Dell sells RSA - what's in a market?
Dell sold RSA to Symphony Technology Group, a PE firm, last week. I'm sure you've heard by now.
For some reason I missed it. Is it my imagination, or was this downplayed, even at RSAC where it was announced? Maybe I've been living under a rock to avoid the coronavirus and climate change stories now filling my airwaves.
Market Forces
In hindsight, it was almost inevitable. Dell’s strategy is almost completely Cloud infrastructure (VMware, EMC, etc.) and their security products will be Cloud security-based, built into those. RSA haven't done a lot of new product development since the EMC acquisition in 2006, and in relative terms this acquisition represents a financial loss for Dell. EMC acquired RSA for $2.1bn; Dell just sold it for a little under this ($2.075bn) 14 years later.
Looking at this more positively for RSA, there is a lot of investment by VCs at the moment in Security. It’s a growth area, clearly, and until recently there were lots of unicorns and silver bullets. The market has matured, however; CISOs are older and wiser and more cynical as a group.
There is no silver bullet, and the VCs know this as well as, if not better than, the CISOs. I spoke to a partner at a VC last week who had invested in one of the biggest unicorns of recent times and got out at the right time. He knew it was a unicorn, and has realised this wouldn’t happen again, because the market is wise to it. Anyone who can benefit from a gamble that large and not get sucked into doing it again is very smart in my book, particularly with the market messaging that comes around any new investment.
That doesn't mean that sales and marketing doesn't work. We are seeing it in the Risk space right now: lots of investment in marketing and sales, the market is flooding with white elephants, and a lot of interesting peripheral functionality is growing around the edges with new tools and features. We are following the money, but then the market needs it. It's a complex space that has never been adequately addressed.
So whilst the market is fracturing into ever smaller details, CISOs and VCs alike are looking for some consolidation. I continually hear from both groups that the market is swamped and confusing; people need guidance on what is real and what is marketing.
Consolidation
There are 2 ways that I see a successful consolidation play going: either management or product consolidation. I’ve been thinking about the management side for a while (as a CISO): a simple tool which designates ownership and applies priorities and metrics for measuring how well the underlying processes are running. I'd buy something that allowed me to delegate ownership of areas of security, but ensured the underlying processes were operating correctly.
The second form of consolidation will come out of this (for the VCs), as it is a natural progression of the market. There are currently products which help with compliance, risk management, supply chain risk management and assigning costs to risks. There are products for threat intel, threat management, vulnerability management, detection and response. There are tools for workflow and process management. What there isn't is a tool which oversees all of this and reports back the current state. Yes, there are tool-monitoring tools, but they are irrelevant as they miss 80% of security processes, and 100% of the people involved - no ownership means another tool left on the shelf.
However, unified security management is a huge spectrum of process monitoring and tools to support, and therefore prohibitively expensive for all but the very wealthiest of VCs, and even then they’d be taking a chance.
The thing that most CISOs have learnt from the last 20 years of experience is that there is no magic tool, and if you don’t prepare in advance and know your processes, you will end up with something you never realise the benefit of. This is why I think anything which focuses on business processes will win out in the long run. Security is a spectrum of processes, not tools, and monitoring these across everything from asset management to environment recovery, particularly where the responsibility for operating them lies outside security, is key to this next move in the market.
Will STG get this with RSA? Not sure. They will certainly have some value: Archer for GRC, NetWitness for SIEM, threat detection and response, SecurID for 2FA, and Fraud & Risk Intelligence; and not least a foothold in the market, but there are still a lot of gaps to be filled. Like the CISO, they will have to look at the processes they are covering before they invest in more tools.