Many Thoughts about RSA 2016

RSA 2016 was a whirlwind of meetings, discussions, and cocktail parties.  Now that I’m back home and have had a weekend to reflect on the conference, here are a few words to describe my impressions of this year’s show.

1.       Crowded.  I heard that attendance was up 15% this year, meaning that there were roughly 40,000 people at RSA.  It really did seem more crowded in the halls, on the show floor, and even in the bathrooms than in the past.  And while RSA has evolved into an industry-first event, I did meet a lot more cybersecurity professionals who were attending the show this year.  With the current threat landscape, it’s easy to imagine that the show could draw even more attendees next year. 

2.       Fear.  In spite of the crowds and festive atmosphere, there was also an undercurrent of fear at the show on two fronts.  First, there is a general fear about the threat landscape and sophisticated cyber-adversaries.  I heard a number of scary stories from some of my security researcher and threat analyst friends in attendance.  There was also industry fear as well.  The stock market is down, the IPO market has disappeared, and there is a general uneasiness about future VC investment in the cybersecurity market – especially in light of the recent Norse implosion.  In a blog I wrote earlier this year, I predicted a VC panic, leading to a lot of bargain basement M&A activity.  After attending RSA, I think that these deals may start happening soon.

3.       Hype.  An outsider attending RSA might think we are selling vinyl siding rather than sensitive data protection.  I actually heard statements like, “no false positives,” and “100% protection” while walking the show floor.  Ay, ay, ay, no wonder why cybersecurity professionals are so cynical.  Maybe it’s just me but I believe the industry needs a hefty helping of humble pie.  We need to remember that our role is to protect sensitive data, IT systems, and business assets, not sell soap. 

4.       Confusion.  What’s worse than mere hype is that the supply-side of the industry is totally confusing its customers.  Case in point:  I gave a presentation on “next-generation endpoint security” to about 400 conference attendees.  I started my presentation by asking audience members to raise their hands if they thought they’d heard a clear definition of “next-generation endpoint security” from any vendor.  Not one hand went up in the entire room!  Note to the cybersecurity industry: You are losing your valued customers to rhetorical nonsense.  Winning vendors will offer cogent descriptions, real-world examples and actual help while eschewing Madison Avenue nonsense. 

5.       Overwhelming.  RSA 2016 was a bit of a microcosm of the state of cybersecurity today.  When I asked cybersecurity professionals what they thought of the show, many expressed the feeling that it was overwhelming – too many exhibitors, vendors, presentations, parties, etc.  Funny, but this is exactly how these same folks describe their day-to-day professional lives as well.  There is an acute cybersecurity skills shortage so many organizations continue to be understaffed and under-skilled with cybersecurity.  Industry hype, confusion, and W hotel parties aren’t making things any easier. 

6.       Hope.  Okay so RSA was clearly over-the-top but it wasn’t all bad.  In between the hyperbole, there were a lot of worthwhile discussions that provided a glimmer of optimism.  First, the show began with a headline about incident response automation and orchestration when IBM announced its acquisition of Resilient Systems.  This led to lots of talk about how technology can improve cybersecurity productivity and efficiency as a countermeasure to the global cybersecurity skills shortage.  Other vendors like Bay Dynamics, Phantom Cyber, and ServiceNow had similar news.  I’m also encouraged by innovation in artificial intelligence and machine learning algorithms for cybersecurity, though it’s early in this game.  Companies like Forcepoint, LogRhythm, LookingGlass, Niara, and Splunk come to mind.  Finally, I’m seeing the maturing of managed services from basic monitoring to proactive hands-on support.  Dell’s “red cloak” endpoint detection/response initiative and Symantec’s investments in new managed security offerings are good examples here.

I admit that I was over-stimulated and overcome by the constant barrage of industry activity last week but I’ve come to accept this as an annual occurrence.  In between all of the banal activities, I did have some sober conversations and saw a lot of cool innovations.  That should keep me going until Infosec Europe and Black Hat.