The Center for Education and Research in Information Assurance and Security (CERIAS)

The RSA 2019 Conference


I have now attended 13 of the last 18 RSA Conferences (see some of my comments for 2016, 2015, and 2014). Before there were RSA conferences, there were the Joint National Computer Security Conferences, and I went to those, too. I’ve been going to these conferences for about 30 years now.

As I’ve noted from previous years, the deep content simply isn’t here. I no longer attend to learn about anything new and innovative — if I encounter such a thing, I view it as a pleasant surprise. Instead, this is basically a time and place where I can catch up with many friends and former students, see some industry trends, and maybe score a few new T-shirts. It also is a good intro to my spring workout schedule — I do about 20 miles of walking over 5 days, and I don’t eat many full meals.

Here are some of my random takes on this year’s conference:

The Program

  • The program is far too full, with all sorts of concurrent workshops and sessions. Most of them are simply people spouting obvious maxims and recounting basics as seen through the lens of the company they represent. It is difficult to pick out ahead of time the ones that aren’t really a waste of time if you know something about the field already.
  • Major talks seem to fall into two categories: executives speaking in slots their companies paid for, and “celebrities” who end up speaking nearly every year. Some of the latter are quite talented, but there is a déjà vu element at play.
  • Most of what is presented in sessions would not be a surprise to my students (at least, not the ones who stayed awake in class). I ran into about 15 former students here, and some basically repeated that to me. Apparently, there is a demand for being told unsurprising, basic information at conferences.

The Exhibitors

The Moscone Center was packed again. It took well over 2 days to walk all the booths, asking questions at some and skipping others. Overall, I was not impressed.

  • Once again it seemed that about 20% of the booths were new companies we had not seen before…and may not see again. For many new starts, the VC money is spent to create a booth here, and if the company doesn’t catch a certain level of notoriety (and sales), it may not exist a full year.
  • Many more non-US companies were exhibiting here this year. I recognized players from the UK, Canada, China, Taiwan, Germany, Korea, and the Netherlands.
  • The consolidation trend is more obvious: M&A activity has been integrating smaller companies into bigger players to provide more of a “full suite” solution to customers. Bigger companies tend not to take risks to innovate internally anymore. Instead, they let small companies do the innovation, and if they survive, they get gobbled up.
  • No apparent buzzword trend this year. Big data and threat intelligence were prominent a year ago. I was afraid that this year I would be overwhelmed with some combination of “blockchain,” “AI,” and “data science.” Thankfully, that didn’t happen. Maybe next year?
  • Over half the booths had no words or diagrams on the walls to indicate what the company actually did or why I would want to stop to talk to the people there. A majority made claims such as “leader,” “complete,” “new” and other such adjectives that were clearly false or unverifiable.
  • Conference management has been good about keeping the vendors from employing “booth babes” (see my links to the 2014/2015 conferences, above). To bring people into the booths, the leading contenders seemed to be participatory video games, contests to win drones, and people in white lab coats. One vendor was even raffling off a car. If the companies did a better job conveying what they were doing, perhaps they wouldn’t need these gimmicks?
  • Sideshow-style 15 minute, loud presentations in big booths were more prevalent — and still obnoxious. Several of these presented a traffic hazard when trying to walk by them.
  • At some locations the personnel were especially obnoxious about trying to scan every badge of every person even walking in the aisle. Most were polite, however, and a few were even friendly. I enjoyed talking with many people.
  • Socks seem to have replaced T-shirts as the predominant clothing giveaway. There were still some good shirts to be obtained, however. One vendor rep was joking that next year it will be branded underwear.
  • I got the sense budgets were leaner at many companies — fewer people, fewer giveaways.
  • I noted two companies had commitments to donate to non-profits when people visited their booths: Tripwire and Tinfoil Security. Kudos to them. I’d definitely rather have that than a fidget spinner or a box of mints.

More generally

I had a few people recognize me and say hello. That happens less each year. I am not so vain that I expect people to recognize me, but I do feel somewhat the dinosaur to be wandering the aisles when people don’t know my name even with prompting. My wife (who wandered the floor with me) found it particularly amusing when they tried to argue security concepts with me, or teach me history. One fun example was when a couple of people tried to explain the history and operation of the Internet Worm to me. Another fun time was had at a booth when a sales guy tried to dismiss my comments about his product with my “The only secure computer is one encased in concrete…” meme without knowing it was my original quote or who I was; I first uttered that years before he was born! (See #8 here.) He was annoyed I started laughing.

