As a security show, the RSA Conference leaves a lot to be desired. Its technical sessions carry an uncomfortable load of marketing baggage and don’t have either the cachet or entertaining edge of those at Black Hat or CanSecWest.

Anyone will tell you that the real business of RSA is happening off the show floor – in conference rooms and hotel suites and restaurants, where companies are doing business: technology partnerships and strategic alliances, mergers and acquisitions. Speaking personally, I’ve always found it ironic that the show, which started as a retreat for monkish cryptographers, has morphed into the back-slapping, business development Lollapalooza that it is today, but so it is.

As a technology analyst, my experience of RSA is as a blur of one-on-one briefings and less formal talks with software vendors. It can be a kind of pointillist approach to getting the “big picture” of the show, so I try to do my homework ahead of time and understand what the big forces are that are shaping the industry I write about, and that will be driving discussions at RSA. Here are a few overarching themes I see at this year’s show:

Get yer recession on!

The sour economy will be a hot topic of conversation at RSA, also, though looked at through the odd prism of IT security rather than, say, economics or social policy. So what does the global recession mean for IT security firms? The 451 Group released a two-part report on the kinds of firms that we think are positioned to benefit from tough times rather than be wiped out by them. Take privileged identity management (PIM), a technology that correlates employees’ user identities and passwords with other stuff – patterns of activity and even data. Always a useful tool, PIM takes on new importance in an environment where companies are anxious about the threat posed by ex-employees or by disgruntled current employees. Companies like Cyber-Ark, Cloakware, e-DMZ, Centrify, Lieberman Software and Xceedium play in this space. Expect these smaller firms to have a bigger presence on the RSA show floor this year.

And PIM won’t be the only area where firms are drafting off the tough economic environment. Managed security services and hosted security services also stand to benefit from a trend towards outsourcing non-core activities and getting by with less IT spending and fewer people. Increased concern about operating costs is also pushing interest in technologies like power management and virtualization, which can reduce expenditures on electricity and new hardware purchases in short order. No surprise, then that we expect to hear a lot from companies that will be pushing the penny-pinching aspects of their products or helping companies wrestle with the management and security implications of virtualization in the enterprise or in cloud-based deployments.

That Wacky World Wide Web

Enterprise IT staff didn’t need the recent bru-ha-ha about the Twitter worm to tell them that they’ve got a major hole in their defenses when it comes to the Web, and that the Web is now one of the most significant threats to enterprise security. They already know that. And, beyond knowing it, they’re under increasing pressure to do something about it.

The Payment Card Industry (PCI) DSS now requires for companies that accept credit cards to conduct application code reviews for public facing Web apps, or installing an application layer firewall in front of those Web apps. With that kind of sword hanging over the heads of merchants and other firms, RSA will be a kind of gold rush of Web security firms all vying for a piece of the action. Established vendors like Blue Coat, WebSense and McAfee will be talking up their secure Web gateway story and promising better visibility into difficult-to-decipher Web application traffic.

There may be some M&A related news in the secure Web gateway space timed for the show, as well. SaaS based alternatives from ScanSafe, MXLogic as well as venture funded startups like Purewire and zScaler will also be in the spotlight.  On the flip side of the coin, expect to hear cries of agony about the need to bring security – if not sanity — to Web application development. PCI aside, if a high-profile company like Twitter can somehow manage to overlook a Cross Site Scripting vulnerability, how secure should we believe the average enterprise Web app or e-commerce site is? As it stands, feature development is running far ahead of security and enterprises are hungry for better tools for vulnerability analysis and code reviews that can find holes in Web application code and allow their developers to focus on what’s important.

Leading vendors in the space – IBM, HP, Cenzic, WhiteHat, etc. – will be at RSA in force, and expect to see some new entrants, as well. Also look for vendors in the Web app testing space to have an outsize presence in panel discussions, technical tracks and the like. RSA is no hacker or pen tester’s show, though, and many well-established firms in the code analysis and Web application testing space appear to be passing on a pricey RSA booth this year. We can hardly blame them.

Talking shop with Mom and Pop

While there’s a natural interest in what’s cutting edge, I’ll be paying close attention to the kind of attention given to the security needs of small and mid sized businesses. I say this for a couple reasons. For one thing, small businesses account for most of the businesses in the U.S. And, with the rapid downsizing on Wall Street and the financial services sector, SMBs are increasingly where the dollars are. There’s also a gulf that’s opened between the kinds of technologies that large businesses in regulated industries are interested in – anti data leakage, virtualization management, complex fraud detection – and what SMBs are interested in, namely effective and affordable security and business continuity services for mission critical applications like e-mail, networking, file servers and the Web.

Landing a Fidelity Investments or Morgan Stanley has always been the mark of a serious IT security firm, but take a look this year for all the security firms that want to talk shop with mom and pop, so to speak, and offering various combinations of threat detection, data security and business continuity as a hosted service or a managed offering.

Paul F. Roberts is a senior security analyst at The 451 Group.

Categories: Uncategorized