Impressions of the RSA Conference: Notable for what was missing

The RSA Conference is now over, though by no means have I decompressed: it was a whirlwind of activity (I held 38 meetings in 5 days!). As evidence of how significant the RSA Conference is as the place to show your wares and to be seen, by my count there were over 350 vendors exhibiting - which is a bit less than half of the entire security vendor community. Notably, though, many of the booths were smaller than in years past.
My colleague John Kindervag predicted in advance of the conference that cost-cutting and "cloud" were going to be the two big pitches coming from vendors. Credit John with a direct hit on that.
But here's what I saw missing from the event:

1. End users. By all reports, not a lot of customer business was done (I've heard from non-RSA sources that end user attendance was down 20%-30%). Foot traffic on the expo floor was way down, as was the overall energy level. One vendor joked to me that all the good prospective customers were on stage! To be fair, the end users who had and spent the discretionary funds to attend were serious about starting projects soon. We still see security spending rising in 2009, and even accounting for all the chest-thumping, my conversations with vendors seem to bear that out. But conferences everywhere are hit by the recession.

2. Another notable thing that was missing from the RSA Conference was a singular trend or theme. In the past we had events where "data security" or DLP, GRC before that, compliance, and identity management really stood out as hot areas. This year, nothing. If I were an optimistic fellow, I'd say this reflects a maturity of the market. But I'm an analyst, and get paid to be skeptical, so what do you think? :-) 
The remaining two items missing from the conference have to do with vendor strategy and positioning.

3. Messaging that really resonates. John Kindervag was spot on about the focus vendors have on positioning their solutions in light of cost savings. Yes, lower TCO is important, and cost justification even moreso (though I'll take business justification over cost justification any day). But what really matters in today's climate of both economic pressure and vast IT change is helping security groups to take the complexity out of their jobs, not just lowering the price or capex of a product, or even getting a quicker ROI (however that might be measured). Addressing complexity was sorely lacking in everything except - surprisingly - Art Coviello's keynote about the need for integration across vendors'  products.

4. The identification of a larger opportunity. It's the toxity of capex and the focus on TCO that is driving a lot of the hype around security in the cloud as well. But here, most vendors are simply looking at cloud - and SaaS - as a new delivery model. The only vendors who really benefit from in-the-cloud vs. on-premise security are the MSSPs focusing on network protection and the threat management vendors who are trying to solve the problem of pushing out too many signatures (McAfee, with Artemis) or recognizing the benefits of (like RSA/Cyota and Websense have been doing for a while) or both (as Panda just announced). Few vendors recognize the opportunity to secure the IT environment as it migrates to cloud-based or SaaS-based solutions (I've written about this in my recent report "VC Trends In IT Security"), which is the bigger opportunity.

I had no time to attend any of the sessions. I was hoping to sit in on a few (those that seemed decidely not vendor pitches), but missed them all. Anything stand out?

If you're a vendor who went to RSA - or one who decided to sit out this year - I would love to hear your thoughts about the conference.
Despite the gloomy post, I still think it's a must-do event for vendors.

Jonathan Penn