Thoughts On RSA US 2013...

Well well well... what a week! Sadly, I didn't make a single session (other than my own) due to poor time awareness (several times I realized I had just missed the session I'd been planning to see, derailing myself by being chatty... go figure!). Overall, this was one of the best RSA conferences I can recall over the last few years. I mean, it ended with Hugh interviewing Billy Beane... how could it be much better? :)

For everyone I saw in San Francisco last week - it was great seeing you! For those I missed... dreadfully sorry, and I hope we catch up at any of the many other events I'll be at later this year (e.g., Secure360, RMISC, MISTI "Big Data Security" conference). It has been a busy year thus far, and the pace will not be lessening anytime soon. Wheeeeeeeeee! ;)

Now, on to my annual post-event mega-post... apologies for typos, but I'm not going to go back and edit this thing... :)

3 Trends for 2013

Based on conversations, sessions (or, session titles), and walking the expo floor (ever-so-briefly), I couldn't help noticing a few big trends this year. The first trend actually aligned with the conference theme, which struck me as almost too coincidental not to be a coincidence (if that makes any sense). I've never noticed messaging aligning directly to the main theme before, so this really jumped out at me. Allow me to elaborate...

Moving toward actual analysis...

The conference theme was "Security in knowledge: Mastering data. Securing the world." In practice, this theme played very heavily to "big data" and "data analytics." This theme is certainly one that's been a hot topic for the past year or two, but is one that is also finally maturing into something plausibly useful (*gasp!*). The big advance I noticed this year was getting beyond vague rhetoric about "managing big data" to better articulated statements and marketing around how to do analytics on very large datasets. Given that I play for a GRC software vendor in my day job, I felt that this message resonated very well with the GRC space. It also helped validate much of what I've been saying the past couple years, such as that GRC's role is increasingly about providing a 2nd tier of analysis that aggregates data and reports from various silos, wherein we already have reasonably good specialized analytics.

One interesting shift in PR/marketing lingo was to also shift everything toward being some form of "analytics"... last year everything was phrased in terms of "risk"... is this a good thing, a bad thing, or just a thing? Hard to tell... we are talking PR/marketing here... ;) That said, though, I was pleasantly surprised to see actual analysis capabilities emerging that seemed to make sense. Usability will of course be the other big question to tackle, but at least it seems to be a step in the right direction.

Real risk management...

Last year showed a marked increase in casting projects as /something/ risk-related. This year saw the continuation of that trend, with "risk intelligence" persisting, and with the emergence of "risk analytics," which I saw in several places (including at least a couple GRC vendors recasting themselves as "risk analytics" tools/platforms).

More interesting than the show floor, however, were the conversations happening all over the conference. People were talking about risk management for real this year, and not just based on a pile of lousy qualitative finger-in-the-wind measures. The week started very strong with the "Advancing Information Risk Management Practices" half-day seminar, in which I was honored to participate. The presentations of the other panelists were all solid, as was the Q&A from the floor.

For the first time ever, I started to feel like we're finally reaching the tipping point of people who "get it." Sure, there is still a LONG way to go, but these were the most encouraging signs I've seen of late. Just in time for everything to change, of course, but that's almost beside the point... ;) Just the fact that there were so many risk managers present, representing the reasonably sound risk management programs of their orgs, was encouraging to me. Now to finish the transformation by getting these programs fully aligned to business management and yanked out of IT and infosec teams... but I digress... ;)

ET&A moves toward behavior modification...

Last, another emerging trend that just about slapped me in the face was a major upheaval and revival in the "security awareness training" space. Finally! There are a few small organizations that are now challenging the status quo, offering compelling alternatives that oftentimes focus on behavior modification approaches instead of the tired old "kill by drill" approach. At least one vendor is driving toward an integrated knowledgebase approach that will make comprehensive awareness data available to all consumers, including providing the hooks for integrating it into remediation practices.

Of the three trends I note, this one is the best one to watch. Lump in "gamification" and we see a groundswell building that will likely change the entire landscape of awareness practices. This is a Good Thing (tm)! I'm also hopeful that this signals a swing back toward education and away from rote training, which has not only been the bane of awareness training, but has also become the downfall of the American education system. I digress, again... :)

Overarching Thoughts

Following are some quick thoughts on the event overall...

