The 2019 RSA Conference took place earlier this month in San Francisco. The event draws hundreds of vendors from the cybersecurity space and over 50,000 attendees for a week of drinking from the proverbial firehose. I sat down with three individuals from Alert Logic who have been attending the RSA Conference for more than a decade (or two) to get their thoughts on this year’s RSA Conference, as well as some insight on how the event has changed over the years and what the future might have in store.
Jack Danahy, Ryan Berg, and Tony Bradley are each respected cybersecurity experts, but they come from different backgrounds and view the past, present, and future of cybersecurity through slightly different lenses.
- Jack Danahy is the Senior Vice-President for Security at Alert Logic. He has created three successful security companies, holds 11 patents in a variety of security technologies, and has been a frequent speaker and writer on topics of computer and network security since the mid-1990’s.
- Ryan Berg is an Engineering Fellow for Alert Logic. Berg holds 17 patents and is a speaker, instructor, and author in the fields of security, risk management, and secure application development.
- Tony Bradley is Senior Manager of Content Marketing for Alert Logic. He previously worked in the trenches as a network admin and security architect. He was recognized as a Microsoft MVP in security and cloud for 11 consecutive years and has been a CISSP-ISSAP since 2002. He has authored or co-authored a dozen books on the subject of cybersecurity and writes prolifically for a variety of outlets.
These three have decades of experience working in and around the cybersecurity industry, and they have witnessed firsthand how the RSA Conference has matured and adapted—for better or worse—and how it reflects broader trends throughout cybersecurity. I asked each of them the same four questions, and here are their responses:
Jack Danahy
When was your first RSA Conference and what was your initial impression of the event?
My first RSA Conference was in January of 1996. It was held in the Fairmont Hotel on Nob Hill in San Francisco, and it was called, in those days, the RSA Data Security Conference. Security was a very different market back then, and RSA was a vendor of encryption products. The CEO was a charismatic fellow named Jim Bidzos, who was advocating for loosening restrictions on the export of cryptography, and who recognized that there was a growing community of people who were very interested in security and its increasing relevance to the young Internet.
I was very impressed by the other attendees, a few hundred of them as I remember it. Many were pioneers in the space, like Whitfield Diffie, Ron Rivest, Stephen Kent; innovators in cryptography and in its application. I learned volumes about advances in crypto technology and met leaders that I would see at this show annually for the next 23 years.
Why did you go to your second RSA Conference?
It was an easy decision to make. The Internet was still developing, and while I attended other conferences on incident response and threats, RSA 1997 provided a unique venue to hear about the ways in which organizations were trying to protect themselves. It was a conference focused on technologies that facilitated the creation of secure online interactions in those days and was unlike others where the emphasis was (and is) on solutions that test security, block or respond to attacks, or identify and mitigate vulnerabilities.
I also went to continue to develop my relationships in the space. There was so much to learn, and it was changing so rapidly, the ability to connect with others who were similarly engaged was priceless.
What was your chief takeaway from the 2019 RSA Conference?
My biggest takeaway from 2019 is that we have reached a point where there is just too much noise. There is real, physical, noise from vendors shouting over one another, but there is even more noise in the descriptions of the solutions. I walked the floor and actually snapped pictures of messages that were huge but said nothing. I am hard-pressed to know why “100% bot visibility and control” is an important feature, or why the analysis of “6.5 Trillion signals every day” matters to me.
I originally attended RSA to evolve my own security point of view in an environment that was solely focused on the young security community. I wasn’t distracted by presentations on other kinds of technologies, and I could explore the changing security landscape. At this year’s show, I feel badly for novices who come to learn, because the information sharing has been overshadowed by companies spending what was once unimaginable investor dollars on value propositions that are more and more niche, and on messaging that is mostly generic and less meaningful or clear.
As I leave RSA in 2019, I think that an attendee’s biggest security challenge would be understanding enough about the potential solutions to create an informed and balanced plan for implementing protections that are relevant to the business problems they are trying to solve.
How have you seen the RSA Conference change over time, and what do you think it will look like 5 years from now?
The number of exhibitors at RSA has grown almost as fast as the number of breaches, attacks, hacking groups, and vulnerabilities. In looking at the billions of dollars that have been invested in the space, I hope that we are at a point of inflection, where customer value and clarity will make their return as differentiators. Today, new companies pop up regularly to address very small and specialized areas of risk. Hopefully, customers are becoming more experienced and knowledgeable, and they will be more prescriptive in describing the kinds of protection they want most. When that happens, expect consolidation and organic technical evolution or technology acquisition from existing players, and expect less of the free-for-all that has driven the conference’s growth over the past 15 years.
Ryan Berg
When was your first RSA Conference and what was your initial impression of the event?
I believe my first RSA was in 2000 right after we built our first company, Qiave, a hardened Windows kernel protection system. The name, of course, was perfect for the time — if you could spell it you wouldn’t be able to pronounce it and if you could pronounce it you wouldn’t be able to spell it. I believe the virus of the day was Code-Red and Nimda. Static websites all over the place were getting popped and defaced. The times were different and the threats were different. I didn’t realize–even back then when the event was a fraction of the size it is today–how much security was a cry into the wilderness. While the problems were simpler, the security industry’s ability to communicate to the business wasn’t.
Why did you go to your second RSA Conference?
RSA is an annual trek for me after bringing three separate security products into existence. RSA is a great place to continue to see how far we have come as an industry, in addition to how much further we have to go. I have experienced the small booth security company trying to convince the world you have a new way to solve a security problem, and the medium-sized booth experience, looking for the next round of financing or business partner and making noise. I have also experienced the large company looking to show the world how they are leading the industry in all things security. There is so much happening at RSA, even though I don’t like to travel, it is hard to imagine a time when I won’t be there.
