One of the things in IT that baffles me is the intense emphasis on security.  Don’t get me wrong, I can understand the psychology of it.  We, as human beings, fear loss more than we appreciate gain. 

But security seems to be one of the primary overriding concerns of networking, with entire magazines, trade publications, etc. devoted to the subject of locking down your network tighter than a snare drum.  It’s not surprising that these things exist.  What is surprising is the sheer number and percentage of “mindshare” that security takes up in IT. 

And even security professionals are beginning to notice this – and the “security fatigue” which is settling in.  Bruce Schneier at Wired writes about his experience at the RSA Conference, the largest information security conference in the world, in “Prediction: RSA Conference Will Shrink Like a Punctured Balloon.”

Talk to the exhibitors, though, and the most common complaint is that the attendees aren't buying….

No one wants to buy security. They want to buy something truly useful -- database management systems, Web 2.0 collaboration tools, a company-wide network -- and they want it to be secure. They don't want to have to become IT security experts. They don't want to have to go to the RSA Conference. This is the future of IT security.

There are something like 800+ IT security vendors out there, and they fill the market with gobs of confusing variations of messaging.

I asked him whether he walked through the show floor, looking at the company's competitors to see if there was any benefit to switching.

"I can't figure out what any of those companies do," he replied.

The people making purchasing decisions are less interested in the details and more interested in what the product will enable them to do.  It doesn’t mean security isn’t important to buyers.  It just means that they don’t want to have to think about security as a separate idea.  They want products with utility – that are also secure. 

There are many other industries where security is a big part of the business – and yet, security remains taken for granted.  Banking – the walk-in kind, not the online kind – is one of them.  When you deposit money in a bank, you know that they’ll keep your money in a big safe that presumably can’t be picked with a bobby pin.  (If the bobby pin is being wielded by a spunky team of “spunky girl adventurers,” however, all bets are off.) 

But what you’re not interested in who made the lock, how many pounds of pressure it can withstand, whether it’s steel, titanium, an alloy, and the component makeup.  You’re interested in what it can do – interest.  The bank is interested in what it can do with your money – lend it out and charge interest. 

You can have an extremely secure network that doesn’t actually do much, and focusing on security without focusing on the core competencies and getting more done with the information you have seems to be a bit of a  “biggest lock on an empty chest” mentality.