Having attended every RSA Conference but one in the last 14 years, I’ve grown accustomed to the following questions:
- What’s new or hot this year?
- What are the big lessons?
Looking at RSA Conference 2018, the crowd was noticeably younger this year, suggesting an industry growth spurt and raising questions about where infosec goes from here.
It’s natural for people to ask what’s new, and it used to be a question I could easily answer after a stroll through the expo hall. In 2005, the buzz was all about data breaches, then a new and scary thing. Between 2006 and 2008, it was cloud security. Another year, it was advanced persistent threats (APTs).
This year, buzzword marketing was more muted. It’s hard to get excited when data breaches have long since become daily occurrences. There’s still a lot of talk about ransomware, malicious crypto-mining and blockchain technology people struggle to understand. And most challenges continue to be examined through the compliance lens, the latest example being GDPR.
Security practitioners deal with threats that constantly change shape, but within those shapes, they see the same core problems that have dogged them for 20 years. They’re not coming to RSA in search of what’s new. They seek better ways to deal with old problems.
Many long-time friends in the industry made the same observation: The crowds have become noticeably larger, to the point where veterans can’t recognize most of the people around them. Almost everyone I know asked aloud: Who the heck are all these people?
By its own count, RSA put this year’s attendance at more than 42,000 attendees, in the same zone as last year’s 43,000 attendees and 2016’s approximately 40,000. But a lot of security attendees came to town without an RSA registration. Instead, they held meetings in the surrounding hotels, restaurants and bars.
Are all these new faces a positive development? I’d like to think so. More people means more companies are taking security seriously, hiring more cyber soldiers and sending them to events like RSA for training.
Whether that’s a sustainable trend remains to be seen. According to those surveyed for our recently released Winning the Battle of the Budget report, CISOs expect their own budgets to go through more scrutiny as their bosses seek proof that infosec costs are providing business value and return on investment (ROI). Headcounts could level off as a result.
If all the new hires and their conference experiences result in fewer data incidents, the crowds will keep growing. Or, we could be staring at a human resources bubble about to burst.
Industry veterans also marveled at how young the new attendees are. Some believe millennials are clueless, a presence that threatens to dumb down the profession. Having met some smart, hard-working people of that generation, I don’t believe that line of thinking for a second. But going forward, they’ll have much to prove. They’ll need mentors to guide them in the coming years.
There are a lot of great sessions each year, and 2018 was no exception. But as happens every time, the most important thing you can do at RSA is meet as many new peers as possible and reconnect with older ones. We’re all in this together, and the more we can share notes, the better prepared we’ll be when the next WannaCry hits.
It’s great to see security becoming more mainstream. But as it continues to rapidly expand, I wonder if RSA is losing focus.
RSA used to be held in one place. Now it’s in two. Presentation rooms are a lot more spread out through the Moscone neighborhood than they used to be. The result is a lot of running around and not as much attention to the detail of the talks.
I don’t have a good answer for how we deal with that. Maybe RSA needs to run more shuttles throughout town to help attendees get from Point A to B. Perhaps getting around will be easier once all the construction is complete.
Either way, between the expanded geography and the influx of new people, RSA has some work to do if people are going to continue learning and growing.
Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.