In my humble opinion, the RSA 2009 security conference, held this week in San Francisco, was extremely flat compared with past years. Yes, the economy had a lot to do with it. I believe last year's attendance was around 17,000 people, and I've heard that this year was off about 12 percent to 13 percent. Personally, I can't believe there were more than 10,000 folks there.
Beyond economic woes, however, RSA 2009 was still rather lifeless for a few reasons:
The speakers. The keynote speakers really had nothing new to say. This was especially troubling because the lineup looked so strong. Unfortunately, the most disappointing speaker of all was President Obama's cybersecurity point person, Melissa Hathaway, who read from a script and said next to nothing about her cybersecurity research effort. Hathaway underwhelmed an audience of security professionals, missing an opportunity to bond with a constituency whose support is critical to her success.
The topics. In the past, there was always one topic at RSA that grabbed everyone's attention. Not this year--same old tired stuff.
The vendors. I'm now convinced that most security vendors have no conception of what their customers need. Vendors pitch point technology solutions while users are crying for help to secure their IT-based business processes. There are really only a few security vendors that recognize this. I can't overstate how much this disconnect alienates the security community.
I was certainly pleased to see the active discussion around cybersecurity and public-private cooperation, but even this fell flat. Too much boring rhetoric and nearly no action.
It's time the security industry recognizes a few realities. First, the whole term "security" is a misnomer. The real goal here is risk management. Second, users don't want security technologies; they want solutions based upon the old IT triad of people, process, and technology. Finally, reducing risk has to go hand in hand with business process enablement. In other words, make the business agile and secure.
What do I expect for 2010? I'm pretty cynical and a bit frightened at this point. If the security industry can't understand the relationship between business processes and risk management, we are all in trouble.