Understanding the RSA Conference iceberg: revealing the unknown truths and explaining the well-known concepts
Looking at what RSAC is, how it works, what role it plays in the ecosystem, what people typically misunderstand about it, and why it is here to stay (at least in some form)
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Thanks for supporting Venture in Security!
Now that most of us have cleared the post-RSAC spam from our inboxes, unsubscribed from most email lists (sometimes more than twice, to no avail), and skimmed through tens of LinkedIn posts recapping the “trends” from this year’s event, let’s talk about the conference.
In this post, I would like to look back and discuss the world’s largest cybersecurity conference - RSAC. No, not just the RSAC 2023 edition but more generally - what RSAC is, how it works, what role it plays in the ecosystem, what people typically misunderstand about it, and why it is here to stay.
Assumptions about the event
When I ask people about their observations from the event, I typically hear a combination of the following:
It’s a very busy event with hundreds of vendors and subsequently - an army of marketers and salespeople all looking to sell something
It’s a place where every vendor is trying to scan as many badges as possible to then spam everyone unfortunate to pass by their booth
It’s a messy show where pitches of hundreds of vendors blur into one and no security practitioner can ever tell what a specific company does and whether a product it advertises works (or even exists)
This, admittedly, is my most polite and reserved summary of people’s thoughts as the actual wording can get much more creative, depending on whom you talk to. The vast majority of security leaders and practitioners nowadays prefer to avoid the event altogether deeming it a shame of the industry, a waste of time, and a place that gathers all the evil forces that make security the mess it is today.
I have been reflecting a lot about the nature of RSAC and its role in the cybersecurity ecosystem and concluded that most people have a fundamentally incorrect understanding of what the RSA Conference is.
The RSA Conference iceberg
The best way to start understanding the nature of the conference and the role it plays in the cybersecurity ecosystem is to identify the components that make the event what it is and look at each of them separately.
While there is much more happening at the annual conference, the following four elements are most prominent:
Vendor private parties
These four components are what most attendees worry about when they plan their RSAC schedule, but things that truly matter do not happen there. In its essence, the RSA Conference is an iceberg. First, there is the part above the water - what people see, get excited about, and focus their energy on. The above-mentioned Expo floor, all kinds of events, innovation sandbox and launchpad, and even the invite-only private parties hosted by the vendors all fall under this category.
The true force of an iceberg, however, is the part under the water - the part people do not see, and quite often do not even suspect its existence. This part of the conference is devoid of any marketing buzz, sales fluff, and the madness of the expo floor.
Breaking down the RSAC iceberg
The Expo Floor
First, let’s get the obvious out of the way: the Expo Floor, the place most people picture when they think of RSAC, is the highest-noise, lowest-importance part of the event. Ironically, this is also where the attendees spend most of their time, wandering on the floor, from one booth to another, trying to make sense of what different companies offer, or simply collecting swag just to later toss most of it into the trash cans at their hotel rooms, keeping only socks and some t-shirts.
The Expo Floor of the RSAC looks a lot like one of the street markets popular in developing countries. If you have ever been to one of these, you will understand what I mean: hundreds of booths that all seem to be offering the same thing, sellers some of which are trying to attract buyers with creativity and others that simply pull them by hand, negotiable prices, inability to assess the quality of the product, and so on. Because there is so little differentiation and the produce is basically the same (all “cheap”, “fresh”, and “delicious”), those who are more aggressive, will win.
Walking on the RSAC Expo Floor can be eye-opening because it makes one experience what CISOs & security practitioners go through daily: an army of “me too” vendors all helping to “stop breaches, prevent ransomware, cut costs, and become a single pane of glass”.
