Wias Issa
May 11, 2021

Why Hasn’t the Security Industry Embraced the API-first Revolution?

How the security industry fell a decade behind the broader tech industry

I’m not going to sugarcoat it; the security industry has fallen way behind the broader tech industry in the last decade in a really fundamental way. While much of the tech industry has started to pivot away from hardware and software-based solutions – which dominated the 90s and early 2000s – and towards the use of API-first SaaS services, most of the security industry has not.

Now, this reluctance to embrace a new way of delivering security outcomes means that customers are overburdened with acquiring, deploying, and managing security tools in a legacy model, a painful, not to mention expensive, way to defend against threats.

It’s time for the security industry to wake up and deliver security via APIs.

The API Economy

Around a decade ago, we saw the emergence of the “API economy” giving birth to (what are now) massively valuable tech companies. Stripe simplified the complex and painful world of payment processing. Twilio did the same for messaging and communications. Both simplified what would’ve taken customers and developers literally months of effort, cost, and tons of trial and error to build, down to a set of API calls and a few hours of integration work.

Yet, despite the emergence of so many API-first tech companies, the security space has yet to get into the game in a material way, with a few minor exceptions – kudos to Auth0 for being one of the first to do so. The (security) industry as a whole seems to be sticking with the hardware/software model and, to a certain extent, it’s working.

Customers are generating and storing more and more sensitive data and cyberattacks are on the rise, so they’re left with no other option but to continue to buy security software, which means stock prices continue to rise and shareholders are smiling. Meanwhile, (most) security vendors are heads down, working hard to adapt to evolving threats and haven’t lifted their heads to consider the larger shift in how customers want to consume technology.

If security vendors shifted from delivering outcomes via appliances and/or software, to delivering those same security outcomes via APIs, I believe we’d have happier customers and less effective adversaries.

Can you shift left?

Figure: Shift left through the use of API-delivered security. It’s time to look left…

Laggards being the exception, most customers don’t want to buy traditional security “tools” anymore. With network perimeters mostly eliminated and data residing in a multitude of systems and locations, the focus should be on providing customers with security outcomes in the most efficient and flexible way. And I believe that is security via API. By allowing customers to enable higher-quality, more secure experiences and controls faster, we eliminate all the pain, effort, and expense of acquiring, installing, and managing archaic hardware-based solutions. It would also potentially help close the cybersecurity skills gap (which I’ve addressed in this separate post).

Under the current software/hardware model, security experts are spread too thin trying to manage security software across the entire organization while detecting and responding to threats. But by delivering security via APIs, developers can quickly and easily build security functions directly into applications, freeing up the security team’s time to focus on higher-level strategy. By shifting security left and building it directly into the applications, it would also make applications inherently more secure.

Though we haven’t seen a massive shift in the security industry towards delivering via APIs, there are a few companies that embraced the model early on. Auth0 (which was acquired by Okta for $6.5B) is probably the best, most recent example of a truly API-first security vendor. That said, a number of big players like Cisco, FireEye, and CrowdStrike have started to dip their toes into the API waters.

Auth0 Paved the Way

Auth0 is a fantastic example of a security company that delivered an Identity and Access Management outcome to its customers via API from day one. They recognized very early on that identity verification was an incredibly arduous and painful process, and something that had to be done right.

“Since our inception, we’ve always believed in a single platform to solve all Identity and Access Management (IAM) requirements. We take a very different approach compared to what traditionally has been done in this industry. Developers, the “makers” of this new world, appreciate building blocks that are simple to integrate but that can adapt to different situations,” said Matias Woloski, CTO and Co-founder – Auth0.

Globally, Auth0 now authenticates and secures more than 2.5 billion logins per month for its 7,000 customers. How’s that for the proof of the pudding?

Making the shift from the software/hardware model to security via API would no doubt bring a whole slew of new challenges. But it would help security practitioners (and developers) integrate critical security capabilities and controls into their applications and infrastructure more quickly and broadly, while enabling the security industry to catch up to the broader tech community.

I’d love to hear your thoughts on the security industry embracing the use of APIs. Do you think this shift will happen in the near future? Have you seen other API-first companies emerging to drive this change? Let’s chat.
