According to the RSA Conference website, there was a total of 641 vendors exhibiting or sponsoring the conference in the over 738,000 square feet of exhibit space dedicated within the two-million-square-foot Moscone Center. I had meetings scheduled with approximately 20 of these vendors and met with a small handful of additional vendors on the expo floor as time permitted. I didn’t keep track of how far I walked this year, but the entire Moscone Center complex is approximately 87 acres in size. For comparison, the United States Capitol building is only 4 acres. I made several laps around the expo floor each day, as well as walking around the entire complex throughout various parts of the day. Needless to say, my feet are quite tired, but with the conversations I had with vendors, it was worth it.
As an analyst, I have the privilege of sharing a unique perspective on my attendance at the RSA Conference. Unlike many who attend the conference, my day was far too packed with meetings to be able to attend any of the breakout sessions or keynotes. Instead, I got to walk the show floor and experience the excitement and energy of the vendors and attendees at the expo. Of course, this meant I got all sorts of “swag,” and this year’s most prized possession is a sticker quoting the movie Tron, “I fight for the users!” And that is quite possibly the best summary of my takeaways from this year’s conference.
Not surprisingly, one of the common themes at the conference this year among the vendors was artificial intelligence. Almost every vendor had their latest “AI-powered solution” in what appears to be an AI-powered arms race for the best cybersecurity solutions. But underneath all of the flashing lights and artificial intelligence talk, I held some fascinating conversations with vendors and attendees about the human problems behind the technology solutions and the real challenges ordinary users face due to security.
One of the biggest concerns discussed with me at the conference was not the latest detection algorithms or encryption techniques, but the human impact of cybersecurity technology. While it’s not as “flashy” to talk about user experiences, it’s becoming increasingly important to address user experiences and the possible negative experience users may have due to cybersecurity products and associated configurations. For those of you who did express those concerns to me, know that they did not fall on deaf ears.
We talk about how zero trust is a journey, and security is a journey with compliance being the first step – but very rarely do we talk about the human impact of that journey. As a software developer, I know far too well the impacts of negative user experiences on productivity, especially when those experiences occur for the sake of security. One of the most common problems I and other developers have seen are code-scanning tools – well intentioned at preventing vulnerabilities from making it to production, but often poorly executed. Developers are provided vague descriptions of code security vulnerabilities without clear guidance on the full impact of those vulnerabilities or even how to correct them. Imagine being a system administrator, presented with a report saying that your servers have multiple vulnerabilities, but the report doesn’t provide specifics of the vulnerabilities or how to correct them. That tool would be ignored, replaced, and removed as quickly as possible, or even worse, bypassed. That is the heart of the matter – poor user experiences due to security measures will often result in the bypass of those security measures, leading to a false sense of organizational security.
The other interesting topic of discussion I had with multiple vendors at the conference, and related to the user experience issue, is that there are still too many barriers between IT and security, especially when performance issues come into play. In an ideal world, ITOps and SecOps should work together toward a common goal of empowering users to achieve maximum productivity in a safe and secure manner. Somewhere along the way, we seem to have lost sight of that – and ITOps and SecOps find themselves at odds with each other, with ITOps blaming SecOps for performance and productivity issues, while SecOps blames ITOps for security vulnerabilities and misconfigurations.
Of all my takeaways from the RSA Conference, I believe that my most important takeaway is this: before we begin focusing on the latest AI innovation, the latest detection algorithm, the latest advanced persistent threat, or the latest in zero trust technology, we need to all take a step back and look at the human element of this ever-evolving security journey, the journey that the users of the technology are experiencing. More importantly, we need to begin breaking down the barriers that are limiting the improvement of those user journeys.
See you next year, RSA Conference, and keep fighting for the users.