RSA SECURITY CONFERENCE – SAN FRANCISCO, FEBRUARY 2013

I used to speak at the conference every year, but deal flow and administrative duties got in the way. After a 4-year absence I was able to go down and spend a day at this year’s event. Not much has changed, and that is a good thing. It is one of the best-run conferences I have frequented in any industry, with high-quality attendees, presenters and exhibitors. It is one of the few tech conferences routinely attended by CEOs. Art Coviello’s vision remains alive, even after the integration with EMC.

Based on my conversations with several dozen companies, I walked away with a couple of central themes.

First, the vendor promise has moved from outright protection to risk management. Vendors used to sell on FUD: “Buy our stuff, or else you will get hacked, and it will be catastrophic!” Now the pitch is, “You have already been hacked. You are being hacked every day. You need tools to prioritize your vulnerabilities and risks, so that you can make intelligent decisions about what to fix first.”

Traditional modes of protection – perimeter, host – are still driving some innovation. I was very impressed, for example, with Barracuda’s positioning of their Next Generation Firewall. Barracuda is definitely a company to watch. Several years ago I wrote a white paper on EMC’s acquisition of Data Domain, a paper that was immediately picked up by the Wall Street Journal. It was basically a best-practices piece (available here) highlighting the discipline and hard work that made the acquisition a success. Well, that same team – BJ Jenkins, ex-EMC, and Rod Matthews, ex-Data Domain – is now guiding the ship at Barracuda. Good things to come.

So there is still opportunity on the perimeter, but the Wild West, and the big opportunity today, is malware prevention. We expect fast, aggressive consolidation in that area.

The shift from outright protection to risk management is evident on the mobile front as well. The coolest company I met in mobile was Appthority. They test mobile apps to find out how malicious, vulnerable, or secure they are. They give a detailed analysis of the app’s behavior, the APIs it exposes, etc., so that IT managers can create and enforce policies that will minimize the risk of compromise on BYOD and corporate mobile devices.

The desktop security guys are moving to mobile as well. Stephen Cobb from ESET told me about an Android hack that he and his team have been demoing. A game is downloaded to the phone. Along with the game comes a second application, designed to trigger when the first app is opened, that copies the entire contents of your phone to a remote server. Email is a gold mine for hackers. An app that makes your message store available can reveal trade secrets, credit card numbers, social security numbers, and other data that has value in the hacker bazaar.

There are markets for passwords, credit card and social security numbers. There are markets for compromised computers and phones. Payment is by credit card, PayPal, or any of several alternative, untraceable cash proxies. Cybercrime happens at a distance from its victims. The information that is ultimately used to commit a crime was probably stolen and sold two or three times first, creating even more distance. Tibetan Buddhists don’t mind eating meat, so long as they don’t witness or commit the killing. Someone else takes care of that, creating a karmic buffer from the killing. A cybercriminal can take similar comfort in the layers of transactions between them and their victims.

Android devices are wide open to hackers. iOS is more locked down. BlackBerry has finally recognized that security is one of its best features, and has launched a new phone that caters directly to the IT managers and security officers of enterprise companies. At RSA I had a chance to play with the BlackBerry Z10, not yet released in the US, and I was very impressed.

The BlackBerry Z10 is an enterprise dream come true. Hold a finger on the screen, and then drag down. Two tabs appear at the top – work and play. Tap “work” and you are in a secure, encrypted partition of the phone, managed by the BlackBerry Enterprise Server. Information can’t move between partitions. When they hang up their briefcases and bow ties, workers can tap “play” and enjoy Angry Birds to their hearts’ content. BlackBerry went as far as to provide tools and a runtime environment that make it easy to port iOS and Android apps to the BlackBerry platform. Kudos to RIM for finally emerging from their stupor, playing to their strengths, and playing well with others.

Having just experienced the BlackBerry before sitting down with Stephen to hear his stories of mobile hacking, I was curious how he manages risk in his own mobile life.

“What phone do you use?” I asked Stephen, expecting him to pull a hardened BlackBerry out of his pocket. “I just bought an Android,” he said. “I’m not paranoid. I just try to live like an ordinary person and see what kind of challenges come up.”

I started talking about themes and quickly went down the rabbit hole. There is so much investment and opportunity in security today that it is hard to step back and see the bigger trends. Let me try again:

1) Risk management, not outright prevention
2) Mobile
3) Importance of the channel

Regarding the channel, one investment theme that PE firms should consider would be to buy companies with some success selling direct, and shift them over to the channel. I spoke with several firms that are run by direct-sales guys who don’t know how to go to the channel, and are missing perhaps their most important growth opportunity.