The fact that the Expo Floor is so chaotic makes it obvious any attempts to summarize “trends” by walking around are less than useful. First, the positioning of most companies is so generic that it’s almost impossible to understand what they do. Second, it is not clear what percentage of the startups on the RSAC expo floor sell the product and capabilities they have vs the product and capabilities they are planning to release “soon”. Third, since the overwhelming majority of startups on the floor are venture-backed, the fact that they offer a certain product and have a big booth doesn’t mean that anyone is buying what they build. This list can go on and on, but one thing is clear: any analysis explaining what market segments were popular at RSA is unhelpful.
Another of my observations is that the number of people on the floor who work for security vendors greatly outweighs the number of any other category of attendees, especially buyers. RSAC, therefore, isn’t an event where companies can get new customers (definitely not on the Expo Floor). All of this combined - the competition, commoditized offerings, and the absence of economical buyers - begs the question: why do vendors invest hundreds of thousands and sometimes - millions of dollars in their Expo Floor presence? The answer, in my view, is complicated because no company starts by spending so much from day one; the story typically goes as follows.
For a cybersecurity startup, the first official presence at the RSAC is like a ritual of initiation: it signals to the market that this company is “real”. Moving from the early-stage expo into the Expo Floor is the second big step that shows everyone that the company is becoming a visible player in the market. Although it wouldn’t matter as much in other industries, it does in cybersecurity where the reliance on trust is high, and any sign that the company is stable and growing is important for customer acquisition. From there, signaling and getting an ever-larger presence on the Expo Floor often become an addiction, just like raising more capital. Nobody wants to see the size of their RSAC booth go down because it would imply that the company is in trouble, and so more and more money is spent to “look big”.
As time goes by and marketing budgets grow, executives start asking for proof that spending so much on RSAC presence makes sense. Tasked with this mission impossible, marketing departments double down on chasing what looks like a good metric: the number of “leads”. By the time the “lead-gen” directive reaches those on the floor, it means one thing: scan as many badges as possible. It no longer matters if a person just stopped by to get a free t-shirt, or if someone dropped glasses in front of the booth and had to bend to pick them up - everyone’s badge will be scanned, and emails included on the “nurture” campaign as a lead. Some marketing departments go as far as to buy “lists of RSA attendees” from scammers (RSA Conference, for obvious reasons, doesn’t offer personal data for sale).
The RSAC Expo Floor plays a role of a photographic developer (a chemical that converts the latent image to a visible image) as it brings to light everything that is wrong with the industry: marketing and sales teams scanning everyone’s badges instead of building connections, vendors proudly displaying the pay-to-play “awards” that recognize them (all!) as “market leaders”, and huge booths greatly disproportionate to the grim reality of the companies putting them up. And yet, despite the disproportionately large size of the Expo Floor, what happens there is probably 5% at best of the value one can get from the conference.
As RSA Conference is, well, a conference, it offers a wide variety of sessions, typically featuring security leaders, investors, vendors, and industry insiders. The talks tend to be more high-level, although the breadth and depth vary dramatically from one speaker to another.
People rarely come to the RSAC to attend sessions and panel talks and those that do show up, do it strategically, for one of the following reasons:
To show support to their friends who are speaking
To meet some of the speakers
To network with other attendees who might be interested in the topic
To get some breakfast and a morning coffee
This is rather unfortunate as many sessions can be quite good, especially for future founders and those interested in the business side of security. Admittedly, there are very few sessions useful to technical hands-on security practitioners (for that, I’d go to BSides, Blue Team Con, THOTCON, ShmooCon, and others). The pass that includes RSAC sessions is very pricey, making it unlikely that security practitioners or aspiring founders end up in any of these events. The target audience includes CISOs, investors, channel partners, those working for established security vendors, industry analysts, and the like.
RSAC innovation ecosystem
RSA Conference innovation programs are an umbrella term for a set of initiatives designed to foster innovative ideas and approaches in the industry. Although there are many different options, the following four, in my opinion, are most relevant to anyone interested in early-stage companies and up-and-coming approaches:
RSAC Innovation Sandbox - a pitch competition where ten shortlisted early-stage cybersecurity companies present their approaches to the panel of judges who then award the winner with the title of “Most Innovative Startup”. It is free to enter the competition.
