
What I Learned at RSAC

By Adrian Lane

I was surprised at the negative tweets and blog posts after the RSA show this year, many by the security professionals at the core of this industry. I have been to RSA most years since 1997. This year, discontent and snarkiness seemed to be running high. “There is nothing new.” “There is no innovation.” “The vendors are all lying.” “These products don’t work as advertised.” “I have seen this presentation before.” “That attack won’t work in ‘the real world’.” I saw nobody excited about the concept of winning a car – what’s up with that!?! You know it’s bad when attendees complain about booth babes – booth babes! – and then go to the Barracuda party. You know who you are.

This year, like most years, I learned a lot. I got a great introduction to mobile OS security from Zach Lanier (Quine) over dinner. I learned a lot about Amazon EC2 and related security issues. I learned that a vendor may have lied to me about their key manager. Jeremiah Grossman’s presentation got me thinking about how I can improve my Agile SDL presentation. I learned that CIOs and CISOs are still struggling with the same challenges I did 10 years ago, and falling victim to the same role, organizational, and communication pitfalls. Chris Hoff answered a question on why app-level encryption will probably scale better when protecting data in VMs. Talking to attendees, I learned there are a couple of technologies that are still giant mysteries to average IT professionals. I learned that far fewer developers have worked within an Agile process than I expected. And by watching security and non-security people, I am still learning what makes a good analyst.

Beyond what I learned, there is the whole personal side of it: meeting friends and getting some of the inside stories about security breaches and vendors. I got to meet, face to face, a couple of the people I criticized here, and was relieved that they appreciated my comments and did not take them personally. I got to meet people I admire and respect, including Michael Howard of Microsoft and Ivan Ristic of Qualys. I got to talk Rugged software with a very diverse group of people. But perhaps the biggest single event, and the one I have the most fun at every year for the last four, is the Security Bloggers Awards – where else in the world am I going to attend a professional gathering and see 50 friends in the same room at the same time?

I recognize that only about 35% of this is due to sessions and RSA-sanctioned events; but all the other training sessions, parties, and people would not be in San Francisco at one time if it were not for the conference. The sheer gravity of the RSA Conference pulls all these people and events together. If you’re not getting something out of the conference, if you are burned out and not learning, look in the mirror. Not every year can you be hit on the head with a career-altering revelation, but there are too many smart people in attendance for you not to come away with lots of new ideas and reshaped perceptions. I am overjoyed that I can still get excited about this profession after 15 years, because there is always something new to learn.

Comments

I’ll swing the tone a bit.  This was my first rsac, and going in, I knew that the “show” was the thing.  I attended some good sessions and some not so good sessions.  I didn’t attend keynotes by CEOs as I felt that I was not going to get the substantive information that you would get talking to someone who may actually deliver or configure the product.

I enjoyed the non-security talk by Michio Kaku and the session on the Murder Room.  Deviations from pure security that help to see the world in different ways.  I came to rsac looking for slivers of inspiration and in a few random corners I found some.  Enough to justify the time and cost?  Probably not.

rsac’s targeted audience felt more geared towards budget approvers and those who can actually spend money with bits thrown in for the implementers of the world.  For those charged with day-to-day operational responsibilities, Blackhat, Defcon, CanSec, Shmoocon, Bsides, etc are probably a better investment of time and money.

By kivumanzi


@another known one - There are so many aspersions in your comments I don’t know where to start. Perhaps you are confusing us with someone else? We do not provide ‘private’ RSA sessions - and while I appreciate the clever way you made it sound like some sleazy ‘VIP’ room - I am just not sure where you are getting your information. Fact is we do not get paid to speak at RSA. We do not get paid for sessions or to participate on panels. We do not get paid to travel there. There are no per diems provided. There are no free hotels provided. I don’t even own RSA stock. I concede there is lots of free booze, but that’s not the incentive it was 10 years ago.

Are lots of our clients there? Heck yeah! Both security vendors, investors and the customers who ask for our advice. We’d be stupid not to catch up with them there, and even dumber not to investigate possible business. Despite all of the free research we provide we do actually have to feed our kids/dogs and pay our mortgages. There is an added benefit that if people like what we have to say at a session, maybe we get contacted for business in the future. Or maybe we suck and no one calls. It happens. We would be stupid to not talk business if there is an opportunity, but we don’t get compensated to go there, and we don’t get paid to promote the conference. Please don’t imply that enjoyed = paid because you disagree with my viewpoint.

-Adrian

By Adrian Lane


Securosis has a vested interest in RSA, don’t they? Don’t you provide private sessions, the breakfast and other events? Don’t you guys spend/make $ off this show? Isn’t it one of the bigger marketing campaigns you have every year?

Is the breakfast free? Is the time you put into the RSA conference guide free? And all of your employees’ time/flights/per diem/etc, I hardly think any of this goes without costs. As a research firm, these types of shows benefit you and the new “clients” you bring on. From what I have seen over the years, you have clearly spent more money (time) on this show than most. I would consider that a vested interest that spans much further than “invigorated by the show.”

By another known one


@You - “you are out there defending your personal vested interest in RSA and the $ Securosis has spent over the years”.  WTF are you talking about? Seriously? I don’t understand ‘personal vested interest’ because I have no personal vested interest in RSAC. What do you mean “$ has spent over the years”? Conference registration?

