Blog | How Bad Was RSAC19?

Jason Johnson, CISSP, PMP, FHIMSS

President-Elect, HIMSS Northern CA
Information Security Officer, Marin General Hospital

March 2019

Maybe it’s just the algorithms that program my news feed, but hate is abounding towards this year’s RSA Conference in San Francisco. For the uninitiated, the RSA Conference (RSAC) is the largest annual gathering of information security professionals in the world. In the court of public opinion, RSAC was gravely disappointing. Order, order! The court is now in session.

In my newsfeed, the charges leveled against RSAC19 are:

  • Neglect in the 1st degree
    • I didn’t get anything from the sessions I attended. “I picked the perfect schedule and am offended that they weren’t exactly tailored to me!”
  • Assault in the 2nd degree
    • The expo floor was SO overwhelming. “I cannot believe that companies would send their marketing and sales professionals to accost me!”
  • Misrepresentation
    • Some percentage of the vendors showcasing their product don’t understand my needs and won’t be here next year. “EVERYONE should be polished and know my exact use cases!”

Ok, the bullets above might be a little facetious, but they sum up what I have read over the last few days. I poke a little fun, and those who pressed charges aren’t completely incorrect, but it also isn’t as black and white as many make it out to be.

Some bright rays of optimism and positivity did punch through the clouds of despair! Tales of accidental run-ins with the industry elite (for me it was Gary Hayslip #CISOapproved), learning about new behavior-based detection tools, password alternatives, and, more than anything, connecting with trusted partners and long-lost accomplices in the world of information security.

Interestingly, some of the negative write-ups included positive anecdotes but didn’t connect the dots between the good and the bad. Can you have the good without the bad? Can you run into your idolized legend at The W Hotel Bar if he wasn’t in town presenting a session that you’d later pan for your online audience?

Ultimately RSA is what you make it. This is true for any large, international conference regardless of the subject matter, and I learned this the hard way at the annual HIMSS gathering several years ago in Chicago (now moved to Orlando and Las Vegas). It was daunting. Over 70,000 HealthIT nerds, analysts, providers, vendors, and sycophants descended on an unsuspecting city just like the cyber warriors parachuted into San Francisco this week. It was overwhelming, vast, exciting, scary, and awe-inspiring. The sheer concentration of talent boggled my mind. Initially I didn’t know what to think; I was scared and didn’t have a plan, so I blamed the event for being “too much”, “disorganized”, and generally exclaimed “WTF” at least once an hour. After I got home and binged House of Cards for two days to recover, I resolved to come up with a plan instead of dwelling on my gloomy perceptions.

Boom. The value suddenly came into focus. The event didn’t change – in fact it got bigger and more complex. Rather, I changed my expectations, schedule, and execution. I have done the same with RSA over the last several years. This year I asked myself some simple and important questions a few weeks before stepping foot into Moscone. At the most basic level it boils down to attending with purpose.

  • What are my organization’s InfoSec priorities? Pick 3 or 4 and don’t deviate. Things like data loss prevention (DLP), identity management, and incident response.
  • Who do I NEED to talk to? Partner relationships, new product demos, etc.
    • Bonus points for who do I WANT to talk to
  • What do I want/need out of this week in general? Am I focused on parties and swag (nothing wrong with that!), learning about new products, or advancing my own knowledge in areas that I’m lacking?
  • How will I spend my free time (if there is any)? Early stage expo? Full expo? Hanging out at Starbucks? Catching up on email? Meeting friends?
  • What do I need to bring back to my organization? Spoiler alert: this is easy to answer if you fully consider the previous questions
    • These events aren’t cheap – how am I maximizing my organization’s investment in these few days?

I am disappointed in all of the hate towards RSAC this year. As a community we need to collaborate now more than ever. If you wrote something negative about the conference this year, I don’t mean to put you on blast. I do ask, though, that you channel your energy towards making next year better. Many talented, smart, innovative, and dedicated security professionals are at the helm of this event. Give them real and actionable feedback, apply to speak on a topic that you’re passionate about, or at least commit to planning your experience with purpose.