Information security – are we experiencing a Pax Romana?

My last startup was an information security company — SiteAdvisor — that was acquired by McAfee, where I then worked for a while. I am no longer working in security, but have many friends who do and I try to stay in touch with what’s going on in the area.

The widespread sense I get is that we are going through a period of unusual calm, especially on the consumer side. Instead of repeating the historical pattern where new types of threats emerge every few years, we’ve seen the opposite: threat types have actually gone away or been seriously mitigated. Spyware/adware is basically gone, as most of the businesses that were pushing it (yes, it was mostly driven by legal, US-based businesses) have gone bankrupt. Spam has been mostly controlled, at least if you use Gmail or a good spam filter like Postini. If you use a Mac you don’t have to worry about viruses or malware. Mobile security hasn’t ever really become an issue, mostly because the telecom carriers (and now Apple) carefully screen the installation of third-party apps. Identity theft is a real issue but not really something consumers can do anything about – most of it happens offline or through enterprise data center breaches.

On the enterprise and government side, things are more turbulent. Distributed denial of service attacks using botnets remain almost impossible to defend against. There have been a number of breaches of sensitive consumer information and those will likely only get more common, especially as more information gets centralized in the cloud. Military and terrorist computer attacks also seem to be a likely future threat.

All in all, though, the good guys have been keeping the bad guys down. This relative calm is generally great news for computer users, but – let’s be honest – bad news for the computer security industry and venture capital investors. As an investor, I’ve only made one security investment in the last few years — in a cloud security startup called Vaultive. Everything else I’ve seen seems to be trying to solve non-problems or rehashing solutions that were developed years ago.

Inevitably, the calm will end and new classes of threats will emerge. But for now we should enjoy the relative peace.