So I'm getting ready to head over to RSA, and I'm curious. If you believe that "security is about outcomes, not about process," what outcomes do you want from RSA? How will you judge if the conference was worthwhile?
Many have commented that the world's premier security event is a worthless event from the point of view of security. So what's the point?
An event is successful if you increase your marketing capabilities. Obviously, RSA does, and for this reason it is totally successful, for them. What about you?
Security as a business is mostly about marketing, whether it be via books, blogs, personal contacts, conferences, or whatever. Quite why this is requires a deeper thrust into the economics of asymmetric or imperfect information markets: in a market where neither the seller nor the buyer knows what is to be done, only signals are available as tools (cf. silver bullets), and signals are the domain of marketing, not engineering.
Hence the rise of marketing -- perception -- as the key factor in success in the security business. A conference is a good thing; if you can get enough people to go year after year, then it is presumably a signal of something. This feeds the whole process: it generates a feedback loop that is at least self-sustaining.
But in a crowded market for signals, one signal isn't enough. Hence, there is a tendency to pursue a range of signals. So far we've got: the blog, the book, the conference, the RFC, the job, the protocol, the project, the network, the paper, the award, the article, the government contract, the patent, the algorithm, the ...
Any serious practitioner of security can pull together one of those (as an assumption). I can, you can too, if you are reading this. But, can you bring together 4 or 5? That's the battle, and in that battle, it becomes a simple marketing game of proving that you are more single-minded, more productive, and more strategic than the competition, and can drown out their signals with yours.
(Hence, I am not posting that much these days... I simply haven't the time, because I'm concentrating on another signal :)
The winner of this game is the one who generates enough resources to then feed those resources back into building the base of signals. Thus, a positive feedback loop in signals. And so, we see the tendency is for the biggest player to win, because more resources means more signals. Hence, RSA plus the conference. And so, security takes on more of the aspect of classical markets like soap powder or breakfast cereals. The commodity product underneath is not important; the structure of the industry and the ability of the major players to build barriers to entry against newcomers become the battleground.
OK, that was all theory. What's the bottom line? If you want to win at security, study marketing.
Posted by iang at April 26, 2009 11:04 AM