The Sandbox – RSA Conference 2014 – San Francisco

Feb 24, 2014 | 3 mins
IT Leadership, Technology Industry

RSA officially kicked off this weekend with the usual courses and side meetings. But today was something I look forward to with relish: the Sandbox, where new companies come to the table with new ideas for security technology. Last year was full of unknowns and companies with some security pedigree but mostly without what I saw this year. This year I see tons of infosec pedigree:

It is an indication of the buyouts in the industry as consolidation by the larger firms to be a slow adopter continues. I say slow adoption since many of the firms acquired in the past couple of years had former leaders in this year's Sandbox. Slow because the technology acquired has been on the market for years and is a safe bet. Slow adoption since most of the technology acquired by the big boys is basic blocking and tackling on one hand, and sometimes ineffective on the other. They are well known (follow the links) for being big names in the industry. They are on the market with what they believe to be new ideas, fresh and flush with cash that VCs love to throw at them. They throw it at them because they have done it before.

Unfortunately, the buyouts stifle creativity and true innovation. Fortunately (or not), it frees up those who have done it to do it again. But do I want to have it done to me again, or not?

I was hoping for significant gains with the Sandbox this year but what I have found is iterative improvements at best. I also wonder, why is it that VCs would fund startups for incremental gains? But I am asking the wrong question since the only true question to ask is have they made VCs money in the past and can they do it again?  It is truly not about significant innovation and gains by leaps and bounds but about establishing a company with serial entrepreneurs who can make us money again and again. They may be solving some problem with the solutions I see this year, but the solutions are ‘incremental’ at best.

I ask myself, if I were a CISO again, would I want to buy any of these products as I see them today? And my answer is no. Why would I want to purchase products from serial entrepreneurs and security luminaries who have been selling me products over the past 5-10 years that don’t work against my adversaries? Why would I want to repeat the same process and fail at protecting my IP with new tech from the same old same old? Why is it that the VCs fund these guys? Cuz they have done it before, not because they are truly the cat's meow of infosec innovation.

As always, great show by RSA, Nth Degree and Hugh Thompson. Professional and well done. Disappointed by the need for pedigree to actually be the main qualifier on one hand and the main stifling agent for true innovation on the other.