Stalled-Fi in Florida: The Sun Sentinal newspaper looks at stalled, dropped efforts at city-wide Wi-Fi in Palm Beach County. Boynton Beach had a network early on, in 2005, but the city dropped the operator in March 31 due to complaints over maintenance. Delray Beach (E-Path) and West Palm Beach haven't advanced.

Minneapolis Wi-Fi requires booster for best use: This isn't an enormous surprise, or anything, and one of the consultants on the Minneapolis project said that USI Wireless starts with the notion that a booster is needed, which is highly sensible. Reporter Steve Alexander found service was highly variable outdoors with a standard laptop Wi-Fi adapter. The company sells boosters: a $160 high-gain laptop card and an $80 ($5/mo rental) home bridge. Alexander didn't re-test problem areas with the high-gain card. You can see the map of Alexander's test locations.

Orange Line in Los Angeles can't attract Wi-Fi operator: A spokesperson suggested riders should take advantage of "existing satellite" providers, where I think he'll be red-faced to know he should have said cellular. Or the reporter misheard. Say satellite and cellular each ten times fast. Now drink a glass of water.

Scarborough (Yorkshire Coast, UK) offers free Wi-Fi: 5.5m visitors pass through this coastal town each year, and a local business association has decided to unleash free Wi-Fi. The service will be pointed outwards for boats in the harbor, as well as inland.

Free Wi-Fi float in Sebastopol parade: The Apple Blossom Festival Parade last Saturday included "a fluorescent and sparkle-clad crew that shouted, 'Free Wi-Fi.' " The parade was led by a 1906 San Francisco Earthquake survivor.

Talk to the exhibitors, though, and the most common complaint is that the attendees aren't buying.

It's not the quality of the wares. The show floor is filled with new security products, new technologies, and new ideas. Many of these are products that will make the attendees' companies more secure in all sorts of different ways. The problem is that most of the people attending the RSA Conference can't understand what the products do or why they should buy them. So they don't.

I spoke with one person whose trip was paid for by a smallish security firm. He was one of the company's first customers, and the company was proud to parade him in front of the press. I asked him if he walked through the show floor, looking at the company's competitors to see if there was any benefit to switching.

"I can't figure out what any of those companies do," he replied.

I believe him. The booths are filled with broad product claims, meaningless security platitudes, and unintelligible marketing literature. You could walk into a booth, listen to a five-minute sales pitch by a marketing type, and still not know what the company does. Even seasoned security professionals are confused.

Commerce requires a meeting of minds between buyer and seller, and it's just not happening. The sellers can't explain what they're selling to the buyers, and the buyers don't buy because they don't understand what the sellers are selling. There's a mismatch between the two; they're so far apart that they're barely speaking the same language.

This is a bad thing in the near term -- some good companies will go bankrupt and some good security technologies won't get deployed -- but it's a good thing in the long run. It demonstrates that the computer industry is maturing: IT is getting complicated and subtle, and users are starting to treat it like infrastructure.

For a while now I have predicted the death of the security industry. Not the death of information security as a vital requirement, of course, but the death of the end-user security industry that gathers at the RSA Conference. When something becomes infrastructure -- power, water, cleaning service, tax preparation -- customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers.

No one wants to buy security. They want to buy something truly useful -- database management systems, Web 2.0 collaboration tools, a company-wide network -- and they want it to be secure. They don't want to have to become IT security experts. They don't want to have to go to the RSA Conference. This is the future of IT security.

You can see it in the large IT outsourcing contracts that companies are signing -- not security outsourcing contracts, but more general IT contracts that include security. You can see it in the current wave of industry consolidation: not large security companies buying small security companies, but non-security companies buying security companies. And you can see it in the new popularity of software as a service: Customers want solutions; who cares about the details?