Despite GDPR coming into force in the EU (and the rest of the world, for large companies), privacy was hardly mentioned at any booth. Apparently, that isn’t of interest to this crowd.

There were some really questionable decorations. One booth was highly illuminated in bright green light. It actually made me feel a little nauseous; what were they thinking? Others had bright flashing lights (distracting, annoying, and probably a trigger for people with migraines or epilepsy). Word salad was the norm on too many booths. Few appeared to be accessible to the mobility impaired, although I only saw 3 such people on the floor in 3 days.

I saw a few vendors who effectively claimed they supported customers keeping longer audit logs that could be examined to find evidence once a breach was discovered. Think about that — the assumption is that assembled products can’t protect an enterprise well enough, or respond quickly, so that a months-long record is needed to find out when and why the failure occurred. Furthermore, that idea is normalized enough that there are companies that can sell products & services around it. Crazy.

There seem to be more advertised products/services around metrics. They don’t agree with each other on what they should be measuring or how they do it, but they claim to measure “security.” In many cases, I conjecture throwing dice would be cheaper and about as useful.

I was disappointed by the expertise and horizons of some of these people. I talked to the “CTO” at more than a half-dozen of the vendors, and their knowledge of some basic terms and history seems to reach back only about 5-6 years. This contributed to the claims of “brand new!” for several of them — they had no idea what was done before. (This is a problem rampant in academia, too — if something occurred before Google was able to index it, it never happened, apparently.) After failing to find any reasonably-aware person in my first half-dozen attempts, I stopped looking.

Sadly, the lack of foundations for the people at most of the booths mirrored the lack of a solid foundation for the products. There are some good, useful products and services present on the market. But the vast majority are intended to apply bandaids (or another layer of virtualization) on top of broken software and hardware that was never adequately designed for security. Each time one of those bandaids fails, another company springs up to slap another on over the top. That then leads to acquisition and integration into security suites. No one is really attacking the poor underlying assumptions and broken architectures. (See my last two blog posts here for more on this: here and here.) This is related to why I don’t submit proposals to talk at the conference — I tried a few years ago and the message conveyed to me was that it was out of step with what the sponsors wanted presented. The industry is primarily based on selling the illusion that vendors' products can — in the right combination and with enough money spent — completely protect target systems. Someone pointing out that this is fundamentally flawed is not a welcome addition. I get that a lot — it is probably why I don’t get asked to be a company advisor, either. People would rather believe they can find a unicorn to grant them immortality rather than hear the dreary truth that they will die someday, and probably sooner than they expect. Instead of hearing that, let there be bread and circuses!

I am giving serious thought to this being my last RSA Conference — the expense is getting to be too great for value received. The years have accumulated and I find myself increasingly out of step here. I want to do what is right — safe, secure, ensuring privacy — but so much of this industry is built around the idea that “right” means creating a startup and retiring rich in 5 years after an M&A event. I don’t believe that having piles of money is how to measure what is right. I will never retire rich; actually, because I will never be rich, I probably can’t afford to retire! I am also saddened by the lack of even basic awareness of what so many people worked so hard to accomplish as foundations for others to build on. We have a rich history as a field, and a great deal of knowledge. It is sad to see that so much of it is forgotten and ignored.

Oh, and I wish those damn kids would stay off my lawn.


Posted by Sam Bowne
on Thursday, March 7, 2019 at 02:29 PM

Did you go to BSides? I find it a lot more fun than RSA.

Posted by Gary Hinson
on Thursday, March 7, 2019 at 08:00 PM

So RSA is a sales-fest, eh, Spaf? Roll up roll up get your security solutions here! Although I haven’t ever been to one (it’s a long way from NZ!), I’m not surprised at your findings. I used to go to the annual infosec ‘conference’ (sales-fest) years ago in London until the point that the sales pitches, booth babes, gloss and glitz got too much. The rise of the ‘hospitality suites’ and ‘private functions’ was the final straw for me! The antivirus companies (at the time) had the biggest, most brash booths and seemed utterly unconcerned with actual security - just sales and out-glitzing their competitors. The smaller booths were far more interesting with some truly innovative products tucked away in the cheap corners, off the beaten track ... with less foot-traffic and hence depressingly quiet. It might have been nice for the organisers to reserve and offer discounted top-spots for the most exciting and innovative newcomers, except of course that the struggle to land those concessions would, today, be just a social media bun-fight among the marketers, leaving the geeks in their caves ‘where they belong’ ... unless, that is, you can see a way for the greybeards and academics to shortlist the contenders?

