Published: March 6, 2020

Authors of this Market Insight report: Scott Crawford, Dan Kennedy, Garrett Bekker, Fernando Montenegro, Aaron Sherrill, Eric Hanselman, Matthew Utter and Paige Bartley.


This year's RSA Conference focused on the human aspects of cybersecurity, which often get lost with the industry's emphasis on the technical, yet these are the very aspects without which no security program can hope to be truly effective. The irony of this year's theme – the human element – was not lost on the many who held back from participating due to a very human concern: the troubling worldwide spread of COVID-19, the disease propagated by novel coronavirus.

The 451 Take

COVID-19 wasn't the only concern on the minds of the industry, however. Concerns about San Francisco as a venue remain, as do nagging questions about innovation in the light of long-standing security problems and the impact of security conferences generally. Regardless, the industry continues to need rallying points to confront realities like the secular and sometimes existential impact of trends such as cloud adoption and digital transformation, as well as the explosion of more capable and far-flung networks of (allegedly) 'smart' things. For these reasons and more, the 2020 US edition of the RSA Conference (RSAC) continued to hold forth as one of the industry's premier events for security technology and services vendors, and as an opportunity for security's 'tribe' to renew old acquaintances, learn from each other and forge new ties.

Emphasizing security's human aspects

With 'the human element,' RSAC put forward a narrative that elevates security well beyond the traditional technical domain and into a much broader frame of societal impact. The term itself served as a launching point for numerous topics, all of which made their way into the keynotes (with many including more diverse speakers than years past) and broader discussions. What is the role of humans in an atmosphere where initiatives such as machine learning and AI are a growing priority? How do humans interpret and react to the broader story being told about security? How should the security industry move forward in engaging with other humans – organization-wide personnel and senior management alike, not to mention societal mechanisms like governments and the courts – in order to provide good security outcomes?

The overarching message put forth in keynotes points to a different future for security, one that is less about technology absolutism and more about engaging with stakeholders with a risk-based approach and an appreciation for the fact that technology is developed for humans, not the other way around.

The downside of human factors

It was ironic that, of all the negative forces affecting RSAC 2020, the one that would be most visible was linked to a purely human concern – the risk of exposure to novel coronavirus, the agent responsible for the spread of COVID-19 disease.

This is assumed to have played the most significant role in a notable decline in RSAC attendance of approximately 14%, down to about 36,000 in 2020 compared with 42,000 in 2019, according to official RSA Conference outlets. Last-minute no-shows may have been significant, given that the Conference anticipated more than 40,000 as late as its February 21 entry on its novel coronavirus update page, and noting that approximately 1.2% of the total number of expected attendees had canceled their participation as of February 20.

Individuals weren't the only ones concerned about coronavirus risk. A total of 14 exhibitors had canceled their participation as of February 21, including six from China, seven from the US and one from Canada. Among these were AT&T (which acquired AlienVault in 2018), IBM and Verizon. Total exhibitor numbers appear to have dropped slightly from approximately 730 in 2019 to 670 in 2020, although it should be noted that these numbers are estimates (some exhibitors may have more than one booth).

Despite these declines, the impact of coronavirus risk on those who did attend appeared to be negligible. While the conference put out numerous hand-sanitization facilities (leading some observers to note that this left attendees constantly rubbing their hands together like an army of supervillains), interactions were notably unguarded. Sessions were well-attended and the expo floor was as active as ever, in spite of somewhat reduced traffic. Few masks were observed, and noncontact variants on handshakes seemed mostly to be used as icebreakers.

Adding to the irony of a conference predicated on human interaction is an emerging outcome of the coronavirus outbreak – the opportunity to further the cause of 'virtual' events delivered as a digital-only experience. These are already appearing in response to the public health risk, and could force a rethinking for organizers of events such as RSAC. Already, the influence of industry conferences as a top source of information has slid among practitioners, declining from the top answer in 2018 to fifth place among respondents to a 2019 451 Research Voice of the Enterprise (VotE): Information Security study.

