When I first got into security, I was an academic, writing conference papers, grant proposals, and crap like that. Even in my time consulting and in product development, I have tried to do some things that were both academically interesting and practical.
Having been on both sides of the divide, I’d say that for the most part there is not much practical work coming out of academia that is making a big impact in the real world. There are certainly a few exceptions, most of them in the world of cryptography.
There are lots of reasons for this, an important one being that industry and academia don’t share very much. Lots of academics are reinventing what industry has been doing for years.
Academics don’t just suffer because they don’t know what industry has done. They suffer from not understanding the problems well.
Academics don’t spend enough time with customers or with companies in the industry to figure out the true problems that need to be solved. Part of this is because academics tend to be more focused on publishable results than on which problems need a better solution.
Academic peer review is a great thing, but in the security field, the fact that publications usually have to meet a high novelty bar is a bad thing. The real world would benefit if industry could say, “Here’s a proposed system. It’s a combination of a lot of ideas, but it’s a new, novel system.”
Right now, academics don’t get any credit toward tenure for breaking stuff (though they still might do it for the publicity). But it would be great if academics could get publication credit by publicly analyzing those systems. I think they should get credit for contributing in a practical way to industry – the world would get better systems, after all.
I don’t know how to fix the problem. This is a downward spiral: the less relevant academia is, the less effort industry will put into the relationship, which will leave academia less able to provide value to industry.
(from J.Viega, Myth of Security, O’Reilly 2009)
