The RSA Conference marks its 30th year with a virtual-only event
June 4 2021
by Scott Crawford, Fernando Montenegro, Daniel Kennedy, Matthew Utter, Garrett Bekker, Aaron Sherrill
For many in cybersecurity, the 2020 RSA Conference (RSAC) was the last occasion for travel before the onset of a global pandemic. The world has changed considerably since then, not least in the nature of gatherings such as RSA. Like many before it over the past year-plus, RSAC 2021 necessarily had to reinvent itself as a virtual-only gathering, if it were to go on at all. Yet despite the pitfalls of a conference held entirely online, there were some distinct advantages for the RSAC community as well.
The 451 Take
In what should have been a year of celebration for one of the industry's longest-running conferences – 2021 marks the 30th year of RSAC – the limitations of a virtual-only event may have combined with an accumulated year of videoconference fatigue to cut overall participation sharply. But a virtual event also has its advantages. For one thing, attendees had a lot more latitude for attending the sessions, which are, ostensibly, the focus of the conference's educational program. While normally, RSAC is as much a networking and meet-and-greet event as it is a learning venue, even the most social of participants could attend on-demand virtual sessions on their own schedule this year, bringing a welcome reprioritization on learning for many. The exigencies of the pandemic may have precipitated provocative changes in the way RSAC serves the vendor community as well.
Further motivating interest was the timing of events surrounding RSAC, coming as it did on the heels of the high-profile ransomware attack against Colonial Pipeline, as well as the Biden administration's Executive Order on cybersecurity – which, in turn, was precipitated in part by another high-profile incident, the campaign against SolarWinds, which became public knowledge late last year. When combined with the emphasis on security emerging as the top priority for organizations as a result of COVID-19, according to our Survey, these are among the factors that ensure the endurance of the RSA Conference as an industry institution, no matter what form it takes.
Doing what we can
According to RSA, more than 20,000 people registered to attend this year's fully virtual conference. This is clearly a large event, but a far cry from the 50,000-plus that roam the halls of Moscone and the streets of San Francisco during a traditional year. There may still be significant post-event participation since hundreds of sessions are now available for on-demand playback until early summer. While a substantial reduction in ticket prices probably helped with attendance – a full-price ticket for a traditional physical conference is approximately $2,800, but the virtual equivalent this year was just $800 – this was definitely a different, more subdued event.
This is far from unexpected and aligns with the general experience of other large-scale events during the pandemic. We're all doing what we can, and in many cases, this means adapting to radically different constraints.
A similarly scaled-down sponsor experience
Similar factors shaped the experience of the vendor expo as well. Whether you love it, hate it or (like many if not most) fall somewhere in between, the Expo Hall at the RSA Conference is a key component of the event and is often a good microcosm of the industry itself. In other years, there are numerous themes in play within the seemingly ever-expanding footprint at Moscone: major industry vendors with massive booths down to 'startup alley' and the Early Stage Expo areas with minimal physical footprint for each vendor, the competition for attendees' interest via a combination of exotic and boastful designs, and meeting fellow professionals on the corridors, at vendor booths or elsewhere near the floor, and so on.
This year had none of that. The fully virtual conference meant a fully virtual sponsor experience as well. While premium sponsorship packages did include more prominent placement on a screen, being able to provide more information for the virtual attendee, and more, there was very little differentiation between vendor entries. Vendor participation, when measured in number of sponsors, reflected this downturn. While participation in a typical year includes about 700 sponsors of all sizes, this year's edition had barely over 200, even less if exhibitors such as media partners and industry associations are not included in this count.
But now year-round...
The forces imposing virtual-only experiences on the industry are not without their positive aspects, however. One of the key announcements by the conference organizers was that it has launched a 'Marketplace' experience that will be available year-round. This extends the concept of the online marketplace from online vendors and retailers to industry conferences as well, which could become an enduring hallmark of industry events – physical, virtual and hybrid – from now on. The concept has a dual benefit for participants. For vendors, it offers a single point of attraction for reaching a number of motivated prospects. For customers, it means exposure to a range of vendors they may not otherwise have considered.
The RSA Conference acknowledges these benefits, noting that the impetus is to help customers have easier access to information on hundreds of cybersecurity vendors participating in one of the industry's most prominent venues. At present, the Marketplace has roughly 300 vendors and can be seen as an extension of the virtual expo: vendors have a single page with limited wordcount and links to resources. Conference organizers indicated that future versions of the Marketplace may include capabilities to fine-tune a search for relevant vendors serving a given organization's identified gaps in their security program.
Innovation Sandbox: 'Turtles all the way down'
With RSAC 2021's shift to virtual, the conference's Innovation Sandbox also adapted to changing circumstances by staging its competition in a first-ever virtual environment. Regardless, the format remained the same as 10 finalists battled for the title of 'most innovative' through three-minute elevator pitches.
