You can tell a lot about the state of an industry by the kinds of parties it throws. Computer security conferences historically have been relatively small, low-key, training-focused events with a minimum of the glitz and marketing frenzy you expect at shows like Comdex, PC Expo and NetWorld+ Interop. That is not to say those shows were uninteresting or poorly attended, but that they appealed to a very narrow segment of the IT community and were not considered crucial events for most businesses or tech vendors.
If the recent RSA Security conference in San Francisco is any indicator, times have changed. Always a big event in security circles, this years RSA was the largest security event ever, with conference organizers claiming more than 250 exhibitors and 10,000 attendees. It almost seemed as if there had been some sort of a time warp back to a Web development event in 1998; the expo floor was packed with new startups, splurging on lavish booths and parties and trumpeting venture-capital funding. There were even a few celebrity appearances, including singer Pat Benatar opening the show and Dana Carvey as a closing act. In short, the security business has arrived.
As is often true when it comes to security, that has both an upside and a downside. The good news is that the tech industry as a whole finally appears ready to move beyond giving security lip service, start taking risks seriously, and put at least some money where its mouth is. Moreover, increased competition will not only drive up product quality and push down prices, but also will increasingly force vendors to target the relatively low-margin small-to-midsize business (SMB) market segment. That will give smaller shops access to options once reserved only for the high end.
Now for the bad news. With the brakes slammed on most of the rest of the tech industry, everyone who possibly can is trying desperately to jump on this latest bandwagon. Unfortunately, security expertise is not something you can fake or pick up as you go, and, frankly, a lot of these new players dont know what theyre doing. The majority probably wont be around for the next RSA conference.
They can do a lot of damage before they go, however. Most of the potential market for security products and services—particularly the SMB space—has little or no experience with the field, and almost no basis for distinguishing the good from the bad. Vendors are fully aware of the situation and often have few qualms about exploiting it. One RSA exhibitor actually claimed to have developed a new technology that "provides consumers and businesses 100 percent protection from hacker/security threats." While security veterans find such claims amusing at best—one colleague laughed so hard that 7 UP actually came out of his nose—potential customers are not as savvy.
Bottom line: Buyer beware, now more than ever. The vendors pitching their product may be no more trustworthy than the intruders trying to get into your network.