Creating a market demand for CC without government involvement?
(Also appeared in shorter form as an answer on linkedin.com)
With the economy slowing down and evaluation labs starting up especially in places like Singapore, it is natural to ask how to create a market demand without government involvement.
The short and a tad oversimplified answer is that the only semi-sure way to create a CC market demand is for a powerful accreditor to absolutely require CC.
Very often this is the government, either wanting secure products for its own use (the US requiring it for federal and DOD use, for example) or wanting to show that it cares about the safety of the voters' privacy (ePassport and eVoting evaluations come to mind). But it can also be a powerful non-government organization, like the major credit card companies pushing security requirements as an acceptance requirement, and the smartcard software developers as a result pushing them on to their hardware developers. They came together and decided (in discussion and consensus with all parties involved) to use CC as the main method (making PP-0002, now PP-0035). Going for co-operation instead of competition was a hugely courageous step, politically and business-wise, but in the end it was driven by cost and efficiency. (More on the consensus building in my ICCC10 summary).
No hard requirements, no evaluations
Without such a hard requirement from a market force, CC will not (and should not, in my opinion) be adopted, as it simply is an expense (evaluation costs and, most importantly, the internal costs) without tangible reward. The original question was from an evaluator at a CC lab; he should also know the direct and indirect costs of evaluations for his customers. That same money can also be used for marketing, and a good manager at the customer will ask that question. When I was senior evaluator, I always brought that question up myself if it hadn't already been considered by the customer. Better early in the process than aborting the evaluation halfway because the finance department starts asking that question and there is no reasonable answer.
Pitching the idea
The pitch to the market to adopt CC is rudely summarized:
Spontaneous combustion
Some markets have a latent security evaluation need, i.e. a significant set of the customers would buy the product if it had a security brand, over another product that does not have that brand. The CC has that brand power, so sometimes a developer will use a CC evaluation to gain that marketing advantage. If it has sufficient value, the competitors will follow eventually (with the first adopter having the head start as advantage, at the cost of the original risk taking). Sometimes this is anticipated by market-leading developers and they work together in developing the PP, which can also trigger the market to go completely for the CC. The printer/copier workgroup IEEE P2600 is going for this route, I gather. The Trusted Computing Group with the TPM is also going that route (probably based on the positive experience of the smartcard developers in that group). In my humble opinion, this is by far the best situation, but a highly political and sensitive process.
Conclusion
In any case, keep in mind that a successful PP is mostly defined by the consensus in the market (or, failing that, by the brute market force of the accreditor requiring the PP). A PP written without connection to the market is going to fail to create the market AND sour the market significantly for any future attempt to introduce CC there. Please don't do that.
Author: Wouter Slegers - Copyright Your Creative Solutions 2009 - All rights reserved