If there was one theme that prevailed in the competition overall, it was abstraction. Enterprises are daunted by the growing complexity and distribution of IT across a host of both 'cloud native' and legacy technologies, on- and off-premises, as well as growth and diversity in the digital technologies at the network's edge. Predominant were startups representing approaches to bringing coherence to security's many challenges across these landscapes through the abstraction of higher-level processes interacting with underlying environments. While there were representatives of more fundamental technologies, such as new techniques for recognizing email threats, a variety of plays implementing these higher-level strategies for control were evident in a variety of use cases, from the application lifecycle to managing identities, sharing data, deriving machine learning while assuring privacy, mitigating fraud, and managing infrastructure. Such approaches seek to meet a specific need or serve a specific audience – a trend that tends to create additional layers of management and coordination (and suggesting the mythic concept of the world riding on successive layers of 'turtles all the way down' to its fundamental underpinnings beneath). The finalists were Abnormal Security, Apiiro, Axis Security, Cape Privacy, Deduce, OpenRaven, Satori, Strata, Wabbi and Wiz.
Out of these 10 finalists, New York-based Apiiro emerged as the competition's 2021 winner, presenting a non-traditional approach to application security. In the theme of orchestration and simplifying the complex, Apiiro aims to help organizations identify and prioritize code changes that can have an impact on application security. The company takes a broad approach to the development lifecycle by tapping into underlying application development, deployment and operational management tools and combining this data with context from developer profiles to understand which changes are material to security. From here, the company aligns these sources of information with processes such as ticketing and workflows to engage the correct individuals or groups for issue remediation.
Application security, notably code governance, features prominently
Given the role of application vulnerabilities in eventual breaches, amply demonstrated by the significant percentage of security incidents where 'basic web application attacks' were a factor as reported in the Verizon 2021 Data Breach Investigations Report released not long before the conference, it was not surprising to see application security concerns discussed frequently at the 2021 RSA Conference. Two keynotes prominently featured such concerns. The first of these was given by Anne Neuberger, who in April joined US President Joe Biden's administration as deputy national security advisor for cyber and emerging technology, leaving her prior role as the NSA's director of cybersecurity.
Neuberger reiterated content reflected in the President's Executive Order on Improving the Nation's Cybersecurity released on May 12, with a strong focus on current security issues inherent in the software supply chain. She noted that existing approaches of 'build, sell, patch' with an expected number of known security defects where the vendor has deemed the risk of those defects to be acceptable, aren't working – after all, one would not purchase a car with the idea of buying a seatbelt or airbag later on. The goal at the federal level of software procurement thus becomes ensuring that security is a basic design consideration – from how software is built (code governance) to how it is tested for known or potential vulnerabilities (application security testing) and the provenance of code (software composition analysis). She also touched on the fact that there are limited resources for those wishing to make economic decisions regarding software based on security, so transparency of software security must increase. Finally, given that many vendors supply the same software to government as the private sector, the hope is that these requirements will also then benefit the private sector.
Code governance – the security in how software is created and distributed – was certainly a featured theme of the keynote discussion with Sudhakar Ramakrishna, president and CEO of SolarWinds, which suffered a breach widely publicized in December 2020 that extended through the software supply chain to affect a number of third parties. And the theme continued with the winner of the RSA Conference Innovation Sandbox content, Apirro, whose Code Risk Platform allows practitioners to evaluate the risk of code changes in the development process. Wabbi, a provider that concentrates on application security issue management, also featured as a finalist in the competition.
Back to the future?
As we look beyond the RSA Conference, we note a definite uptick in industry gatherings moving back toward at least a hybrid model combining virtual and in-person events. Black Hat US, for example, will offer four days of virtual training in late July-early August, while the two-day main conference on August 4- 5 in Las Vegas will be both virtual and in-person. DEF CON, which ordinarily occurs the same week in Las Vegas, is likewise going hybrid this year.
Other events scheduled for later in the year, however, are beginning to return to full in-person participation. Whether this will become a full-scale trend across the industry remains to be seen – but given teasers for a growing number of in-person events, there is clearly a desire, if not outright pressure, to return to business as usual as much as possible. Event producers and exhibitors would like to see a return to more robust numbers and visitor traffic. Hosting venues and supporting hospitality and travel industries, of course, need the business.
Whether global conditions – and hoped-for participants – cooperate to the extent desired also remains to be seen. Some of the world's regions with the greatest emphasis on technology have been some of the hardest hit by the pandemic. Cybersecurity threats may sometimes seem similarly out of control – but the cyber adversary is an intelligent actor operating on motives that drive people, from the individual to the strategic interests of nations.
Despite its use as a metaphor early in the evolution of cybersecurity, a virus is something altogether different.