Disclaimer: The analysis, views and opinions expressed in this publication are those of the author and they do not necessarily purport to reflect the opinions or views of Alphabet Inc. or its entities. 

True industry disruption is rare. Most of the simple changes we see in society and industry could be described as moderate disruptions at best. The academic definition of disruption sheds light on the need to search for insight as a key anchoring element. Insight, new information that provides context and increases the understanding of a situation, could result in drastic competitive advantage and a total realignment of a particular market. None of this has happened in the security industry. 

The emergence of dual-use technologies and sophisticated threats have led to a “refreshed” version of the security industry. These changes have been particularly evident in technologies and processes that leverage cloud computing, artificial intelligence, data analytics and cybersecurity, to name a few. However, these adjustments have been incremental and haven’t necessarily re-shaped the security market as we know it. The question then becomes: can these advancements be categorized as true industry disruptions? I don’t believe so. 

In the context of innovation, the word “disruption” is often used without a proper understanding of its nomenclature. A true disruption of industries and market segments requires a drastic and irreversible alteration of three essential elements: the customer, the value chain and technology.  

The majority of changes we have seen in the security industry relate to the use, not necessarily the creation, of existing technologies and, in some cases, the emergence of a new set of customers. Examples include global security operations centers or intelligence platforms where advancements in cloud infrastructure and big data analytics have increased systems reliability, access, collaboration and data integrity. Another example could be schools and the business ecosystem we’ve created around active shooter scenarios. Schools may only represent a new customer segment, but the security services are just a readaptation of existing ones. No true industry disruption has occurred. 

On the other hand, other industries have seen the emergence of companies that are changing their markets forever. An interesting example would be the food industry where there is:

  1. Development of new technologies and novel research in bio-sciences.
  2. The discovery of new customer segments.
  3. A radical disruption to the value chain (e.g., how food is produced, stored, etc.) are radically disrupting the food industry as we know it.

Changes like these have long-standing effects and create the perfect conditions for new players to enter the market.  

So how do we incentivize innovation in a fairly archaic industry? Recently I heard someone say, “In interviews, people have the tendency to say they have twenty years of experience when, in reality, they only have one year of experience repeated 20 times”. This accurately represents where the security industry is currently and where we’ve been in the past few decades. I am still waiting for someone to get some serious VC funding and send the cost-quality frontier of the industry on a downward spiral.

Another aspect worth pointing out is that disruption is not an issue of generations or age. While it is true that the so-called “On-Demand” generations have real-time access to more and better quality information, the innovation principles still apply to everyone. Rewind sixty years and read about Project Mercury and what it took to put a man in space. Even better, go back eighty years and read about the Manhattan Project. One will quickly realize that innovation is a mindset. It’s embracing curiosity, brainstorming and letting go of what we know as the norm. Innovation is unapologetic trial and error. 

Industry leaders must be relentless in their quest for innovation. In order to self-disrupt their organizations, they should seek ideation, brainstorming and problem-solving, as the catalyzers for radical change. One example would be establishing dedicated innovation units within their security departments to drive ideas and promote the “fail fast, fail cheap” approach. Another would be a more aggressive approach to learning and development. Establishing partnerships with academic institutions or consulting firms could help engrave innovation within existing governance structures. A deliberate exposure to creativity and arts by inviting speakers, writers, thinkers and folks you wouldn’t necessarily see at a security conference is another way to promote creative thinking. 

As Albert Einstein once said, “The important thing is not to stop questioning. Curiosity has its own reason for existence. One cannot help but be in awe when he contemplates the mysteries of eternity, of life, of the marvelous structure of reality. It is enough if one tries merely to comprehend a little of this mystery each day.”

Searching for the security unicorn will require a collective effort and a new mindset. While plotting competitive positions and drafting logic maps are good for understanding an industry’s current state of affairs, these tools have some limitations. Our industry leaders are responsible for moving innovation to the top of their agenda and taking the leap of faith. Solving for sustainability, DE&I, and other societal issues, for example, will require a new approach and unconventional ways of thinking. The payoff will be so high, any investment in innovation will be well worth it. 

This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.