In January, Kevin Kelly wrote an essay entitled "Better Than Free" that explained which concepts held value on the Internet. This generated a lot of interest, mostly around the question of how best to make money out of these concepts. As a career security guy, I found myself wondering how on earth my field will respond -- how does security need to adapt to support business models based on these values? When we're used to locking everything down, how do we respond when people start calling for openness?
Kelly's essay set out one of those ideas that sound completely obvious once you've heard them: When something that can be copied comes into contact with the Internet, copies soon become freely available. And when copies become free, you need to sell something that can't be copied. That is, of course, a very brief summary of an elegantly stated argument; I urge you to go and read his original essay. It's a great read.
Kelly goes on to explain eight "generatives," things that can't be copied and so still hold value on the Internet: Immediacy, Personalization, Interpretation, Authenticity, Accessibility, Embodiment, Patronage, and Findability. You may not want to pay for that mp3 that you can download for free, but you might pay to be able to have it right now, to have a copy tweaked to sound best on your audio setup, to have the lyrics translated into your language, to know it's the real thing, and so on.
So what do we need to do? How does security adapt itself to these generatives?
The answer is that we need to do more than you might expect. Except for his principles of Embodiment and Patronage, that is: people may pay for a physical copy of something (embodiment), or for the joy of supporting a particular artist or designer (patronage), but there's little that security can do to help there except get out of the way. But in each of the other areas, security has a big part to play, whether by directly helping to generate revenue or in a supporting role. Let's take them one by one.
Trust. Kelly passes over trust briefly, and doesn't include it as one of his generatives. But he does acknowledge its importance and rightly so, because trust underpins most successful transactions. When buying online, I won't give my credit card details to a company I don't trust, and PayPal made a lot of money out of realizing that people feel that way. When buying financial products, I'll deal with a big bank in a regulated market that I trust rather than a niche company based in a small country that I can't find on a map.
So what creates trust? I suspect the answer is different depending on the person you ask, but three big components of trust for me are: trusting that a company will look after whatever I entrust to their care, whether that's my money, my data, or my identity; trusting that if a problem happens on their watch they will do whatever they can to fix it; and trusting that the company will still be around for the lifetime of the deal.
This is, of course, the heartland of security. We understand trust; we understand how to support and nurture it. Perhaps we need to talk more to marketing specialists to understand better how to sell this brand of security-inspired trust to our customers, but this is our strength.