One of the most commented-on cringe moments was the flashmob dancer media stunt. On X (the platform formerly known as Twitter) the comments were a bit biting, with many referencing security flaws in existing products that have not been addressed and others remarking on what looked like a bad way to spend money. After cutting forecasts and seeing a direct impact on stocks, the over-the-top dancer routine and drone exhibits were viewed by some as financially irresponsible. Now, everyone knows that marketing is important, but considering the existing challenges at the product level, these stunts seemed tone deaf at the very least.
Next up were comments from CISA about the strength of US cybersecurity and how it is going well. This sparked a few interesting comments on how this was simply not true given the decrease in spending on cybersecurity, the layoffs at cybersecurity companies, and a recent rash of 8-K filings with the SEC covering breaches. It is also worth noting that several suspected breaches were disclosed during the RSA event, and while a few have not been confirmed, at least one event at Dell has been, with notices already sent out to affected customers.
Many in the industry have felt that RSA has become a bit like the LinkedIn of conferences. It is pure marketing with the same hype and toxic positivity found on LinkedIn. It glosses over some of what is going on in the real world in order to tell you that everything is going to be ok. Sadly, the state of security is more like the Kevin Bacon scene in “Animal House” with him screaming “All is well!” as people chaotically run past him. Then again, I am old enough to remember hearing things like “Black Hat is the new RSA” when talking about the value one can get from going to the conference.
Now, before the RSA people and their fans start grabbing pitchforks and torches, I am not saying the conference is worthless or saying do not go… well, I might be saying that if it stays in San Francisco given some of the stories I heard this year, but I am getting off the point. Conferences, even RSA, are still important: they allow people in the industry to talk, meet, and compare ideas and thoughts. Where things go sideways is when they become more like a rally than a conference, and I do feel that RSA has tipped over that particular hill and Black Hat is not too far behind.
Both events can get back to their roots easily enough with a subtle shift in what is presented, how information is shared, and how training is accessed, and by bringing back just a little bit of the real world, you know, the not-so-positive side of things. This is where authenticity matters, instead of the show feeling like the “Everything Is Awesome” song… sorry, but it just isn’t.
For now, I will just leave people with what I have said for a while now. RSA and Black Hat are events that showcase what the industry thinks is going on; Def Con (and especially Skytalks) and BSides are what is really going on. At least until Def Con, too, turns into a more corporate event and Dark Tangent feels the need to sell it off and create a new one. Some might be thinking this is not too far off, as Def Con 2023 saw an increased presence by the US government and seemed to have more corporate presence than in previous years. For me, I think there is value in bringing a small part of the government and corporate people into the show; it can illustrate the current state of the target environment and show that the infosec/hacker/cybersecurity community is not the bad guys. Still, it should be limited in scope so that Def Con does not become another RSA with tone-deaf speeches and marketing.
Ok. Soapbox put away, for now.