Jonathan Penn

For those who are used to seeing me post here, I have been writing more frequently to security vendor strategists rather than security & risk practitioners. I just posted on Forrester’s Vendor Strategy blog about my impressions from RSA. You can read the unabridged version there, but here’s the CliffsNotes:

  1. End user attendance was way down, as was end user enthusiasm. Low buzz on the floor.
  2. If you can spare the money and time, it’s still a great place to go to see lots of vendors and talk with them in detail. For first-level compare-and-contrast work in evaluating security products, the RSA Conference remains unparalleled.
  3. Vendors never seem to get it. Two questions for you. First, “What’s more important: security delivered in a cloud/SaaS model, or securing all your IT applications, systems, and interactions that are taking place in the cloud?” Seems simple, right? Not to vendors. The second question I know the answer to (thanks to the big data surveys we do): “What’s more important, reducing cost or reducing complexity?” The complexity of security practice (of which cost is a manifestation, but by no means the sole issue facing security teams) looms like a dark cloud. It keeps you from focusing on strategic work, keeps products from working together, and hinders greater IT and business initiatives.

If you went to RSA, I would love to hear your thoughts about the conference; I had no time to attend any of the sessions. I was hoping to sit in on a few (those that seemed decidedly not vendor pitches), but missed them all.

Anything stand out? Will you go next year?