The madness that is the RSA Conference is well underway. Here are five quick takeaways from the first day and a half:
1. We may be in San Francisco, but the center of the cybersecurity world is Washington, D.C. At the opening ceremony, the next five speakers after Jane Lynch from Glee completed her song and dance number ("cha-cha-cha-changes/work to save domains") were longtime Washington players. Amit Yoran, now president of RSA, kicked things off. Yoran, a West Point graduate, formerly worked at the Department of Defense and was director of US-CERT in the Bush Administration. He handed things off to Scott Charney, director of Trustworthy Computing at Microsoft, a former prosecutor at the Department of Justice and current member of the President’s National Security Telecommunications Advisory Committee. Jim Lewis of the Center for Strategic and International Studies presented awards to former White House cyber coordinator Richard Clarke (lifetime achievement) and current White House cyber coordinator Michael Daniel. Secretary of Homeland Security Jeh Johnson closed out the session by announcing that the Department of Homeland Security was going to establish a presence in Silicon Valley.
2. Half the people at RSA are from Washington, all meeting with each other. I ran into the Chief Information Security Officer of a major defense contractor whose calendar I have been trying to get on since January. We drank tea together for an hour. It was good to catch up, but we all should use RSA as an opportunity to get outside the beltway bubble. Maybe next year, the week before RSA, we should all check into the W Hotel next to the White House for three days of eating, drinking, and meeting. Then we could spend time at RSA bridging the gaps between the public and private sector and the east and west coasts, or even, God forbid, attend some of the sessions.
3. The other half of people at RSA are venture capitalists. With lots of investment money available and fewer opportunities in social media, cybersecurity is definitely the new hot area for investment. It’s a bit of a challenge because the founders of security startups don’t look like the founders of social media companies. If a Sand Hill Road venture capital company takes the model it has applied to identify successful startups in the social media world (i.e., find a CEO who is a Stanford dropout willing to work 24/7 for 50k a year and live with five guys in a group home), it is not going to find very many companies. A lot of innovative companies out here are being founded by guys with gray beards, bald heads, and ten to twenty years of experience hunting on networks.
4. Diversity remains an issue. Describing conference attendees as predominantly men (though not predominantly white) is by and large a fair characterization. RSA made the smart move to ban scantily clad “booth babes,” a welcome step, but more needs to be done, particularly to overcome the many barriers to building technical skills in this space, which are often handed down in some sort of folk tradition along strict gender lines. More on that point in a later post.
5. Long live the NIST Cybersecurity Framework! Getting back to point 1, it is amazing to see how something kicked off two years ago with the stroke of the President’s pen is actually leading to real change in the field. There is a whole cottage industry of consultants and tech companies working in and around the NIST Framework. I counted at least five panels touching on it, and many large companies are not only using it to structure their cybersecurity programs but also requiring vendors to use it.
Heading back out for another round of meetings with people I should really see more often back in Washington.