Imagine if the inventor of antilock brakes -- or any automobile safety or security feature -- had to sell them directly to the consumer. It would be an uphill battle convincing the average driver that he needed to buy them; maybe that technology would have succeeded and maybe it wouldn't. But that's not what happens. Antilock brakes, airbags, and that annoying sensor that beeps when you're backing up too close to another object are sold to automobile companies, and those companies bundle them together into cars that are sold to consumers. This doesn't mean that automobile safety isn't important, and often these new features are touted by the car manufacturers.

The RSA Conference won't die, of course. Security is too important for that. There will still be new technologies, new products, and new start-ups. But it will become inward-facing, slowly turning into an industry conference. It'll be security companies selling to the companies who sell to corporate and home users -- and will no longer be a 17,000-person user conference.

This essay originally appeared on Wired.com.

Talk to the exhibitors, though, and the most common complaint is that the attendees aren't buying.

It's not the quality of the wares. The show floor is filled with new security products, new technologies, and new ideas. Many of these are products that will make the attendees' companies more secure in all sorts of different ways. The problem is that most of the people attending the RSA Conference can't understand what the products do or why they should buy them. So they don't.

I spoke with one person whose trip was paid for by a smallish security firm. He was one of the company's first customers, and the company was proud to parade him in front of the press. I asked him if he walked through the show floor, looking at the company's competitors to see if there was any benefit to switching.

"I can't figure out what any of those companies do," he replied.

I believe him. The booths are filled with broad product claims, meaningless security platitudes, and unintelligible marketing literature. You could walk into a booth, listen to a five-minute sales pitch by a marketing type, and still not know what the company does. Even seasoned security professionals are confused.

Commerce requires a meeting of minds between buyer and seller, and it's just not happening. The sellers can't explain what they're selling to the buyers, and the buyers don't buy because they don't understand what the sellers are selling. There's a mismatch between the two; they're so far apart that they're barely speaking the same language.

This is a bad thing in the near term -- some good companies will go bankrupt and some good security technologies won't get deployed -- but it's a good thing in the long run. It demonstrates that the computer industry is maturing: IT is getting complicated and subtle, and users are starting to treat it like infrastructure.

For a while now I have predicted the death of the security industry. Not the death of information security as a vital requirement, of course, but the death of the end-user security industry that gathers at the RSA Conference. When something becomes infrastructure -- power, water, cleaning service, tax preparation -- customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers.

No one wants to buy security. They want to buy something truly useful -- database management systems, Web 2.0 collaboration tools, a company-wide network -- and they want it to be secure. They don't want to have to become IT security experts. They don't want to have to go to the RSA Conference. This is the future of IT security.

You can see it in the large IT outsourcing contracts that companies are signing -- not security outsourcing contracts, but more general IT contracts that include security. You can see it in the current wave of industry consolidation: not large security companies buying small security companies, but non-security companies buying security companies. And you can see it in the new popularity of software as a service: Customers want solutions; who cares about the details?

Imagine if the inventor of antilock brakes -- or any automobile safety or security feature -- had to sell them directly to the consumer. It would be an uphill battle convincing the average driver that he needed to buy them; maybe that technology would have succeeded and maybe it wouldn't. But that's not what happens. Antilock brakes, airbags, and that annoying sensor that beeps when you're backing up too close to another object are sold to automobile companies, and those companies bundle them together into cars that are sold to consumers. This doesn't mean that automobile safety isn't important, and often these new features are touted by the car manufacturers.

The RSA Conference won't die, of course. Security is too important for that. There will still be new technologies, new products, and new start-ups. But it will become inward-facing, slowly turning into an industry conference. It'll be security companies selling to the companies who sell to corporate and home users -- and will no longer be a 17,000-person user conference.

This essay originally appeared on Wired.com.

Before we begin, go read my RSA Impressions (Part 1,2,3,4). Next, read what others said about RSA 2008 (via my del.icio.us feed). Then reflect on past RSA shows (2006, 2007).

Ready now?

First, what was the theme? I personally couldn't pick any (unlike in the past). The candidates were GRC (yuck!), DLP (mmmmm), IAM (huh?).

