By Bruce Schneier
Last week was the RSA Conference, easily the largest information
security conference in the world. More than 17,000 people descended on
San Francisco's Moscone Center to hear some of the more than 250 talks,
attend I-didn't-try-to-count parties, and try to evade over 350
exhibitors vying to sell them stuff.
Talk to the exhibitors, though, and the most common complaint is that
the attendees aren't buying.
It's not the quality of the wares. The show floor is filled with new
security products, new technologies, and new ideas. Many of these are
products that will make the attendees' companies more secure in all
sorts of different ways. The problem is that most of the people
attending the RSA Conference can't understand what the products do or
why they should buy them. So they don't.
I spoke with one person whose trip was paid for by a smallish security
firm. He was one of the company's first customers, and the company was
proud to parade him in front of the press. I asked him whether he walked
through the show floor, looking at the company's competitors to see if
there was any benefit to switching.
"I can't figure out what any of those companies do," he replied.
I believe him. The booths are filled with broad product claims,
meaningless security platitudes and unintelligible marketing literature.
You could walk into a booth, listen to a five-minute sales pitch by a
marketing type, and still not know what the company does. Even seasoned
security professionals are confused.
Commerce requires a meeting of the minds between buyer and seller, and
it's just not happening. The sellers can't explain what they're selling
to the buyers, and the buyers don't buy because they don't understand
what the sellers are selling. There's a mismatch between the two;
they're so far apart that they're barely speaking the same language.
This is a bad thing in the near term -- some good companies will go
bankrupt and some good security technologies won't get deployed -- but
it's a good thing in the long run. It demonstrates that the computer
industry is maturing: IT is getting complicated and subtle, and users
are starting to treat it like infrastructure.
For a while now I have predicted the death of the security industry. Not
the death of information security as a vital requirement, of course, but
the death of the end-user security industry that gathers at the RSA
Conference. When something becomes infrastructure -- power, water,
cleaning service, tax preparation -- customers care less about details
and more about results. Technological innovations become something the
infrastructure providers pay attention to, and they package it for their
No one wants to buy security. They want to buy something truly useful --
database management systems, Web 2.0 collaboration tools, a company-wide
network -- and they want it to be secure. They don't want to have to
become IT security experts. They don't want to have to go to the RSA
Conference. This is the future of IT security.
You can see it in the large IT outsourcing contracts that companies are
signing -- not security outsourcing contracts, but more general IT
contracts that include security. You can see it in the current wave of
industry consolidation: not large security companies buying small
security companies, but non-security companies buying security
companies. And you can see it in the new popularity of software as a
service: Customers want solutions; who cares about the details?
Imagine if the inventor of antilock brakes -- or any automobile safety
or security feature -- had to sell them directly to the consumer. It
would be an uphill battle convincing the average driver that he needed
to buy them; maybe that technology would have succeeded and maybe it
wouldn't. But that's not what happens. Antilock brakes, airbags and that
annoying sensor that beeps when you're backing up too close to another
object are sold to automobile companies, and those companies bundle them
together into cars that are sold to consumers. This doesn't mean that
automobile safety isn't important, and often these new features are
touted by the car manufacturers.
The RSA Conference won't die, of course. Security is too important for
that. There will still be new technologies, new products and new
startups. But it will become inward-facing, slowly turning into an
industry conference. It'll be security companies selling to the
companies who sell to corporate and home users -- and will no longer be
a 17,000-person user conference.
Bruce Schneier is CTO of BT Counterpane and author of Beyond Fear:
Thinking Sensibly About Security in an Uncertain World. You can read
more of his writings on his website.