Will Companies Stop Paying For Security?

As business technology changes, how will companies pay for their security? There are a couple of separate revolutions going on in IT at the same time, but could the cloud and consumer devices change the shape of the security market?

The role of the chief security officer has only recently emerged, but has already changed massively. Ten years ago, it was possible to secure the virtual perimeters of a company but mobile devices and the cloud have punctured that surface, so it is no longer clear what is inside or outside the company.

Security vendors have shifted to endpoint security, where every laptop or phone is individually secured – but there are problems there, since new attacks emerged all the time.

We have often talked about these issues with Mikko Hypponen, chief research officer of F-Secure, but this time we met his business colleague Christian Fredrikson, who is CEO of the security firm, to find out where he sees the security industry going next.

Securing the cloud

“We have moved from protecting the devices, to protecting the content,” he said, “and with that we have moved into the cloud.”

He’s very clear on the new requirements for security created by mobiles and the cloud. “The threat landscape is getting bigger with Android,” he said. “And people are using mobile phones differently – 75 percent of us use them for more than voice.”

Along with Linux-based Android, F-Secure has a security product for smart TVs running Linux. This might seem exotic, but Fredrikson predicts that 2013 will see the first malware specifically targeted at TVs.

Alongside its business offerings, F-Secure has secured deals with service providers for the consumer space, including the security component of BT’s consumer cloud service, and similar deals with Orange in France and AT&T in the US.

Both consumer devices and cloud services increasingly have security bundled in, he says.

Is consumer privacy safe?

If that is the case, is there a danger, we ask him, that the security services bought by a corporate IT security officer will erode away?

Users will bring their own phones in, already running the mobile operator’s anti-malware, and they will access services on the public cloud which will likewise have security bundled in. Will there be anything left to sell to the corporate?

“Consumers expect to get security bundled for free, but in the end nothing is free,” he said. “You tick the box of terms and conditions – which no one ever reads – and you realise you have given away quite a lot of your rights. You and your information have become the sales item. You will either get adverts, or be used in analytics for profiling.”

Anti-virus gives very little scope for presenting adverts to consumers (most of the time it runs in the background). But the move to securing content in the cloud is a much greater opportunity, he said. Potentially, all the information about your folders might be available, and there will be plenty of chances to show adverts. “”the cloud gives you a lot more options.”

That might sound like a threat to privacy, but Fredrikson is a big believer in “pseudonymisation“, where data is made available to third parties in a pseudonymous, rather than anonymous form with all the details present – except the identity of the customer.

“No one can find your data,” he said. “It is spread into so many areas, even our own personell can’t find you. We can do analytics, but we can’t target any individual.”

Will companies pay?

What about companies though? If all the devices and services a company consumes already have security built in, what will firms buy?

Companies will still want to add more layers to their security, said Fredrikson. “The enterprise will pay for security as a service. They will want devices and information to be secure. A lot of the security will be there, but there have to be many layers.”

In that world, security never disappears as a visible item, and both consumers and companies will choose the providers they trust, he told us: “Our deals with service providers are co-branded, and for the enterprise we need to be a leading brand.”

That’s something of a relief. We like talking to Mikko Hypponen, and we are well aware that his availability is part of F-Secure’s brand.

Love security? Try our quiz!