Bruce Schneier last month reported on the RSA Conference and how security exhibitors are complaining that visitors to their stands aren't buying much. 

In respect of selling security in general, he points out that people don't usually buy car safety components, and neither should they buy information security per se. I couldn't agree more -- I believe that security should be sold on a sort of wholesale basis.

In this vein incidentally, for years when PKI naysayers tell me 'nobody will buy digital certificates' I rhave esponded that I agree with them. I agree insofar as very few people buy ferric oxide powders either, and yet somebody buys heaps of this stuff on the end users' behalf and delivers it bundled in credit cards. PKI could be transformed by a different view of the digital certificate supply chain. Instead of selling keys and certificates to end users, let's embed them in devices that are more naturally traded.

But back to the difficulty experienced by security exhibitors. There's a real malaise at work here, not just a wholesale versus retail disconnect.

I believe there is a crisis in the security market. For many years, in my various roles as security consultant, innovator and new product entrepreneur, I've been utterly dumbfounded by the unreasonable difficulty we have selling anything in this industry. Security buyers -- CIOs, CSOs, CTOs, CEOs -- are notoriously reluctant to make positive decisions in favor of anything new. The security sales cycle is long, often longer than the product development cycle, and so in some cases, decisions never get made, since they're being overtaken by events every business cycle. Security indecision is generally worse I find in banking and in government.

I don't have a complete thesis for why this should be so, but one day it might make for an interesting management text book. Part of the issue is that security people are (quite rightly) conservative. They should be hard to convince.

But there are compounding factors too. I think in security there is a perversion of the old adage "if it ain't broke, don't fix it". It becomes "if losses aren't totally killing us yet, don't fix it". In banking for example, it's more acceptable to wear losses (actually, to pass them on) than to risk switching to a new technology.

And instability in the security market makes things worse. Businesses don't like buying stuff from new companies, or newly merged ones, especially stuff like security that is mission critical and needs to be well supported. And there's a vicious cycle, because never-ending security M&A is partly a function of the difficulty many specialist companies are having being profitable.

A related phenomenon is frequent changes to security business models. Some security specialists acquire other businesses to diversify and offer the 'one stop shop'; technlogy companies take on professional services (almost always the real rationale is to create a bigger sales funnel to the more profitable product sales rather than offer full service per se); and product companies find themselves jumping into bed with with managed security service providers, even though the latter will cannibalise product sales, without a decent long term strategy.

All this only confuses buyers, who were inherently reluctant to begin with, and need all the reassurance they can get that everything is going to be alright!