What I saw too much off? Even though their numbers have shrunk, I still saw too many stupid NAC vendors there (Lockdown, here we come!). One of my friends joked that there were more "GRC vendors" than NAC vendors, but both were in low enough numbers to make a trend. As far as loud noises from 2007, "identity-driven this or that for security" was still very visible.

Overblown messages? "Information-centricity." It was cool and new when Hoff said it (hi Chris, it was fun to finally meet you!). But when it trickled to keynotes of some "trailing edge" exec, it became boring and stale. And, no, "information centricity" still leaves people to worry about "A" (availability) first (see this discussion)

What is also bizarre is that people still start log management companies. I saw a couple of new ones - ama

What I didn't see enough of? VOIP security. Somehow this previously hot trend is quite. Also, I saw a lot of web application security vendors, but I think that is still not enough as this is an area with a raging fire, not just "some hotness." Also, I expected to see more vendors messaging (and, actually helping!) with fraud. Dan Geer's Verdasys kinda mentioned that, but pretty much in passing. Is fraud handled outside of security (and thus out of RSA)? I am not sure.

What I didn't see at all? I didn't see much "market consolidation" - no huge deals, no vendors of note "taken out", etc. Still a huge number of security companies around ... One of the speakers said that nowadays "no single security pure-play expected to change the world", but it sure seems like many will try...hard!   Along the same line, Mike R said that such shows are 18-24 months ahead of what "normal" people deploy. This might explain the VOIP and other missing items.

As I said before, "consumerization" of IT - i.e. IT infrastructure, servers, laptops, storage, services, computing resources, applications, etc provisioned outside of IT departments was an elephant in the room. It is not simply "unmanaged IT" or "consumer-grade IT for business", it is the whole "not-IT-department IT" phenomenon. Yes, via mashups it even includes "non-IT application development" (read this fun 451Group report on that). Security implications of this are nothing short of ginormous.

In light of this, I liked how one presenter said this: "we lost the desktop" - meaning "1/3 is managed by users, 1/3 is unmanaged and 1/3 is 0wned."  Sad but true... Dave Aitel used to joke how in the future banks will have to "re-compromise / re-0wn" your PC so some temporary security can be established for you to transact business with them. Are such horrifying times upon us already? :-)

Finally, a parade of fun quotes about this year's RSA from my fellow bloggers.

• Rich Mogull: "And this year’s theme at RSA is… Nothing. Nada. Zip."
• Mike Rothman: "RSA show messaging [...] is probably 18-24 months ahead of most practitioners"
• Mitchell Ashley: "Security Industry Missing Ride On The Cloud"
• Rob Newby: "In a way I'm glad there was no theme. It means that I was right about the market not going anywhere. Maybe security will have a chance to catch up with the marketing now, and then the compliance will get nicely rounded too, and everyone will stop complaining about it. I doubt it though."
• Richard "IDS is dead" Stiennon: "Every RSA show is different. Every year there is a buzz. It takes two or three days of walking the show floor, hearing vendor pitches [...] to identify that buzz."
• Michael Dahn: "This year, everyone is talking about two things at RSA: risk and regulatory compliance. "

See ya at RSA 2009!?

Matt Hines over at InfoWorld has an article up on the inevitability of software as a service becoming more prevalent. I don't want to rain on anyones parade and I do believe we will see more SaaS, but there are a few things in this article that bear correction and comment.  So here are my three biggest lies about SaaS.

1.SaaS is the way to sell "security by subscription. That is the title of Mat's article, "Security by subscription".  The fact is the companies Matt mentions, Symantec, McAfee and Trend have been selling security by subscription for years. They don't need SaaS to do so.  In my definition subscription is when you buy their AV or similar product and if you don't re-up at the end of the license period you stop getting updates.Without the updates the software is useless.  Over the years the entire AV industry moved to this model including Microsoft when they entered the market.  In fact they automatically renew your subscription and it can be a pain to get them to stop.  So though SaaS is one way of selling security by subscription it is not the only way or even the dominant way. It is not novel or a particularly big driver for the SaaS model.

