The RSA Conference has gotten bigger and louder — not just because of the clamoring sounds of tens of thousands of attendees, but also due to the din of construction equipment as San Francisco works to rebuild the Moscone Center. Despite all the noise, this year’s attendees heard a number of key themes reverberating loud and clear throughout the conference as experts shared ideas about where the industry is heading and how security professionals can build strong foundations for the future.

Key Themes From the RSA Conference 2018

This year’s event featured a stronger emphasis on diversity in cybersecurity, a sharper focus on emerging technologies such as the Internet of Things (IoT), and too many captivating insights and discussions to sum up in a single recap. So let’s focus on some of the major highlights. Below are four key takeaways from this year’s RSA Conference.

1. RSA onDemand: The Gift That Keeps on Giving

This year, the conference organizers made a lot more recorded content available online, enabling attendees to catch up on presentations they had to miss. Given the number of concurrent sessions — not to mention the difficulty of navigating around heavy construction machinery — the online recordings certainly came in handy.

2. Promoting Inclusion and Diversity in Cybersecurity

The solid speaking lineup at the crowdsourced counter-show, OURSA (get it?), and the all-female panels at the conference afforded attendees numerous opportunities to learn about underrepresented perspectives in cybersecurity. You can sneak a peek at the entire day’s OURSA activities by watching this video.

3. IoT Goes Mainstream

There were many IoT-related sessions at the conference and connected device vendors on the show floor. In fact, the IoT has gone so mainstream that the Target across the street from the Moscone Center set up a storefront to showcase smart home devices.

4. FIDO2 Announcements Abound

There are now millions of Fast Identity Online (FIDO) clients in the hands of real users. Yubico announced a new USB key that supports the latest extensions, and Microsoft and Google delivered a joint presentation on FIDO2 authentication.

Experts Discuss Cryptography, Blockchain, Leaky Clouds and More

One of the biggest attractions at RSAC is the annual “Cryptographers’ Panel,” which featured two of RSA’s founders and other experts who have actually built cryptographic systems. This year’s session was punctuated by the usual humor but tempered with a dose of reality.

Adi Shamir complained that current academic research is often too mushy and imprecise, while his RSA co-founder, Ron Rivest, asserted that “blockchains can be a very bad database choice for keeping track of voting. It doesn’t matter if it is immutable if your vote isn’t recorded correctly.” During this session, Moxie Marlinspike, the founder of Signal, also noted that “the utopian narratives of connecting the world are coming to an end. The social media tools are now considered weapons when found in the wrong hands.”

Another popular panel featured a collection of experienced SANS teachers who talked about their favorite new attack types. Ed Skoudis explained the difference between having an accurate asset inventory and data inventory, and advised enterprises to appoint a data curator who knows where your data is and how it is distributed. Skoudis also complained about the many high-profile cloud storage data leaks. “When you are putting data in the cloud, you have to keep track of it carefully,” he implored. He also suggested numerous free and automated data discovery tools that organizations can use to improve cloud security.

More Highlights From RSAC 2018

The OURSA speaker lineup was a riveting program. Many of the speakers, including a large contingent of women, talked about very practical security implementations.

Eva Galperin, director of cybersecurity at EFF, led off the day. “If you think you understand what being part of a vulnerable population is, you don’t — not without doing your homework,” she said. Galperin also set the record straight on the common misconception that Tor and Signal are interchangeable.

Ashley Tolbert, who works at Stanford’s Linear Accelerator Center, noted that when she earned her computer science degree, she didn’t have to take any security classes whatsoever. In addition, Kate McKinley, a security engineer at Facebook, spoke about various memory hacking techniques and how to harden code to prevent these incidents.

Kelly Lum, now a security engineer at Spotify, gave an excellent talk about how she rolled out HTTPS certificates when she worked at Tumblr. She described the practical problem of having great crypto without infringing upon customers’ privacy. Elizabeth Zwicky, antispam and delivery engineer at Yahoo, then spoke about the economics of spam, the process of sorting good from bad email, and how she had to consider the wide range of email-enabled clients, including emails sent from copy shop printers and devices designed to help visually impaired users. “Mail is sent in many ways that you don’t expect, and the outliers are from disproportionately underserved communities,” she said.

Finally, I always enjoy listening to cryptography pioneer and IBM special advisor Bruce Schneier, who recorded a podcast with Flashpoint Editorial Director Mike Mimoso at the conference. “Nobody wants you to know how your data is being used, and the more that this debate brings this into the sunlight, the better,” Schneier said. “We are having our personalities dissected in order to sell us stuff. Is this the kind of society we want to build?”

Building a Stronger Foundation for Security

Overall, the RSA Conference 2018 featured a wide range of perspectives, a healthy dose of reality and a strong undercurrent of optimism about the future of cybersecurity. As the construction crews clamored about the Moscone Center, the speakers, vendors and attendees at the conference worked toward building a stronger foundation for security by sharing valuable insights and making solid connections. This exchange of ideas, camaraderie and collaborative spirit is the industry’s most powerful weapon against rapidly evolving cyberthreats.