I wrote the post because I was actually invigorated by the show this year - mostly for off-conference stuff, but the presentations I saw were really good. Lots of attendees talking about tech that I worked on 10 years ago, which is boring, but was what of interest to general IT practitioners. I admit I hold a minority opinion. Your claim I have some vested interest in promoting the RSA conference is total B.S.

I don’t have a vested interest in Black Hat, Defcon, OWASP or Source Boston either, in case you were going to make that claim as well, but I like going to those shows for exactly the same reasons.

-Adrian

By Adrian Lane


Hey there! Just have to weigh in on this one. I think it is great that you are out there defending your personal vested interest in RSA and the $ Securosis has spent over the years. It is nice to see event supporters try to issue a positive spin no matter what the community has to say.

I for one, had never been there before. I have heard all the hype and over inflated importance of ALL of the talks *as mentioned in the “premier conference” comment above* and decided I should try and see what all the fuss is about. Unfortunately, I was met with GREAT disappointment. This show, far more than many I have been to, appears to have an air to it that is less about education and more about display. I wish I had known that beforehand, but unfortunately I READ the marketing material and was led to believe the opposite.

So in short…. I agree with this “un named” group of people * or maybe I am part of it? 

IMO

There was little innovation

There were many rebranded or refreshed solutions created in 1970-2000 (funny to tie the *new* innovations to that history wall)

There were paid girls at an NSA crypto booth! Come on…. *though we did talk for a while and they decided to not show on the last day*

I agree that the parties were fun and the “hallwaycon… or better stated BarCon” was of great value but those events are NOT RSAC!

I think it is awfully self-serving to put burnout and a “mirror check” on those with the salt to ask people to try harder. Maybe the fact that you had to post this rebuttal should allow YOU to look in the mirror and ask “When did I accept the status quo and stop asking questions?” Driving innovation and creativity is what has made this industry attract a wealth of “smart people.” What is the point of degrading and attempting to demoralize those who KNOW that the “smart people” on that floor had more to offer…and had the guts to ask for it?

By you know who this is


Adrian,

Thanks for attempting to put a positive face on the RSA Conference. I agree that there were nuggets of good information, but I would expect that from a conference just starting out. For the RSA Conference that promotes itself as the premier security event in the world, every presentation should be worth listening to. So much so that you look forward to the email from RSA allowing you to view the talks online that you missed in person.

Additionally, I expect security pioneers to speak at a security conference. I am sure President Clinton is a great speaker, but as a security professional, I want to hear from the security technologists that are building, breaking or defending technology. I liken this to attending a medical conference for cardiologists and having the keynote delivered by a dentist. He may have great things to say, but how does it apply to the cardiologist?

As for the social aspect, I agree this was the best part of the conference, but with Black Hat, Defcon, Source and B-Sides there are many more smaller, intimate conferences that cost less and in this down economy ultimately provide more value than RSA. In the end, will I stop attending RSA? Not as long as I have the means, but if the day comes that I have a fixed budget for events like this, it will be the first to go.

By SecureTom


@Private Citizen - That’s actually a really good idea. I’ll do short posts on each over the coming weeks.

-Adrian

By Adrian Lane


Found your site from KrebsOnSecurity and your SocSec Award. Congrats!

If you get to the point where you’re looking for topics to write about, I would be very interested to read your take on numerous assertions above ;-) (many not directly related to security, but your experience sounds valuable).

> I got a great introduction to mobile OS security…

> Amazon EC2 and related security issues.

>how I can improve my Agile SDL presentation.

*** > I learned that CIOs and CISOs are still struggling with the same challenges I did 10 years ago;

***** > and falling victim to the same role, organizational, and communication pitfalls.
Each one of these aspects would be a very interesting post!

> why app level encryption will probably scale better when protecting data in VMs.

**** > a couple technologies that are still giant mysteries to average IT professionals.

> I learned that far fewer developers have worked within an Agile process than I expected.
I’m looking for work now, and I too am surprised at how few places mention Agile/Scrum, et al. in job descriptions.


*** >  I am still learning what makes a good analyst.


** >  getting some of the inside stories about security breaches and vendors.
Write them up with ‘names have been changed to protect the innocent’ (and not-so) ;-)

Thanks

By Private Citizen


Nice piece, Adrian—and it was good to meet you too.

The general sentiment I heard from vendors I talked to was that the overall mood was better at RSA this year and there were more end-users (as opposed to vendors and partners selling to one another).  I can’t form an opinion, as this was my first RSA, but I’ve been to a lot of other conferences and I really didn’t see much difference between this one and other “commercial” ones.

That being said, I did see some interesting stuff going on, and I think it’s our job to seek it out and nurture it.  And get rid of both the booth babes AND the party babes.

By shrdlu


A couple of observations-

First, I heard more people and companies outright lying on the show floor than normal.  Maybe it was just my vantage point, but there are people and companies I *used* to respect in this industry who blew it last week.

A related issue was that the expo floor seemed more full of vendors attacking the competition (often with sleight of mouth) rather than promoting themselves.  This always happens, but it seems to be getting worse.  And RSA is a focal point for it.

And the “booth babe” thing- while your point is valid, I believe there is a big difference between the “opt-in” nature of the Barracuda (or any other) party and the trolling-the-show-floor, in-your-face “booth bait”.

By Jack Daniel

