RSA Conference 2020: CISO Tips for Making the Most of Conference Sessions


RSA Conference is just days away, and as I have done in the past, I thought I’d suggest a few talks that you should check out if you are attending.

If you are interested in tracking the latest emerging cybersecurity startups, then the RSAC Innovation Sandbox is “must see tv.” While I was at Forrester, I was involved with the event, and it remains one of my favorite events of the week. If you aren’t familiar, it is our version of Shark Tank. Ten startups deliver three-minute pitches to the five judges. There is also a mini expo floor where you can speak with the vendors while the judges deliberate. It is an effective way to learn about a curated set of startups. This year’s finalists include AppOmni, BluBracket, Elevate Security, ForAllSecure, INKY, Obsidian, SECURITI, Sqreen, Tala, and Vulcan. I’m rooting for Ben Johnson and his colleagues at Obsidian doing cloud detection and response. Doors open at 1:30 pm on Monday, and you will want to get there early.



A few things to note before I get started. I may or may not have leveraged previous content for some of this:

  • Hallway Con: You should take advantage of “hallway con” and all the networking opportunities associated with the RSAC week. Building your network will get you the best return on your investment.
  • RSA Schedule: You could go to the RSAC “Sessions & Events” page and search by the “Core Topic” of “C-Suite View” or “Security Strategy,” but your time is precious. So, to save you some, I spent the morning going through the RSAC schedule, so you don’t have to.
  • Security Leaders and Blue Teamers: This blog is focused on conference talks that will likely resonate with most security leaders and blue teamers.
  • I focused my research on the following areas: (1) Security Strategy, (2) Cloud Security, (3) General “CISO topics,” (4) Mental Health, and (5) Retention. I’m going to adhere to the rule of three and keep my recommendations short.


Recommendations for RSA Conference Talks

  1. Security strategy. If you like to victim blame, then these talks aren’t for you.
    1. 20 Years In: Security’s Grand Challenges, Then and Now. Andy Ellis is Akamai’s Chief Security Officer, and I enjoy his take on our space. If this talk is anything like his retrospective piece on Dark Reading, “From Operation Aurora to Zero Trust,” then you won’t want to miss it.
    2. We the People: Democratizing Security. I’ve enjoyed Wendy Nather’s tweets leading up to her keynote. In 2013, Wendy came up with the “Security Poverty Line” concept, and I can’t wait to see what goodness comes out of this talk.
    3. Why Your People Are Still Your Best Cyber-Defense. I’m excited to hear Ann Johnson’s recommendations for building a security culture where your people are your best defense.
  2. Cloud Security. Going with just three recommendations was a challenge for this topic area.
    1. Break the Top 10 Cloud Attack Killchains. Any talk that Rich Mogull does should be required for anyone responsible for cloud security.
    2. At What Point Does DevSecOps Become Too Risky for the Business? DevSecOps is so hawt right now, and this talk resonates with me because it is counterintuitive to traditional thinking.
    3. Kubernetes Practical Attack and Defense. This talk seems more technical than some of the other cloud content, and Jay Beale is a highly rated speaker.
  3. General “CISO topics.”
    1. The First 6 Months as a CISO Determines Success or Failure. Former CISO of Twitter Michael Coates will give a talk I could’ve used when I started my CISO journey.
    2. 10 Cybersecurity Visibility Gaps Every CISO Must Fill! Visibility is key to understanding exposure and risk. I’m interested to hear what Russell Eubanks has to say about it.
    3. Artificially Intelligent CISOs on the Blockchain: How Technical Should a CISO Be? If you want an entertaining and useful discussion, Javvad Malik and Thom Langford are your guys.
  4. Mental Health. The struggle is real, and I’m pleased to see cybersecurity conferences with talks about our stress levels and burnout factors. Here are three mental health talks that stood out to me:
    1. Hacking Stress in Cybersecurity Operations. I don’t know Dr. Celeste Paul, but her “Hierarchy of Hacker Needs” sounds very interesting to me.
    2. #Psybersecurity: Mental Health Impact of Cyberattacks. A psychiatrist at RSAC? Yes, please! I’m excited to hear what Dr. Ryan Louie has to tell us. It is always great to get outside experts’ perspectives on our space.
    3. Flameproofing Your Career: Preventing Burnout and Dealing with Adversity. Karen Worstell will cover strategies to deal with “extremes of stress, unrealistic expectations, and continuous hypervigilance.” This sounds just about right to me.
  5. Retention. There is nothing worse than recruiting staff only to lose them to another opportunity. Sometimes this is beyond our control, but in many cases, there are things we can do. This panel “Why Your Staff Leaves, and How to Retain, Retrain and Build Leaders” resonates with me as I’m always looking to improve in this area.

I know that many people (cue the Infosec Twitterverse) bash significant security events like RSAC; my suggestion is to ignore that and make the most of the event. Next week is an excellent opportunity to gain knowledge that you can bring back to your team and a great opportunity to build your professional network.

Also, bring your hand sanitizer, not for coronavirus, but for the regular flu. Influenza has infected at least 22 million Americans and killed at least 12,000 so far this flu season. Based on social media commentary, it looks like we could stand to improve our healthcare threat modeling and risk management. Any predictions on how many vendors will be handing out branded hand sanitizer?


Where to Find Digital Shadows or Photon Research Team at RSA Conference

Come meet the team at RSA Conference 2020. You can find us at Booth 4617 throughout the week, or swing by our party on Wednesday night. (Make sure to get on the guestlist ahead of time!)


*** This is a Security Bloggers Network syndicated blog from Rick Holland – Digital Shadows authored by Rick Holland. Read the original post at: