RSA 2013: The Age Of Security Commercialism


Contributing analysts to this blog: Stephanie Balaouras, Ed Ferrara, Rick Holland, Eve Maler, Chris McClean, Heidi Shey, Chenxi Wang. Photo credit: SC magazine. 

The RSA 2013 show floor was a chaotic, noisy, and energetic place, pulsing with excitement. The industry has reasons to celebrate: the security space is white hot, with more VC money pouring in than ever before, and Obama’s recent executive order placed cybersecurity front and center. RSA this year was bigger, louder, and more bullish than ever, with more than 360 vendors exhibiting, 24,000 attendees, and 394 talk sessions.

The week heading into the conference was interesting, to say the least; with Java 0-days wreaking havoc on the Internet and the Mandiant report taking every major newspaper headline, RSA could not have had a better set-up.

After the dust (and the smoke) settled, we, the Forrester security team, came away with these impressions and takeaways:

Security commercialism is in full swing. This year at RSA, the products and vendor booths had strong commercial overtones, without the necessary grounding in problem identification and solution design. The level of commercialism is manifested strongly in vendor proliferation: over 360 had a booth and many more were milling around outside the show floor. There was a dizzying array of products, many of which lack visible differentiation. You can’t help but get product fatigue after a round on the show floor. We all know that nation-states and organized crime are on the offense. Please, people, our response can’t be yet another scanning product, can it?!

Each product, in itself, has useful functions, but collectively, vendors at RSA are telling users to accumulate more technical debt just to secure bits and pieces of their systems. While FireEye is doing a bang-up business selling in-depth malware analysis, and we saw many vendors follow suit, I’ve got to ask: “How does knowing the particular details of some malware help me with my general security posture?” FireEye is selling instant gratification, not long-term strategy, and they are not alone in doing that.

Too few surprises and too little differentiation. Case in point: Almost every vendor that Forrester spoke with claimed they were a threat intelligence provider. Many love to brag about the vast amounts of data they are amassing via deployed products, services, and other feeds, but no one was able to provide concrete examples of how they can glean meaningful insights from this data. The vendors don’t seem to get that having a pile of data does not equate to better intelligence. To be honest, if everyone’s got everything there is to know about threats, why the heck do we keep having breaches? (The Forrester team, however, did like RSA’s SOC demonstration where processes and technologies, namely Archer, SIM, and NetWitness, were woven together somewhat coherently to address threats in the environment.)

Another case in point: how many mobile app analysis services do we need? Last year it was Appthority. This year there were almost 10 vendors with a play in this space. Each one has a story about how the app is communicating with third-party ad servers, scraping your contacts, or collecting your location info. Even the portals start to look alike after a few demos. (Forrester did enjoy FireEye’s Mobilyzer demo, which seems to provide more in-depth analysis than some of the others.) Sure, mobile app analysis is useful, and we could all use something to protect us from those information-stealing mobile apps, but come on, that is a feature, not a standalone offering.

The big guys are missing the point. The larger vendors, the ones that can afford the front-and-center booth space at RSA, the HPs, IBMs, and Symantecs of the world, are still not articulating a clear message about how everything they do fits together in a business context. These guys, and the managed service providers like IBM and Dell, are sitting on a golden opportunity – users can’t conceivably acquire 50 different technologies just to protect themselves, they need help. But the solution offerings are uninspired at best and downright patchy at worst. There was also a lack of focus on services at RSA – plenty of discussions on clouds, but having a cloud does not equate to successful service deliveries.

Disruptors are sorely needed. We desperately need innovations in identity technologies, but instead we get new entrants for password management. We need innovations in application security (to help tame the root of exploits), but instead we get more mobile app scanning services. We need meaningful security intelligence, but we continue to get more half-baked SIM products. We need security capabilities delivered as a service, but we get more boxes and software that we need to manage.

When people judge how well your company is doing by the size of your RSA booth, the show has gone the way of CES: more show than substance. And we, as a community, are at risk of perpetuating an industry that is “too big to fail.” So, next year, instead of coming to RSA to sell a product, try solving your users’ problems first.

Comments

On being disruptive

I'm a small company being disruptive in the security space, and can tell you why you never hear about those of us who are working on new and innovative things.

When you're new and unfamiliar, it takes education and frankly support for people to know you exist. Everything you mentioned is familiar, understandable and fits easily in the context of the ongoing security narrative.

It takes special people to see value in new things, so you're more likely to hear about things that are riding a trend wave because it's already proven.

There are probably lots of small, scrappy, innovative companies in the security space, it's just hard to hear us with all the noise in the room.

Eric Fiterman
www.spotkick.com

Re: On being disruptive

Eric, I agree. It's tough to be a small company trying to get your message out. Small companies do not have the type of marketing dollars that big ones do. Have you done a briefing with Forrester? If not, please do so, we love to hear from small innovators.

Thanks

Little Fish in a Big Pond

Totally agree with all points, Eric. As a small business, 5 people strong, we just do not have the marketing dollars to compete with these larger players. We looked into RSA, but at $16000 for space alone, not including outfittings, lodging, personnel and marketing gimmicks, you're looking at a hefty price tag. In addition, sometimes new ideas are too far outside the peripheral vision. Our company stands in the grey space between physical security and cyber security. The discussions are coming, but the majority of security and IT professionals are not looking beyond the cloud and enterprise. Corporate espionage is a spooky word, but isn't that one of the angles of all these hacks and intrusions? To obtain pertinent competitive information?
www.vector-techs.com

What can we do to change this?

I was at RSA, and as a tiny startup with no marketing budget, I can tell you that I felt like a goldfish in a sea of sharks. Our startup was named one of the top 10 most innovative companies by RSA Conference 2013 (http://lightpointsecurity.com/pressroom/light-point-security-to-compete-...). We presented at the RSA Innovation Sandbox event, and gave a few demos on the exhibit floor. But even that wasn't enough to stand out.

I've seen an abundance of articles post-RSA sharing the same sentiment: too much commercialization, too many booth babes, too much marketing, and not enough substance. It's nice to see that people are taking notice of the direction these big companies are taking at conferences, but unfortunately, I only see things getting worse. The reason these companies spend tons of marketing dollars on flashy, non-descriptive collateral is because it's working for them.

There's a lot of innovation happening in our industry, but a lot of it is happening within startups. A lot of the bigger players mostly have "me too" products, and the only way to compete with a "me too" product is to throw tons of marketing dollars behind it.

Zuly Gonzalez
Co-Founder, Light Point Security
http://lightpointsecurity.com

On being disruptive

I wasn't at RSA, but I'd agree with Eric's and Zuly's very well articulated thoughts. I also love the Forrester overview. Can't argue with their views, but of course it's what you get when the big players throw far more dollars at sales and marketing than they do at talking to their customers and developing solutions to their customers' problems!

I think buying organisations are beginning to realise that most of what they're paying the market leaders for their vastly overpriced, often under engineered and almost always non-integrated solutions is to cover the cost of those huge sales and marketing operations and VC returns!

So, being disruptive is about sensible pricing, delivering value for money and genuinely disruptive technology, which us smaller innovators are well placed to deliver.

Booth Babe opinion

Wow, I find it interesting how I can easily seduce you security people to enter my soft-carpeted booth, whisper into your ear to talk to my sponsors, and give you goodies possibly not healthy to chew on or stick in your computer. What is it again you tell your flock at your company not to do?