Another RSA conference (not RSA, not #RSA, but “THE RSA Conference” – those that bought the conference do not want it to be associated with RSA the company, which leads me to wonder why they didn’t just rename the thing to something else more securityish) is in the books, and I thought I would share a few thoughts about things I saw and vendors that I met with at the conference.
Look – I like AI. I like new disruptive technologies. I like when tech vendors embrace those technologies to do new and interesting things. But we are just not there (yet). Using ChatGPT to provide some basic description of an event is a simple use case, but it is not terribly innovative. In fact, it was the initial use case that I discussed when we first started talking about ChatGPT a year ago. Now, I want more. I want heuristic policy creation based on an examination of billions of events to find the corner case. On the data security side, I want to use AI to determine the contents of unstructured data and assist in data classification. I want WAF and next-gen networking solutions to use AI to intelligently monitor and evaluate threats (not just prepackaged playbooks), propose actions, and potentially recommend/implement access policy based on immediate and relevant CVEs.
I know that we will get there, and I talked to plenty of vendors (looking at you, F5 and IBM) that will lead the way. But don’t be fooled – we are not there yet. I also want vendors to be brutally honest about the level of effort required to train these AI models: how much training do they do, how much training can a customer expect from updates, and how much training will be incumbent on the end customer. Without a fair and honest evaluation of training, AI is nothing more than “garbage in, garbage out,” and any vendor that cannot give you exact details on how their AI is being trained is probably selling “aspirational features.”
When I think about data security, there are three main aspects that I consider: data discovery, data classification, and data custodianship. Data discovery is the area in which we are making the greatest amount of progress. There are tools available now (again, ones that every size of company can purchase and utilize without needing a staff of 200 security experts) that really solve 90% of this problem (we will never be 100%, but being in the 90s is where everyone should shoot for). Data classification is the next frontier – you have found all your data, now what is it? The example I use is one that is likely relevant to most: there is a difference in how a lunch order from five months ago should be protected compared with an HR record containing employee salary information compared to source code that is the intellectual property that generates most of the income for the company. As I mentioned, AI will eventually be great at solving this, and several companies will continue innovating in that direction. Data custodianship – well, this is mainly a human problem, and should be seemingly easy to solve (HR, data goes to HR, source code goes to dev, etc.). But it is never that simple.
But how much is that worth? What is the value of an attendee who visits a booth at the RSA Conference? For those who like to nerd out about things like conference marketing math, a fully qualified lead is what exhibitors are hoping to gain from a badge scan at a conference. But when you start the napkin math on how much that lead costs when you add up all of the associated conference costs, you have to start wondering if it is worth the massive dollars it costs to be seen at the RSA Conference. Also realize that 90% of your booth visits (I am being generous – it is likely higher than that) are those looking for conference swag or to play with puppies (which may have been the greatest booth draw I have ever seen from any conference).
With new ownership (the conference was purchased from RSA [the company] in 2022), maybe the conference will start to evolve and change. I certainly noticed from the session catalog that it did, and maybe that is a good thing. Maybe it isn’t – many notables that I expected to see presentations from were left off the agenda this year.
I also think that the conference needs to seriously consider a different location. I know that there are plenty of folks who appreciate the close proximity to Silicon Valley, but the outrageous costs for attendees, exhibitors, and anyone associated with the conference make me wonder if there could be a better choice somewhere else – I know people have Vegas fatigue with all of the conferences that are there, but then you have to consider that the reason that there are so many conferences there is that Vegas was practically made to host excellent and (relatively) inexpensive conferences.
Nothing earth-shattering here, and I hope that you found this blog interesting. We will also cover this in the Cybersecurity Awesomeness podcast in the next episode or so. Thanks for reading!