* Too Big? This conference is *the* big event of the year, but this year it really felt like it was simply too big. The expo spilled over into a second room. There were simply too many talks to catch all the ones I wanted (not that I made them anyway). There were 2-3 talks opposite my own sessions that I would have enjoyed watching. The tracking approach is good, but I almost wonder if there's an opportunity to adopt the "university comprised of several schools" model? Maybe not. Suffice to say, there were a lot of people, a lot of vendors, and a lot of ground to cover. I have to wonder just how sustainable this growth will continue to be...

* More Vendors Than Delegates? Probably not, but it sure felt that way. Every time I turned around, I was standing face-to-face with another vendor or consultant. Sure, this is where we all go to network, do deals, and drum up business, but my goodness... I'd actually love to hear from FTEs who attended as Delegates and get their opinion on things, too. Also, who are Delegates most interested in hearing from: vendors or practitioners? Several orgs (e.g., IIA, ISACA, FS-ISAC) have now modified their rules to effectively ban vendors and consultants as speakers and attendees, instead strongly preferring to hear from practitioners and limiting vendors to the limited expo space. Anyway... this was just the sense I got this year of being surrounded by anybody but our core constituency...

* 20-minute Format = Awesome! Bill Burns and I presented a 20-minute talk (by design!) and it went very well. I really liked this format, and would highly encourage RSA to allocate more of them in the future. For that matter, I could very much see only allowing 20-minute talks, requiring that longer sessions be presented in a panel format only. Presenting in 20 minutes requires refining materials and really getting down to business right away. If you think about most longer talks, they typically waste 10-20 minutes on introductions, background, etc., that could just as easily be a handout or external reference. There is one exception to this point, and it has to do with the LAW track and CLE credits. To earn CLEs, sessions must be a minimum of 30 minutes, so I would want to ensure that enough full-length sessions are maintained to help attending lawyers earn their credits. Beyond that, moving all traditional talks to a 20-minute format also means increasing the number of talk slots available, which is also a Good Thing (tm).

* 60-minute Panels Felt Rushed. Speaking as a moderator and panelist, 60 minutes seemed a bit rushed. We had to cut off several good Q&A interactions in the "Hot Topics in InfoSec Law" panel in order to give adequate coverage to the topic. Doing so worked out ok, but another 10 minutes sure would have been handy. For those considering panels next year, please make sure to keep the time limitations in mind when scoping your panel. This thought brings to mind another, which is that it might make sense for RSA to offer sub-categories under "panels" to differentiate between talking-head panels and interactive/Q&A panels, since there is a time and place for both. Anyway... we'll see what the 2014 CFP looks like, eh? :)

* Wed. & Thurs. PM = Wasted Schedule Space? Alright, that's perhaps a bit damning, but to be quite honest, I was rather disappointed to realize that both Wednesday and Thursday afternoons were blocked off for (primarily sponsored) keynote sessions, and did not have any track sessions. Wed. & Thurs. PM were also the two timeframes where I could finally get to talks (and I wasn't alone). I realize commitments are made to sponsors at the higher tiers, but what this tells me is that the bar is set too low for getting a guaranteed talk slot. I also noticed 2 rooms allocated for sponsored talks, which seems to reinforce this notion. I say all this not to stomp on what were undoubtedly some good afternoon keynotes, but because it's nice to have alternatives, plus it would be great to have more talk slots available (given the high competition these days). Either that, or maybe RSA should start strongly encouraging vendors to start their receptions Wednesday afternoon, helping free up some cycles for the evening, as well as suggesting that a Thursday afternoon reception (before the Bash) would be acceptable, too. Just a thought...

