The RSA Conference
Last week was the RSA Conference, easily the largest information security conference in the world. Over 17,000 people descended on San Francisco’s Moscone Center to hear some of the over 250 talks, attend I-didn’t-try-to-count parties, and try to evade over 350 exhibitors vying to sell them stuff.
Talk to the exhibitors, though, and the most common complaint is that the attendees aren’t buying.
It’s not the quality of the wares. The show floor is filled with new security products, new technologies, and new ideas. Many of these are products that will make the attendees’ companies more secure in all sorts of different ways. The problem is that most of the people attending the RSA Conference can’t understand what the products do or why they should buy them. So they don’t.
I spoke with one person whose trip was paid for by a smallish security firm. He was one of the company’s first customers, and the company was proud to parade him in front of the press. I asked him if he walked through the show floor, looking at the company’s competitors to see if there was any benefit to switching.
“I can’t figure out what any of those companies do,” he replied.
I believe him. The booths are filled with broad product claims, meaningless security platitudes, and unintelligible marketing literature. You could walk into a booth, listen to a five-minute sales pitch by a marketing type, and still not know what the company does. Even seasoned security professionals are confused.
Commerce requires a meeting of minds between buyer and seller, and it’s just not happening. The sellers can’t explain what they’re selling to the buyers, and the buyers don’t buy because they don’t understand what the sellers are selling. There’s a mismatch between the two; they’re so far apart that they’re barely speaking the same language.
This is a bad thing in the near term—some good companies will go bankrupt and some good security technologies won’t get deployed—but it’s a good thing in the long run. It demonstrates that the computer industry is maturing: IT is getting complicated and subtle, and users are starting to treat it like infrastructure.
For a while now I have predicted the death of the security industry. Not the death of information security as a vital requirement, of course, but the death of the end-user security industry that gathers at the RSA Conference. When something becomes infrastructure—power, water, cleaning service, tax preparation—customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers.
No one wants to buy security. They want to buy something truly useful—database management systems, Web 2.0 collaboration tools, a company-wide network—and they want it to be secure. They don’t want to have to become IT security experts. They don’t want to have to go to the RSA Conference. This is the future of IT security.
You can see it in the large IT outsourcing contracts that companies are signing—not security outsourcing contracts, but more general IT contracts that include security. You can see it in the current wave of industry consolidation: not large security companies buying small security companies, but non-security companies buying security companies. And you can see it in the new popularity of software as a service: Customers want solutions; who cares about the details?
Imagine if the inventor of antilock brakes—or any automobile safety or security feature—had to sell them directly to the consumer. It would be an uphill battle convincing the average driver that he needed to buy them; maybe that technology would have succeeded and maybe it wouldn’t. But that’s not what happens. Antilock brakes, airbags, and that annoying sensor that beeps when you’re backing up too close to another object are sold to automobile companies, and those companies bundle them together into cars that are sold to consumers. This doesn’t mean that automobile safety isn’t important, and often these new features are touted by the car manufacturers.
The RSA Conference won’t die, of course. Security is too important for that. There will still be new technologies, new products, and new start-ups. But it will become inward-facing, slowly turning into an industry conference. It’ll be security companies selling to the companies who sell to corporate and home users—and will no longer be a 17,000-person user conference.
This essay originally appeared on Wired.com.
EDITED TO ADD (5/1): Commentary.
Clive Robinson • April 22, 2008 7:33 AM
@Bruce,
You kind of missed an important point,
It’s not just the average “potential” customer who does not understand the product, Its those sales / marketing droids as well.
Part of the reason for,
“booths are filled with broad product claims, meaningless security platitudes, and unintelligible marketing literature”
Is that not one of the sales and marketing droids understand what the product actualy does or is capable of. Those in the organisation that do (engineers, designers etc) have had to dumb down the information to the Droids understanding level, because that’s what the marketing director has decreed.
The Marketing industry (possibly the largest industry in the world) has an inate belife not just in it’s self but that it is the sales “process” not the “content” that sells product i.e. “Bovine excreter baffles brains” methadology. It is also the reason they justify not learning about the product and also ask for outrageous renumeration (and why the rest of the directors etc kowtow to them).
While this might well be true for a large number of similarly specified mass consumer products (like say SUVs) where the consumer just wants to “buy” it is most certainly not true of bespoke or highly technical products. Where there is no imperative to “just buy” but to actualy do a bit of research to get not just the best bang for the buck but to actualy get both understanding and insight and therby get something directly of value to the individual making the purchase which helps them keep their marketability in a downward market.
Failier to communicate effectivly at any level (or at all) in a meaningfull way will always result in lost sales for technical products.
The Droids nead to realise that they need to understand the customers needs, and be able to point out their products advantages from that view point. Otherwise the customer might as well be watching a “chimps tea party” which a lot of these booths do look like.
Once upon a time HP understood this and sent out technical sales representatives with the sales person to find out the customers wants and needs and get them across to the sales droid who then “cut the” deal.