RSA 2016 De-Brief Part 1: Storm Clouds on the Horizon for Security Vendors?
RSA’s U.S. conference rolls around each year, and it’s a leviathan that sucks in the focus of most security vendors in the industry. In fact, this year it may have been even larger than usual. ESG’s Jon Oltsik speculated - based on what he’d heard at the show – that attendance may have been up 15% compared to last year. So how did this year’s event shape up? Based on the feedback I’ve heard and seen from analysts, journalists and attendees, it’s fair to say that the vendor community needs to up its game on how it approaches the event. As I’ve mentioned previously, there are a number of steps vendors should take prior to the show to maximize their impact. So – based on feedback from analysts, media and attendees - let’s look at what how the vendor community fared.
There seem to be three standout observations from this year’s show:
- Behold My Shiny Jargon! – Simply put, too many vendors positioned around the same default terminology or used outlandish positioning. The net result was that many vendors just sounded too similar, relying on the same language too often. Or worse, their claims simply sounded too far removed from the reality customer’s experience. I asked one journalist for his perception on this year’s show – he shrugged derisively and said, “there’s a heck of a lot of snake oil selling on the floor.” Many influencers have been arguing for some time that vendors at RSA need to be more grounded with what they say. That’s not to say that many vendors didn’t have interesting things to say, but simply that many vendor insights are not always useful enough for their target audience. For example, Jon Oltsik blogged that “the industry needs a hefty helping of humble pie. We need to remember that our role is to protect sensitive data, IT systems, and business assets, not sell soap.”
- Security is Not Just for the Rich – Gartner’s Anton Chuvakin blogged that “a lot of the tools firmly target the ‘security 1%-ers’, NOT the mainstream.” Anton raises an interesting point and he’s not alone in saying it, either. Many other analysts, at a variety of firms, also echo this point: vendors ignore, or downplay the mainstream market at their peril. At the highly entertaining IDC Breakfast briefing one of the key buyer trends that Chris Christiansen highlighted was ongoing buyer confusion. He noted that buyers want to see simplified products from vendors that will help them take action. I would also add the observation here that simpler products are a key requirement for mass-market adoption as well. And of course, many want to see security products and services operate at scale with reliable performance. Industry analysts are increasingly apt to ask vendors, ‘if you’re tech is as robust as you say – when are you going to offer it at scale in the cloud?’
- Thin Content – A consistent criticism of many vendor presentations at RSA was the over reliance on marketing-centric content and not enough specificity on the how of doing better security or insight into solving specific challenges. Customers attend events like RSA because they want to discover new insights that will change the game for them. In many cases it’s not just whether a product or architecture is right for them, but they are also looking for examples of how their peers solved a challenge, or guidance on new strategies they should consider. IDC’s Chris Christiansen stated that some early adopters of emerging security solutions ‘fail to plan for the required organizational and process changes.’ He raises a great point: This is a key part of the technology puzzle that vendors need to do a better job addressing and organizational changes and evolving processes are only going to get more important as cloud, IoT and digital continue to challenge security strategies and infrastructures.
In my next RSA blog post I’ll take a closer look at the kind of questions security startups can expect to face from VC firms and industry analysts, as well as recommendations for RSA 2017.