Contributing Writer

RSA: Security versus security products

Feb 16, 2011 | 3 mins
Cisco Systems, Cloud Computing, Data and Information Security

Observations about IBM, HP, mobile security, Blue Coat and Barracuda Networks

I’ve been in back-to-back meetings at the RSA Conference, which limits my time for blogging. Here is my brain dump for the day:

1. The focus of RSA seems to be on cloud and mobile security. I get that these are hot areas with lots of marketing buzz but I have two problems here: 1) Mobile security technology is relatively easy but the weird triangulation between a user, an organization and a service provider creates some interesting dynamics. Do I buy mobile security from my mobile carrier? If I do, how does the corporate security group get engaged? Do I really want my company putting security software on my personal device? I’m not sure how this will be solved but suffice it to say that this is different than my corporate PC. 2) I understand that we have to make the cloud secure before we will really embrace this model but let’s face it, existing IT infrastructure isn’t secure. Why aren’t we talking about securing this first?

2. RSA is mostly about security products, not security. I know, it’s a money thing but I wish we would highlight more about use cases, reference architectures, and best practices and less about the latest security widget.

3. HP and IBM are way more focused on security than most people think. HP now considers security one of its five top business initiatives and IBM has created a virtual security group headed by Steve Robinson with its own P&L. Both companies can address what I call “big security” use cases like securing networked business processes, creating IT risk management best practices, or dealing with cyber security issues at critical infrastructure organizations. How many other security vendors at RSA can do this? Less than 5.

4. Speaking of HP, the company is talking about a vision that merges ArcSight with HP operations software for further improvements to both IT service management and security automation. Cool stuff. If this takes off, it will be the exclusive domain of a handful of companies. BMC could play but it needs a security portfolio. CA could play but it needs a better security portfolio. Attachmate may be a wild card here with NetIQ and Novell.

5. There are a number of threat reports available and most are pretty good. That said, Blue Coat Networks did a great job of presenting its web threat report yesterday. Very insightful and a worthwhile read.

6. Another buzz area is virtualization security but this one is more real to me than others. Why? Virtualization security is pretty elementary today, based mostly on physical safeguards. While vendors are announcing virtual security products they need to focus on education before they jump into technology. ESG Research indicates that security professionals lack virtualization knowledge and best practice models for server virtualization security. Until they gain this knowledge they won’t buy security tools. Time to teach the market how to fish.

7. When I think of security vendors, I almost never think of Barracuda Networks but I have to give it credit for its manufacturing and distribution skills. Someone is buying these gateways.

More tomorrow.

Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.