March 7th, 2014

Duh! They Still don’t get it! | A CISO’s Perspective on RSA

The RSA Conference in San Francisco is the premier security conference here in the US. Vendors from around the world come to show their latest technology and test their new marketing messages. Savvy conference attendees bypass the large booths owned by major security vendors and work their way to the edges, where numerous small vendors often have new or little-known, yet interesting and innovative, technologies.

To me, these small vendors are far more attractive because they are hungry to share their ideas. They are happy to give you details on why they created their solution and which current problems they are looking to solve, or which security gap they are looking to close. They are also usually staffed by an engineer with a Santa beard wearing sandals, ready to talk in-depth about the technology, as opposed to the larger vendor booths that have pretty ladies trained to communicate a scripted message.

The prominent thread as I walk the aisles of large vendors is how to accomplish a security process “easier,” “cheaper,” or “with greater visibility.” These clichés are not relevant to the mature security organization, whose most important factor is “effective.” The focus of their pitch is always the fantastic benefits: how you can “see the invisible” on your network, or “block the unknown.” These descriptors seem more like symptoms of a larger problem that requires medication than something relevant to a CISO. I just want to know WHAT the product does; I’ll tell you if it’s relevant to my environment and how it would be valuable in my infrastructure. There are some vendors who get it: when asked “how can you make me more secure?” they reply “tell me about your business first, and we’ll see.” That is the core of a good security management philosophy: understand what you need to protect, understand the business risks that could impact the business, and understand how IT may contribute as a threat vector. Don’t do it backwards by buying the magic box that will “make it easy for you to protect against advanced threats, while saving time and money.” Again, I don’t care to do something easier or cheaper; I care that it’s effective and manageable.