Before heading out to attend RSA Conference 2013, Bruce Schneier brought up this interesting point on his (excellent) blog:

Vendors at the RSA conference are only selling to the largest organizations.  And, as I wrote back in 2008, soon they will only be selling to IT outsourcing companies (the term "cloud provider" hadn't been invented yet).

This was evoked by a post from Mike Rothman titled Security No-Man's Land, where he notes:

As the industry descends on the RSA Conference to discuss the latest and greatest in security, the underserved midmarket continues to struggle with basic blocking and tackling. The industry machinery is not built to solve that problem.

All of this is essentially correct; eventually most security and IT in general for the small and midmarket orgs might be adeptly served by cloud providers.  It's certainly the case that each year the big companies at RSA get bigger, blotting out the proverbial sun with their towering displays.  And of course many of the smaller vendors are busy trying to look like good acquisition targets.  But this isn't quite the entire story.

Last week when we were exhibiting at RSA 2013 (beyond the massive booth citadels, among the suburbs of smaller vendors), I had the great good luck to catch Bruce Schneier quickly pacing through the aisles, without really looking at the companies exhibiting there.  He mentioned that he was trying to find someone giving away notepads.  I would have loved to do the fan-boy thing, but since he was very obviously in a hurry, I fell behind and left him to his quest.

Although the circumstance of our meeting was just a coincidence, it was a poignant one to me.  Each year Collective heads to RSA to set up the little green booth.  We tell everyone who will stop to listen about AuthLite and YubiKeys.  We are a small company and are not trying to be acquired, "make it big", or sell to the top 1000.  In fact, our 2-factor authentication product is priced and positioned to serve the small and medium market best: folks who are running their own Active Directory and want to add 2FA with a minimum of hassle.  The only way we succeed at this is by meeting new customers to sell directly, and meeting new consulting partners and value-added resellers, both of which reliably happen all week long at the show.

As Bruce and Mike note, the cost to a small organization to implement good security can be severe (in time, experience, and dollars).  Every year I am continually amazed at how many people approach us whose companies are still just using static passwords to log on!  We are trying really hard to make it easy and affordable.  Companies like Yubico help by continually innovating in the affordable hardware space, and Google Authenticator offers free OATH token support to mobile platforms.  And I know for certain there are dozens of other small vendors right alongside us (both competing and orthogonal) who are variously working on the same goals.

I do think it's likely that the security landscape will keep moving in the direction noted by the experts above.  I'm not even worried about it as a vendor; the market moves like a steamroller and you have to innovate new things or be squished!  But as long as companies are still running their own directory, I will be happy to offer AuthLite as a 2FA solution.  I very much hope RSA doesn't become the exclusive purview of giant company booths all angling to buy and sell each other.

And I'm making a mental note right now to bring a notebook with me next year.  I want another shot at meeting Bruce :)