During the past 40 years, governments and industry have invested hundreds of millions of dollars into research on approaches to improve cybersecurity. Some of these investments have led to the creation of new products, new companies, or new industries and have changed the operational security practices of IT departments around the world. Other investments have resulted in the creation of papers and prototypes but have failed the ultimate test and fallen short of the goal of producing real products and changing the real security experienced by organizations and individuals.
It often seems that there is an art to successfully crossing the great divide. Why is this? Do cybersecurity-specific issues and challenges make technology transfer more difficult? We think so. Historically, some of the biggest stumbling blocks have included the following:
• Insufficient awareness of the complexity of cybersecurity tech transfer. Tech transfer, while difficult in any field, seems particularly so in the constantly shifting world of cybersecurity. At each stage—from initial research idea, advanced prototype, and early-stage product to widespread adoption—the process can break due to internal factors or sudden shifts in attack methodologies, tools, and strategies. Commercializing security technologies effectively has been, in some cases, largely a matter of chance.
• A scattershot approach to R&D. Governments and businesses around the globe have invested hundreds of millions of dollars in cybersecurity R&D—but only loosely in coordination with one another. Research often was initiated based on a largely reactive model driven by the hot security topic of the day.
• Mismatch between market and threat environment. The market for security technologies targeted at nations' infrastructure is fragmented, narrow, and often heavily regulated. At the same time, the demand for mass market security solutions has become saturated, leading vendors to become very tactical in focus, looking at which innovations would fuel the next business opportunity.
The net effect is that many research investments lead to security technologies that never see the light of day.
This special issue explores technology transition of cybersecurity technologies through three articles and a roundtable discussion. Getting articles from the private sector proved challenging. While we know that there are successful cases of research prototypes making their way into successful commercial products, we found that the commercial companies were reluctant to talk openly about these efforts or not available to provide articles. The researchers' and product organizations' differing cultures manifested itself here; researchers are accustomed to (and rewarded for) submitting articles, whereas their product company counterparts are not.
One topic that also proved challenging was the question of whether to purchase new technology or to develop technology in house (often referred to as "buy versus build"). What are the factors that lead a company to purchase technology rather than develop it? How much of technology transfer is idea transfer?
The first article, "Crossing the 'Valley of Death': Transitioning Cybersecurity Research into Practice," by Douglas Maughan, David Balenson, Ulf Lindqvist, and Zachary Tudor, presents an R&D execution model developed by the US Department of Homeland Security (DHS) Science and Technology (S&T) Directorate's cybersecurity R&D program, to increase the success rate of technology transition. In addition to describing the model and its general applicability, the article also describes examples of successful technology transition from the DHS S&T cybersecurity program. This article is written from the perspective of an R&D funding agency seeking to enhance and increase technology transition from its programs.
In the second article, "Building a Bridge across the Transition Chasm," by Anita D'Amico, Brianne O'Brien, and Mark Larkin, an R&D team shares the techniques they used to transition government-sponsored cybersecurity research to operational environments, addressing government-specific obstacles including regulations, certifications, and funding cycles. This article offers the perspective of an R&D team that has transitioned three cybersecurity situation awareness technologies from early research to installations in the DHS and US Department of Defense. The products they developed were done with both government funding and, importantly, company R&D investment to successfully move the technology from research prototype to commercial product. This particular case study was aimed at a sector of the government use market, and the article describes the many economic and schedule-driven challenges in achieving the necessary certifications for use in the government marketplace.
The third article, "Federated Identity Management—We Built It; Why Won't They Come?," by Jostein Jensen and Martin Gilje Jaatun, focuses on one particular market—federated identity management (FIM). The authors study the adoption rate of this technology through a series of semistructured interviews with representatives from the Norwegian oil and gas industry to learn more about the perceived benefits and challenges of FIM adoption. Their results show that some of the benefits of FIM adoption are offset by its challenges, which slows down the adoption process. This article is interesting both because of its interview-based results and because it draws from a specific vertical market.
Finally, we convened a roundtable including a successful technologist who transferred technology from within his own organization (Eric O'Brien), a venture investor (Robert Rodriguez), a start-up company founder who managed technology transfer from his university research to its acquisition by Microsoft (William Arbaugh), and an open source evangelist (John Sebes). This group discussed lessons learned and key questions, including what makes technology transfer work, how to measure the benefits, what the surprises were, and whether they'd do it again. While everyone in the group had a different experience, we found that they were largely in agreement on the key issues of technology transfer and all agreed that they would gladly do it again!
We look forward to building gleaming new highways across the technology transition divide and to the development of new models of technology transition operation, funding, partnership, and cultural change within organizations.
Terry V. Benzel
is the deputy director of the Cyber Networks and Cyber Security Division at USC Information Sciences Institute. Contact her at firstname.lastname@example.org.
is partner director of program management at Microsoft. Contact him at email@example.com.