Less
I’m looking for less. The standard approach to security is almost always additive: another box to stick on your network (with its own vulnerabilities, of course); another annoying step that users need to take; another background process that somehow manages to consume an entire CPU core; something with AI in it; etc. Obviously, the incentives are to build something, and the incentives for CISOs are to do something, so we always get something added on.
Remember this insane picture from last year? Why is an airport kiosk running Crowdstrike? Why is it running Windows? It (presumably, I hope) doesn’t touch the internet. Its hardware is physically locked away. It’s (presumably, I hope) on some ultra-restricted vlan. Less would have been more here. Better to reduce the possible scope software than can run on such specialized systems than to just paint on more layers and hope for the best.
Subtractive Security
Instead of a product that adds a layer, I want to see solutions that allow IT to subtract layers. As one easy example: if you implement passkeys, you can then remove OTPs. Login goes from three steps down to one. That’s both a security improvement and a UX improvement. An app whitelisting system that allows the removal of some A/V daemons would be another example.
None of this is to imply that we don’t need new security products! Passkeys are far from user-friendly today, and app whitelisting is a pain to administer at scale. There are a lot of problems calling out for solutions, but every additional piece of software creates more attack surface and more “bug surface.”
I’d propose a kind of pay-go but for security: every new product should eliminate at least one other product. While I’m not sure that idea will resonate with big corporate buyers, it is what the industry desperately needs. Less software, less attack surface, fewer bugs and fewer vulnerabilities.
Let’s go small for 2025!
© 2025 Restive®, Inc.