As to the presentations being not even subtle sales-pitches, it’s much the same at most conferences these days. They expect presenters to pay their way, sometimes even pay the conference fee AND buy a speaking slot, hence surprise surprise virtually all the presenters are ‘sponsored’ by vendors, with obvious expectations to earn their keep. The keynote speakers seem to get some compensation and are occasionally fantastic - guys like you with a wealth of experience, engaging presenters and the guts to step out of line - but most, in my experience, are conceited, egocentric and full of it.


Posted by Casey Corcoran
on Friday, March 8, 2019 at 12:42 PM

Spot-on observations, Dr. Spafford. Informative, new content has been missing from RSA for some time now. And that isn’t surprising. News travels the speed of the internet. How is an annual meeting supposed to unveil anything substantial that hasn’t already been seen by millions of eyeballs? For me RSA is useful as a convenient place and time to meet people you want to meet or already know and don’t see enough.

Most interesting for me are your observations regarding the trends toward consolidation and fewer buzzwords.  I think these signal a market space that is tired of point solutions and unsubstantiated claims.

Posted by Joe
on Friday, March 8, 2019 at 03:08 PM

I agree 100% with your observation of RSA presentation Deja Vu. I however noticed a thematic undertone of the “Zero Trust Model” with an emphasis on the Google BeyondCorp framework/paradigm. I’m starting to see that it’s being pushed to the top of the sales and marketing ‘silver bullet solution’ buzzword bingo stack.

Posted by Kevin Kumpf
on Saturday, March 9, 2019 at 12:06 AM


We have known each other virtually for many years. And if I went into how we exactly met I would lose 75% of the people with the mention of things like alt.bizarre and vax 11/750 or 2400 baud.

Which brings me to the point of this comment. Cyber Security has evolved from an elder statesman’s domain to a young hipster’s world where they know it all without having ever been on the inside in many cases.

This is akin to the notion when I started in the industry that people who worked on mainframes didn’t truly grasp security like the up and coming world wide web guardians of the Erwise landscape.  And ever so slowly, or quickly those mainframe gurus were out the door being viewed as luddites working on outdated technology in many circles.

And yet today their knowledge is in demand and they are viewed as some of the original keepers of the crown jewels in security. I am not going to get into the logic behind booth babes, and coffee and kumbaya dispensing gurus in every other booth, but I would recommend next year you walk around in a shirt that says original rainbow warrior on the front. You can leave them guessing what whales have to do with security, though we all know it’s in reference to books (you all knew this, right?). On the back a picture of George Santayana, with “Those who cannot remember the past are condemned to repeat it.” written underneath it. That way you can perplex them both coming and going.

And lastly respect your elders. One day you will need us again and respect is a two way street.

Posted by Jason Hong
on Saturday, March 9, 2019 at 11:55 AM

Hi Spaf,

We had a really fun session on Monday (the first day) on Security, Privacy and Human Behavior. This was a session of academics organized by Lorrie Cranor, and we talked about some of the latest research on passwords, social media and privacy, Internet of Things, decision making, browser security, and more.

I think it worked well because of the scientific aspect of security, the topics (the human dimension of security, something everyone can relate to), and because we weren’t trying to sell anything (other than our own research). It’s also a good bridge between academia and industry, which we’re sorely lacking right now in privacy and security.

Posted by Josh Marpet
on Saturday, March 9, 2019 at 12:51 PM

Make you a deal. Come to one of my conferences. Bsides Delaware, Bsidesdc, and come to the spawncamp. Enjoy the kids and actually teaching people who will listen.

Please? smile. I’d love to see you enjoy.

