Prediction: The RSA Conference Will Shrink Like a Punctured Balloon

Prediction: The RSA Conference Will Shrink Like a Punctured Balloon
Prediction: The RSA Conference Will Shrink Like a Punctured Balloon 

By Bruce Schneier
Security Matters

Last week was the RSA Conference, easily the largest information 
security conference in the world. More than 17,000 people descended on 
San Francisco's Moscone Center to hear some of the more than 250 talks, 
attend I-didn't-try-to-count parties, and try to evade over 350 
exhibitors vying to sell them stuff.

Talk to the exhibitors, though, and the most common complaint is that 
the attendees aren't buying.

It's not the quality of the wares. The show floor is filled with new 
security products, new technologies, and new ideas. Many of these are 
products that will make the attendees' companies more secure in all 
sorts of different ways. The problem is that most of the people 
attending the RSA Conference can't understand what the products do or 
why they should buy them. So they don't.

I spoke with one person whose trip was paid for by a smallish security 
firm. He was one of the company's first customers, and the company was 
proud to parade him in front of the press. I asked him whether he walked 
through the show floor, looking at the company's competitors to see if 
there was any benefit to switching.

"I can't figure out what any of those companies do," he replied.

I believe him. The booths are filled with broad product claims, 
meaningless security platitudes and unintelligible marketing literature. 
You could walk into a booth, listen to a five-minute sales pitch by a 
marketing type, and still not know what the company does. Even seasoned 
security professionals are confused.

Commerce requires a meeting of the minds between buyer and seller, and 
it's just not happening. The sellers can't explain what they're selling 
to the buyers, and the buyers don't buy because they don't understand 
what the sellers are selling. There's a mismatch between the two; 
they're so far apart that they're barely speaking the same language.

This is a bad thing in the near term -- some good companies will go 
bankrupt and some good security technologies won't get deployed -- but 
it's a good thing in the long run. It demonstrates that the computer 
industry is maturing: IT is getting complicated and subtle, and users 
are starting to treat it like infrastructure.

For a while now I have predicted the death of the security industry. Not 
the death of information security as a vital requirement, of course, but 
the death of the end-user security industry that gathers at the RSA 
Conference. When something becomes infrastructure -- power, water, 
cleaning service, tax preparation -- customers care less about details 
and more about results. Technological innovations become something the 
infrastructure providers pay attention to, and they package it for their 

No one wants to buy security. They want to buy something truly useful -- 
database management systems, Web 2.0 collaboration tools, a company-wide 
network -- and they want it to be secure. They don't want to have to 
become IT security experts. They don't want to have to go to the RSA 
Conference. This is the future of IT security.

You can see it in the large IT outsourcing contracts that companies are 
signing -- not security outsourcing contracts, but more general IT 
contracts that include security. You can see it in the current wave of 
industry consolidation: not large security companies buying small 
security companies, but non-security companies buying security 
companies. And you can see it in the new popularity of software as a 
service: Customers want solutions; who cares about the details?

Imagine if the inventor of antilock brakes -- or any automobile safety 
or security feature -- had to sell them directly to the consumer. It 
would be an uphill battle convincing the average driver that he needed 
to buy them; maybe that technology would have succeeded and maybe it 
wouldn't. But that's not what happens. Antilock brakes, airbags and that 
annoying sensor that beeps when you're backing up too close to another 
object are sold to automobile companies, and those companies bundle them 
together into cars that are sold to consumers. This doesn't mean that 
automobile safety isn't important, and often these new features are 
touted by the car manufacturers.

The RSA Conference won't die, of course. Security is too important for 
that. There will still be new technologies, new products and new 
startups. But it will become inward-facing, slowly turning into an 
industry conference. It'll be security companies selling to the 
companies who sell to corporate and home users -- and will no longer be 
a 17,000-person user conference.


Bruce Schneier is CTO of BT Counterpane and author of Beyond Fear: 
Thinking Sensibly About Security in an Uncertain World. You can read 
more of his writings on his website.

Let identityLoveSock take your personal information into 
their wanting hands. 
Because victims have money too. 

Site design & layout copyright © 1986-2014 CodeGods