Where's the security leadership?

Industry watcher Jon Oltsik says that the security business is undergoing profound changes, and not all players are created equal.

Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
This year's RSA Conference was another opportunity for the security glitterati to shine.

The event, which attracted a record 13,000 visitors, also was a testament to how hot the security market is.

As for me, I got a chance to walk the floor, meet top security companies and listen to a number of keynote speeches. I heard a lot of hyperbole and security dogma. Some vendors surprised me with their clarity of vision, while I was baffled by the hype and confusing messages of others.

Based on these conversations, I've taken the time to grade the vendors, based on my own subjective criteria.

A: Symantec. Wall Street still may not get the Veritas Software deal, but CEO John Thompson showed that he is a leader with chutzpah. He not only stood up to endless questions about the new Microsoft security offerings, he also described an integrated "risk management" vision where Symantec products and services work in concert to protect critical assets.

Symantec's booth also offered a potpourri of products, demonstrating that it's more than just an antivirus company.

B: Check Point Software Technologies. The firewall king has a fantastic product lineup, offering full integration into its Smart management tools. Nevertheless, Check Point seems to be at a crossroads. It needs to outgrow its "firewall-only" roots, sell security solutions and take the business to the next level. Large customers I spoke to haven't seen this happen yet.

Also, where was Gil Shwed? I certainly believe that Gil's industry status makes him a natural keynote speaker for this event.

B: RSA Security. You've got to hand it to Art Coviello's gang. The conference is still a marketing bonanza for RSA, a relatively small $307 million company. This year's focus on identity and access management also helped boost RSA's position. But Wall Street remains unconvinced. The money guys believe the company relies too much on revenue from low-cost security tokens--a commodity market. RSA says that its tokens are a key part of security solutions that offer customers higher ROI than competitors do.

Maybe, but stock market types say this sounds a lot like the rationale Digital used to offer about its money-losing PC business. Adding fuel to the fire, RSA decided to abandon its historical practice of publishing token sales and average selling prices on a quarterly basis. RSA's logic makes sense to me--but it's never good when investors are scratching their heads.

B: Microsoft. Forget Bill's two-hour Windows commercial for a second. Microsoft's giving away anti-spyware? Minimal impact on Symantec and McAfee franchises, but I'd hate to be Webroot.

If you peel back the emotion, you also see that Microsoft really "gets it." The biggest threat to the industry is Microsoft's plan to integrate security with operations and administration tools--a powerful combination. Bill's company would get an "A" grade, except for one huge obstacle: Security people view Microsoft as a natural enemy. Changing this situation is bound to take a while.

B-: Computer Associates and Novell. I grouped these two together since they both play in the identity and access management piece of security. CA's message is good, and I truly believe CA has a comprehensive product portfolio, but there is an underlying sadness in Islandia that may take a while to overcome.

Novell's identity vision blew me away, but technical vision has never been in short supply in Provo. I still need to see some enterprise wins outside the old "red box" market before I drink the Kool-Aid.

B-: McAfee. Good products and great vision, but investors are hung up on the CFO change and impending financial results. This put a dark cloud on an otherwise sunny presence.

C: Cisco Systems. I didn't get Cisco's whole approach to RSA. First, it reannounced a bunch of products and acquisitions that didn't fool anyone. Then, John Chambers did his keynote speech, which reminded me of Khrushchev's "we will bury you" speech at the United Nations, presented with a hospitable southern accent rather than a banged shoe.

I have no doubt that Cisco will continue to expand its security footprint, but it needs to do a better job of putting the pieces together into a cohesive story, instead of flexing its PR and acquisition muscle and saying nothing in the process.

C- (on a curve): Internet Security Systems. This company continues to mystify me. It just completed its most successful year ever and has some growing products, but its "boil the ocean" strategy reminded me of IBM's infamous Systems Application Architecture, circa 1990. Remember? Everything was going to fit together from MVS to PS/2--only it never worked. If IBM couldn't use its vast resources to integrate its systems, what chance has ISS? I'd like to see a bit more realism and humility out of ISS next year.

I spoke to lots of others at the show: users, vendors, investors and venture capitalists. All were impressed with the size of the event, but most people judged the RSA Conference with two words: "nothing new." I share this feeling, so the companies I rated highest presented a prudent, business-centric and realistic view of security and themselves.

Security never will be sexy; it is about protecting assets from malicious attacks and accidental damage. Someone should spread this word around.