RSA Conference Recap

May 21, 2024 8:56:01 AM

Another RSA conference (not RSA, not #RSA, but “THE RSA Conference” – those that bought the conference do not want it to be associated with RSA the company, which leads me to wonder why they didn’t just rename the thing to something else more securityish) is in the books, and I thought I would share a few thoughts about things I saw and vendors that I met with at the conference.

  • AI - All The Time – As you might imagine, the RSA Conference was all about artificial intelligence (AI). I believe the literal price of admission for a vendor to exhibit on the show floor is to promote the work they have done with AI, or will be doing. So much vaporware at this point, since many of the vendors out there are using AI to be part of the conversation, not as a feature differentiator.

Look – I like AI. I like new disruptive technologies. I like when tech vendors embrace those technologies to do new and interesting things. But we are just not there (yet). Using ChatGPT to provide some basic description of an event is a simple use case, but it is not terribly innovative. In fact, it was the initial use case that I discussed when we first started talking about ChatGPT a year ago. Now, I want more. I want heuristic policy creation based on an examination of billions of events to find the corner case. On the data security side, I want to use AI to determine the contents of unstructured data and assist in data classification. I want WAF and next-gen networking solutions to use AI to intelligently monitor and evaluate threats (not just prepackaged playbooks), propose actions, and potentially recommend/implement access policy based on immediate and relevant CVEs.

I know that we will get there, and I talked to plenty of vendors (looking at you, F5 and IBM) that will lead the way. But don’t be fooled – we are not there yet. I also want vendors to be brutally honest about the level of effort required to train these AI models: how much training do they do, how much training can a customer expect from updates, and how much training will be incumbent on the end customer? Without a fair and honest evaluation of training, AI is nothing more than “garbage in, garbage out,” and any vendor that cannot give you exact details on how their AI is being trained is probably selling “aspirational features.”

  • Data Security is Finally Happening – I had some fantastic conversations with vendors about the strides that we (the security industry) are making in data security. Blame regulatory pressures or just improving technologies, but it is finally becoming possible for small to medium enterprises to achieve a reasonable level of data security. Of course, we still have a long way to go.

When I think about data security, there are three main aspects that I consider: data discovery, data classification, and data custodianship. Data discovery is the area in which we are making the greatest amount of progress. There are tools available now (again, ones that every size of company can purchase and utilize without needing a staff of 200 security experts) that really solve 90% of this problem (we will never be 100%, but being in the 90s is where everyone should shoot for). Data classification is the next frontier – you have found all your data, now what is it? The example I use is one that is likely relevant to most: a lunch order from five months ago, an HR record containing employee salary information, and the source code that is the intellectual property generating most of the company’s income all deserve very different levels of protection. As I mentioned, AI will eventually be great at solving this, and several companies will continue innovating in that direction. Data custodianship – well, this is mainly a human problem, and should seemingly be easy to solve (HR data goes to HR, source code goes to dev, etc.). But it is never that simple.

  • Has the RSA Conference Jumped the Shark? The honest answer to this is that I don’t know, but I am starting to wonder. When big names choose not to exhibit or have a presence at the conference, people pay attention. For years now, it was understood that decision-makers come to the RSA Conference to see everyone in one room, and that practitioners go to Black Hat a few months later to try to understand how to implement the solutions that their decision-makers purchased because of the RSA Conference. It has been my experience (for a long time) that the nerd side of me finds much greater value in the Black Hat conference than in the RSA Conference. But the RSA Conference is the only real opportunity there is to meet with 40,000 of my closest friends all in one place.

But how much is that worth? What is the value of an attendee who visits a booth at the RSA Conference? For those who like to nerd out about things like conference marketing math, a fully qualified lead is what exhibitors are hoping to gain from a badge scan at a conference. But when you start the napkin math on how much that lead costs when you add up all of the associated conference costs, you have to start wondering if it is worth the massive dollars it costs to be seen at the RSA Conference. Also realize that 90% of your booth visits (I am being generous – it is likely higher than that) are from people looking for conference swag or to play with puppies (which may have been the greatest booth draw I have ever seen at any conference).

With new ownership (the conference was purchased from RSA [the company] in 2022), maybe the conference will start to evolve and change. I certainly noticed from the session catalog that it did, and maybe that is a good thing. Maybe it isn’t – many notables that I expected to see presentations from were left off the agenda this year.

I also think that the conference needs to seriously consider a different location. I know that there are plenty of folks who appreciate the close proximity to Silicon Valley, but the outrageous costs for attendees, exhibitors, and anyone associated with the conference make me wonder if there could be a better choice somewhere else. I know people have Vegas fatigue with all of the conferences that are there, but consider that the reason there are so many conferences there is that Vegas was practically made to host excellent and (relatively) inexpensive conferences.

Nothing earth shattering here, and I hope that you found this blog interesting. We will also cover this in the Cybersecurity Awesomeness podcast in the next episode or so. Thanks for reading!

Chris Steffen

Written by Chris Steffen

Christopher Steffen, CISSP, CISA, is the vice president of research at EMA, covering information security, risk, and compliance management. Before EMA, he served as the CIO for a financial services firm, focusing on FedRAMP compliance and security. He has also served in executive and leadership roles in numerous industry verticals. Steffen has presented at numerous industry conferences and has been interviewed by multiple online and print media sources. Steffen holds over a dozen technical certifications, including CISSP and CISA.

