, USC Information Sciences Institute
Pages: pp. 12-13
Abstract—"The value and even the mark of true science consists, in my opinion, in the useful inventions which can be derived from it." —G. Leibniz
During the past 40 years, governments and industry have invested hundreds of millions of dollars into research on approaches to improve cybersecurity. Some of these investments have led to the creation of new products, new companies, or new industries and have changed the operational security practices of IT departments around the world. Other investments have resulted in the creation of papers and prototypes but have failed the ultimate test and fallen short of the goal of producing real products and changing the real security experienced by organizations and individuals.
It often seems that there is an art to successfully crossing the great divide. Why is this? Do cybersecurity-specific issues and challenges make technology transfer more difficult? We think so. Historically, some of the biggest stumbling blocks have included the following:
The net effect is that many research investments lead to security technologies that never see the light of day.
This special issue explores technology transition of cybersecurity technologies through three articles and a roundtable discussion. Getting articles from the private sector proved challenging. While we know that there are successful cases of research prototypes making their way into successful commercial products, we found that the commercial companies were reluctant to talk openly about these efforts or not available to provide articles. The researchers' and product organizations' differing cultures manifested itself here; researchers are accustomed to (and rewarded for) submitting articles, whereas their product company counterparts are not.
One topic that also proved challenging was the question of whether to purchase new technology or to develop technology in house (often referred to as "buy versus build"). What are the factors that lead a company to purchase technology rather than develop it? How much of technology transfer is idea transfer?
The first article, "Crossing the 'Valley of Death': Transitioning Cybersecurity Research into Practice," by Douglas Maughan, David Balenson, Ulf Lindqvist, and Zachary Tudor, presents an R&D execution model developed by the US Department of Homeland Security (DHS) Science and Technology (S&T) Directorate's cybersecurity R&D program, to increase the success rate of technology transition. In addition to describing the model and its general applicability, the article also describes examples of successful technology transition from the DHS S&T cybersecurity program. This article is written from the perspective of an R&D funding agency seeking to enhance and increase technology transition from its programs.
In the second article, "Building a Bridge across the Transition Chasm," by Anita D'Amico, Brianne O'Brien, and Mark Larkin, an R&D team shares the techniques they used to transition government-sponsored cybersecurity research to operational environments, addressing government-specific obstacles including regulations, certifications, and funding cycles. This article offers the perspective of an R&D team that has transitioned three cybersecurity situation awareness technologies from early research to installations in the DHS and US Department of Defense. The products they developed were done with both government funding and, importantly, company R&D investment to successfully move the technology from research prototype to commercial product. This particular case study was aimed at a sector of the government use market, and the article describes the many economic and schedule-driven challenges in achieving the necessary certifications for use in the government marketplace.
The third article, "Federated Identity Management—We Built It; Why Won't They Come?," by Jostein Jensen and Martin Gilje Jaatun, focuses on one particular market—federated identity management (FIM). The authors study the adoption rate of this technology through a series of semistructured interviews with representatives from the Norwegian oil and gas industry to learn more about the perceived benefits and challenges of FIM adoption. Their results show that some of the benefits of FIM adoption are offset by its challenges, which slows down the adoption process. This article is interesting both because of its interview-based results and because it draws from a specific vertical market.
Finally, we convened a roundtable including a successful technologist who transferred technology from within his own organization (Eric O'Brien), a venture investor (Robert Rodriguez), a start-up company founder who managed technology transfer from his university research to its acquisition by Microsoft (William Arbaugh), and an open source evangelist (John Sebes). This group discussed lessons learned and key questions, including what makes technology transfer work, how to measure the benefits, what the surprises were, and whether they'd do it again. While everyone in the group had a different experience, we found that they were largely in agreement on the key issues of technology transfer and all agreed that they would gladly do it again!
We look forward to building gleaming new highways across the technology transition divide and to the development of new models of technology transition operation, funding, partnership, and cultural change within organizations.