The RSA Conference: What Happened?
Last week I attended the RSA Conference in San Francisco. I’ve attended this conference for something like six or seven straight years now, and am very familiar with how this conference works and what to expect. Lamentably, this year’s conference was in many respects a letdown for me, however. Normally, the best thing about the RSA Conference is getting to see the security technology vendors “hawk their wares” at the RSA Exposition. Every year several brand new (and often exciting) products are announced and demonstrations are given. Although I walked completely around the expo floor twice on two different days, I did not see any evidence of newness or innovation. I also expect to learn of new features in products, and although there were a few new features in some products, for the most part the security technology I came to see was the “same old same old.”
I suspect that the lack of new products and features at the RSA Expo is due in large part to reductions in force in vendor company ranks. Information security has taken more than its share of hits during these hard economic times. Budget and staff cutbacks are now the rule, not the exception. When there is little or no money in information security budgets to buy products, vendors also suffer and must therefore tighten their belts.
Something else also caught my attention. Normally, the RSA Conference is filled with attendees to the point that just walking from one point to the other in the Moscone Center is often a very frustrating task. This was definitely not true at the 2009 RSA Conference; the number of attendees was substantially down from last year. The official head count will understandably be a tightly held secret among the conference staff, but one does not have to be very observant to notice just how much this year’s attendance numbers plummeted compared to last year’s. Again, the bad economy is ostensibly the cause. Information security professionals are fortunate simply to have jobs; I am sure many do not even try to request approval for conference attendance because funding is currently so tight.
As I wandered around from booth to booth I noticed a small crowd seated around a small stage at one of the booths. A speaker was promoting his company’s product by bashing conventional firewalls. He repeatedly said that conventional firewalls now do absolutely no good any more. The speaker was correct in saying that there has been a radical shift in types of attacks over the last few years and that conventional firewalls are not designed to thwart attacks launched at the application layer of networking. But he was dead wrong in saying that conventional firewalls are worthless. Firewalls still perform valuable security-related functions such as blocking malformed packets and unnecessary protocols, logging all inbound and outbound traffic, and stopping externally-initiated probes against machines within an organization’s internal network.
I was going to raise my hand and challenge the speaker, but decided against it on the basis that he obviously was not there to exchange ideas with those who listened to his talk. If the premise that firewalls are useless were logically challenged, he would vigorously fight back, not for the purpose of pursuing truth, but rather because he appeared willing to say anything that promoted his product. So I listened for about five minutes, then couldn’t take it any more and left. Sadly, almost everyone else stayed and listened, and even sadder still is the likelihood that some of them probably took what he said at face value.
Hopefully, the economy will pick up by the time the RSA Conference is held next year. If it does, I am confident that this conference will get back on track. Excitement will be in the air, vendors will be announcing new products and features, and attendance numbers will be much better. But even if so, I cannot guarantee that vendors such as the one to which I listened will not spout nonsense from their little stages!