RSAC Early Stage Expo - a special area at the event where emerging cybersecurity startups get the ability to showcase their products. For a fee substantially lower compared to the prices of the RSAC booths, startups get a small stand where two people at a time can present their work.
RSAC Sandbox - probably the only and coincidentally the least known place at the RSAC for technical security practitioners. There are hands-on labs, Capture the Flag (CTF) competitions, and other activities designed by and for security professionals.
RSAC Launch Pad - a pitch event for startups whose products haven’t yet hit the market. As a part of this event, three shortlisted companies get to present their ideas to investors and people in the audience.
In my opinion, RSA Conference innovation programs are the only formal part of the conference worth attending for hands-on, technical security practitioners interested in learning what new stuff is being built in the market, and early-stage entrepreneurs. Most of these companies are small enough to have founders on the floor (or at least close by) who can easily go from sharing their vision to explaining how the product is built, what tech it uses, and what problems it solves. When talking to early-stage founders at these innovation programs, you see people who are still capable of discussing problems and debating approaches to solving them, instead of saying “Just get my tool”. By the time their companies “graduate” into the main Expo Floor, it will be much less about solving problems, and much more about scanning badges and handing out swag.
One of the observations I made at the last RSA event is that truly up-and-coming innovation at the RSA doesn’t wear the vendor badges; it wears the cheapest (and often free) Expo badges. Some of the most interesting people I’ve met at the innovation events were founders of startups that are so early that they don’t have a working product or even a legal entity, let alone any “official” presence at the RSAC.
The part that typically gets a lot of praise is evening drinks and parties, typically organized by vendors and investors. The size and the levels of exclusivity of these events vary. Most are hosted in venues such as bars, pubs, and restaurants around the Moscone Center, and fit anywhere between 50 and 100 people. Although every event has a limited capacity and requires registration, with very few exceptions, those who haven’t made it on the list can show up and get in regardless. The tracker that includes many of the unofficial events accessible to the public is crowdsourced yearly; here is the one used in 2023.
Security vendors organize events to reconnect with customers, partners, investors, and the broader networks of friends, prospects, and advisors, while VC firms do it to deepen the relationship with their portfolio companies, industry partners, and founders. Many startups choose to organize socials with their partners, which allows them to broaden the audience and control costs (renting any venue during the week of RSA can get very pricey).
I find that these after-hour events are a great win for everyone involved. For people, it’s a great way to relax, rest and have meaningful conversations with those interested in building relationships, forging partnerships, and looking for ways to work together. For vendors, they make it possible to get people they want to talk to out of the madness of the main RSAC event where their attention is being bombarded non-stop by the shiny lights and loud sounds of the conference. Moreover, if done well, it can also be a great investment: for less than it costs to put up a booth on the RSAC floor, security companies can connect with those they actually want to talk to and make it a good experience (not a transactional exchange) for all sides.
My personal favorites are invite-only events for friends and partners of the organizers. This is because they further filter the crowd and remove anyone looking to simply get a free drink and a snack. The quality of connections automatically goes up when the attendees have some interests, ideas, backgrounds, or approaches in common.
The invisible parts
The biggest and arguably the most important part of any iceberg is the part not visible to outsiders; the RSAC iceberg is not an exception. This is the main reason so many people in the industry are bewildered when they attend the event for the first time asking themselves why would anyone voluntarily agree to partake in this carnival of vendors.
The truth is that the most important part of the RSAC happens outside of the Moscone Center, official and unofficial events, and events sponsored by vendors and VCs. Instead, it happens in private conversations in the lobby of the W hotel, Blue Bottle Coffee, Starbucks, private hotel rooms, coffee shops, and offices of VC firms conveniently located in downtown San Francisco. It happens during private lunches and dinners. It is at those invisible to an untrained eye events that contracts are negotiated, partnerships agreements are sealed, and terms of financing are discussed. Away from public attention, founders, investors, channel partners, and other players in the ecosystem brainstorm go-to-market strategies, set in motion joint ventures, and kick off initiatives that define the future of the industry.
