Compliance is like being at all the rehearsals with a sharp pencil and playing your part perfectly – but not showing up to the gig. Being inside a strategic inflection point of change is like waking up during your own murder.
Inside a strategic inflection point of change, the people inside the system are not sure  what is happening and have trouble putting an analysis and a possible solution to their malaise into words. We are seeing a continued rise of data security breaches perpetrated by trusted insiders, competitors and malicious outsiders despite billions being pumpted into compliance and security technology products from companies like McAfee and Symantec. I doubt that during this current recession – we will see many companies look for carpet-bombing technology solutions to their data security issues.
Is the security industry is approaching an SIP – strategic inflection point?

The first sign is a lack of clarity.
When bad things happen, the first response is to find a rational explanation or political excuse. When a PCI-compliant institution loses PII in a data breach – this is the sort of thing we hear:

1. Compliance doesn’t require DLP technology, we need a product from (Verdasys, Fidelis Security Systems, McAfee or Symantec), then we can prevent data breaches in the future, or –
2. Some of the systems that interface with our business partners and payment processors  are vulnerable to exploits (we were compliant but the other guys weren’t) or,
3. Our business process outsourcing vendor violated his non-disclosure agreement or,
4. At the time of our last PCI audit, we WERE compliant – but in the meantime, our marketing team installed a Microsoft Sharepoint application that was vulnerable to hackers,
5. Someone put some nasty spyware in our cash registers that were on the store WiFi network,
6. We’re working on encrypting all our credit card data and then it won’t happen again,
7. We’re upgrading our head office servers to Windows 2007, some of the Service Packs were not applied
8. We’re using an old version of Linux – Red Hat 4 – since our application vendor requires that version – we didn’t realize that Linux was vulnerable to Oracle database exploits

It seems to me that we are at / or approaching a strategic inflection point in the security industry. The compliance model is broken, data security vendors are adopting ERP style implementation models and pricing (pay me $1M for the software and another $1M for professional services for the implementation) but most of all there is a sense of confusion from reading the vendor collateral.  Read what IBM says on their “Data Governance” (Whatever that means) page:

What if you could pinpoint and secure all your critical data, and still have the freedom to collaborate past the perimeter and gain business intelligence to guide strategic initiatives? IT security plays a central role in protecting your data, assets, and ultimately, your brand.

IBM Data Security Services can help you cost-effectively identify and protect your organization’s critical data from internal and external threats. We help you integrate existing data assets and data security capabilities with new security management technologies. IBM’s streamlined approach supports collaboration across the enterprise while protecting data in transit or at rest.

Potential benefits include:

• Insights into your business intelligence that help set strategic direction
• Simplified protection of your valuable, business-critical and/or confidential data
• Controlled data access for collaboration and sharing
• Protection against corruption and interception with advanced encryption
• Reduced risk of regulatory noncompliance

What does BI insights have to do with preventing employees from stealing IP?
Who says protecting valuable company digital assets simple?
Why is controlled data access more effective for a company and its customers than totally open access?
What do they mean: “Protection against corruption and interception with advanced encryption”?? How is encryption going to prevent trusted employees and outsourcing workers from stealing data, accepting bribes or skimming transactions at the point of sale.
Why is regulatory non-compliance a risk?
The marketing messages are unclear to say the least – have the IBM Data security marketing people have cut and pasted marketing collateral from Fidelis Security Systems and a few other vendors and thrown in the word “simplified” a few times to make a statement that IBM can reduce the pain for customers??
As the senior player in the IT industry, IBM is like a senior manager in an organization at a SIP – he’s using 40,000′ strategic industry-speak instead of rolling up his sleeves and understanding what’s really going on and leading the rest of the soldiers out of the trenches.
I cannot say when we will hit the SIP or what will happen afterwards – but for sure something is happening.