Friday | 10 July, 2009
CSO
Better than locks: A security approach to 'free'
Keeping security relevant in the free-content era
Geoff Leeming (Computerworld) 02/06/2008 08:07:57

Immediacy. In our impatient society, we will pay to have something right now, even if we can have it cheaper or free in a few weeks or months. This has been said so many times by so many people it must be obvious to everyone -- so why have we security folks not heard? How did we miss this?

We must have missed this, because as a consumer every time I see a security measure it's as a roadblock, a barrier to stop me spending my money. Registration processes with data validation schemes that don't recognize my address or my phone number -- just give me the product. The pages of interminable license agreements that I do not and never will understand -- just give me the product. The increasingly complex authentication processes: username, password, secret word, CAPTCHA, mother's maiden name, inside leg measurement of your father's cousin's pet hamster -- just give me the product!

Each of these mechanisms slows down the consumer just a little bit. And time and time again I've heard security people say "But it's just a simple verification step. This won't really get in the way." Maybe each on its own won't, but add all the security steps together, and then see which is easier to get hold of: your legitimate product or a counterfeit copy.

If it's easier to get hold of the counterfeit than the real thing -- and I bet you, 9 times out of 10 it will be -- then you're going to have a fun time trying to get your consumers to pay money for your version. I tried buying some GPS software online recently, and kept running into barriers. Every step was made that little bit more difficult by intrusive and poorly designed security mechanisms, and eventually I gave up trying to give these people my money and went and downloaded a pirated version. I spent about two hours struggling with the company's Web site before giving up, then spent about 5 minutes on Pirate Bay finding a pirate copy. I actively wanted to give this company my money, and they seemed to actively be trying to stop me. They succeeded.

Of course there are good reasons why some of these security steps need to be in place, and I've put in enough in my time. I'm not for one moment suggesting we get rid of these mechanisms, but we must switch our focus. There must be two fundamental design objectives for any security mechanism: it must let the good guys in as easily as possible, and it must keep the bad guys out as effectively as possible. Too often, we concentrate on the bad guys and forget that it's the good guys that pay our wages.

Personalization. There's no inherent security problem in tailoring a product to a person. The security problem comes in identifying the person in the first place, in remembering who they are and what they like, in recording what they've bought and what they decided not to.

This is identity management, one of the hardest problems in security. Over the past two decades I've seen security problems wax and wane in difficulty: firewalls have gone from specialist network routing devices to a black box, a standard building block in any network architecture; antivirus has gone from custom-coding responses to individual Excel macro viruses to a mass-market product that even your grandparents will buy and use. But identity management remains hard.

Identity management is already one of the hardest problems, but if personalization becomes a driving force of the new economy it's only going to get harder. Some companies do this well already: Amazon remembers me when I visit, remembers what I like and what I don't, and recommends books and DVDs to me, like a village shopkeeper who knows all her customers as friends. But apart from the retail success stories, most companies are still struggling to remember who their own staff are and to manage the identities of their own employees, and are a long way from being able to extend this to their customers.

If Kelly is right about personalization, then companies need to look at their identity management solutions now and ask whether they are future-proof. Will they still support the needs of your staff and a (hopefully) expanding customer base in five years' time? If not, now is the time to start putting this fundamental piece of IT infrastructure in place.