Smart founders and busy executives do not rely on the RSAC schedule and serendipitous interactions alone to see what happens at the event. They reach out to those they want to meet weeks ahead, knowing that during this one time of the year, most people shaping the industry will be in San Francisco downtown, regardless if they’re native to the area, or if they call other areas home - be it DC, New York, Tel Aviv, or London.
RSAC isn’t an event, it’s a global appointment
What many people don’t understand is that the real RSAC happens outside of RSAC. For those who come to San Francisco with intention, the presence on the Expo Floor is just noise. RSAC isn’t an event in a classical sense, it’s a global appointment for security executives all over the world that says “I will see you in San Francisco during this time”.
There are indeed many problems surrounding the RSAC. There is a lot of noise at the Expo Floor, a lot of nonsense marketing, and transactionally-inclined vendors scanning everyone’s badges because they were given a directive to “generate leads”. It is also true that there is a lot of homelessness in Downtown San Francisco. And, during the week of the event, hotel prices in the city skyrocket. What is also true is that in the world of remote work, the value of in-person interactions has increased dramatically. Cybersecurity is based on trust, and despite the ever-increasing levels of technological advancement, we need to shake someone’s hands and look them in the eyes for that trust to be built.
Sometimes I wonder: since the value of RSAC isn’t in the Expo Floor but in the events that happen outside of Moscone and in-person interactions, what would happen if the Expo Floor was gone? What if the conference could, indeed, evolve into a place where we go to attend sessions, hear about new ideas, and debate new approaches to security? What if we can build an industry where the answer to the question “How should I approach securing my X?” isn’t “Just deploy my tool!”.
I don’t know if RSAC will ever evolve into a place where the industry can engage in serious discourse about the problems that matter. I have high confidence that we would highly benefit from such an event. For now, let’s preserve what we have and don’t let events like BSides, Wild West Hackin' Fest, THOTCON, FIRST Conference, and ShmooCon, to name some, turn into RSAC Expo Floor.
Making the most out of RSAC attendance
Since we have to make do with what we have, the security industry must understand how to make the most out of RSAC.
For security startups, presence at RSAC is an important signal for investors and potential customers. However, the size of the booth matters little: their money is better spent inviting a small number of allies, investors, customers, prospects, and potential partners into small, well-planned private events and one-on-one conversations.
Established security vendors need to understand that RSAC Expo Floor presence is not imperative, it is optional. If they do choose to participate, the best they can do is to limit their appetite for insane booths and treat the cost of RSAC as a cost of doing business, not an investment. The return on investment (ROI), if one could calculate it (but no one can so don’t expect your marketing teams to do it) is almost always going to be negative. Even when it’s not - it is still inversely proportional to the amount spent, which in simple words means that the more money you spend on RSAC, the less ROI you are going to get.
Vendors would do well by practicing ethical marketing: don’t claim that you do things you actually don’t and focus on communicating value in simple words instead of repeating the newest buzzwords. Any company should understand that mass badge scanning and judging the work of marketing teams by the number of “leads” they bring can only impact their brand negatively, as will spamming people’s inboxes after the event. To make the matter worse, most of these “leads” are going to be students and other vendors. Focus on having deep, genuine conversations with those who care about what you do and want to hear from you instead of exchanging stickers and pens for useless emails.
RSAC is typically well-attended by resellers, consultants, integrators, and IT firms so it can be a good place to form relationships with prospective channel partners.
Adventurous conference attendees who choose to spend time at the Expo Floor, need to understand what they are getting themselves into. They should also stop trying to make sense of the noise and predict where the industry is moving by looking at how many vendors fit under a specific “category”. This exercise is pointless: a large percentage of the vendors on the floor are bleeding money, and an even bigger part is working hard to position one trick ponies as revolutionary billion-dollar markets.