Wanted to post my highlights of the RSA show. Rich and I meant to post daily updates about our experiences during the show, but we were quite literally in meetings or gatherings from 8:30 AM until we went to bed each night. No chance of writing and posting from a secure connection. I have a stack of 70+ business cards sitting here on my desk, and I gave out almost all of the 200 I brought with me. I can barely remember talking to that many people over the course of the week.

The weather was awesome. Warm. Actually, very warm. For those of you who don’t get to San Francisco too often, it was about 20 degrees hotter than it was supposed to be Sunday through Wednesday. Rich and I usually stay at a funky little hotel that is close to Moscone; it’s cheap and we are never in the rooms for very long. However the older hotels lack air conditioning. In fact, if you want to get cool air, you open the window. Sleeping in a 90 degree room with big city traffic outside your window does not make for a restful visit. When you combine 15 meetings a day on four hours of sleep, things begin to blur together. But both Rich and I had an awesome time, and spent the entire weekend recovering from sleep deprivation.

Best Food: The Venrock party was held at ‘Two’, which is a nice little restaurant off Howard and somewhat hard to spot. The food was simple ‘Cowboy’ fare: barbequed tri-tip – carnitas like shredded pork and roasted chicken, but simply amazing. We were planning on going out to dinner but our plans were promptly discarded when we tasted the food. We ate until they took the trays away. I am going to have to go back there for dinner!

Best Party: The Security Bloggers event, if for no other reason that there were so many interesting people there that I talked until my voice gave out. Good friends, good food, good drink, and good fun!

Best Presentation: I am probably disqualified from this category, but I am putting out my nomination anyway. I was only able to attend a half dozen presentations, and I knew both the people on stage for my favorite, however there was one clear winner from what I saw. Rich Mogull and Chris Hoff on Disruptive Innovation simply rocked. Biased? Sure. Small sample size? Sure. But on a Friday morning, to fill a conference room and have no one leave is pretty amazing. To cover 160 slides in 50 minutes and make sense is astounding. When it becomes available on the RSA site, you tell me if it was not the best preso! Special mention goes to Brian Chess and Gary McGraw for another interesting Friday talk on secure coding and the release of the Building Security In Maturity Model. http://www.bsi-mm.com/

Attendance: Officially I was told that the numbers were off about 22%. Lots of the vendors along the edges of the exhibitor hall were complaining that they were not getting anyone by their booths, but I have seen that first hand in past years as well. What I did not see were the people with shopping bags loaded with tchotchkes and stuff – instead I saw people legitimately there to see what the vendors offered. Seemed like the people who had company budget to show up were there to learn from the sessions, visit a couple vendors they were interested in speaking with, and that was about it. Not many people looking for innovation, but their existing vendors to get better at what they do, or in some cases, what they are supposed to do.

Biggest Surprise: How many of you knew Webroot has a complete email and web security service offering? I cover the space and I did not even know until this week. Kind of a strange time to start, but the service based offerings makes switching very easy to do. And if Postini’s ability to filter spam continues to slide, I think Rich and I will begin looking at other vendors. If we are, I will bet others would consider this as well.

Favorite event: First annual Securosis Recovery Breakfast (which will be named The Disaster Recovery Breakfast in the future, thanks Mary Catherine) was a big hit. Jillian’s was really nice to us and gave us the entire restaurant. We had about 70 people show up. No screaming over the noise, no elbow to elbow crowds, lots of chairs and good food. It was different than anything I have been to at RSA, and I am glad Rich had the idea. Relaxing fun, so we will definitely do it again next year.

Theme: Security. This may seem obvious to some of you, but it should not be. We have gone through previous years where every vendor was a one stop shop for solving your compliance problems, and we have seen every gadget and appliance marketed to us as the one and only solution for Governance, Risk and Compliance. I expected to see 500 vendors telling me how they could secure the cloud, but I only saw a smattering of that. While I know a very large percentage of revenue is derived from compliance spending, the message was back to security, and I think that is a good thing! The buyers are beginning to see that operational controls, compliance, and security are closely linked needs.

Saddest Scene: It’s a security conference. We are security professionals. We read about how easy it is to hack wireless end points, and that man in the middle attacks are sometimes trivial for a skilled hacker, but common traffic sniffing is usually sufficient to gather user accounts and passwords. This is not a big secret. Yet there was always a group of people grouped around the wireless access points, gathering their email and checking their eBay bids. Are you freakin’ nuts? RSA needs its own “Wall of Sheep”!

One last comment: How many of you ran across the guy sitting on the corner of 4th and Mission, just north of Starbucks, with a camera attached to what looked like a cell phone apparatus? It dawned on me that with a hot-rodded RFID reader I could get the picture and contact information for half the RSA attendees in a couple of hours. I am wondering if I am going to see a presentation on this at Black Hat?