The Many Forms of Education at the RSA Conference

By Michael Farnum

This year, I attended my fifth RSA Conference. I have been to RSA events with grand themes such as 1920s-era gangsters, a cryptographer from ancient India, Edgar Allan Poe, and others. And, while the themes were always clever, impressive and essentially applicable to the industry, they seemed to create a sense of grandeur that masked the main reason that we should go to conferences - to learn. At these wildly themed conferences, the showroom floor and the after parties became the main attraction. And, though many of the sessions were still very good, the overall aura of the tracks was tainted with a bit of a technical gap that other shows filled. In general, people went to San Francisco to rub elbows and party, and the educational aspect of the conference began to get a bit lost in the lights. But things have changed. It is evident to me that the people planning the RSA Conference are fighting the good fight to bring education back to the forefront.

First, the RSA Conference organizers have toned down the splendor in the last couple of years. This seemed to start in 2011, when the theme was more understated. The colors and decorations in the event area itself were toned down and even calming. The 2012 event was much the same. The opulence, though still there and arguably necessary to some degree, took a back seat to an emphasis on learning.

Second, the conference itself seems to be accepting more technical presentations. I know that friends of mine and I have often given opinions on feedback forms and surveys that we would like to see more technical content. From what I heard, 2011 had much of that (I wasn’t able to attend, so I can’t speak to the sessions). But I definitely saw more technical-leaning tracks in 2012. Now don’t get me wrong. The value of the RSA Conference is not going to be determined by a bunch of cool attacks that may or may not add value to your security program. Just like Robb Reck said in his post at Infosec Island, the RSA Conference “does not make the news like DEFCON or Black Hat with all the newly released hacks”. But having a bit of focus on the technically deeper content is not a bad thing. It attracts a more diverse crowd, which crosses the divide that often exists between the technical folks and the managerial/administratively-focused crowd.

And then there is the expo hall. If you have not seen the expo hall, it can be awe-inspiring the first time you walk in. There are huge displays in the middle of the floor where large security product and service vendors have mini theaters, balconies, cars, all-terrain vehicles, lights, etc. As you walk from the center floor, you get into medium and then smaller booths of a lot of point-solution vendors. It is truly a sight to behold. But some people view this display negatively because it represents the monetization and productization of the security industry. I understand the push back against point solutions to solve point problems that don’t take into account the larger security picture. Heck, I have as much fun as the next person playing buzzword bingo while talking to vendors on the floor. But, it is also true that the industry needs pioneering folks like small security startups and large security firms that offer diverse products and services. It is reality that security gaps need to be filled. Policies need controls. One of those controls might be a piece of technology that the security director/manager finds on the expo floor. Or maybe one control is a service that the CISO finds while talking to consulting firms on the expo floor. Either way, the large, medium, and small displays add value to the conference.

As far as the after parties and the elbow-rubbing, that will never go away – this is a reality of all events such as the RSA Conference. But it does not have to be seen as undesirable. Interaction presents great opportunities for valuable face time. As I said earlier, education should be the primary emphasis of any security conference. But that does not mean that the education only happens in sessions. Just like the ’49ers of the California Gold Rush, you often have to work hard to get valuable bits of information. The RSA Conference brings many people from many places together to talk about information security, which can offer a lot of information concentrated in one place. People can go to the RSA Conference and speak about their problems to peers (P2P sessions at the show are always exciting and engaging). Trends that may have escaped one person may get revealed in discussions with others. New technology tools that can fill gaps in a manager’s security program abound on the expo floor. All one needs to do is be willing to converse, and those valuable nuggets will be found.

So all in all, I am very positive about the path the RSA Conference is taking. I see an event that is pushing for a constant evolution in order to meet the needs and wants of the community. The organizers are definitely listening to the community. Infosec professionals feel the enhancements, and I see it becoming a better and better show in the years to come. Don’t take it off your conference travel plans, folks. RSA is becoming more and more impactful to the community.

P.S. A point worth mentioning is that the San Francisco Security BSides conference was held during the first couple of days of RSA, within about 200 yards of the convention center. There was a fairly large group of security practitioners in attendance that some might not have thought they’d see at RSA (I can attest to the fact that I saw many more tattoos at the RSA Conference this year than I have in the past, which we all know is proof positive of “real” hackers, right?). For those of you not familiar with the BSides events, go check them out. The shows have an “un-conference” feel and offer a grass-roots view of the industry that is enlightening to say the least.  And, while many people that attended BSides went to RSA, I thought it was really great that the opposite was also true. In fact, one of the BSides speakers told me that he was forced to talk at a higher and more strategic level in his BSides talk, which was usually very technically deep. This was because there were regular attendees of the RSA Conference at BSides, and they were asking questions about how the issues he brought up in his presentation could affect their security program and security posture as a whole. That intermingling of the different groups can only add to the discussion and greatly benefit the community.