In 2002, when Security Innovation was getting established, software was nothing new. For almost two decades, it had been working its way into almost every business and household in America. Microsoft Windows was seventeen years old, and Windows apps were part of the popular consciousness. The world already felt software-driven at the start of the millennium but was primarily driven by the classic “ISVs” (independent software vendors) like Symantec, Adobe, McAfee, and others.
Over the 20 years that Security Innovation has been in business, software has evolved faster and further than it did throughout its entire history before that.
The speed and scale of that advancement are really staggering to consider. Back when we started, companies like Microsoft felt monolithic – they were the big fish in the relatively small pond that was the software industry. Everyone used software, to some extent, but the number of applications and vendors was limited.
Today, software runs everything – even hardware. Try finding anything that doesn’t involve a software component (or dozens) somewhere along the line. It’s something that facilitates every aspect of business operations, supports every part of our personal lives, and we utilize it nearly every hour of every day. Take away software and the world stops working.
Security Innovation has been focused on software security since day one. It has been interesting (and sometimes alarming) to observe software’s upward trajectory. As part of our 20th-anniversary celebration, we are reflecting back on where we’ve been and drawing out some conclusions that are relevant for today and tomorrow.
Not surprisingly, we have a lot to say about software.
Every Company is a Software Company
Every company uses more apps than before. What’s really different is how many more companies develop and customize apps, for themselves and others.
Ford now employs more software engineers than automotive engineers. Bank of America has 40,000 developers on staff–twice as many as Oracle. Even when a company isn’t building apps, they’re building collections of apps that drive everything they do. So, it’s accurate to call every company a software company.
As apps continue to ascend, there will be less and less distinction between “software” companies and those in retail, manufacturing, finance, and beyond. They are all “tech” companies – retail-tech, manufacturing-tech, fin-tech, health-tech, etc. We saw this 10 years ago when FedEx approached us… they didn’t call themselves a logistics company; they called themselves a software company.
What does this mean? Lots of things, but perhaps none more important than realizing how vital software security has become. It’s something every company depends upon deeply. The stakes are impossibly high when anything and everything can be brought down by an attack on software.
Security Still Lags Behind
We have seen software skyrocket in importance over the last 20 years. Unfortunately, software security has not kept up – even as companies have taken on software development and selection as core competencies.
Part of the problem is the demand for software. It’s so strong that developers turn to pre-made code that may be hiding vulnerabilities (see the recent Log4J fiasco) or that accumulates in such a huge quantity that security issues are inevitable. Companies that want to prioritize software security have less control over systems locked down by third parties. And even if they had control, the rapid evolution of apps through phases of web, mobile, IoT, cloud, and most recently blockchain makes security an elusive goal.
Setting all these challenges aside, however, if companies wanted to emphasize security they could. When we started, it was common for developers to basically ignore security and push that responsibility onto operations and security teams. We still see that today (less frequently, thankfully). More common, though, are teams that simply lack the necessary skills and training to make security paramount. Security Innovation was started to help fill this gap and make security as important as the software itself.
This is a Pivot Point
As we have observed the previous trends over the years, it has been easy to see the disparity between the demand for software and the demand for security. And it has been easy to see the results as well. Some of the worst cyber-attacks in history have happened recently, and many have involved software (Log4J, SolarWinds, Kaseya, etc.). The situation will get drastically worse if things don’t change soon.
The reason is that the two trends we highlighted earlier are both accelerating. On one side, the pandemic made companies significantly more software dependent and sped up digital transformation by years. On the other side, cyber-attacks are more lucrative, accessible, and successful than at any time in history and will continue to increase in volume, frequency, and severity. Software dependency and security will continue to diverge with potentially catastrophic consequences unless we see the writing on the wall and treat this moment in history like the pivot point that it is.
Change has been the only constant throughout our history, with one other exception: our belief in the value of software security training. And while Security Innovation has evolved in many ways over the years (more on this in subsequent posts), we have only become more convinced of our core mission.
When every company is a software company, software is their biggest asset and biggest liability. Now as always, Security Innovation helps clients maximize the former and minimize the latter.