EMA IT & Data Management Research, Industry Analysis & Consulting

Key Takeaways from RSAC 2026

Mar 27, 2026 1:23:24 PM

The cybersecurity world descended on San Francisco's Moscone Center this week for RSAC 2026, the 35th annual flagship event – and the numbers alone tell you this is no niche gathering. Around 43,500 attendees, 700 speakers, 600 exhibitors, and 400 members of the media converged on the conference, which spans multiple stages and countless hands-on experiences. That's a lot of people, and a lot of opinions: some I hope you are paying attention to, and some I would prefer you ignore. After spending the week meeting with some of the best vendors at the conference, plus a few passing conversations in elevators and airplane queues, four themes kept coming up again and again – and if you're serious about your security program, they're worth paying attention to.

Get Your Data House in Order Before You Even Think About Agentic AI

Everyone is talking about agentic AI, and if you're not planning for it, you're already behind. But here's the uncomfortable truth that kept surfacing in conversations across the show floor: most organizations don't have the data security foundations in place to deploy AI agents safely.

Put simply, AI agents need to access data to be useful. If you don't know where your sensitive data lives, who can touch it, and how it flows across your environment, you're essentially handing a set of master keys to a system you don't fully understand. The conversation at RSAC this year increasingly centered on observability, identity, and governance as prerequisites for safe AI adoption – not nice-to-haves that can be bolted on later. DSPM isn't a checkbox; it's your foundation.

AI is a(n Immature) Tool, Not a Headcount Replacement

Let's be blunt about something: regardless of the insane velocity of the evolving AI market, AI solutions are still immature, and organizations that are treating them as a headcount reduction tool are making a serious mistake.

As AI continues weaving itself into security operations, the conversations at RSAC pointed to a clear reality: adoption is accelerating faster than the frameworks designed to manage it. The technology has real promise, but using it to trim your workforce before it's mature – before we have reliable governance, before we understand how agents behave at scale – is the kind of short-term thinking that creates long-term disasters.

The CISO is Now a Risk Manager, Full Stop

The role of the CISO has been evolving for years, but RSAC 2026 felt like the moment the industry finally agreed on what it's evolving into. The days of the CISO as the technical “chief nerd” who keeps the lights on are over. The modern CISO is a business risk manager who happens to understand technology deeply.

The CISO's role has increasingly been codified as a fiduciary responsibility, with the strategic focus shifting from breach prevention to reducing breach impact and improving cyber-resilience. Boards want to know what risks exist and what they cost – not what tools you're running. Risk quantification has become about telling the story of your security program: why investments are being made and how they map to business impact. This shift matters enormously for how security teams are built, how CISOs communicate with leadership, and where budget conversations start. If you're still framing your security program in purely technical terms, you're speaking a language your board doesn't understand (more on this in the coming weeks).

Post-Quantum Cryptography: The Clock is Running

For a long time, post-quantum cryptography (PQC) was the conversation happening in the corner of the room – important, sure, but not urgent. Almost treated as a “science project,” it rarely received any real consideration, much less budget allocation. Finally, the conversation is shifting.

Vendors highlighted PQC as one of the defining areas to watch at this year's event. The shift in tone is real. IBM's vice president of technology told RSAC attendees that quantum computing is no longer a far-fetched dream – regulators and industry leaders are aligned that it's coming in a few years. The "harvest now, decrypt later" threat model, in which adversaries collect encrypted data today to decrypt it once quantum capability matures, means the risk is already present, even if the capability isn't.

RSAC discussions repeatedly highlighted encryption visibility and governance as foundational capabilities for quantum readiness, with practical guidance centered on mapping cryptographic assets across environments before introducing controls and migration strategies. Organizations that wait on PQC are going to find themselves in the same position as those who ignored cloud security until after the breaches started.
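To make the "map your cryptographic assets first" guidance concrete, here is an added example (not code from the post, from EMA, or from any vendor mentioned) of a small triage script over a constructed inventory, of the kind a discovery scan would produce. It classifies each asset as quantum-vulnerable or PQ-safe and ranks migration work by "harvest now, decrypt later" exposure: confidentiality of data retained beyond the planning horizon is scored as the most urgent, while signatures and short-lived sessions rank lower. The algorithm lists, the eight-year horizon, and the scoring weights are assumptions chosen for illustration, not figures from the post.

```python
"""Cryptographic asset inventory triage for PQC planning (added example).

Classifies a constructed inventory of cryptographic assets and ranks
migration work by "harvest now, decrypt later" (HNDL) exposure.
"""
import csv
import io

# Assumption: public-key algorithms broken by Shor's algorithm, versus the
# NIST PQC standards and symmetric/hash primitives at adequate sizes.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "X25519", "ED25519"}
PQ_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA", "AES", "SHA-256", "SHA-384"}

# Assumed planning horizon (hypothetical parameter, not a prediction): data
# that must stay confidential longer than this is treated as HNDL-exposed.
QUANTUM_HORIZON_YEARS = 8

# Constructed sample inventory; real rows would come from a discovery scan.
SAMPLE_INVENTORY = """\
asset,algorithm,key_bits,purpose,data_sensitivity,retention_years
vpn-gw-01,RSA,2048,key-exchange,high,12
api-tls-edge,ECDH,256,key-exchange,medium,1
code-signing-hsm,ECDSA,384,signature,high,5
backup-vault,AES,256,encryption,high,25
hr-archive-tls,RSA,3072,key-exchange,high,15
ssh-bastion,ED25519,256,signature,medium,1
pilot-kem,ML-KEM,768,key-exchange,medium,1
"""


def classify(algorithm):
    """Map an algorithm name to a migration status."""
    name = algorithm.strip().upper()
    if name in QUANTUM_VULNERABLE:
        return "quantum-vulnerable"
    if name in PQ_SAFE:
        return "pq-safe"
    return "unknown"  # needs investigation before any migration decision


def hndl_exposed(row):
    """HNDL applies to confidentiality (key exchange / encryption) of data
    retained past the horizon; stored ciphertext does not retroactively
    break signatures, so signing keys are excluded here."""
    return (
        classify(row["algorithm"]) == "quantum-vulnerable"
        and row["purpose"] in {"key-exchange", "encryption"}
        and int(row["retention_years"]) > QUANTUM_HORIZON_YEARS
    )


def priority(row):
    """Higher score means migrate sooner. Sensitivity sets a base score;
    HNDL exposure adds a large weight, other vulnerable assets a small one."""
    base = {"high": 3, "medium": 2, "low": 1}.get(row["data_sensitivity"], 1)
    status = classify(row["algorithm"])
    if status == "pq-safe":
        return 0
    if status == "unknown":
        return base + 1
    return base + (10 if hndl_exposed(row) else 2)


def triage(csv_text):
    """Return inventory rows annotated with status, HNDL flag and priority,
    sorted so the most urgent migrations come first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["status"] = classify(row["algorithm"])
        row["hndl_exposed"] = hndl_exposed(row)
        row["priority"] = priority(row)
    return sorted(rows, key=lambda r: (-r["priority"], r["asset"]))


if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['priority']:>2}  {r['asset']:<18} {r['algorithm']:<8} "
              f"{r['status']:<20} hndl={r['hndl_exposed']}")
```

Run as a script it prints the ranked inventory; the two long-retention RSA key-exchange assets land at the top, the AES vault and the ML-KEM pilot at the bottom. The point is the ordering logic, not the particular weights: retention period and data sensitivity, not key size alone, decide which migrations cannot wait.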

RSAC 2026 made one thing clear above all else: the complexity isn't going away, and the margin for error is shrinking. Whether it's governing AI agents, reframing the CISO's role, or preparing for a quantum future, the organizations winning the next era of security are the ones doing the foundational work right now.

Written by Chris Steffen

Christopher Steffen, CISSP, CISA, is the vice president of research at EMA, covering information security, risk, and compliance management. Before EMA, he served as the CIO for a financial services firm, focusing on FedRAMP compliance and security. He has also served in executive and leadership roles in numerous industry verticals. Steffen has presented at numerous industry conferences and has been interviewed by multiple online and print media sources. Steffen holds over a dozen technical certifications, including CISSP and CISA.