For years now, I am asked if I will be at the RSA Conference (RSAC). Invariably, I answer no because I will not subject myself to it, or support the conference in any way.
The short answer as to why, is that it is basically the “Comdex” of InfoSec. Overly large, full of flash, and mostly a waste of time. Rather than real value or progress, RSAC offers the same buzzwords and claims of innovation that fail us year after year. The same technology from last year, five years ago, and often ten years ago is rebranded, given a new interface, and sold to us as if it is the next great miracle that will magically solve all of our security woes. Every year, security gets worse, attackers get better, more systems are compromised. RSAC is doing nothing for us.
And then there are the keynotes. The biggest names in InfoSec! People that make the news, lead the biggest companies, boldly take on the title of “visionary” or “thought leader”. They give banal talks that rehash the same ideas that are supposed to be the fundamental core of our business. Rather than providing real help, they offer us crappy analogies and the latest buzzwords. These platitudes fill the seats with professionals that are excited to be there, walk away feeling they got some kind of value, and return to providing mediocre services that consistently fail to secure the networks they consider so valuable.
Watching Tweets from the conference are absolutely disgusting. The blatant fan-boy attitudes, getting excited about free giveaways, bragging about the parties attended. They live-tweet talks that frequently offer the same platitudes and buzzwords as the keynotes. The worst part, they don’t even realize they are part of the problem.
Speaking of the parties, this year has around 70 parties crammed into one week. Remind me, as an industry, what exactly are we celebrating? Record number of data breaches, almost a thousand vulnerabilities disclosed every month, endless malware, new types of attacks that are harder to detect, compliance initiatives that waste time and offer no lasting security. Are we celebrating that? Or that these security companies continue to make stupid amounts of money selling inferior products and solutions?
So no thanks, not interested in attending the security cesspool.