This year RSA is drowning in buzzword-laden security startups. If you’ve got a next-gen cloud-enabled startup that catches 100% of zero days no one has even thought of yet, there’s an RSA booth for you. No track record? No problem. Not sure whether it’s hardware or software? No problem.

The problem is that real security is really hard.

"Real security takes years to get right ... with lots of trial and error."

It’s not hard to mash up some buzzwords, license a few tech companies’ engines and hire a graphics team to put a booth together. But real security takes years, like more than two, and lots of trial and error. It takes a very long time to build the kind of trust that justifies companies' reliance on you. It also requires having more than one aspect to your security suite, or at least having a suite.

I mean, no one is saying that there aren’t better ways to approach some novel add-on to the security stack. But that’s not how you position yourself for an acquisition. Mash-ups are definitely better if that’s your goal. And there are plenty of acquisition shopping sprees going on here at RSA.

So you have a reputation system. So you offload the endpoint threat intelligence duties to a more powerful bank of servers somewhere in the cloud. So does everyone; well, a lot of them anyway. So you’re not signature-only, and you claim not just to be reactive. So is everyone who’s endured the last 20 years of building the security stack.

This year you had to write Next-Gen on your literature somewhere: that’s important. Like the rest of the security vendors haven’t devoted teams of people in dimly lit labs to the same thing for decades. You also had to say that “the Cloud does all the thinking”. While smart Cloud things are an important aspect, they aren’t silver bullets – no single technology is, all by itself. It’s all about the stack.

I love to walk the edges of RSA to the tiny booths for the up-and-coming security companies. These are the booths where, if the dev goes to lunch, the CEO has to be there or the booth is empty. A chance to interact directly with those who are busy doing the real work every day. They tend to have a more sober view of the technology and can explain why they find it compelling on a technical level. There is a real genuineness to those conversations and they shine a real light on tough technical problems we’ve all been trying to solve for a long time.

In the security business, this is a breath of fresh air – sort of letting the technology lead, and not just slick marketing. Sure, you have to market stuff to stay in business. But truly solving the next generation of problems will involve a heavy dose of both cutting-edge tech and a humble, honest approach to how difficult it is to keep those we care about safe digitally. We could all stand a bit more sobriety on that front, because the attacks don’t seem to be going away – we haven’t won yet.