Thursday, November 20, 2008
Security Opinions

The Security Conference Encounter: RSA 2007


 

The experience at RSA this year was definitely something our team will never forget. Whether it was the use of security concepts just thrown together in a sentence (or usually a bunch of sentences) to explain a product or booth displays that mirrored a mix between a circus and a strip club, we have to admit that at times it almost didn’t seem like reality. The sad thing is this is the largest event we have as a security community, yet the primary ideas we walked away with include:

 

1. The use of security terms with no meaning is at an all-time high

2. There is a serious lack of security professionals available right now

3. If we were women (and we are not), we would be pissed with what we saw at the show

4. The over-emphasis of technology.

 

So what do we mean…

 

We are firm believers that if you can’t describe the problem that your product addresses in a single sentence, you just can’t say it. For us, this concept was never demonstrated more clearly than as we walked around the expo floor of RSA before our presentation this year. As we strolled the endless miles of halls we conducted a little experiment.  It wasn’t double-blind, no control group, and it definitely wasn’t scientific.  Instead it was just a couple of security professionals trying to get information from other security professionals about a certain kind of security widget or service.

 

We made time to walk to every booth, and we gave each vendor 30 seconds to identify what their product or service does. The intent was to have two simple questions: What type of product or service did they offer? And, what security issue did their product or service address? The answers were mind-boggling. What was really sad is most of the time the answers were not even comprehensible. It was often the use of the same security buzzwords just in different orders. Think of the Dilbert Mission Statement Generator with security phrases. If it hadn’t been so pronounced, it would have been comical. The most common words were:

 

Policy, PCI, Compliance, Network, Strategic, Dynamic, Security, Threats, Executive, Reporting, Enterprise

 

We could provide examples of sentences, but we promise it would depress you and embarrass some vendors, so we won’t. Instead, we will focus on what we think is causing the problem, and the answer is four-fold.

 

First, there is a serious lack of security professionals out there. Most booths had a bunch of people, but usually only one who could answer most if not any of the more detailed questions that were asked. So, when we approached the first person available at a booth, if it wasn’t the one knowledgeable person, they usually knew almost nothing about security other than to say a phrase with the above mentioned words, often a sentence that was factually incorrect. It was as if someone had pulled a string in their back and out came the random security phrase. They would generally talk for 5-10 seconds,  then spend 15 seconds (or five minutes) trying to scan our badges, and then the last ten seconds either attempting to get the knowledgeable person or the datasheet for the company. Hard to get anything of value in this model when you are only giving them 30 seconds.  Next time we’ll have to allocate each vendor 30 minutes, but we’re still skeptical of what we would get from the exercise. 

 

The second item that we believe leads to the problem is that it is quite obvious that the marketing people and the security professionals at most companies do not communicate. At each booth, the one knowledgeable person usually could provide some valuable information (once we got to them), but frequently it was in direct opposition to what was displayed on any of the booth banners or product literature presented at the show. Once again, we will exclude examples so as not to embarrass any companies. That was odd, but what we found most interesting was that many of these people were actually restricted from saying certain things by their marketing departments, even though usually these are the “tidbits” that we found to add value.

 

The third factor, and maybe the most important, is that most security professionals are fixated on solving security issues solely with technology. The vendors at RSA that were addressing physical elements of security were scarce, and anyone addressing the sociological elements of security was nowhere to be found (except one that does not count because they solve the problem with an appliance). Technology cannot solve every security issue; all it does is create an imbalance in a company’s security program that leads to a false sense of security (pardon the pun).

 

The last thing we found of interest at RSA this year was the overall atmosphere on the expo floor. If you missed it, here is a recap. There were items such as the seven-foot lady in formal wear taking pictures with attendees (by the way, she was very nice), getting the opportunity to visit Hackistan (we don’t know why we have never seen them at the Olympics before), and our personal favorite, the hot ladies in short outfits balancing in place on the Segway with hardhats.

 

For those of you that missed it, we aren’t joking; it really happened. And though we are definitely not feminists, Susan B. Anthony would have turned in her grave if she walked down even one aisle at RSA this year. What is most interesting about the male-focused marketing is how it totally alienates women, even though some of the most powerful CSOs and CISOs are women, as well as a large component of the members of this site. We know this observation is a concept straight out of Tom Peters, but it is surprising how blatant and obvious it was. Even though we are big fans of looking at hot women, this was a sad display. We do not feel that the largest security conference of the year is the time or place for these tactics.

 

To be fair to RSA, this experience is common at most of the shows we speak at; RSA is just the biggest, so it makes the issues far more pronounced. What is alarming for us though is that we are not talking about basket-weaving; our security community deals with the task of protecting our country, companies, and our families. Hot Girls on Segways with hardhats should not be the only thing we remember from this year’s RSA, yet at least this year it is.

 

Looks like we still have some work to do…

 

As always, we encourage your response and debate regarding any of these ideas.

The CISO Handbook Team

Copyright (c) 2008 CISO/CSO Handbook