What was your chief takeaway from the 2019 RSA Conference?
RSA 2019 has probably been my best RSA that I can remember, though the reasons may come as a surprise. The size and complexity of the show really offers something for everyone to find value. Security seems front and center, and much of our public discourse shows we have matured as an industry, but unfortunately while we have gained a voice we now struggle with the solutions. The problems have only grown in complexity and the sheer number of solutions and new words that we are expecting people to understand is also growing exponentially. Ultimately people want security to be someone else’s problem, it shouldn’t be any harder to buy “security” than it is to buy a toaster. When you buy a toaster, you know what value it provides. Does it make a good piece of toast? With security it isn’t that way, but I am seeing companies begin to lead in solutions rather than delivering products that people simply can’t take advantage of because they lack the ability to acquire the right talent, maintain that talent, stay up to date on new threats, new languages, new products, faster networks, and monitor all the things. Security should be like that toaster and what made me most excited about RSA was that I came away with the feeling that the direction of this ship is turning.
How have you seen the RSA Conference change over time, and what do you think it will look like 5 years from now?
RSA will continue to be the place where security gathers, (at least in North America) once a year to tell ourselves how far we have come, and how much further we have to go. I believe we will continue to see more companies delivering security solutions and not security products, ahem problems. A lot will have changed while at the same time very little. I know I will likely have a lot more gray in my beard, and I will have to be a lot more careful with my hair as it will likely be touching the ground.
Tony Bradley
When was your first RSA Conference and what was your initial impression of the event?
My first RSA was in 2008 I believe. I was not familiar with the conference, but I had started working with Zecurion in a marketing role and they asked me to attend and help man the booth. One of the things that stood out right away was simply the sheer size of the event. I had worked in and written about network and computer security a decade at that point in time, and I was very aware of the household names in the market like McAfee and Symantec, but I was not aware there were so many smaller cybersecurity vendors out there. The second thing that I recall is being amazed at how ostentatious it was—both in the investment in the vendor booths themselves, and the investment in the events and activities (let’s be honest—the parties) around the event.
Why did you go to your second RSA Conference?
Zecurion and I parted ways, but I returned to RSA because I had made the decision to go full-time in my role as self-employed tech journalist and freelance content creator and RSA is where all of the companies and people I wanted to learn about and write about would all be in one place at the same time. The RSA Conference is the focal point of the year for most cybersecurity vendors, so that was where I would find the stories I needed to write. At that second RSA and every RSA after that, though, I learned that the vendors and the announcements are great, but the real value of attending RSA is the networking and making connections—both with cybersecurity vendors and professionals, and with other tech and information security writers.
What was your chief takeaway from the 2019 RSA Conference?
The main takeaway I got from this year’s RSA Conference is that machine learning (ML) and artificial intelligence (AI) seem to have matured. ML and AI have been tossed around as buzzwords for a few years, but there seemed to be little understanding of what they actually are or how to employ them effectively for cybersecurity. When a company would say machine learning or artificial intelligence, I would generally roll my eyes, give a sarcastic smirk, and keep walking. This year, though, I feel like many vendors have moved past the buzzword stage and are taking ML and AI seriously. There seemed to be much greater understanding of the potential benefits, as well as the caveats and pitfalls. Organizations seemed to recognize that ML and AI can be great tools, but they are not magic solutions and that ML or AI that is not properly developed and implemented may have tragic or unforeseen consequences.
How have you seen the RSA Conference change over time, and what do you think it will look like 5 years from now?
The RSA Conference has evolved to be so much more than just the RSA Conference now. The RSA Conference itself has grown massive—the number of attendees and the hundreds of vendors now fill Moscone North and South and the connecting hall in between. The RSA Conference has spilled over into Moscone West and the Marriott Marquis. But, above and beyond that, there is also the Cloud Security Alliance Summit, DevOps Connect, BSides San Francisco, AGC Partners Conference and other alternate or counter events going on simultaneously. You could go to San Francisco during this week and attend briefings and keynotes all week without ever attending the RSA Conference at all.
It’s difficult to imagine five years from now because the RSA Conference—and the surrounding events and activities—continue to grow and expand, but it seems they have pretty much maxed out the capacity of San Francisco. Every hotel is booked, and every restaurant and bar in a 5-mile radius is closed for private events. That said, I am confident it will continue because it is the premier event every year for cybersecurity vendors and cybersecurity professionals, and the exchange of ideas and launching of new products and services is important.
Summing Up
It’s easy to look at the history of cybersecurity and become somewhat jaded. At face value, hundreds of companies and tens of thousands of people show up every year to talk about essentially the same problems and incremental or iterative improvements on basically the same solutions. It isn’t quite that simple, though. New technologies are introduced, and new attack vectors and techniques emerge every year. We continue to face similar problems year after year, but they are across a constantly shifting ecosystem and a much larger pool of devices.
The fact is that we won’t ever “solve” cybersecurity. There won’t magically come a day when these discussions, tools, and services will just not be necessary. What will hopefully happen, however, is that cybersecurity will become more effective, while also becoming simpler and more streamlined. Ultimately, people don’t attend the RSA Conference because they want to buy the latest cybersecurity products. People want less stress. They want peace of mind.
If the insight and predictions from these three cybersecurity veterans holds true, we can expect to see a shift in cybersecurity to focus less on specific products and more on how to reduce anxiety and enable customers to manage and grow their businesses with confidence.