Industry is improving but many don't understand the principles of security or their customers

I was pretty happy with last week's RSA Conference and blogged about some of my positive impressions earlier this week. It's good to see the industry discussing the state of cybersecurity, current challenges, and promising innovation. Still, the RSA Conference is a trade show, and trade shows are all about selling products. The capitalist nature of the security industry was on display in several misguided ways:

1. Magic bullet products. In spite of the fact that organizations spend billions of dollars on security technologies and still get hacked, several vendors pitched their products as rock-solid defense against attack. Huh? I thought security was a process and not a product. The best any product can do is lower risk in a particular area, so this type of rhetoric is offensive to experienced security professionals and does the entire industry a disservice.

2. Unclear terminology. We industry analysts share the blame here with vendor marketing. For example, I had several discussions with vendors and security professionals about "next-generation firewalls." In each case, the definition of a "next-generation firewall" was slightly different. Yes, this may just be poetic marketing license, but it leads to confusion, like enterprises putting "next-generation firewalls" in front of web application servers believing that they have sophisticated WAF capabilities (they don't: an NGFW identifies and controls applications and users at the network edge, while a WAF inspects the HTTP requests and responses themselves for attacks such as injection). Security technologies are different from Ethernet switches and servers in that they are used to protect valuable assets. As such, we owe it to our customers to provide clear and concise definitions of what a product does and doesn't do.

3. Industry disconnect with users. I get the feeling that a lot of security technology vendors spend hours a day in internal meetings but never talk to customers. For example, there are a lot of new security analytics technologies coming out, which I view as a good thing.
Unfortunately, almost no one is telling users what to look for in terms of network traffic, file types, locations, and behavior that may indicate a compromise. I get that some users know exactly what to look for, but the vast majority don't. Security analytics technologies need to be complemented with services, reference architectures, training, and canned rule sets, or many will become highly sophisticated boat anchors.

4. Security community disconnect with Washington. Highly experienced and brilliant security professionals in Washington seem to think that the world ends outside the Beltway. This is a crying shame since: A) the Feds have a lot of knowledge and resources, and B) our tax dollars are going to waste on an inwardly focused cybersecurity culture. After one panel discussion of Washington cybersecurity heavyweights, several senior security professionals I spoke with said they couldn't understand half the stuff they talked about. This one is on the Feds to actually connect with their constituencies.

Information security is confusing enough without Silicon Valley, VCs, and Washington throwing a never-ending series of curveballs. Vendors certainly need strong marketing to create awareness and arm their distribution channel, but that's about it. Given the dangerous threat landscape and extremely complex cybersecurity environment, users need accurate and succinct communications and guidance. Security vendors that support, educate, and enable customers with a strong perspective on overall cybersecurity will be far more successful than those with creative branding, catchy advertisements, or frequent golf outings.