So, The Show of''em All, RSA has come and gone. Now that everybody has recovered from hangovers and information overflow, it is time for ... you know ... deep thoughts and stuff :-)
Before we begin, go read my RSA Impressions (Part 1,2,3,4). Next, read what others said about RSA 2008 (via my del.icio.us feed). Then reflect on past RSA shows (2006, 2007).
First, what was the theme? I personally couldn't pick any (unlike in the past). The candidates were GRC (yuck!), DLP (mmmmm), IAM (huh?).
What I saw too much off? Even though their numbers have shrunk, I still saw too many stupid NAC vendors there (Lockdown, here we come!). One of my friends joked that there were more "GRC vendors" than NAC vendors, but both were in low enough numbers to make a trend. As far as loud noises from 2007, "identity-driven this or that for security" was still very visible.
Overblown messages? "Information-centricity." It was cool and new when Hoff said it (hi Chris, it was fun to finally meet you!). But when it trickled to keynotes of some "trailing edge" exec, it became boring and stale. And, no, "information centricity" still leaves people to worry about "A" (availability) first (see this discussion)
What is also bizarre is that people still start log management companies. I saw a couple of new ones - ama
What I didn't see enough of? VOIP security. Somehow this previously hot trend is quite. Also, I saw a lot of web application security vendors, but I think that is still not enough as this is an area with a raging fire, not just "some hotness." Also, I expected to see more vendors messaging (and, actually helping!) with fraud. Dan Geer's Verdasys kinda mentioned that, but pretty much in passing. Is fraud handled outside of security (and thus out of RSA)? I am not sure.
What I didn't see at all? I didn't see much "market consolidation" - no huge deals, no vendors of note "taken out", etc. Still a huge number of security companies around ... One of the speakers said that nowadays "no single security pure-play expected to change the world", but it sure seems like many will try...hard! Along the same line, Mike R said that such shows are 18-24 months ahead of what "normal" people deploy. This might explain the VOIP and other missing items.
As I said before, "consumerization" of IT - i.e. IT infrastructure, servers, laptops, storage, services, computing resources, applications, etc provisioned outside of IT departments was an elephant in the room. It is not simply "unmanaged IT" or "consumer-grade IT for business", it is the whole "not-IT-department IT" phenomenon. Yes, via mashups it even includes "non-IT application development" (read this fun 451Group report on that). Security implications of this are nothing short of ginormous.
In light of this, I liked how one presenter said this: "we lost the desktop" - meaning "1/3 is managed by users, 1/3 is unmanaged and 1/3 is 0wned." Sad but true... Dave Aitel used to joke how in the future banks will have to "re-compromise / re-0wn" your PC so some temporary security can be established for you to transact business with them. Are such horrifying times upon us already? :-)
Finally, a parade of fun quotes about this year's RSA from my fellow bloggers.
- Rich Mogull: "And this year’s theme at RSA is… Nothing. Nada. Zip."
- Mike Rothman: "RSA show messaging [...] is probably 18-24 months ahead of most practitioners"
- Mitchell Ashley: "Security Industry Missing Ride On The Cloud"
- Rob Newby: "In a way I'm glad there was no theme. It means that I was right about the market not going anywhere. Maybe security will have a chance to catch up with the marketing now, and then the compliance will get nicely rounded too, and everyone will stop complaining about it. I doubt it though."
- Richard "IDS is dead" Stiennon: "Every RSA show is different. Every year there is a buzz. It takes two or three days of walking the show floor, hearing vendor pitches [...] to identify that buzz."
- Michael Dahn: "This year, everyone is talking about two things at RSA: risk and regulatory compliance. "
See ya at RSA 2009!?