VirtSec: Don't hold your breath

Submitted by Mike Rothman on Mon, 2008-06-23 11:12.

After Alan's plea to add some heft to the Black Hat Blogger Network theme of virtualization security, I figured I'd weigh in a bit on the topic. But first, I want to be very clear that I'm not challenging guys that are much smarter than me. Like Hoff and Thomas. Even guys like Greg Ness and John Peterson are correct in their assessments of the number of new attack vectors that virtualization brings to our data centers - even if they are vendors.

So I'm not going to talk about technical stuff. Yet, I do feel compelled to draw the conclusion that despite the dangers, it doesn't matter. All the folks that are trying to make VirtSec into a market are basically just pushing on a rope.

That's right. No matter how hard you push (or how many blog postings you write), you are not going to make VirtSec into a market for at least 2 years. And that is being pretty optimistic. So for all those VCs that are thinking they've jumped onto the next big security opportunity, I hope your partnership will allow you to be patient.

Again, it's not because the risks of virtualization aren't real. If guys like Hoff and Thomas say they are, then I tend to believe them. But Mr. Market doesn't care what smart guys say. Mr. Market cares about budget cycles and priorities and political affiliations, and none of these lead me to believe that VirtSec revenues are going to accelerate anytime soon.

  1. Budget cycles - This is what every optimistic marketer seems to forget. Customers don't just buy stuff. The large ones tend to work in 18 month (at least) budget cycles. Yes, that's too long - but it's reality. Many organizations are still working on that IPS deployment and maybe Web filtering. The idea of something that doesn't have a clear and present danger... not so much.
  2. Priorities - Of course, there are exceptions to this budget cycle issue, and that's when something really lifts in priority because of a real high profile attack. Kind of like when anti-spam hit the jets in 2004. It was a big enough problem that demanded a solution. Is VirtSec there? Nope. So most enterprises will buy a VirtSec widget or two, but not go into real deployment until they really have to. But, that can change in an instant if a verified exploit hits.
  3. Politics - This is the stickiest issue of them all. Who owns VirtSec? Is it the security guy/gal? Do they really own anything? It's probably a data center thang, but those folks are concerned with other issues (I'll hit that in a minute). What about the network folks, since a VM basically creates a network in the physical enclosure? It's about as clear as mud, and with the lack of clarity, most organizations will opt to do nothing.

Keep in mind how early we are in the adoption of virtualization. Sure, lots of customers are playing around with it. The early adopters are entering massive deployment cycles, but this is not representative of the broad market. Not yet anyway. So we are early, and early markets tend not to worry about security.

It seems the killer need right now for virtualization is VISIBILITY. That's right, increasingly virtualizing your servers creates any number of blind spots that make operating your infrastructure effectively pretty hard. Now a lot of the VirtSec folks have come to the same conclusion, but like their NBA brethren - they are screwing it up.

Visibility is NOT a security issue - it's a MANAGEMENT issue. Funny how the NBA guys are finally getting there like 7 years later. Security is a tangential benefit, not the customer pain. If you sell a security solution to a management problem, it doesn't work out too well. Why can't these guys figure that out?

It gets back to that ongoing faulty belief that security is cool and that positioning security solutions is the easiest path to success, since everyone is paranoid about hackers and compliance. They are wrong. Very very wrong.

Security is ALWAYS the last thing to get addressed when a new technology hits. The security folks are not consulted when a new application architecture or data center infrastructure technology hits, are they? So why would security be one of the first things to get addressed in the virtualization space? Besides the fact that a bunch of entrepreneurs and VCs want it to be so.

The logical order of things (dramatically simplified) is: innovation -> management -> security (maybe). Pick a new technology and prove to me that the order was different. I dare you!

It will be fun to see yet another generation of folks try to change these universal truths of technology market adoption. Fun for me, but not so fun for the guys that are trying to explain to their investors why the market hasn't taken off.

Photo credit: "David Blaine - no mask" originally uploaded by Mirka23

Submitted by Christofer Hoff (not verified) on Mon, 2008-06-23 12:42.

Mikey:

You painted me in quite a singular light regarding VirtSec, despite the fact that I agree with what you're saying...

I replied to your post here:

VirtSec Not A Market!? Fugghetaboutit!

http://rationalsecurity.typepad.com/blog/2008/06/virtsec-not-a-m.html 

/Hoff


Submitted by Mike Rothman on Mon, 2008-06-23 16:44.

Au contraire, I was trying to point out that you are front and center in terms of making clear the risks. I had no intention of painting you in Chicken Little clothes relative to where the market development will be.

Not only is the man technically deep, he's also got the analyst-issued crystal ball. Now that is someone even Leonardo could be proud of.


Submitted by Christofer Hoff (not verified) on Mon, 2008-06-23 21:51.

Oh, um, sorry?

I didn't get that from the post. I just don't want you to think I wasn't paying attention -- and actually agree with what you said.

I'm not just a technologist, damnit!  I'm not, I'm not, I'm not.

Thanks.

I'll go back to designing the nextgen artificial heart now.

/Hoff
