The RSA Conference can be overwhelming for first-time attendees, while returning security professionals are looking for something new. Program committee chair Hugh Thompson offers tips for how to get the most out of this world-class security event.
Thompson's best advice for a newcomer to the RSA Conference: Attend the orientation session on Monday afternoon.
"It will give you the basics of how to approach the conference, set your agenda, and [decide] what you want to get out of the conference," Thompson says in an interview with Information Security Media Group [transcript below].
"One of my favorite [parts] of the conference is that it's a place where information security professionals get together to talk about problems," he says. "The hallway conversations and some of the social events we have - to me they are some of the most enlightening things for security veterans because you really get to collaborate with your peers around some of these topics."
In an interview in advance of RSA 2014, Thompson discusses:
- This year's new session tracks;
- The controversy surrounding speakers who are boycotting the event;
- How the conference has physically expanded.
Thompson is program committee chair for the RSA Conference, the world's leading information security gathering. In addition, he's also chief security strategist at People Security and an adjunct professor in the computer science department at Columbia University in New York. He is an expert in application security and has co-authored four books on the topic, including "How to Break Software Security: Effective Techniques for Security Testing" (with Dr. James Whittaker, published by Addison-Wesley, 2003) and "The Software Vulnerability Guide" (with Scott Chase, published by Charles River, 2005).
RSA 2014: A Preview
TOM FIELD: What is new for RSA 2014?
HUGH THOMPSON: First let me say this is the best conference that we've ever put together. Just phenomenal speakers, a lot of stuff is going on in the information security space, and we do have some new tracks this year. People have been talking a lot about analytics and big data; what does it mean to mine all this data? There was so much interest from folks coming in and submitting sessions on that topic, we added a track this year called Analytics and Forensics. Anybody that is interested in big data, anybody that is trying to figure out how to track down something if it has already gotten in the network, I think you're going to find a lot of interesting sessions there.
We also added a new track called Security Strategy. You can think about it as planning a year, two years, even five years down the road on your information security program. What are the things you need to be thinking about, how will you change your architecture? We've got the tried-and-true favorites: Hackers and Threats, Breaking Research (I think folks will find a lot of interesting technical content this year), and my personal favorite we added just a couple years ago called the Human Element. [This is] where folks will find a lot about social engineering, and how people are using and profiling employees in targeted attacks. It's a pretty packed agenda.
FIELD: When you add new tracks, does that mean other tracks have to disappear or are you just putting more into the conference?
THOMPSON: Some tracks do disappear, some get merged together. I'll give you an example. We had a track that was on identity and access management, and it's the amazing disappearing, reappearing track, right? It was there forever, [but] we took it away because we got fewer submissions on that topic. We brought it back, I think the year before last, but today a lot of the interesting identity and access management talks are all about cloud. So folks will find a lot of that information in the Cloud Security track. So you're right, in some ways it's a zero-sum game, but one thing that changed this year is we've expanded the conference. Folks that have been to RSA Conference in previous years know Moscone North and South well. They know that underground tunnel in between both. We've added Moscone West this year, so we've got more space for sessions, more space for content, and I think folks will get a very different experience.
FIELD: We have to go outside for that as well, correct?
THOMPSON: Sometimes, only sometimes, and my personal prediction without any data is good weather.
Past Security Trends
FIELD: What are some of the security trends and events from the past year that have most influenced this year's content?
THOMPSON: A lot has happened in the last year. Think about everything from the big breaches that we've seen just in the last couple of months, to some of the revelations that Snowden had around NSA; people have a lot of open questions around privacy, data sovereignty, and recoverability. This idea that you need to build up a response competency inside the business, that at some point you will get broken into, and need to develop the ability to recover quickly and track down those threats. I think in some ways it's a new mindset around security. That [has] definitely helped shape the content.
Privacy is going to be a big topic this year, and there is a lot of discussion about where data needs to be kept, in what country, in what data center, even beyond some of the regulations that we're seeing in Europe. It's become a global question. There are definitely some interesting sessions around that.
One other thing I'll throw in, because you mentioned analytics, is I do think we're finally getting to a time in big data and analytics where we're actually getting results. I'd say two years ago it was an interesting topic, it was a buzzword. Everybody was talking about big data, "Wow, think about the amazing things that we could do if we could analyze this data." I think what you'll see this year in the content is people that have actually gone out, started to do it inside [of] their own businesses, and are getting some actionable insight. I'm looking forward to those sessions.
