I thought I'd been alone in my utter confusion at most of the products on display at RSA this year. Some of them seemed OK, most of them were pretty rubbish to be honest, and all of them purported to be DLP/PCI/GRC or part of a risk management solution. Right. Like Rich said in his blog earlier, there was hardly a theme.
The problem seems to be that security got sexy, the guys in sandals became guys in suits, then girls in nurses uniforms. I have nothing against this, but it proves that where there were once ideas, there is now marketing in force. Once the marketeers get involved, everyone has to fight for the same dollars, which become cents, slices of a finite pie.
In a way I'm glad there was no theme. It means that I was right about the market not going anywhere. Maybe security will have a chance to catch up with the marketing now, and
then the compliance will get nicely rounded too, and everyone will stop complaining about it. I doubt it though.
Some of the bigger crimes of the conference that we discussed tonight:
The vendor who talked about 'encrypting the PIN' to Walt, who when corrected, ('er, that's PAN'), threw a strop and refused to talk any more.And finally, there was some good stuff too:
The vendor who Mike asked about their POS protection who replied that what they were selling was more of an e-commerce solution, like TJX. Mike pointed out that TJX was POS, to which she replied, 'oh yeah, that sort of thing.'
The literally hundreds of vendors sitting there trying to make one little box do 50 different things, just to get a sniff of a customer, purporting to solve PCI in one fell swoop. THIS CAN'T BE DONE.
I've heard rumour that there was a log solution vendor saying that they just addressed logs.I was particularly impressed with PKWare, who I will be representing at InfoSec in a couple of weeks. I love their technology, just because it's simple, it cuts through the marketing bullshit and does what people need, much like their products always have. It's also cheaper and easier to install than anything else I've ever used, and when it comes to encryption, there's not much I haven't used.
I also hear tales of the vendor who only purported to address PCI requirement 1, and nothing else.
I saw products which only addressed one problem, not even a compliance issue, didn't talk about GRC or DLP or TJX or PCI, and did it well. These are the ones you will see at next year's conference.
So, some of RSA was disappointing, but to be expected. There are still some genuine treasures to be found out there, and the future for them is bright.