Like Getting Socks for Christmas

The RSA Conference held each spring in the US has for many years been heralded as the security show to attend, to the extent that it sets the tone for the industry for the rest of the year. Besides accommodating the single largest collection of security vendors in one place, RSA allows for access to C-Level enterprise executives, particularly CIOs and CISOs.

And 2014 was no exception. This year’s RSA was big – over 350 exhibitors and over 25,000 attendees. Industry watchers held their collective breath to see what would be unveiled at RSA 2014, and the boycotts over the NSA allegations only served to heighten that anticipation. Unfortunately, once the show was over, it was a bit like realizing that all those presents under the Christmas tree were just socks. Yes, we all need socks, but what we were really hoping for was something unique and exciting.

This year’s show was lacking – in innovation, in hard-hitting announcements, and in unique messages. Many announcements felt similar (yet another announcement on threat intelligence) or dated (secure that URL). Opinions on why this was so include:

  • Concern and uncertainty over the effectiveness of the boycotts made vendors play it safe.
  • Security vendors had little news to share.
  • The signal-to-noise ratio of RSA has reached the point where many vendors do not believe that they can get the proper attention at RSA and so are holding off on Tier 1 announcements.

As the spring conference cycle gets underway, the next few months will be telling. If the lack of important announcements emerges as a trend, the importance of the springtime RSA conference will wane. Perhaps RSA will become a podium for small vendors, with large vendor announcements occurring closer to the mid-year point?

Was RSA 2014 a total loss? No. The show is worth attending for the professional networking alone. No other show attracts the depth of security professionals that participate in RSA. Further, RSA allows participants to gain a true understanding of what folks are looking for in the “real world.”

Some key messages did emerge from the many booths, announcements, and conversations at the show:

  • Cloud is still a major challenge – there remains considerable discussion over moving to the cloud, authenticating in the cloud, and securing data in the cloud. Many of the conversations about the cloud are post-hype and more focused on the nuts-and-bolts implementation, which is promising.
  • The volume of threat-related announcements illustrates the concern many organizations have about the unknown and also the growing fear that “something is being missed.” Information sharing across devices and vendors still seems to be failing – there were no announcements addressing the fact that users can cross-pollinate security infrastructures with diverse feeds from different vendors.
  • Security awareness was a consistent theme at the show, with more emphasis than ever on end-user education. The realization that the end user is the weakest link was consistent across various vendor solutions, and vendors with education offerings appear to be gaining traction.

While this year’s RSA lacked the WOW factor of previous shows, the high attendance rate and the impressive presence in the exhibition hall do make clear that security is perceived as important in today’s business environment. Perhaps this year’s trend of lackluster announcements is an anomaly – the result of concerns over the strained trust environment between end users, governments, and vendors.

Just like getting socks for Christmas, getting back to some security basics isn’t a bad thing, but we’ve been good, RSA, so can we have nice toys next year?

Follow me on Twitter (@robayoub) to keep informed as new research is released.
