Published on Nemertes Research (http://www.nemertes.com)
RSA Conference 2007: Is 200 Products Too Many?
By Andreas Antonopoulos
Created 2007-02-14 23:00

Walking the show floor at RSA last week, I found the perfect metaphor for the state of enterprise security. With 200+ products on the floor, there’s still no holistic solution to the problem of end-to-end security. (I also found out that wearing new shoes to a trade show is not the best of ideas—my feet were aching before I got past the first couple dozen).

Even worse, most of the products didn't even, strictly speaking, qualify as "products"—more like "features", because each one only tackles a single aspect of security. Tying them all together becomes a daunting task.

Consider what I, as an IT executive, would need to deploy in my enterprise to secure against all these threats:

To protect against viruses, worms, rogue wireless, stolen identity, leaked secrets, privilege escalation and zombie armies, I’d put in 6-7 appliances around every switch, plus a few more in front of my egress routers. Then I’d add a couple dozen servers in the data center to crunch all the data. And of course, each product would have its own associated set of policies, not to mention management consoles. All these boxes send a stream of logs and reports up to maybe a dozen consoles.

After all that, I’d probably only have enough budget left for a single staff member. Guess I’d put that guy (or gal) on roller skates, and instruct him to zip back and forth in front of all the blinking consoles in case they notice something.

The problem is that in the security space, most of the R&D that matters is done by the bad guys. Security innovations are almost always reactive. So as new threats emerge, a dozen startups pop up to address each threat. After a year or two, companies get acquired and integrated into monolithic security suites. And the cycle continues.

Although this model may work for the industry, it sure doesn't seem to work for the customers: they still report feeling insecure and getting breached despite billions of dollars of spending over a decade and a half.

The missing ingredient, in my opinion, isn’t a “God box” that purports to do everything. It’s interoperability. This industry needs to replace single-vendor, tightly-coupled integration with multi-vendor, protocol-based interoperability. That way I can still pick the point solution that addresses the latest threat or peculiar need, but plug it into a security infrastructure that is vendor neutral.

A glimmer of hope comes from some of the standardization efforts around endpoint access management, including the Trusted Computing Group's Trusted Network Connect (TNC), Microsoft's Network Access Protection (NAP), and Cisco's Network Admission Control (NAC). Then again, it’s been years since these efforts started, and results are still far off.

In the meantime, what’s an IT exec to do? Some advice: Create a vendor-neutral security architecture for your company. Pick products based on how well they fit into that architecture. Oh yeah, and ... don't wear new shoes to a trade show!

-- AMA

The Nemertes Research Group Inc. Copyright ©2002-2008

Source URL (retrieved on 2008-09-07 06:37): http://www.nemertes.com/rsa_conference_2007_is_200_products_too_many