2. SaaS is cheaper with a better ROI.  I say bull crap to this. Another company I helped create was called Interliant and we were one of the top 3 ASPs back in the day.  We did a ton of analysis on this and I can tell you that while SaaS can deliver a high level of coverage, it is not cheaper. In fact SaaS actually winds up being more expensive over an extended period of time.Generally it may be slightly less over time for the service itself, but when you factor in the total costs it most often is not.  So lets not start saying that SaaS is a way to deal with shrinking budgets and downturns in the economy.

3. SaaS is not channel friendly.  The problem is that a channel partner can easily sell the SaaS, but at that point is cut out of the picture. They have nothing to with the delivery or other ways for value add.  Once they don't own the customer and have been cut out of the delivery of the product there opportunity to monetize the customer is diminished and this is bad business for the VAR.  SaaS is a great way to cut out the middleman and the middlemen are smart enough to see this very quickly and reject it.

All of the above not withstanding I do think SaaS and security in the cloud will become more of a factor. The trick is that there is more to SaaS than a Symantec live update service.  That is not SaaS.  As Matt correctly notes, there are certain types of security technologies that lend themselves well to SaaS and there are some that do not. Figuring out which is which is the key. Also outsourcing versus in house is a consistent pendulum that swings first one way and then the other. People will start complaining about not having enough "control" over the process and not enough customization options to do it they way they want. They start complaining about the cost, when they find out it is more money. Just as the trend appears to be swinging towards SaaS now, it will inevitably swing back the other way.

Matt Hines over at InfoWorld has an article up on the inevitability of software as a service becoming more prevalent. I don't want to rain on anyones parade and I do believe we will see more SaaS, but there are a few things in this article that bear correction and comment.  So here are my three biggest lies about SaaS.

1.SaaS is the way to sell "security by subscription. That is the title of Mat's article, "Security by subscription".  The fact is the companies Matt mentions, Symantec, McAfee and Trend have been selling security by subscription for years. They don't need SaaS to do so.  In my definition subscription is when you buy their AV or similar product and if you don't re-up at the end of the license period you stop getting updates.Without the updates the software is useless.  Over the years the entire AV industry moved to this model including Microsoft when they entered the market.  In fact they automatically renew your subscription and it can be a pain to get them to stop.  So though SaaS is one way of selling security by subscription it is not the only way or even the dominant way. It is not novel or a particularly big driver for the SaaS model.

2. SaaS is cheaper with a better ROI.  I say bull crap to this. Another company I helped create was called Interliant and we were one of the top 3 ASPs back in the day.  We did a ton of analysis on this and I can tell you that while SaaS can deliver a high level of coverage, it is not cheaper. In fact SaaS actually winds up being more expensive over an extended period of time.Generally it may be slightly less over time for the service itself, but when you factor in the total costs it most often is not.  So lets not start saying that SaaS is a way to deal with shrinking budgets and downturns in the economy.

3. SaaS is not channel friendly.  The problem is that a channel partner can easily sell the SaaS, but at that point is cut out of the picture. They have nothing to with the delivery or other ways for value add.  Once they don't own the customer and have been cut out of the delivery of the product there opportunity to monetize the customer is diminished and this is bad business for the VAR.  SaaS is a great way to cut out the middleman and the middlemen are smart enough to see this very quickly and reject it.

All of the above not withstanding I do think SaaS and security in the cloud will become more of a factor. The trick is that there is more to SaaS than a Symantec live update service.  That is not SaaS.  As Matt correctly notes, there are certain types of security technologies that lend themselves well to SaaS and there are some that do not. Figuring out which is which is the key. Also outsourcing versus in house is a consistent pendulum that swings first one way and then the other. People will start complaining about not having enough "control" over the process and not enough customization options to do it they way they want. They start complaining about the cost, when they find out it is more money. Just as the trend appears to be swinging towards SaaS now, it will inevitably swing back the other way.