Top sources of information about security products and technologies


Source: 451 Research's VotE: Information Security, Organizational Dynamics 2019

Innovator's dilemma, meet the 'pomegranate theory' of security

That large-scale virtual conferences are even considered feasible today highlights the impact of disruptive technology beyond the security market per se. As digital transformation progresses and the IT industry continues its steady migration to the cloud, the innovator's dilemma has become particularly acute for incumbent security vendors with a substantial amount of revenue rooted in legacy network security tools. How much to invest in the old world versus the new and its emerging technologies presents a formidable challenge for many legacy security firms. This dilemma manifests itself in the changing nature of RSAC vendor participation, with far more emphasis on relevance to modern IT. However, there's another subtext to that issue that has more to do with simple math and the law of large numbers than it does with any corporate resistance to change or unwillingness to take on new risks.

The defining characteristic of a pomegranate is that, although from the outside it appears as a very large fruit, once you peel the skin it's really made up of hundreds of small seeds. Similarly, the overall cybersecurity market is somewhere around $80bn-100bn. But aside from a few relatively large segments, such as network or security, the overall market is really made up of lots of little markets that are generating less than $1bn in total revenue – like CASB, container security, HSMs and so on. In more than a few cases, these markets are really segments that should be features of a larger whole. The upshot is that, even if some of the incumbent security vendors are willing to innovate, the sheer size of their legacy revenue base can dwarf any potential new revenue streams from entering new markets. For a vendor doing $3bn in revenue, for example, capturing even 100% of the CASB market isn't going to move the needle much – certainly not enough to bolster flagging overall growth rates.

The pomegranate theory is further amplified in light of the future of third-party security vendors in the age of hyperscaler cloud providers. AWS, for example, is on track to generate $40bn in annual revenue at a growth rate north of 30%. When Microsoft Azure and Google Cloud Platform are added in, these three hyperscalers alone may arguably generate as much revenue as the entire security market – and likely considerably more before long, given their remarkable growth. From that perspective, does AWS or GCP really care that much about the HSM market? Or file encryption, or DLP? From a purely financial standpoint, one could put forward a convincing argument that the hyperscalers are interested in security mainly to the extent that it helps remove barriers to them selling more cloud. For reference, 451 Research VotE data repeatedly shows that, although companies are becoming more comfortable with the cloud, security remains a significant barrier to cloud adoption.

Perhaps paradoxically, this is good news to the third-party security providers that continue to be the preference of enterprises, according to VotE findings. Third parties continue to see opportunity in areas such as cloud security posture management, which in part addresses the need to apply consistent policy and compliance priorities across multiple cloud providers.

But the extent to which hyperscalers increasingly integrate security directly into their fabric remains a threat to security pure plays – and one that RSAC vendor exhibits consistently demonstrate is a priority for acquisitions and organic development throughout the market. The threat appears most pronounced where hyperscalers are taking on legacy security incumbents directly. Google Cloud's absorption of Chronicle is one example that stands out, particularly this year as Chronicle takes on more of the security operations opportunity and real-time security management, in addition to post hoc investigation. Microsoft has also expanded its security operations footprint through initiatives such as Azure Sentinel, while AWS has launched its own conference focused on security, re:Inforce. Not all security incumbents have weathered these changes well, but many have sought to respond, from Palo Alto Networks' series of cloud-centric acquisitions, to Cisco's recent launch of SecureX for integrating the management experience of its security portfolio across any environment – be it cloud, legacy or hybrid.

People-centric opportunities in security services

Services was another pervasive theme at RSAC 2020, adding a further dimension to the human element. Managed security services continue to expand beyond the realms of traditional MSSPs as technology vendors, consulting firms, resellers, cloud providers and professional service firms seek to capitalize on growing demand.

RSAC highlighted the growing expansion of security services, with firms promoting managed services across an increasing range of security domains, including threat hunting, security operations centers, SD-WAN security, cloud, incident response, identity, security automation and IoT/OT. The demand for security services will continue to increase as organizations face increasingly sophisticated threats and attacks that exploit their expanding and diverse IT ecosystem and the ongoing shortage in security resources and expertise. While a number of firms introduced their initial security service offerings at the conference, it was interesting to see the beginning of a shift, with traditional security players subtly promoting their managed service offerings over their traditional hardware and software products.

451 Research takes a bow

Mentions of concepts from the 451 Research security team appeared on stage at both the outset and close of RSAC. At the opening, it was former colleague Wendy Nather noting various definitions of the democratization of security – notably, the idea of enabling the citizen contributor as outlined in our 2020 Trends in Information Security report. At the close, it was the joint presentation by Veracode's Chris Wysopal and Luta Security's Katie Moussouris of primary research commissioned from 451 Research around coordinated disclosure.

