It's Time to Break Up the RSA Conference

In 1983, the late Harold Greene presided over a consent decree that broke up the Bell System. While you might debate the national security implications of that divestiture, you cannot debate the innovations that followed. Just a quarter century later, for example, we all watched as Steve Jobs hopped on stage to demonstrate the new iPhone. I believe this superb invention, and many other advances since, were enabled by the break-up.

Which brings me to the RSA Conference. I first started attending the annual event in the mid-1990s, and believe it or not, the conference during that period was both relevant and edgy. It made real news, held real fights (remember Clipper), and accepted real technical papers by real experts. I still have one of those iconic RSA Conference posters from the mid-90s showing NSA as the only agency that “listens to its customers.” Awesome.

Today, however, the RSA Conference has devolved into a routine event for mid-lifers with booth-after-booth-after-booth of the same-old, same-old. And just as with AT&T in 1983, this situation was not caused by bad leadership, but rather by that terribly unavoidable corporate condition: The dreaded S-curve. I believe the RSA Conference has finally reached the top part of that scary curve, which is why it’s time to take action.

Let me acknowledge that the RSAC corporate ownership, its fine program committee, and its expert conference advisory board will explain that they’ve evolved the event. They will point to the new programs, sessions, competitions, and on and on. But look – AT&T said all the same things back in 1983. They were just as averse to change as I suspect RSA leadership will be to my recommendation. No one likes change, really.

But not acting will be bad for business. Steve Martin, for example, quit his stand-up act back in the ’70s when he noticed just a couple of new empty seats in the back row. Similarly, I’d recommend that RSAC leadership act accordingly while the conference is still strong. If they don’t take action now, then RSAC will continue its slide toward becoming the cyber security equivalent of (ahem) a Wayne Newton Show in Vegas.

Here’s what I recommend: RSAC leadership should sunset the existing advisory board (no offense to my friends). It should then create five new program committees with no member over twenty-nine and at least two-thirds women. These five new committees should then caucus over beers outside Whisler’s to reinvent five crazy-interesting conferences with themes that are meaningful and edgy. They should push the envelope.

Then the PCs should reinvent how these five new S-curves are physically held. It could be something cool like those crowdsourced, simulcast, conference-BNB things. Maybe it could involve using the headquarters of security companies from around the world. Instead of having physical booths at Moscone, vendors could host concurrent RSAC three-day parties for anyone who chooses to come to their venue. Or whatever. It would be fun.

Look – I know this would be a jolt, but if RSAC continues on its present path, then here is my prediction: Within three years, the RSA Conference will book fewer than 20K paid attendees, and it will start to lose its grip on the vendor community. Perhaps worse, the current show is really turning into a BoomerCon. Just like Spot the Fed at DEFCON, RSAC could initiate a Spot the Non-Boomer contest. It would be quite a challenge.

By the way, Black Hat is the new RSA Conference. Just look at this sponsorship page for a conference that started as anti-establishment. Rich Powell and I developed a cartoon to lampoon this inevitable transition. You see, Black Hat is riding up the middle of its S-Curve. It is still somewhat edgy, and still somewhat relevant. In a few years, I’ll probably be whining that they please stop kicking their conference can down the road.

Oh – and there’s this: RSAC 2020 attendance looked to our TAG Cyber team to be about 50% down. This had nothing to do with the conference and everything to do with the virus. But it is precisely such random events that can trigger a downfall. Some security vendor or enterprise team might notice, for example, that the earth continues to rotate despite not having been at RSAC. This leads to a decision next year to maybe . . . well, you get the idea.

I believe that breaking up RSAC into five new conferences is good business for the owners and healthy for our industry. Even the venerable AT&T, where I spent most of my adult life, thrived mightily post-divestiture despite decades of fighting the courts. If RSAC ownership wants to protect its investment, then they will listen to my advice. If they don’t – well, at least RSAC 2025 will be easier to navigate, because no one will be there.

I hope they listen.