Over 45,000 people descended on San Francisco last week for the annual RSA conference, the biggest information security convention in the world. I was one of them.
This was my third RSAC, and a few things struck me as noteworthy compared to years past.
The People — Diversity was the most obvious difference this year. There were a lot more women at the conference, both in the speaker lineup and in the audience.
On the show floor there was not a single (obvious) booth babe in sight. Sure, there were a couple of ladies in electric pink jumpsuits who pivoted all questions to the men in their booth, but overall, vendors seem to have gotten RSA’s message to cool it with the female lures.
In response to last year’s lack of female speakers debacle and OURSA, RSA made a conscious effort this year to be more inclusive to both women and people of color. One of the seminars last Monday was fully dedicated to women in security. Organizations like the Women’s Society of Cyberjutsu (WSC), Women in Security and Privacy (WISP), the Executive Women’s Forum (EWF) and others shed light on the lack of diversity in tech, the challenges of attracting and retaining women and minorities and, most importantly, provided actual tips on how to address them.
Learning that there are companies out there that are on their way to solving the diversity gap was very refreshing. As Emily Heath, VP & CISO of United Airlines, said, “It’s got to be intentional.” Companies need to make diversity and inclusion a part of their DNA. In order to solve problems that have never been solved before, organizations need people with diverse ways of thinking. One way to do this is to demand diverse interview slates and actively look for people with different backgrounds.
Caroline Wong, VP at Cobalt.io, said that “Values have to come top-down.” She also touched on the importance of fostering “psychological safety,” addressing depression and burnout, and building the right culture that values and retains employees. “Diversity ends up happening because we’re trying to keep the best people.”
Perhaps Vanessa Pegueros, VP & CISO of DocuSign, said it best: “Don’t hire assholes.”
The Tech — Around 30 new products got released during RSA, including solutions for threat hunting, authentication using biometrics, app security, container security, SIEM tools, etc. The buzzwords were rampant and the expo floor showed it, with the underlying understanding that breaches are unavoidable. This is depressing.
There was little focus on privacy among vendors. CCPA and GDPR got their mentions upstairs, most notably by Bruce Schneier, the Crypto Panel, and the speakers in the CCPA track, but overall privacy is not yet a money-maker for the industry.
There is hope for security, though. DevSecOps was big this year, which struck me as a step in the right direction — integrating security into the development process versus fixing security later on. In industries like healthcare, where the cost of error is high and human lives are at stake, there is an ever-louder call for making tech more secure. At DevSecOps Days San Francisco, the notable Chris Roberts and Anne Marie Zettlemoyer, VP Security Engineering at Mastercard, delivered the most memorable message for developers and security technologists: “Talk in a language that leadership understands.”
The Language — The security industry has a language problem. The same term can mean completely different things to different people. Artificial Intelligence can mean one thing to an engineer or a data scientist, and something entirely different to a person from a different industry or in a different department (Marketing, Legal, etc.).
We need to bridge the language gap and define certain terms. Bruce Schneier called for security technologists to become involved in public policy. To do this, there needs to be better communication between public and private, between security and different professions. Technologists need to reach out, become more accessible, explain things.
By removing the mystique of security, we can begin to understand each other better. By bringing security into the mainstream, we can all be more security aware — which is a big step closer to being more secure.
Having world-known names like Dame Helen Mirren and Tina Fey as keynote speakers, while baffling to some, succeeds in turning the attention on this industry in a non-FUD way. Security needs to celebrate its successes more, do more to build the “trust landscape” and reach out to all. As Helen Mirren said, we can be better by recognizing the humanity in each other.