It’s that time of year again, when the security industry looks westward with a mixture of anxiety, dread, and expense-account-induced giddiness: RSA week.
When people who have never been to the RSA Conference before ask me what to expect, I never have a good answer. A lot of it depends on what your job description is and what you’re hoping to accomplish. If you’re an engineer looking to expand your knowledge base, there are a decent number of technical sessions run by highly experienced and competent speakers that are worth your time. If you’re an executive looking to compare notes with your peers, set up shop in the lobby bar at the W Hotel, open a tab, and watch the tide roll in. And if you’re in sales, well, RSA is the Promised Land.
For journalists, RSA week is a weird mix of all of those things. The first time I covered the conference was in 2001 when it was still just emerging from its proto-crypto stage. The engineer-to-salesperson ratio was about 20:1, if not higher, and only a handful of reporters were there, nearly all of whom were from tech publications. I had only been covering security for about six months at that point, and I remember walking out of the cryptographers’ panel that year convinced I had a concussion. The next year–which was just a few months after 9/11–was a scaled-down, somber affair in San Jose marked by bomb-sniffing dogs and dire predictions.
A few things have changed in the intervening 16 years, but many more have remained the same. Every year is still the year of PKI, users are still blamed for virtually every data breach, compromise, and security failure, and most of what you will hear in the sessions, on the show floor, and in the hallways is doomsaying and depressing. To some extent, that’s just the nature of the beast. Security is a dependent profession, not an independent one. It needs the constant specter of new and terrifying threats in order to succeed.
Make no mistake, the threats are very real. And they’re more sophisticated and difficult to detect than ever before. Those are just the facts. We have intelligence agencies, well-financed private groups, and cybercrime rings all taking aim at enterprises, government agencies, and individual users. They all know what they’re doing and they have a pretty substantial arsenal of tools at their disposal.
But so do the good guys. Sure, there are more bad actors than ever (See: Ryan Gosling) and the tools that once were only available to the apex predators are now commoditized. But the people doing defensive work are getting better and better at their jobs, too.
Knowledge doesn’t discriminate. And that’s the great thing about RSA week. Regardless of what you do, where you’re from, or who you work for, this week presents a rare opportunity to learn and advance your craft. Many of the sharpest women and men in security will be wandering around the Moscone Center, and in my experience they’re almost all willing to share what they’ve learned over the years.
If you see Bruce Schneier, say hi. He’s really nice. Same goes for Chris Wysopal, Katie Moussouris, Gary McGraw, Jon Oberheide, Jennifer Steffens, Dino Dai Zovi, Caleb Sima, Paul Judge, Alex Stamos, Jeremiah Grossman, and dozens of others I’m omitting here. Don’t miss that chance to stop them and ask a question.
And if you happen to see this dazed reporter wandering around, don’t be afraid to say hello.
Image: Jeff Gunn, CC By license.