Last week we met with countless members of our community. This is our brief take.
Introduction
We had some great conversations, and maybe even made a few new friends. The security community has grown up a lot in the last decade.
But last year was a painful one. Nobody needs to relive the numbers. And to be frank, what we saw on display is a pretty strong indication of why: the level of innovation just isn't what we'd hoped for. Someone just yesterday said we've been putting out crap as an industry and it's got to stop. Mr. Yoran's keynote was equally blunt. There's a lot of truth to this, and we have no case to make to the contrary. We can't.
Many More Failures To Follow
We've seen a number of highly touted companies in the limelight fail quickly. We think there will be more of that this coming year, along with some consolidation in overlapping segments. Perhaps the BlackBerry purchase of WatchDox is an indication, as noted by some analysts. We think so, especially given that #RSAC has some 500 exhibitors and in 2014 there were over 200 funding events in security alone. A lot of those companies will not make it. Easy prediction, you say: only 1 in a hundred makes it, right? Or is it 20 out of 100? It depends on what you use to measure it, but 20 in 100, undoubtedly on the higher end of reality, would still give us another 50 new companies.
Overlap, Innovation, and Copycats...Repeat
How are we going to take on 50 new companies doing machine-learning anti-APT, threat reporting services and whitelisting, second-factor authentication, magic encryption, and all the traditional things like firewalls, VPNs, and policy managers? Don't we have a lot of overlap already?
It's going to take some real innovation to get there. There's a fine line between a gimmick and an innovation. I'm not quite sure which side of that line a couple of newcomers fall on just yet; they seem to be right on it, but time will of course tell.
Misperception On Executive Security Perspective
In the meantime, I think we need to come to terms with a misconception being promulgated to those who don't specialize in security. That area is Executive awareness and perception. There seems to be this constant picture painted of the clueless Executive who, if only he or she would spend more money, wouldn't be suffering the painful results of all these breaches. This seemed to be a fairly consistent explanation for why budgets have been so inadequate.
Nonsense. First, I've never met a clueless CEO in my life. Sure, they're out there, but they tend not to last very long. CEOs aren't unaware of security. They don't miss the significance of intellectual property disclosure. Not at all. What people seem to forget is that they can't come right out and say, "Why should I spend $10M when all I see is people failing? I'll just wait until we get breached, pay the $2M, and move on with the $8M invested in growing our business in other places." Thanks to legal liability, there aren't a lot of CEOs flying that flag. Maybe we don't read about it more often so as not to offend, or because it states the obvious.
Help Wanted: Measurable Value Required
Either way, of the 80% or so that are being painted as clueless in this respect, probably 5 have some real learning to do and the other 75 know exactly what they are doing. That isn't going to change this year. Until $10M gets a CEO a measurable result, IT security spending isn't going to grow at the astronomical rates we are always told it will. We're stuck at 6%, if that. Get used to it.
Why Are We Here?
On top of that, we started to reflect on where we were as a company, and were asked many times why we started our company in the first place. Need. We've made some reference to it in our literature and on our Company page, and yes, we want to make a difference and help stop the unbelievable frequency of data breaches that the general public, fortunately or not, isn't aware of. But there's more to it. We got into this game because we couldn't find what we wanted: that 80/20 option that was easy to deploy, which would help a company struggling with an APT buy some time while they built up a security team and put in the investment required to manage it on their own. We couldn't find it. There was always a "But...".
A Short List of Buts...
So what is the real problem? As we looked at our proposition, and dug into some of the competitive pressures we encountered, on the surface we saw things that made us think, "Did we miss something?" But when we really got down into the details, which really doesn't take very long, there's always the "But..." clause. It's that clause that got us into the game. For us and our Endpoint Data Protections, here are some of the Buts we saw...
- Protections apply only to Microsoft Office and Adobe PDF documents...
- You need to be sure you have rights to export your Active Directory...
- You will need SQL Server, and a machine with xyz to run it on...
- You have to tie your storage into SharePoint Workspace...
- You must deploy a suitable PKI service, which is beyond the scope of...
- We don't concern ourselves with the endpoint, we're focused on the cloud.
- "The endpoint is someone else's problem" (w/ a literal hand-wave to our face; dismissed)
- Face it, you're just selling an insurance policy
- You're in competition with exciting innovative R&D projects. They aren't going to fund you.
- What am I going to get out of this? Show me what these protections stop and what that's worth.
Liar Liar Pants On Fire: Where We Get To Start
In looking at what's out there, in talking to people, and in doing a competitive refresh, we've found that a lot of those "But..." clauses still exist. And it hurts us too, because when we tell people what we do and the extent to which we do it, we get the eyeroll. We get the sigh. We get the, "there's no way you could do that, and even if you did, it wouldn't be effective against APTs". We got that one, too (almost verbatim; the chosen words are not appropriate to quote).
And it's unfortunate that we have to pay the price for the dishonesty committed by others. The path they blazed with intentional deceit, all in the name of making a buck, affects everyone: customers who are the unfortunate victims of these antics, honest businesses trying to make a name for themselves, and those who are paid to come in and clean up the mess. Believe me, those people aren't paid enough. They love what they do, and undoing the mess is always 10x harder than most people recognize (often the very same people footing the bill).
A Community with Integrity Shall Prevail
For every unethical player in our industry, there are several more honest, well-meaning folks working with passion, wondering how to overcome the notion that Good Guys Finish Last.
They don't. But sometimes good intentions yield to long-term travails, opting for an easier path along questionable ethical lines. Some are pressured or simply choose to bend the rules, some violate their own convictions unknowingly, while others simply give in to temptation, become complacent, and turn to the Dark Side. (Yeah, I know.)
But there are those of us determined to maintain a positive influence, offer the proper tone and our best measured approach, and combat the ill effects of the dirty noise coming from the Silver Bullet sales pitch. With time, our community will overcome these challenges, and perhaps in the process one of us will offer the step-wise change that breaks the spending barrier held by the Executive who is wrongly perceived today as unwilling.
This article was published May 1st, 2015