Posted by Peter Baurichter
on Sunday, March 10, 2019 at 11:16 PM

Dear Dr. Spafford,

When reading your post about RSA and then especially this line “I no longer attend to learn about anything new and innovative ...” then my thoughts were that your disappointment is something natural.  You continue to learn but there is no such thing as a collective learning of RSAC. There is perhaps a history and associated learning curve of individual security vendors at the exhibition but then again so many of them are new to the security market.
So being disappointed means one is learning, moving forward and is actually healthy.

Then I wanted to ask about your point: vendors claiming to keep audit logs longer: isn’t that just to look backwards in your logs to see if a company network that you try to protect has been communicating with a newly discovered C&C server (example)? So isn’t it actually a good thing? I believe Google’s backstory is using this as well for their unique selling points: keep logs for at least a year while many companies purge it after 6 months.

Spaf sez:  The implication of keeping logs further back means that we are aware of —and in some sense, tolerating—not detecting a problem for a year or more.  That is a form of accepting defeat.  It is normalizing failure.  That is what is depressing.

Posted by Anky
on Monday, March 11, 2019 at 11:54 PM

I agree 100% with your observation of RSA. Good Information. Thank you.

Posted by Michael Borohovski
on Tuesday, March 12, 2019 at 02:03 AM


Agreed on nearly all counts, but especially on Tinfoil Security getting kudos. wink (I’m the cofounder & CTO)

I would love to chat sometime; I suspect (and I hope this doesn’t come off as arrogant) I’d be one CTO you’d enjoy having a conversation with, and I know I’d enjoy having one with you. smile

Feel free to shoot me an email anytime at either or; I’d love to have a conversation, talk about topics that might interest you, get advice, ... or just bitch about RSA. smile

I leave it in your court so as not to bother you in your email.


P.S. Because of RSA, we got to donate $5000 to the Humane Society of Silicon Valley and both of the cats who were there have long adopter lists. Community is one of Tinfoil’s four values, and we really do try to live by the values we set. If nothing else, thanks for the shoutout.

Posted by Hilary Hosmer
on Tuesday, March 12, 2019 at 12:54 PM

For innovation I hope you check out the New Security Paradigms Workshop (NSPW) at
This tiny (max. 40 participants) sounds like your cup of tea. Authors of accepted papers are invited, and the Call for Papers is available at


Spaf sez:
I have had several papers in NSPW.  It is a good example of a positive conference experience, although it may not be a good conference for practitioners vs. researchers.

Posted by Daniel Noriega
on Wednesday, March 13, 2019 at 06:08 AM

You know what’s worse than RSA? Old InfoSec Curmudgeons acting their age and going on the internet to complain about the “youth”. Predictable behavior. I had to laugh at some of these comments citing an underappreciation for all of the technology and security accomplishments to date. It’s not the tech vendors’ fault that there are so many new products claiming to be new, it’s a failure in our education system and family values, frankly, that have failed to hold students accountable for understanding history. Plus those old concepts that new products are built around are almost always incrementally different from one another and add a new perspective to the use of an old idea. It’s called ‘i-n-n-o-v-a-t-i-o-n’, just not sea change stuff.

While I also went to RSA, I avoided the Expo. I didn’t need to get my annual dose of snark tank filled but this reads like you went to the Expo for the purpose of complaining about it.  I went for the meetings around the meetings where those pathetic looking tech vendors get their day in court. There is no action in the Expo, we all know this.

If you’d been to RSA for the last 13 years, you should have seen this coming and avoided it. Were the free T-shirts so compelling or did you simply need fodder to write a whiny blog and drive traffic to this ancient site?

And I had to LOL, openly contemplating your ability to be recognized by others at RSA - is this because your claim that you are the most reconfigured security professional in the world through the self-description on YouTube might be untrue? Certainly, it is egocentric.

Bottom line - hold the vendors at RSA accountable for their products and ideas, but do it with facts and humility. Mildly annoying booth children will be mildly annoying booth children regardless of a blog post, expect it.  Also, #GoBoilermakers

Posted by Edward G. Amoroso
on Friday, March 22, 2019 at 02:15 PM

Spaf -

If I’d have attended RSA this year (I had a family commitment that allowed me to play hookey), I sure would have appreciated you being there!

But then, I guess I am getting old too.

Thanks for the fun note.

Ed Amoroso
