The RSA security conference took over downtown San Francisco this week with thousands of attendees packing vendor parties at restaurants and clubs. The festivities were a throwback to the heady days of the Internet boom, when venture capitalist funds fueled a bubble that burst in 2000 after years of hype surrendered to an inability to generate profits.
Unlike the privately funded companies in the dot-com era, many security vendors running on investor money have technology that would be useful in protecting corporate computing systems from hackers and cybercriminals. The problem is there's too many of them.
To draw attention, millions of dollars are being spent on marketing, which breeds hype that gives birth to buzzwords like cloud security, mobile device management and bring-your-own device. Because marketing bypasses reason and targets emotions, a shortage of useful information was available at many RSA booths.
[Related: What's Hot At RSA 2012? 18 Products To Look For ]
The upshot of all the hype has been cynicism among potential customers. "Because of all the hyping, people don't really move past a 1990s model of protection," James Lyne director of technology at U.K.-based security vendor Sophos, said. "A lot of this new stuff is more marketing than reality, when you actually look at the new technology being deployed. And that's really harmful and frustrating."
Driving the marketing frenzy are hundreds of vendors desperate to profit from the industry's growth. The latest five-year global projections from IDC show endpoint, network and mobile security with a compound annual growth rate of about 8 percent, 6 percent and 35 percent, respectively, through 2015. While mobile is growing at a faster clip, it is also starting from a much smaller base. By 2015, revenue is forecast to reach almost $2 billion, while the other categories are expected to top $10 billion.
The RSA Conference also has been growing. While not providing numbers, Sandra Toms LaPedis, area vice president and general manager, said in an e-mailed statement that attendance has been "trending very positively" since 2009.
Beneath the hype is a market attracting lots of venture capitalists. Peter Bybee, president and chief executive of San Diego-based Security On-Demand, said he was contacted at the show by "no less than 10" VCs or private equity firms interested in the managed security service provider. "It's hot," Bybee said of the market. "They're putting money out."
These firms have told Bybee that investors are looking to take companies like his public as soon as they reach a potential market capitalization of $1 billion. Less than that and investors would likely look for a merger or acquisition with another company. And if the latter does not happen, "you hope you become cash flow positive and profitable, so that you can pay your own bills, rather than burning up VC money," he said.
With so much money and hype driving the industry today, a shakeout is inevitable, a cycle repeated many times in the technology industry. "Right now, there's somewhere between 600 and 800 pre-IPO security companies. They're not all going to make it," said Jeremiah Grossman, founder and chief technology officer of Web site protection firm WhiteHat Security, based in Santa Clara, Calif.
Grossman, a blogger for more than 10 years and well-respected industry observer, believes the security market is currently at the "height of pre-consolidation." But judging from the steady pace of acquisitions, that phase has already begun. Large acquisitions completed over the last couple of years have included Hewlett-Packard buying ArcSight, Symantec gobbling up Verisign and Intel purchasing McAfee.
Large tech companies are not through with acquisitions. For example, Chris Young, Cisco's new senior vice president responsible for the company's security strategy, said at RSA that Cisco plans to make security a part of its entire product portfolio. HP chief executive Meg Whitman has singled out security as a focus of the company's software strategy. Assuming these companies won't want to make everything themselves, grabbing the technology through purchases is the predictable option.
So with the feeding frenzy ramping up and the VCs looking for prospects, the time to party like it's 1999 is now, before the inevitable hangover.