Contributing analysts to this blog: Stephanie Balaouras, Ed Ferrara, Rick Holland, Eve Maler, Chris McClean, Heidi Shey, Chenxi Wang. Photo credit: SC magazine. 

Walking the RSA 2013 show floor, we found a chaotic, noisy, and energetic place, pulsing with excitement. The industry has reasons to celebrate: the security space is white hot, with more VC money pouring in than ever before, and Obama’s recent executive order placed cybersecurity front and center. RSA this year was bigger, louder, and more bullish than ever, with more than 360 vendors exhibiting, 24,000 attendees, and 394 talk sessions.

The week heading into the conference was interesting, to say the least. With Java 0-days wreaking havoc on the Internet and the Mandiant report taking every major newspaper headline, RSA could not have had a better set-up.

After the dust (and the smoke) settled, we, the Forrester security team, came away with these impressions and takeaways:

Security commercialism is in full swing. This year at RSA, the products and vendor booths had strong commercial overtones, without first identifying the problem a product solves or explaining how it solves it. The level of commercialism is manifested strongly in vendor proliferation: over 360 vendors had a booth and many more were milling around outside the show floor. There was a dizzying array of products, many of which lack visible differentiation. You can’t help but get product fatigue after a round on the show floor. We all know that nation-states and organized crime are on the offense. Please, people, our response can’t be yet another scanning product, can it?!

Each product, in itself, has useful functions, but collectively, vendors at RSA are telling users to accumulate more technical debt just to secure bits and pieces of their systems. While FireEye is doing a bang-up business selling in-depth malware analysis, and we saw many vendors follow suit, I’ve got to ask: “How does knowing the particular details of some malware help me with my general security posture?” FireEye is selling instant gratification, not long-term strategy, and they are not alone in doing that.

Too few surprises and too little differentiation. Case in point: Almost every vendor that Forrester spoke with claimed they were a threat intelligence provider. Many love to brag about the vast amounts of data they are amassing via deployed products, services, and other feeds, but no one was able to provide concrete examples of how they can glean meaningful insights from this data. The vendors don’t seem to get that having a pile of data does not equate to better intelligence. To be honest, if everyone’s got everything there is to know about threats, why the heck do we keep having breaches? (The Forrester team, however, did like RSA’s SOC demonstration where processes and technologies, namely Archer, SIM, and NetWitness, were woven together somewhat coherently to address threats in the environment.)

Another case in point: how many mobile app analysis services do we need? Last year it was Appthority. This year there were almost 10 vendors with a play in this space. Each one has a story about how the app is communicating with third-party ad servers, scraping your contacts, or collecting your location info. Even the portals start to look alike after a few demos. (Forrester did enjoy FireEye’s mobilyzer demo, which seems to provide more in-depth analysis than some of the others.) Sure, mobile app analysis is useful, and we could all use something to protect us from those information-stealing mobile apps, but come on, that is a feature, not a standalone offering.

The big guys are missing the point. The larger vendors, the ones that can afford the front-and-center booth space at RSA, the HPs, IBMs, and Symantecs of the world, are still not articulating a clear message about how everything they do fits together in a business context. These guys, and the managed service providers like IBM and Dell, are sitting on a golden opportunity – users can’t conceivably acquire 50 different technologies just to protect themselves, they need help. But the solution offerings are uninspired at best and downright patchy at worst. There was also a lack of focus on services at RSA – plenty of discussions on clouds, but having a cloud does not equate to successful service deliveries.

Disruptors are sorely needed. We desperately need innovations in identity technologies, but instead we get new entrants for password management. We need innovations in application security (to help tame the root of exploits), but instead we get more mobile app scanning services. We need meaningful security intelligence, but we continue to get more half-baked SIM products. We need security capabilities delivered as a service, but we get more boxes and software that we need to manage.

When people judge how well your company is doing by the size of your RSA booth, the show has gone the way of CES – more show than substance. And we, as a community, are at risk of perpetuating an industry that is “too big to fail.” So, next year, instead of coming to RSA to sell a product, try solving your users’ problems first.