Header Ziff Davis
Friday, February 09, 2007 4:12 PM/EST

Security Vendors Seem Intent on Making Us All Feel Less Secure

In terms of providing a venue for pure vendor sports, the RSA show may be one of the most unique events in this industry, given the general lack of customers and all the sniping that goes on among the vendors.
Hosted by the RSA business unit of EMC, the show provides an industry service, but because the sales people for both RSA and its competitors are reluctant to push customers to come to an event where they can meet a whole lot of their competitors, there just aren't a whole lot of IT people at the event itself.
Instead, we tend to get treated to Tastes Great, Less Filling debates between various security camps. For example, vendors that back behavioral security approaches that shut things down when there is any kind of anomaly like to accuse vendors with rival signature-based approaches of having a flawed model incapable of dealing with today's zero-day attacks launched from botnets. Then, just to make matters more interesting, people like Websense CEO Gene Hodges will enter the fray to say that both approaches are deeply flawed and that the industry needs to move in the direction of the ThreatSeeker technology from Websense, which searches the Web to identify sites that are giving sanctuary to malware.
The truth of the matter is that all three approaches will be required, but that won't stop anybody from trying to undercut the other guy's position.
In fact, one of everybody's favorite targets for criticism is the host of the show. For example, when the show opened, Entrust took RSA to task for ripping people off when it comes to the price of security tokens. The Entrust tokens will now be priced at five dollars, which apparently was enough of a threat to get a rise out of RSA president Art Coviello, who took pains to remind the press that the price of security is determined more by the overall value and return on investment in the system than by the price of the token.
Not content with just that attack, Entrust also called for support for an open standard co-authored by Entrust and Verisign that will make it easier to collect and share fraud data across multiple security applications. Today, that type of security application is pretty much dominated by proprietary applications from RSA. Of course, no sooner did Entrust pat Verisign on the back for supporting the open standard than Entrust took Verisign to task for overcharging customers for validated SSL certificates that Entrust now plans to offer for $495 each.
It's not that all this competition is bad, but when it comes to security we're all in a war that at the moment we're not winning. So when you see security vendors screaming at each other about who has a better cold remedy, you have to wonder if anybody is actually working on a cure. Or has this become like the pharmaceutical industry, where the bulk of the research is focused on treatments rather than cures because treatments tend to be a lot more profitable over time than cures?
It's probably not as cynical as all that yet. But you can't help but wonder if the security vendors are focused on the right things and, as the attacks continue to get more sophisticated and targeted, whether the march of progress that has been a hallmark of this industry is going to be substantially slowed because of an inability to focus its collective efforts on a problem that continues to spin out of control.
