Once again, the RSA Conference (RSAC) is in the crosshairs of the cannibalistic, eat-your-own-young security industry. This year’s uproar is over the face that only one of the 20 keynote speakers is a woman, and that woman is Monica Lewinsky—not exactly a titan of the cybersecurity world. While I would love to see more women speaking at the event, my reaction to the backlash is, “Haters gonna hate.”
I don’t mean to be flippant here, but let me offer up some history and take a closer look at the facts that have been either ignored or twisted to turn up many well-meaning Gender Avengers against the biggest showcase of the security industry.
First, the history. This whole thing reminds me of when the Security BSides movement started in 2009, when Black Hat rejected some submitted proposals for speakers at its conference, but it quickly spilled over to San Francisco and RSA. The first BSides San Fran competed against RSA and there was similar hate and vindictiveness aimed at RSA Conference for not giving people a chance to speak.
I was there then. I remember having a meeting with Mike Dahn and I think Jack Daniel, along with Jeanne Friedman, Hugh and others from RSA. This was when BSides San Fran was in its second year, I think. The fact is, RSA couldn’t have been more supportive. They offered a room at Moscone Center where BSides could be held (the BSides folks decided not to take RSA up on its offer). They offered to help support it in many ways. Ultimately, peace was made, as there is enough room for more than one security conference that week.
The fact is, RSA has a whole host of satellite conferences that take place during the week of the conference. Besides BSides, there is the Americas Growth Capital (AGC) conference, our own DevOps Connect: DevSecOpsDays, the Cloud Security Alliance and more.
When putting on a show the size of RSAC, there will always be haters or people who have perceived injustices. In fact, there are probably many things that are not fair about how RSAC is conducted. But overall, I will tell you that in the 15-plus years of working with them, I have found the RSAC team to be extremely fair. They are always looking for ways to improve the conference, work better with the community and be as helpful as possible.
They helped me start the Security Bloggers Network and meet-up, as well as the blogger awards. For years they were the sole sponsor of the Security Bloggers Network. RSA really didn’t get a hell of a lot out of it, other than knowing it was helping the community.
But enough history about the good deeds of RSAC. Let’s look at the problem at hand, which is a lack of women keynoting at RSAC this year. I have spoken to several people about this, including folks from RSAC and people from the selection committee. Before calling for the roasted gizzards of the RSAC team, here are a couple of things worth considering:
- Much of the senior leadership of the RSA Conference team are women. This isn’t a case of some old boys club sitting around picking “us and those like us.” To the contrary, the women leading the RSA Conference team are dynamic, empowered leaders. There is no doubt in my mind that they are very sensitive to the issue of diversity in those who speak at the conference. In addition, you may be surprised to know that RSAC isn’t some large, monolithic organization—the group does an awful lot with a few full-time folks and a whole lot of help from the industry.
- Of the 19 or 20 keynote slots available, the overwhelming majority are given to sponsors that pay for them. Whether you agree with the pay-for-play aspect is another topic. But these vendor keynote speakers are chosen by the vendor, and RSAC doesn’t have the choice here.
- I have heard from multiple sources—internal to RSAC, the selection committee and outsiders—that more than several women were considered and offered keynote sessions. These invites were turned down for a variety of reasons, including the fact that some of were prohibited from speaking due to conditions of their employment (such as those in financial services or government sectors). Other women flat-out refused, deciding RSAC was not the right platform for them.
Another thing worth considering is it takes a certain amount of gravitas to keynote RSA. That’s not to say there aren’t plenty of women with the necessary skill set and experience, but frankly some of the names I have seen thrown around aren’t yet RSA keynote speakers—though they are more than qualified to present at RSA.
Finally, a word about the folks behind the new OURSA conference, featuring lots of women speaking. More power to them. If they feature good content and people want to hear it, the conference will thrive. If it is just a protest to this year’s keynote selection, it will be yet another footnote to RSA history, which is littered with protest counter-conferences that proved to be rather short-lived.
I don’t know what it is about the success of RSAC that makes so many security professionals throw stones so easily. You would think we’d want to put our best face on to the world. But no, every year there is some issue that the malcontents rally around.
Frankly, kudos to the RSAC team for taking the high road with these protests. Inevitably, they take the lessons learned and incorporate them into the program for coming years. Ultimately, it makes RSA Conference bigger and better. And that is a good thing for the security industry.