooks and continuous data-based counsel to security professionals. We’ll see a new wave of security automation that is intelligent, adaptable, and targeted. At the same time, of course, the malefactors will be using the latest and greatest AI, too, and the Manichean struggle will be continuous and vigorous.
Again, the only new ingredients will be the latest technologies and associated tooling. Technologies might continue to advance at what seems to be a breakneck pace, but human behavior, on a fundamental level, remains stuck in an evolutionary rut.
Like the shadowy government fixer in Flashpoint, security vendors and their investors might be perversely, secretly grateful for the malefactors that sustain their businesses. But they needn’t worry about ongoing demand for their services, and they should have no concerns about AI putting them out of business.