BOOK REVIEW: ‘Security Yearbook’ preserves cybersecurity history — highlights tectonic shift

Along with Richard Stiennon, I belong to a small circle of journalists and tech industry analysts who have been paying close attention to cybersecurity since Bill Gates halted feature work on Windows to focus Microsoft's attention on securing its code.


That was in 2002. Back then, email spam was a nuisance evolving into a potent attack vector, and the top malware innovators were script kiddies seeking bragging rights. Much has changed; much has remained the same.

Cybersecurity, which started with antivirus suites, spam filters and firewalls, has mushroomed into a $103 billion industry. Companies today spend vast amounts on incredibly sophisticated defenses, such as next-gen firewalls, EDR, DLP and IDS technologies, which generate oceans of alerts and threat feeds that pour into AI-driven SIEMs, UEBAs and other analytics platforms.

Yet catastrophic breaches persist. And that's why Stiennon and I are among the 45,000 or so attendees of RSA Conference 2020 here at San Francisco's Moscone Center. This is my 16th RSA.

I recently had a chance to have a rich discussion about the state of cybersecurity with Stiennon, the occasion being his sending me a copy of his new book: Security Yearbook 2020: A History and Directory of the IT Security Industry. Here are takeaways from our discussion:

Preserving history

Stiennon told me he got inspired to write Security Yearbook one year ago at RSA 2019, as he sat in a booth signing copies of his previous book, Secure Cloud Transformation. A lot of folks came up to him and told him they were new to the industry and had been sent to RSA to learn it.

Then, as he wandered the exhibit floors, Stiennon ran into startup after startup pitching its great new cybersecurity innovation. "There were all these great ideas that were going to change the world, but it looked just like stuff that came out in the early 2000s," he says. "I'd tell them about their predecessors in the field, and they'd look at me blankly – they'd never heard of them.

"So I realized we were losing history that's familiar to you and me, because we lived through it. So I thought, 'If I could only record what I know, then at least the newcomers would have a reference for everything that should be known about the history of the cybersecurity industry.'"

Positive control

One of the unsung heroes who surfaces in Security Yearbook is Barry Schrager, who back in the mid-1970s came up with the concept for Access Control Facility, or ACF, which was adopted by General Motors, the Central Intelligence Agency, the National Security Agency and Britain's MI5, among others.

"What I learned from talking to Schrager is that what he was trying to do, back then, was get 100 percent control over who has access to what resource – and that's what the entire industry is still attempting to accomplish today; it's just repeating over and over," Stiennon told me. "Schrager introduced the idea of a positive security model, where there is a rule for everything. And now we have machine learning and artificial intelligence trying to displace that with 'learned' policies, instead of proscribed policies. You see it everywhere."
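To make the distinction concrete, here is a small added illustration of the positive security model Stiennon describes, set beside its negative (deny-list) counterpart. This is example code written for this review; it is not from Security Yearbook, from ACF, or from any vendor product, and the subjects, resources, rules and inventory it uses are constructed for the demonstration. The point it shows is the one in the quote: under a positive model every permitted access corresponds to an explicit rule, so a resource or request nobody anticipated is denied by default, whereas a deny-list silently allows whatever its rules failed to foresee.

```python
"""Positive (default-deny) versus negative (default-allow) access control.

Added illustration for the 'positive security model' discussed above.
Not code from Security Yearbook, ACF, or any product; all names below
are constructed for the example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    subject: str          # user or group name; shell-style globs allowed
    resource: str         # resource name; shell-style globs allowed
    actions: frozenset    # e.g. frozenset({"read", "write"})


@dataclass(frozen=True)
class Request:
    subject: str
    resource: str
    action: str


def _matches(rule: Rule, req: Request) -> bool:
    """A rule applies when subject, resource and action all match.
    fnmatchcase is case-sensitive, so 'PAYROLL.*' is not 'payroll.*'."""
    return (fnmatchcase(req.subject, rule.subject)
            and fnmatchcase(req.resource, rule.resource)
            and req.action in rule.actions)


def positive_decide(allow_rules, req: Request):
    """Positive model: permit only what a rule explicitly allows.
    Anything the rule set did not anticipate is denied."""
    for rule in allow_rules:
        if _matches(rule, req):
            return True, f"allowed by rule {rule.subject} -> {rule.resource}"
    return False, "no matching allow rule (default deny)"


def negative_decide(deny_rules, req: Request):
    """Negative model: permit everything except what a rule explicitly
    forbids. Anything the rule set did not anticipate is allowed."""
    for rule in deny_rules:
        if _matches(rule, req):
            return False, f"denied by rule {rule.subject} -> {rule.resource}"
    return True, "no matching deny rule (default allow)"


# Constructed policy: the positive rule set lists the only accesses
# that are meant to exist; the negative rule set lists one known bad case.
ALLOW_RULES = [
    Rule("payroll-clerk", "payroll.*", frozenset({"read"})),
    Rule("dba", "db.*", frozenset({"read", "write"})),
]
DENY_RULES = [
    Rule("contractor-*", "payroll.*", frozenset({"read", "write"})),
]


def decide_both(req: Request):
    """Return (positive_model_permits, negative_model_permits) for a request."""
    return positive_decide(ALLOW_RULES, req)[0], negative_decide(DENY_RULES, req)[0]


def uncovered_resources(inventory, allow_rules):
    """The '100 percent control' check: resources in the inventory that no
    allow rule mentions at all. Under a positive model these are unreachable,
    which is usually a policy gap to fix rather than a silent hole."""
    return [r for r in inventory
            if not any(fnmatchcase(r, rule.resource) for rule in allow_rules)]


if __name__ == "__main__":
    cases = [
        Request("payroll-clerk", "payroll.2020", "read"),   # intended access
        Request("contractor-7", "payroll.2020", "read"),    # foreseen abuse
        Request("contractor-7", "hr.salary-export", "read"),  # new, unforeseen resource
        Request("contractor-7", "PAYROLL.2020", "read"),    # name the deny pattern misses
    ]
    for req in cases:
        print(req, "positive:", positive_decide(ALLOW_RULES, req),
              "negative:", negative_decide(DENY_RULES, req))
    print("uncovered:", uncovered_resources(
        ["payroll.2020", "db.orders", "hr.salary-export"], ALLOW_RULES))
```

The last two requests are where the models diverge: the positive model denies both because no rule allows them, while the deny-list permits both, once because the resource is new and once because the resource name does not match the pattern the rule author wrote. The `uncovered_resources` check is the complement of "a rule for everything": run it against an inventory to find what the policy never addressed.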

Tectonic shift

Digital transformation takes on a more precise meaning through the lens of Stiennon's latest book. DX began as the simple notion of modernizing daily business operations. Then along came cloud computing and the Internet of Things. Tapping cloud resources, and feeding data captured by sensors on anything and everything into AI-driven back ends, promises vast productivity gains and endless cool new services.

But legacy IT defenses are designed to protect on-premises data centers, and, though seemingly obsolete, they remain in wide use – as evidenced by two massive, teeming exhibit floors here at RSA 2020.

At the same time, a tectonic shift to smarter technologies and strategies is rapidly taking shape. With everyone connecting to the Internet to interact, new security regimes, like Zero Trust and edge security, are gaining traction. Other promising new approaches are taking shape as well. Lines are getting blurred. The cream, presumably, will rise to the top.

In parsing the current crop of innovative approaches for his book, Stiennon made this discovery:

“I started moving people around in different categories, and at the end there were no cloud security vendors left; what’s happened is we have a new infrastructure, and there’s plenty of security, and it’s security for all of these different things companies are doing in the cloud.”

Reading between the lines of Security Yearbook, it is indeed possible to come away with the conclusion that there is no cloud security, per se. At the leading edge, there are myriad specialized security services, each locking down a different aspect of operating in a borderless digital environment with the Internet as the hub, accessible to one and all.

We’re obviously very early in this process. I can’t even imagine what Security Yearbook 2025 will tell us. I’ll keep watch.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: