Captain's log, star date 0421.15. The alien exploration of RSAC continues and we've noticed some anomalies.
One of the most prominent features of RSA is the sheer size of it. The number of talks, exhibitors, attendees, parties and everything else is on a different level to almost anything else. Just over 500 security vendors are exhibiting this year which, when you think about it, is a ridiculously large number of companies - most of which are providing an offering tailor-made to address a particular set of security threats.
Being at RSA, we took the opportunity to ask some of the attendees how many security technologies on average they use, or have seen other companies deploy. It was a small sample and we didn't qualify the question by asking for the size of organisation, industry vertical or any other measure - anyone who agreed to speak to us was welcome.
A few observations can be made from these conversations. Firstly, companies tend to invest in a lot of technologies, and many of them don't even know how many security technologies they've actually purchased. This leads to companies sometimes buying additional products without optimising existing ones.
This leads on to the second and perhaps more important observation, articulated by Ken Baylor at the end of the video: buying a product is the easy part, and successfully deploying and integrating a security product is where the challenge lies.
It echoes a number of findings I had in my previous life as an analyst at 451 Research, where I spent a considerable amount of time looking into the phenomenon of 'security shelfware', i.e. those security products which companies purchase but either don't deploy or don't fully utilise. A number of interesting points came to light, such as the lack of clarity and purpose that some companies have when purchasing security products. My favourite quote was from a respondent: "A fool with a tool is still a fool".
Feel free to share your comments or observations on trends in how purchasing decisions are made, and on what you believe is the minimum number of security products any one company should invest in. Is a company with 50+ tools more secure and effective? Or do they end up spending more time trying to derive meaningful data out of them as opposed to securing the organisation?