Jack HammWow! What a fun time I had at RSA 2018 in San Francisco. I’m a bit embarrassed to admit it but this was my first RSA conference. I enjoyed meeting with peers, seeing the show floor and attending some amazing talks. I learned new things and came away reinvigorated to work in the cybersecurity industry. While practitioners still face complex challenges, I was encouraged by all the great people trying to keep the world safe from attacks and breaches.
What I Learned as a Newbie at RSA
#1. Keep to a schedule
Seriously, RSA is overwhelming. If you’re a bit of an “Oooh, shiny lights and squirrels!” person like me, then you’ll easily become overwhelmed and distracted. Creating a schedule ahead of time will keep you on track and at least put you in the right building — even if you abruptly decide to attend a totally different talk than you had originally planned because the sign makes it sound much more interesting.
#2. Budget for travel time between buildings
It’s easy to get caught up talking to colleagues and new contacts, walking the show floor or getting a coffee — I recommend Blue Bottle. However, due to the ongoing building construction around the Moscone Center, and what often felt like vast distances between buildings, it often took longer than I expected to get to my next destination. I quickly learned to leave early to make sure I got a seat at sessions. PRO TIP:
If you’re attending a lab, your pre-registered seat is only held for 15 minutes before the lab starts — so get there early!
#3. Balance wandering time with focused searching
Have a plan for how to manage the Expo or be prepared for a kidnapping by vendors! The show floor can be the most overwhelming part of RSA if you’re not careful. There were thousands of boxes, endpoint agents and other solutions promising to save attendees from the bad guys. Differentiating between them was a formidable task to say the least. My strategy was to allocate approximately two hours for random roaming to catch serendipitous meetings and then use the rest of my time more intentionally. For example, I dedicated several hours to specifically meet vendors that may help complete my 2018 security plan.
#4. Don’t forget to network and unwind
There are loads of cool folks at RSA, so make sure to build time to head over to the nearby W Hotel to get a drink and network. I found people were willing to chat with strangers on the state of security and how we can move into the future with a good posture.
My Main Takeaways from RSA
#1. We’re in grave need of improved network visibility to feed the myriad tools
Without a mechanism to feed shiny boxes, tools are basically useless. This realization was driven home in a lab I attended titled, “How to Measure the Security of Your Network Protection Devices” by Winn Schwartau and Mark Carney.
Amongst their many astute observations is the idea that viewing security as a binary situation is fundamentally flawed. Moving to a model where security lives as a function of trust on a time domain gives us a much more accurate and actionable method for securing networks.
Security is a function of detection time plus response time — leading to the obvious conclusion that if you have infinity in that equation, your security will drop to zero. An easy way to have a problem is for detection time to be infinite by, for example, you never see the traffic. It follows then that visibility is absolutely critical to enabling the boxes.
#2. SecDevOps — the order of terms is key — is gaining a ton of traction
When it comes to industry nomenclature, it makes sense that we put security up front to avoid the traditional “greased pig over the fence” problem. Security is taking a cool new approach of informing business decisions, and I think that’s wonderful. Before I defected to SecOps, I was one of those people who dreaded the inevitable argument with InfoSec and the dance that ultimately resulted in ignoring each other. It’s awesome to realize that security is bridging functions throughout the industry and building the partnerships needed to support business.
#3. Security practitioners care about people
I loved hearing that so many practitioners have a strong defender mentality and are committed to protecting those who are unable to protect themselves. I think this level of engagement is sometimes overlooked when we’re overly focused on worrying about GDPR or Spectre or the latest CVSS 10.
It’s always a good reminder to realize that behind all the technical minutia there are real people who are suffering from real harm and that our expertise as practitioners can help alleviate that suffering. Security isn’t just some abstract goal to achieve, but rather a meaningful solution that can save lives, grow the economy and create a positive impact in the world.
Keep up the great work folks! See you next year at RSA!
