April 24, 2008

Recession Tales

If you didn't think there was a recession before you went to the RSA conference, you might have come away with a completely different view. The conference was "too quiet," which may have been due to its unusual scheduling (usually the conference is in February, while this year it was in April during a week which conflicted with two other infrastructure events plus Spring Break for many families). But you couldn't help feeling the slowdown -- it didn't seem as big or as active as past RSA events. And there is plenty of reason for thinking that the security business could be in for an economically driven slowdown. As you know, the security value propositions have evolved to include risk and compliance. Several vertical markets, most notably the financial services vertical (banking, securities and insurance), consequently play a greater role in the early adoption cycle of these products -- the financial industry understands risk and has lots of regulations to deal with. Unless you've been under a rock for the past six months, it's hard to miss the fact that the financial sector is being pummeled due to the mortgage crisis -- companies in this space are losing billions. It's well known that companies in the financial sector are quick to respond to changes in their bottom line by increasing (or in this case decreasing) their IT spending. And of course, it's likely that what gets cut first is discretionary spending on new project initiatives (the very thing that the security infrastructure sector needs the most). So it may be that there is a direct path from the front-page woes of the financial industry to a slowdown in the rate of adoption of new security initiatives. Usually, we look to the financial sector to lead infrastructure sectors out of a recession by being the first to increase budgets. The question is: "If not them, then who?"

Horse's Ass 2

After the 2006 RSA conference, we made special note of a truly distressful talk given by the CEO of ISS (a security-focused division of IBM), who started off telling a story (about how a horse's ass determined the width of roads in ancient Rome, which ends up being the limiting factor on the size of the Space Shuttle's engines) which he apparently thought was true but which turns out to be one of those urban legends that circulates through the Internet every couple of years. We wondered -- if he got duped by an Internet-propagated urban legend, how relevant was the rest of his view on security trends? So it was with great anticipation that we attended Val Rahmani's keynote at RSA. Val is the articulate General Manager of IBM's ISS division. Although Val is a good public speaker, she seemed to miss the fact that she was talking to a room full of security experts. She got off on the wrong foot by using the line "IBM is getting out of the security business" as a public speaking device to generate interest (it turns out, of course, not to be true). Her talk had lots of cute animation of things like someone rolling a rock up a hill to illustrate her observations that companies aren't getting the most out of their security offerings. What she doesn't seem to understand, perhaps because it hasn't occurred to her, is that her company has been one of the market leaders supplying the very products that she's labeling as ineffective and disappointing. RSA sessions are composed of sophisticated security experts who aren't patient with some patronizing banter about "the new security mandate." The problems with security that she was citing might have more to do with the lack of completeness of the products being sold rather than the lack of understanding of security managers of how to do their jobs. We think the audience wants, and deserves, more.

March 17, 2008

RSA Keynote Rant

It's the time of the year again when the RSA Conference comes to town. It's always an interesting event as security companies get to strut their stuff. The market for security products has changed radically -- five years ago the threat landscape drove infrastructure gymnastics and lots of spending as IT managers wanted to avoid being on the front page of tomorrow's newspaper. But today's threats, although more lethal, are not as visible in the media, causing repercussions among security vendors as they're trying to learn how to sell in this new environment. It was really frustrating last year when speakers at the RSA Conference talked about the consolidation that was going to occur in the security market as weaker companies would be consumed by the stronger guys. Rather than preaching these gloomy self-serving messages (self-serving because it's the big company guys who get to do the keynotes), we're hoping that this year's speakers come up with some good ideas as to how the security industry can provide greater customer value -- like making products that are so valuable to customers that they'll buy them.

August 16, 2007

End Game?

The Information Leak Prevention infrastructure sector makes you scratch your head and wonder how this whole thing plays out in the long run. Last year we wrote a series of reports on ILP/DLP technology and basically concluded that, while these products do interesting things, customers wanted more complete offerings that delivered important business value and that this market needed more time before it would ignite. Last week's acquisition of Tablus by EMC's RSA division seems to underscore this and may even point out that ILP technology is better viewed as extending the functionality of larger information management subsystems. Websense is taking this approach by integrating its recently acquired Port Authority product within a broader framework. The value of the EMC/Tablus transaction wasn't announced, which more often than not is a disappointing signal. Couple that with the ensuing discussions pointing out that Vontu's 2007 revenue number may be closer to $25M than to $50M, and it has us all wondering about the short-term health of this sector. With about 20 plus startups in this sector and more than $500M in venture investments, we're all expecting an exciting business to develop. As we've done before in other sectors, we'll be keeping score as newcomers enter into our DLP/ILP Hall of Fame.

 

DLP/ILP Hall of Fame

| Date | Acquiree | Acquirer | Amount ($M) | Estimated Sales Multiple |
|---|---|---|---|---|
| 10/06 | Onigma Ltd | McAfee | $20 | ? |
| 12/06 | Port Authority | Websense | $90 | 20x+?? |
| 8/07 | Tablus | EMC/RSA | ??? | ??? |
| Total | | | $110+M | |

February 22, 2007

RSA Keynotes

This wouldn't be our annual RSA wrap-up issue if we didn't mention the keynotes.  Once again, Art Coviello, whose official title is Executive Vice President, EMC Corporation and President, RSA, The Security Division of EMC, followed the Bill Gates keynote.  Art's a nice guy and he rang the bell when he sold RSA to EMC last year, but following the Bill Gates/Craig Mundie discussion may not have been the best spot.  Coviello's talk did create quite a stir when he said: "With the exception of a few innovative startups, (there will be) no more stand alone security businesses within 3 years."  Considering that as president of RSA he's more or less the host of the conference, that statement might have come as a shock to the several hundred stand-alone security companies in the Exhibit area that paid dearly to participate at the conference.  Does this mean there will be no RSA Conference in 2010?

RSA Puts on its Business Suit

For the past two years, RSA hasn't had a significant external threat lurking around -- things like Melissa, Blaster, Sasser, Trojans and Zombies to a large extent helped define past RSA agendas.  While there are even more threats out there, they don't get as much "the sky is falling" type publicity, probably because today's companies' defenses have improved.  The lack of visible external threats ultimately forces RSA Conference speakers to stop speaking "geek" and instead seek out higher ground.  And it's about time.  Chasing the threat du jour meant scaring customers to death about their potential exposures and then plugging a specific hole in their defenses.  Certainly specific threats could be avoided, but ultimately a business may be locking the front door while leaving the rest of the place unguarded.  We've been saying for a long time that the higher order drivers of security spending should relate to an organization's overall risk posture.  "How much risk is a company willing to take and how does the remedy compare to the risk?"  This year a lot more attention was placed on risk assessment and mitigation.  Ultimately, this topic drives the debate toward the business value of security investments, a good thing for future RSA Conferences to focus on.  Maybe next year we'll have to wear ties.