RSAC, Infosec-themes, and crumby products

I’m heading home post another RSAC, and it always leaves me with mixed feelings. You get to meet old hax0r-friends who once eschewed the corporate event, and while young-me hates it, we’ve written at length about how well a booth actually works for us as a young product company.

This year felt different though. It was still great for us to meet customers and sign new ones, but we’ve kinda carved a niche that flows against the general current. The general mood was a little more subdued.

It’s so strange to see companies that ostensibly have products that do solve (some) problems pivot all their messaging towards problems they objectively can’t solve (yet). And very few ppl can indeed solve “secure AI” yet, because for the most part, we barely know what this means/how this is going to play out in the enterprises. So why does it happen so frequently? Why is the RSAC floor so dominated by promises that can’t be kept?

Because incentives..

A long (long) time ago, the ever quotable Dave Aitel mentioned that RSAC is not where people go to sell their security products, it’s where they go to sell their security companies. Seen through this lens, a very clear pattern emerges:

  • An area is declared hot;
  • Funding swings towards this area;
  • A bunch of startups pop up in response to this;
  • The market (and analysts) start asking established players what their $hot-space strategy is;
  • Some seasoned founders raise from brand-name VC’s and splash out in $hot-space;
  • Headlines, funding announcements, and a fancy RSAC/Blackhat booth make their domination of the space obvious;
  • Big established player buys $hot-space leader;

What’s interesting from this dance, is how (almost) everyone gets a “good” result:

  • VC’s get their return on investment and the founders get their liquidity event.
  • $Big-company gets their stock-bump, because the analysts/markets reward the acquisition.

Predictably, within about 16 months, the space would have slightly fizzled, $Big-company would have fired lots of the team that joined, and the founders would have cycled out (possibly looking to put in another coin and play again).

Everyone made some money (even if nobody made anything useful!)

The main losers are the customers, who get all this confusion shoved down their throats without actually getting better products (because you will notice, that actual better products don’t feature in the dance at all).

Eventually, $Big-company will be poorer for this strategy too. Instead of their products (and their product teams) being revitalized by useful innovation-protein, they get used to sugary-announcement-bumps, which leads to kinda fatty bloating that eventually hurts more than it helps. But those are long cycles and there are many fat bonus years before that calcification kills.

It explains why we have these crazy infosec themes that barely resemble the actual problems faced by customers, and why millions keep changing hands while we still struggle with problems we had in the 2000s.

I used to ask how it was, that so many companies didn’t even try to demo their products on the floor. But then I realised Dave was right: for the most part, security products are just not what’s on sale..

It so doesn’t have to be this. We can totally do better…

Authored with 💚 by Thinkst