Security vendors - it's payday!

After years of dodgy sales tactics, I think that the market for security products will finally take off. Users are going to demand security -- indeed, they already are. Why? Not because of hoary scare stories -- no matter how justified. And certainly not because of a half-baked connection drawn between information security and America's recent realisation of the existence of global terrorism.

Security will take off for a much simpler reason. Because businesses can finally see some return on investment.

Businesses need to invest in information security before a cyber-terrorist attack hits them, said Art Coviello, chief executive of RSA Security at the opening of the RSA Security conference in Paris on 8 October. But it is not happening quickly enough for him. "Never have so many people talked so long and done so little," he said, at the end of a speech that pulled together over-blown statistics, and over-hyped press articles. He quoted one online source that stated that email and Web abuse is the number one reason for disciplinary action at companies in the UK, something I find hard to believe.

But all this was quite unnecessary. I am very sure that Coviello is aware of the fact that such scare tactics are quite unnecessary. It may not be happening as fast as he would like, but around the bustling conference, business people are getting on with the matter in hand. Not because they are scared, but because it will pay.

Other keynotes at the event were by KPMG, and Cap Gemini Ernst & Young. These suits would not be here if there wasn't business money to be harvested.

Microsoft is involved now. Because, as Craig Mundie put it: "Computers are diffusing into your daily lives. You must be able to trust them, or else the diffusion will stop." In other words, the company now sees trust as the biggest barrier to getting Windows everywhere, and security as the way to remove that barrier. To put it another way, people are finally ready to pay for security.

"We have two approaches to selling security," said Stuart Okin, Microsoft's UK security officer. "We can scare the hell out of them, or we can talk about how the increase in trust will lead to an increase in business."

There are moves for companies to be audited on their security, initiatives such as the Common Criteria mean that it may be possible for you to judge a potential business partner on how secure their systems are, and for directors to be accountable for the security of their systems. Once this happens, putting in security measures is not an insurance against some unguessable catastrophe, but a basic prerequisite for business. "No one would build a building without putting in heating and air conditioning," said Okin.

Microsoft's involvement could mark a big shift in security marketing. Microsoft can't do it alone, admitted Mundie. Partnerships with RSA and others are underway. Up till now Microsoft's much maligned lack of security skills has been the chief source of publicity for the security industry, and much of its revenue has come from fixing the things that Microsoft has left open.

Now with Microsoft promoting security, the industry will have to become a partner to its one-time hate figure. The RSA conference has accepted Microsoft sponsorship -- something that would have been laughable last year.

If companies start to demand security, things will surely change. The growth of Web services and online commerce will demand it, for one thing. Interaction with other companies' IT systems will become the norm.

Whitfield Diffie told the conference that the boundaries of companies are becoming fractal -- so complex that they more complexities emerge, no matter whatever level of detail you are looking at. Outsourcing has added to the complexity, and Web services will multiply this.

Diffie put forward the idea that a firm might outsource its payroll calculation -- to whichever outsourcer offers the best terms that month. A Web service might handle the negotiation automatically. The fact that payroll calculations are based on personal and company-confidential information would make this a security demand beyond most company's current ability.

This kind of set-up is still a fantasy of course, but Web services at every level will distort company boundaries, and increase the need for security.

Relax, security vendors. You don't have to scare us any more. If the industry develops the way it looks like doing, the demand for security, is going to hit the roof.

To have your say online click on TalkBack and go to the ZDNet UK forums.