* Booth Babes? There's not much I care to say on this topic as it's being beaten to death in other places. I did not spend much time on the expo floor this year, but in the little time I did spend there, I was actually pleasantly surprised by improvements around this topic. Yes, a few vendors still felt it necessary to have scantily-clad girls in their booths as bait, but I also found a few notable exceptions, as well as some great creativity. One booth had actors in Star Wars apparel for a photo op. Veracode brought in the real life "Soup Nazi" from Seinfeld days. And, at Stonesoft, I spoke with their in-booth model ("Hope"), who was *not* scantily-clad, and who had rapidly learned many of the sales talking points for the products (vendors, take note: this is a very good approach!). I understand the rationale in catering to prurient interests, but there is much to be said about toning the costumes down while training the models to effectively deliver talking points. Just a thought... oh, and btw, what was the deal with the one booth with blue-shirted lasses with tablets mounted at chest-level? That was weird...

* A Maturing Industry? Dare I dream the unimaginable... that this industry may finally be growing-up a bit? Maybe. ;) In all seriousness, though, I felt like products and people were starting to have a much more mature outlook on the industry and problem-space. If true, then this is a wonderful thing that gives me an inkling of hope for the future. I can't wait to see if next year proves me right or wrong! :)

Looking to the Future

Speaking of next year, I was struck by a thought heading into the conference, which was what our future looks like relative to people in and around the industry. This line of thought brings me to three (hopefully quick) points:

* A few new faces... I noticed several newer, younger speakers and attendees (ok, I'm getting old), which I thought was good. How do we build on this success to grow the industry? Where is the next generation? Are they attending? Do they care? What are they up to, and what would be of value to them? I'd like to see some programs launched to get cyber-* students from around the country out to San Francisco to attend the conference each year. Case in point, Gen. Raduege noted that there are more than 12,000 students at UMUC in cyber-related programs. Are any of them attending or presenting at RSA? How do we get them there? Now expand this to all the other cyber-* and information assurance programs around the country (and world!). The sooner we can corrupt^H^H^H^H^H^H... er, engage these future generations, the tighter the feedback loop gets, and the faster we can advance as an industry.

* Transitional career support... pt1. There are two aspects to this thought... First, as noted above, there was a noticeable shift with regards to awareness training programs toward behavioral modification, gamification, and knowledgebases. Almost all of these new ideas draw on people from outside the security industry. How do we pull more of these people into the industry? Consider the Workshop on the Economics of Information Security (WEIS) and the Security and Human Behavior conference. We need to better engage thinkers from outside the industry, not only to better refine the problem-space, but also to provide fresh perspectives and historical context on analogs.

* Transitional career support... pt2. The other aspect of career support is generational in nature... specifically, in addition to working toward getting more young people involved and engaged, it would also be great to see better support provided (perhaps via the professional development track, perhaps as separate non-time-conflicting sessions/opportunities) to mid-career professionals who are either looking at transitioning up the chain of command, or who would like to make a horizontal leap into areas with which they have less experience (e.g., cross-pollination between various technical tracks). I'm guessing there are some fun ways to mix things up and help give people exposure to other areas of the industry. One such topic that I think could be very interesting to mid-career professionals is how to make the transition to management, including what sort of resources might exist for helping develop people management and financial management skills.

In Closing...

The best part of RSA, hands-down, is the networking and conversations. Sure, there are dozens (if not hundreds) of awesome presentations and panels, but without the social aspect this would be "just another conference." Despite all my meandering thoughts above, the one thing I wish more than anything else is to see that culture maintained and grown. Frankly, I wish there were more opportunities (similar to P2P sessions) to kick off a conversation in a group and then let it just range about freely, without any false requirement to capture results to report back centrally. Part of me wonders if there is a way to bottle the essence of these social attributes, while the other part of me thinks that trying would ruin the experience. I believe that moving all talks to the 20-minute format, allowing 20 minutes between each session, and pushing for fewer talking-head panels (in favor of more interactive discussions) would help grow this culture. Beyond that... who knows? And, really, who am I to make such a suggestion anyway? Obviously the conference organizers are doing something right given the massive growth these past few years...

I look forward to seeing you all there next year! :)

About this Entry

This page contains a single entry by Ben Tomhave published on March 6, 2013 11:40 AM.

RSA 2013: Interview with Gen. Raduege (ret.) was the previous entry in this blog.
