Mark Wood from nCircle blogged about his recent experience at the Gartner IT Security Summit in D.C. Alan Shimel commented on Mark's summary and both of them make an interesting argument about how Gartner operates as the overall gauge of the security industry. Given that I was also there, I thought I'd add some color to Mark's commentary:
In 2006, there were two types of solutions that seemed to dominate the floor: network admission control and data leakage (with the old reliable identity and access management coming in a strong third). This year, the NAC vendors were almost all gone and there were many fewer data leakage vendors than I had expected. Nor was there any one type of solution that really seemed to dominate.
...that's probably because both of those "markets" are becoming "features" (see here and here), and given how Gartner proselytizes to their clients, features and those who sell them need to spend their hype-budgets wisely. Depending upon where one is on the hype cycle (and what I say below), you'll see fewer vendors participating when the $ per lead isn't stellar. Lots and lots of vendors in a single quadrant makes it difficult to differentiate.
The question is: What does this mean? On the one hand, I continue to be staggered by the number of new vendors in the security space. They seem to be like ants in the kitchen -- acquire one and two more crawl out of the cracks in the window sill. It's madness, I tell you! There were a good half a dozen names I had never seen before and I wonder if the number of companies that continue to pop up is good or bad for our industry. It's certainly good that technological innovation continues, but I wonder about the financial status of these companies as funding for security startups continues to be more difficult to get. There sure is a lot of money that's been poured into security and I'm not sure how investors are going to get it back.
Without waxing philosophical on the subconscious of the security market, let me offer a far simpler and unfortunate explanation:
Booth space at the Gartner show is among the most expensive, if not the most expensive, on the planet when you consider how absolutely miserable the scheduling of the expo hours is for the vendors. They open the vendor expo at lunch time and during track sessions when everyone is usually eating, checking email, or attending the conference sessions! It's a purely economic issue, not some great temperature taking of the industry.
I suppose one could argue that if the industry were flush with cash, everyone showing up here would indicate overall "health," but I really do think it's not such a complex interdependency. Gartner is a great place for a booth if you're one of those giant, hamster wheel confab "We Do Everything" vendors like Verisign, IBM or BT.
I spoke to about 5 vendors who had people at the show but no booth. Why? Because they would get sucked dry on booth costs and given the exposure (unless you're a major sponsor with speaking opportunities or a party sponsor) it's just not worth it. I spoke with Ted Julian prior to his guest Matasano blog summary, and we looked at each other shaking our heads.
While the folks visiting are usually decision makers, the foot traffic is limited in the highly compressed windows of availability. The thing you really want to do is get some face time with the analysts and key customers and stick and move.
The best bang for the exposure buck @ Gartner is the party at the end of the second day. Crossbeam was a platinum sponsor this year; we had a booth (facing a wall in the back), had two speaking sessions and sponsored a party. The booth position and visibility sucked for us (and others) while the party had folks lined out the door for food, booze and (believe it or not) temporary tattoos with grown men and women stripping off clothing to get inked. Even Stiennon showed up to our party! ;)
On the other hand, it seemed that there was much less hysteria than in years past. No "we-can-make-every-one-of-your-compliance-problems-vanish-overnight" or "confidential-data-is-seeping-through-the-cracks-in-your-network-while-you-sleep-Run!-Run!" pitches this year. There seems to be more maturity in how the industry is addressing its buying audience and I find this fairly encouraging. Despite the number of companies, maybe the industry is slowly growing up after all. It'll be interesting to see how this plays out.
Well, given the "Security 3.0 theme" which apparently overall trends toward mitigating and managing "risk", a bunch of technology box sprinkling hype doesn't work well in that arena. I would also ask whether or not this really does represent maturity or the "natural" byproduct of survival of the fittest -- or those with the biggest marketing budgets? Maybe it's the same thing?