Root Causes 234: Report from the 2022 RSA Conference

Episode Transcript

Lightly edited for flow and brevity.

• 

  Tim Callan

  I just went to RSA pretty recently for the first time in over two years, and we just thought we’d talk a little bit about RSA, what it is now, how it’s the same and how it’s different from pre-COVID. So, there we are.

• 

  Jason Soroko

  It’s been a little while for me too. I think I was there in 2018, not 2019, so it’s been a little while for me, for sure.

• 

  Tim Callan

  You missed 2020. 2020 was the weird one, of course, because that was right about the time that it was dawning to a lot of people, certainly in this part of the world, in our continent, that maybe this sort of thing, like, wasn’t going to be in the books going forward. I know a bunch of us showed up at RSA expecting it to be a normal RSA, and then there were booths that were just not there. People just did send their booth or their people or anybody, just empty.

• 

  Jason Soroko

  I found it interesting. The 2022 RSA, I found it interesting because I was actually booked to go to Mobile World Congress in Barcelona and that was flat-out cancelled, and it was mind boggling because that’s just such a gigantic event. The costs and the problems associated with just deconstructing that were enormous, I can just imagine. Because Mobile World Congress had been cancelled, I was surprised, but not surprised, RSA 2020 went ahead. So that was definitely an interesting year.

• 

  Tim Callan

  That was, I think, some of a Europe versus America thing ‘cause there was much more awareness of the hot spots. There were hot spots in Europe, and they hadn’t really yet left the ocean become hot spots in the Americas, and so some of it was sort of this level of local awareness, but RSA was probably a super spreader event because people did come in from all over, and so, that first started to happen and while we were there that week some of us started to have our eyes open to say, gee, maybe we all shouldn’t be here Certainly I wasn’t thinking in those terms when I got on the plane, and I absolutely was not thinking those terms when I got on the next plane. Then we were away for a long time and so I’ve been to couple other conferences since then, but this was the first RSA I went back to, and I did not know what to expect. On the balance it felt pretty normal. It was definitely smaller, and they were still using Mosconi Center, both halls in that area and between, and they were still doing speeches across the road in Mosconi West, but part of the way that they did it, was they have these black curtains that they hang at the edges just to cover the concrete walls, and the black curtains were just much further away from the concrete walls than they normally are. So what they did was they compressed the show floor and therefore, maintained the density that everybody is use to. It felt very similar, but the square footage that was available for us was less. I’m certain, I didn’t see numbers, but I’m certain the number of attendees was down from its peak, which was probably 2020 or maybe 2019. But it felt that while you were on the show floor walking around, it felt like a very normal RSA. In general, the biggest booths weren’t probably quite as big, and the display and the stuff they use to bring you in wasn’t probably quite as extravagant. So, it felt like everybody was operating on a little more of budget. Again, there was a lot going on, but I thought people were operating on a little more of a budget. Some people had definitely downsized their booths from what you would have seen previously. So that was kind of how it was in terms of the floor and the feeling. But, all the programs were full, and it was a lot of quality content, and there were plenty of vendors that were participating on the normal edge of things. I gave a speech about passwordless authentication, by way of example. Passwordless authentication was around a lot. That was something that you saw. You saw it in booths, you saw it in the agenda quite a bit. Quantum cryptography was a big, or post-quantum cryptography, was a big discussion, as you would expect. There was a whole panel that was just on that. And it had a variety of specialists, including Dr. Dustin Moody, who is running the NIST contest on post-quantum cryptography, and they talked a lot. That was sort of explanatory but they sort of explained everything that had gotten us to where we are today. There was also the crypto panel like they have every year. So cryptography was well represented. Authentication was well represented. Zero trust passwordless, some of the things we always talk about - software define parameter, those solutions were still out there. People were discussing those quite a bit.

  I’d say a lot of people really just trying to get back to normal. Trying to set up a booth and go around and learn from people and do things the same way that you used to. I saw a few masks. I did not see very many masks.

  So, it’s kind of like other places that you go in public. You always see some. You don’t see a lot. That’s how it was. So, I’m sure that they’re going to be back to a normal cadence now. I don’t know what they’re going to do in terms of time of year next year ‘cause this one got moved. As a reminder, it was supposed to happen in Quarter 1 like it always does. And then it couldn’t happen in Quarter 1, and so they moved it out to June. And I doubt that it will stay in June. I imagine it will probably go back to that same cadence.

• 

  Jason Soroko

  So what about the one thing that’s quite often in my mind, tongue in check, but it’s also very telling. Were there any examples of Marketing Groupthink? In other words, was every vendor a zero trust vendor or was there a bit more thought put into the marketing?

• 

  Tim Callan

  I made a joke when I started my speech, and I said the last time we were all here at RSA two years ago, some of us played a game where what you would do, is you would walk around, you’d put your head down and you walked to a random spot on the show floor, and then you’d ,your head up and rotate 360 degrees, and you’ d see if you saw the phrase zero trust. Everybody had a good laugh because we all remember it was everywhere like 30 months ago it was everywhere, and, I would say there was nothing that was that extreme. Certainly we did see a lot of discussion of passwordless. Lot of people talking about that now. That was definitely a topic that was there. Then, like I said two years ago, two and a half years ago, there would have been utterly nothing on the topic of post-quantum. Nothing at all. Now, in this case, there was, it came up in the cryptographers’ panel. It was discussed, and it had its own panel, and there were several vendors. So, I think in that sense those two things definitely have emerged as topics in a pretty big way since the last time we talked about it. Then some representation of the other sort of interesting new architectural trends that we expect. So for instance, there was some discussion or RPA. That was definitely around, but I would say passwordless was a much hotter topic by far.

• 

  Jason Soroko

  I’m not surprised by that. It’s a more core security topic. I think RPA, Robotic Process Automation, I think that would come more under a general IT subject matter, and I think the security aspect for that will extend down the road, but for now, it’s relegated to an IT matter rather than a security matter.

• 

  Tim Callan

  I’m not sure everybody is thinking about the security implications of that really. I think that’s a thought process a lot of people are still going through.

• 

  Jason Soroko

  That’s great, Tim. Thanks for that. Great - I didn’t have to go.

• 

  Tim Callan

  I missed it. I was glad to be back. I like to cherry pick, some interesting sessions to sit in. Usually I’m doing some kind of speaking, either on stage or in some other context, and I like to spend a lot of time on the floor and just walk around and see what’s new and what’s different. So, not having that, you do it other ways, and presumably you still get that work done, but I missed it. It was nice to be back.

• 

  Jason Soroko

  Well, that’s good. It’s kind of an important touchpoint for a lot of people. I know that one thing that I’ve learned over many, many, many years in this industry is that there’s really only a handful of us. Even if you think of that room as being a lot of people, it’s really not. What’s interesting is that it’s not all the same people every year, but it is quite often the same people every year, and that’s a good thing because you get to talk with everybody and the people who were in the know in the industry, in security in general you get to exchange ideas. It other words, whether you consider it mostly a trade show or a speaking event, it has all these elements, but what I think is very important is just bumping into people that you haven’t seen for a while and exchanging ideas and seeing what they’re up to. Those are important aspects to a conference, and it’s one of the main reasons I used to like to go.

• 

  Tim Callan

  Anyway, so there you are. RSA is back on the agenda. It’s going to happen every year, and I, for one, am happy.