FIELD: What else is different about the event this year from previous years?
THOMPSON: I think folks will notice quite a few differences. I'll just go through some of my personal highlights. One is Innovation Sandbox. I don't know if you've been to Innovation Sandbox, which usually runs on the Monday of the conference, but it's basically a celebration of innovation in information security. We have a competition amongst start-up companies; it's very entertaining, very competitive. Folks have to get up, pitch their company, talk about the product all in three minutes, and then they are grilled by a panel of experts.
Then, throughout the afternoon, we've got other sessions on how to become a real entrepreneur in security; how to take the seed of an idea that you might have around a new security solution and turn it into a business. That was Innovation Sandbox of 2013. If you go in 2014, it's bigger than ever. The program on Monday has been expanded, but we'll now [do] Innovation Sandbox content throughout the entire week. You can go there, look [at] new technologies, experience things hands-on, and the hope is to nurture some of the budding entrepreneurs that are in the audience at the conference.
They'll also notice a difference in the expo. We now have two large expo areas where a lot of content is happening. For those folks that loved flash talks last year, it's back. It is going to have an all-star cast this year. There is a lot to do, a lot to see. It's going to be pretty overwhelming for somebody whose first time it is at the conference, for sure.
FIELD: There have been stories about RSA the company, and some speakers - a minority - have pulled out and are boycotting the event. How do you respond to questions about this controversy and the boycott?
THOMPSON: It has been in the news quite a bit over the last few weeks. It's disappointing that some of the speakers have chosen not to speak. Several of those people are people that I personally respect, would love to hear, and they got through our incredibly competitive process to be selected as part of the conference. But you mention they are a minority; it is actually a very small minority of the overall sessions. We've got about 560 speakers at the conference, and to my knowledge [only] 9 folks have opted out of speaking. Every year we have some number of folks that can't speak for whatever reason, and because of that, we've got a pretty good framework in place to fill those slots. We select alternate sessions, so those slots have already been filled. Personally, it's disappointing that those folks chose not to speak this year at the conference, but I'll tell you, despite that, we've got the best agenda that we've ever had at RSA Conference. So I think it is going to be a terrific event.
FIELD: For the person that is new to RSA conference, how should they approach this event?
THOMPSON: It is overwhelming, and my best advice is the orientation session that we have on Monday afternoon. It will give you the basics of how to approach the conference, set your agenda, and [decide] what you want to get out of the conference, because when it comes to Friday the whole week is an incredible blur. There are also tips on which parties to go to, which I think is critical for the first-timer. There is also a session that we have called Security Basics Bootcamp, and if it's the first time you've been to the conference, or you're fairly new to information security, I'd highly recommend that session. Some of the leaders throughout the security space talk about what's happening in each of the security domains.
FIELD: How does one come back fresh and get the most out of the event?
THOMPSON: I think every year there's something new to get out of it. Certainly in the agenda we've got a lot of great content around analytics that I mentioned, great stuff around mobile, social engineering, and privacy. You mentioned the controversy around RSA and the NSA; a lot of sessions will talk about that too. I think there is a lot new to get out of it from a content perspective, but one of my favorite pieces of the conference is that it's a place where information security professionals get together to talk about problems. The hallway conversations and some of the social events we have, to me they are some of the most enlightening things for security veterans, because you really get to collaborate with your peers around some of these topics. I don't think there has ever been a more important time for us to get together and talk about security.
FIELD: What are the international events for 2014?
THOMPSON: The Asia-Pacific and Japan event we have in Singapore is coming up later this year. We'll have some content in Europe. It's going to be a pretty incredible year internationally. I'll tell you, having lived in Singapore for a few months myself last year, I'm really looking forward to that event. It was just a terrific turnout. You get a very different perspective on information security, and in some ways I think you get a preview, no matter which country you live in or which company you work for, of what might be coming next. So I would encourage folks to not just come to RSA Conference USA, but consider some of these international venues too.
Year of Security
FIELD: We say it every year. Is it finally the year of security?
THOMPSON: I feel like we might be in the decade of security if you measure it by news stories, that's for sure. I don't know if this is any positive indication or not, but my mom definitely knows the difference between a firewall and a wall on fire now. So that might be it.