The disclosure debate is a long-tenured one, and quite important for application maintainers to consider, especially with regard to how the organization is set up to receive reports from third parties on discovered vulnerabilities. There is a regular drumbeat in trade media on organizations that haven't gotten it right, but in terms of evolution, the numbers shared on stage show an industry markedly different than a decade ago. For starters, 90% of those surveyed for the Veracode study see vulnerability disclosure as a public good, and 62% believe unsolicited testing is okay. The most common action once a vulnerability is discovered is to report it to the affected vendor.

Highlighting innovation's presence (and absence)

RSAC remains one of the venues where technology innovation is highlighted, and not just at the conference per se, but also at related events, such as the AGC Partners annual security conference near the RSAC venue. While Innovation Sandbox remains the most recognized such event at RSAC proper, additions to the conference lineup in recent years include the RSAC Early Stage Expo, the Shark Tank-like Launch Pad, hands-on experiences and how-to sessions for entrepreneurs.

Despite this emphasis, many in the security community are skeptical (to put it mildly) of the extent to which true innovation is apparent in today's vendor landscape. Even the innovators seem to acknowledge this with their efforts. The winner of 2019's Innovation Sandbox, Axonius, was not a new and glitzy approach to analytics, but an effort to get a handle on one of security's most longstanding issues: gathering and maintaining a comprehensive inventory of assets. Such startups are tacit testimony of the extent to which security still grapples with fundamental problems.

This year, Innovation Sandbox judges repeatedly challenged entrants on how they would help organizations solve the problems their products highlight. For years now, the industry has been awash in products that generate increasingly more data – data that under-resourced teams are already hard pressed to tackle. In past competitions, this has given an advantage to plays that emphasize security automation – such as Phantom Cyber (acquired by Splunk) – highlighting the importance of remediation, action and effective security response.

In keeping with these emphases, judges selected as this year's Innovation Sandbox winner, for its ability to engage both automation and analytics in helping organizations to both understand their comprehensive privacy posture and adhere to requirements with high impact on security initiatives, such as GDPR and the California Consumer Privacy Act. automates understanding of informational resources and the relationship between personal data and its owners, delivers these understandings in visually appealing analytics, and leverages robotic automation to tackle multiple aspects of compliance shared across regulations – all of which underpin a successful PrivacyOps methodology, which embraces.

The field against which prevailed was broad. Other finalists included AppOmni, BluBracket, Elevate Security, ForAllSecure, INKY, Obsidian Security, Sqreen, Tala Security and Vulcan Cyber. Contestants pitched their solutions, which included remediation-focused vulnerability management; novel approaches to email security, anti-phishing and security awareness; and application security for distributed architectures.

The takeaway from Innovation Sandbox can be largely applied to the RSA Conference as a whole: Year after year, RSAC celebrates innovation while bewailing problems that seem to remain unchanged. This is perhaps inevitable; many problems facing the security industry endure because they are hard to solve. Still, the innovation that seeks a hearing at such events continues to find opportunity and claim progress in taking them on. So long as there remains something new to learn, conferences such as RSAC will continue to draw a crowd, although that crowd may embrace more digital-first participation, both now and in the future.

Daniel Kennedy
Research Director, Voice of the Enterprise: Information Security

Daniel Kennedy is responsible for managing all phases of the research process. He is an experienced information security professional who has written for both Forbes online and Ziff Davis, has provided commentary to numerous news outlets including The New York Times and The Wall Street Journal, and his personal blog Praetorian Prefect was recognized as one of the top five technical blogs in information security by the RSA 2010 Conference.

Jeremy Korn
Research Associate

Jeremy Korn is a Research Associate at 451 Research. He graduated from Brown University with a BA in Biology and East Asian Studies and received an MA in East Asian Studies from Harvard University, where he employed quantitative and qualitative methodologies to study the Chinese film industry.

Aaron Sherrill
Senior Analyst

Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation and disruption in the Managed Services and Managed Security Services sectors. Aaron has 20+ years of experience across several industries including serving in IT management for the Federal Bureau of Investigation.
