April 18, 2008

2 views on the RSA security conference: a war of signals?

2 guys went to RSA conference and came back with slightly different tales. Both are down on it. Gunnar Peterson says the sellers of product are not of our kind, to put it politely. He spotted an apparent exception with Ping Identity, a seller of something or other, which apparently is impressing clients, who reported this anecdote:

Someone wandered by our booth and when they saw the Ping logo, they stopped and paused, looking perplexed. When one of our sales team inquired, the gentleman said, "I thought you guys were bigger than that."

Signal! In a market with insufficient information, signals arise as proxies for the metrics that we don't have, but still demand. There are no good signals, only less bad ones, because if it was good it would be a metric.

In this case, the observer thought that the booth size indicated corporate size, with the implied expectation that this said something (good) about the product. The Ping guy went on to muse on a strategy of deliberately perverting the signal by setting his booth size at 10x10 (feet?) regardless. He could go further, and not go at all, but apparently he isn't ready for that test.

Meanwhile, Bruce Schneier also went to RSA and said:

Talk to the exhibitors, though, and the most common complaint is that the attendees aren't buying.

It's not the quality of the wares. The show floor is filled with new security products, new technologies, and new ideas. Many of these are products that will make the attendees' companies more secure in all sorts of different ways. The problem is that most of the people attending the RSA Conference can't understand what the products do or why they should buy them. So they don't.

This is a subtle difference between Gunnar and Bruce. Gunnar says that all is crap, and Bruce says that the products are good, but the buyers don't get it. Bruce's theory is that the marketing departments are not selling on security, and in some sense have drifted off to selling something else.

"I can't figure out what any of those companies do," he replied.

I believe him. The booths are filled with broad product claims, meaningless security platitudes and unintelligible marketing literature. You could walk into a booth, listen to a five-minute sales pitch by a marketing type, and still not know what the company does. Even seasoned security professionals are confused.

Which is to say, whatever they are selling, it isn't speaking to security, as far as their customers are concerned. So if we assume that they do know security (whatever that means) and their products are good for us (as Bruce suggests), the question then becomes, why can't they communicate this to us?

Bruce provides the answer elsewhere:

In 2006, IBM bought ISS. The same year BT bought my company, Counterpane, and last year it bought INS. These aren't large security companies buying small security companies; these are non-security companies buying large and small security companies.

Whatever it is that the security companies know, it isn't about what the customer needs. Now, we could split hairs about this point: is the wisdom that the company holds "security", or is what the customer needs "security"?

But it is clear that the customer needs X and the seller isn't aware of what X is. Further, if the above events are indicative, the specialised security company is not capable of entering the market for X. The market for X is reserved for the IT generalist company.

I agree with the notion that we are facing crunch time for the sector (and have been predicting it for longer than I care to remember). It is certainly an exercise for the armchair economists to predict where it goes from here. But, let there be no doubt about change: It has to change, because the disconfirming data is in: the security industry did not save us from the current threats, and has no good answer, if the RSA conference is anything to go by.

From my armchair, here is where it goes: It's your job, do it. Security is something that becomes a part of the application, and the market then splits two ways: you the builder of applications will do it yourself, or you will outsource practically all of the application to (only) companies who can sell all parts of the application, from requirements to rollout (the consolidation that Bruce refers to).

Buy IBM, sell anti-virus companies. Ditch security professionals as contractors, re-employ them as permanent parts of your generalist team, if they are general enough. Integrate savvy people into your team, and encourage them to learn some security, too. Install books on secure programming on the bookshelf, uninstall security products.

Which still leaves a hair-splitting question of what the difference between security and X is. Well, back to my armchair for that one.

Posted by iang at April 18, 2008 07:21 AM

I cannot possibly imagine what effective tools Bruce Schneier is talking about. The people I saw there whose tools actually work were in the 10% minority. Look, I know I can run Fortify or Ounce on your code and find security bugs, but that is two vendors out of a gajillion. The vast majority of those people are selling toys to security "professionals" who want to play cops and robbers on the shareholders' dime. Then the vendors wonder why people don't want to pay for these toys. Guess what guys - Christmas/Hanukkah/Diwali/etc. only comes once a year! You gotta find something to sell besides toys and shenanigans for the other 11 months a year.

We are not debating the efficacy of side airbags versus the side curtain airbag. It's the efficacy of undercoating (hopefully they have sleazy car sales people in the UK so I don't have to 'splain this); it's shenanigans.

I remember back a few years, a company buys a seven figure (!) identity provisioning suite from a large vendor. Now they are closing the deal and this sucker is supposed to integrate all their disparate directories, provision roles, propagate attributes, the whole nine yards. Well, so as the deal is closing, the big regional sales guy flies in and sort of oozes his way into the meeting and says "hey, uh, now that you guys got this software, what kind of hardware can I sell you on?" and proceeds to launch into this sales pitch. omfg, THEY JUST SPENT MILLIONS OF DOLLARS ON YOUR IDENTITY SOFTWARE - PLEASE MAKE SURE THIS ACTUALLY WORKS (which it didn't/doesn't) - AND PLEASE STOP SELLING FOR TWO SECONDS.

These big companies have all these "security" products which are little web-enabled toys; they all generate reports really well, but the companies don't buy them for a security product, they buy them so they can sell you a bunch of operating systems and hardware that no one wants. The money does not go, as Andre said, into improving the product; it goes into booths and shenanigans. That is why for informed buyers Ping and innovation-focused small companies win.

Posted by: Gunnar at April 18, 2008 04:44 PM