The Nasdaq is at record highs. Internet companies are trading at multiples that would have been called insane two years ago. The phrase "new economy" is being used without irony in the financial press.
From inside the security profession, the bubble is producing strange effects. Worth writing about briefly, off the cadence, before the topic becomes the consensus and the observations become hindsight.
What is being funded right now
A short, partial list, drawn from job adverts and from conversations with people I know in the recruitment space.
Anything with "e-business" in the title. Security consultancy positioned around supporting online retail is getting funded heavily. Specific roles: PCI-equivalent compliance, web-application penetration testing, CGI auditing. The day rates have roughly doubled in the past 18 months.
Anything that sounds like infrastructure for the new economy. SSL deployment consultancy. Hosting-platform security. Trust services. Certification authorities. Domain-name security. The marketing language sometimes verges on parody — "trust enablement" appeared in a job description I read this week — but the underlying work is real.
Vendor security products. ISS RealSecure, Cisco PIX, Check Point FireWall-1, Symantec NetProspector, and many similar vendors are all expanding their teams aggressively. The product cycles are short and the marketing budgets are large.
Anything blockchain-adjacent. No, that is jumping ahead. Anything digital-certificate adjacent. Trust infrastructure for online commerce. PKI consultancy. Code-signing infrastructure. The work is genuine and the funding is real.
What is not being funded
A correspondingly short list.
Defensive infrastructure for non-internet sectors. Manufacturing, healthcare, public sector, traditional financial services — any business that is not branded as internet — is funding security at roughly the same modest rate as before. The contrast with the dot-com end is stark.
Long-term research. Honeypot work, formal verification research, fundamental cryptography research — all proceeding at modest budgets. The dot-com money is not flowing here. It is flowing to deploying known techniques into commercial products, not to advancing the techniques.
Open-source security tooling. Snort, OpenSSH, Nessus, OpenSSL — all running on volunteer labour and small grants. The commercial security products that depend on these tools, indirectly, are flush with cash. The tools themselves are not.
Practitioners who do not look like consultants. People who actually run security functions for organisations are underpaid relative to the consultants advising those organisations. The structural incentive to leave operational roles for consulting roles has rarely been stronger.
What this is producing
A few observable effects, several of which concern me.
Skill drain from operations to consulting. Several people I know who were running excellent in-house security functions are leaving to take consulting positions at three to five times their previous compensation. Their employers are then hiring replacements at the original salaries. The replacements are typically less experienced. The net effect is to drain operational skill from the places that need it into the consulting market that pays for it.
Marketing-led product development. When a vendor's revenue is growing 50% a quarter, the pressure is on shipping features and capturing market share, not on engineering excellence. Some of the security products being shipped right now have quality issues that would not survive a slower market.
Detection tooling underdeveloped. The funded space is heavily skewed toward preventing attacks (perimeter products) and recovering from attacks (incident-response services). The middle layer — detecting attacks in real time — is funded, but less so, partly because it is harder to sell to an executive who wants a clear ROI story.
Open-source projects strained. The volunteer maintainers of widely-used security tools are increasingly stretched. Snort's community is keeping up. The various smaller projects are starting to show signs of maintainer burnout. The dot-com money is not finding its way to the foundations it depends on.
What this might mean if the bubble pops
My personal financial position is not at risk from the bubble — I have no exposure beyond a few index-fund pension contributions. The relevant question is what happens to the security profession if the dot-com economy contracts.
A few guesses.
The consulting day rates will normalise downwards. Many of the current rates are sustained by the easy money. When clients become more careful about what they are paying for, the rate inflation reverses.
The flight from operations to consulting will partly reverse. Operational roles offer stability that consulting, in a downturn, does not. Some of the people who left operations will return.
The vendor consolidation will accelerate. Many of the security product startups are unprofitable; in a downturn they will need to consolidate or fail. The survivors will be larger and more conservative.
Open-source projects will become more important. When the commercial budgets shrink, organisations that have been buying products will start using the freely-available alternatives. Snort's market share will probably grow. So will OpenSSH's.
The structural problems of the field will remain. Egress filtering will still be unevenly deployed. Mass-mailing worms will still be a problem. The economics that produced Mafiaboy will still apply. The funding climate affects what gets built and at what pace; it does not change the underlying threats.
What I am doing about it personally
Very little. I work for an employer who is not in the dot-com economy directly. My income is modest by the standards of consultants in the bubble, and would be unaffected by a contraction. The notebook continues for the same non-financial reasons it always has.
The one practical change I am making: I am paying more attention to which projects I want to support over the next several years. The volunteer-funded projects that produce the tools I rely on — the Honeynet Project, Snort, OpenSSH, Phrack — are operating with thin margins. Contributing to them, with code or with money or with bug reports, is something I can do at modest cost and is, I now think, actually important.
The dot-com money will not last. The volunteer infrastructure of open-source security tools will. Investing attention in the longer-lasting layer is, I think, where defenders should be putting at least some of their professional time.
More in two weeks. Back to the regular cadence next.