Two years ago, I wrote a column about the RSA Security conference, held every year about this time in northern California. Some people call RSA the "Comdex of security," because it draws more IT security folks than any other conference. But if you've ever been to Comdex, you know that's not necessarily a compliment.
RSA has a longstanding (and well-deserved) reputation for being a vendor show, and this year's event (held Feb. 19-22) was no different. The total number of attendees was about the same as last year -- between 12,000 and 13,000. But the number of paid "end user" attendees was down by about 20 percent. More than a few exhibitors told me they won't be back next year unless "real" attendance picks up. Yet these same vendors also told me they don't come to RSA to generate customer leads, but to be "seen." So I suspect I'll see them again next year.
Painfully aware of this trend, the conference organizers have worked hard to attract more enterprise professionals. The educational program was stronger this year, not quite so tilted in favor of thinly veiled vendor pitches. One security engineer told me that this year's RSA program is one of the strongest in the industry, similar in quality to the USENIX and SANS conferences. But for many, it wasn't enough to justify the high cost of attending RSA, particularly during a slumping economy.
On the vendor side, the RSA conference is all about "juice" -- who has it, who doesn't and why. Everyone buzzes about the exhibit hall gossiping about The Next Big Thing, and the hotel lobby and restaurant are the setting of many a new business venture or partnership. In fact, amid all the posturing and hype, I'll bet more business deals get inked at RSA than at any other conference. I guess that's what happens when you don't have enough customer prospects to talk to.
I went into RSA looking for broad themes, and here's what I found:
9/11. The general consensus was that, contrary to popular opinion, the Sept. 11 attacks did little to increase business for security providers. Some niche markets, such as DR and business continuity, saw an uptick in interest and sales, but mainstream security providers didn't. If anything, business declined a little, rebounding slightly in late Q4.
Cyclical cycles. On a related note, a lot of vendors commented about how much longer their selling cycles are now. What used to be a four-month cycle is now half a year, as corporate CFOs scrutinize every P.O.
Get horizontal. When a security vendor wants to sell its cool new product, it usually begins by targeting key vertical markets. That's vendor-speak for identifying the industries (like financial or health care) it wants to sell into. Now the big trend is selling horizontally -- into consumer markets as well as business and government. Firms like SonicWall and WatchGuard are leading the charge in this area with a well-defined channel and solid service-provider relationships.
"Web services." Web services are to 2002 as PKI was to 2000. Everyone's talking about the topic, but no one knows for sure what it means. In a nutshell, companies such as Microsoft, IBM, Sun and Oracle are offering tools to create distributed software that can be accessed through a service model. The business opportunities are endless, but this is very complicated stuff. The infrastructure and standards aren't there yet -- particularly for security.
Host-based security. This is an area that's been heating up for some time. As we move further and further away from the castle-and-moat model of perimeter defense, managing security at the host level will take on added importance. A year ago, only a handful of vendors offered host-based solutions, mostly HIDS or personal firewalls. Today, a wide range of host security solutions are available, from kernel-hardening tools to application proxies to "intrusion prevention" products. Keep your eye on companies such as Sanctum, Okena and Entercept.
The more things change... In 2000, everyone at RSA was predicting that the security market would undergo rapid consolidation within the year. In 2000, everyone said the enterprise software firewall was dead, soon to be replaced by appliances of all shapes and sizes. In 2000, everyone was talking about how cool IDSes would be if we could only make them work right. In 2000, the single biggest problem was managing security information, alerts and policies across the distributed enterprise. Guess what?
About the author:
Andy Briney is editor-in-chief of Information Security magazine.