Other long-time industry folks feel free to disagree with me, but I think I've seen a dramatic decline in excitement, weirdness, and surprise at the show in the past 5 years.
In the beginning, the buzz was all about the crypto wars: new companies would come out with new "great' crypto systems every year. Some were good, some were snake oil, and most were just unnecessary. (I'm thinking, for example, of the guys who announced the unbreakable million-bit encryption system. It was super-strong, and used 'matrices and new science'. The only problem was the customer was left to figure out how to move those huge keys around. For the non-crypto folks: this is a pretty big oversight) It was obvious something big was going to happen in security, and in this wild-west period everyone was trying to stake a claim. It was great for the crypto community players. This period was hard on customers though, as they had to make career-defining security decisions without enough solid information.
The years from 2001-2004 settled down a bit. With the collapse of the internet boom, a lot of the noise left the market. Companies settled down and sold good, well planned products that actually solved the current security issues pretty well. It was easier to select a product then. If you needed a VPN, (and you knew you did - the press was doing a reasonably good job too) you could go out and evaluate a dozen compatible VPN servers from a dozen decent companies that all contained sensible crypto. The security industry had come into its own.
Having worked out a sensible model, the next thing, naturally, was to break that model. Security is no-longer a stand-alone feature that companies bolt on to their IT systems. No, security is an integral part of the network, client, OS, and storage system. The latest era has been one of integration and consolidation as IT giants like Cisco, EMC, and Microsoft have made security a core competence and built it into the product.
I observed this shift from the inside at my previous company. Initially, we made the specialty crypto chips and sold them to Cisco and others. Then more players came in to the market. To grow, we had to move upstream and started selling the protocol software that runs the security system. As the market matured, even that business was squeezed. The latest model was to license the crypto chip designs to the big chip makers so they could integrate it into their systems. All the basics a customer needs comes in their network switch now. There is little room left for a pure-play security company in network security.
What is a pure RSA-conference-attending security vendor to do now? What we are seeing at the RSA show these days, is a combination industry maturation and opportunistic marketing. The main players are now IT companies (EMC/RSA, Cisco, Microsoft, CA, IBM, Novell, and Google).
But there is another trend happening: read the blurbs for many of the exhibitors and you might be forgiven for thinking you were looking at an auditor's conference. This is a very typical blurb:
[Company X] delivers enterprise governance, risk and compliance (GRC) solutions. ... [X] enables companies to manage enterprise risks, demonstrate compliance, automate business processes, and gain visibility into corporate risk and security controls.
Stuff like this will chill the heart of any security enthusiast. And there are dozens of these compliance-officer-pleasing companies in the market now. This is the opportunistic thing I was telling you about: it sells because of government regulations and fear of lawsuits. Not that the security community has anything against selling on fear, we've done it for a long time, but this seems a long way from security to me. It seems like accounting. In any event, my hat's off to the evil geniuses that figured out they could shift the market and sell this stuff under the guise of security.
So what will this year's show bring? What will be remembered and talked about later? Who knows, I'm heading out to see with a small thrill of anticipation. But you know what I want: The resurgence of weird.
No comments:
Post a Comment