The RSA Conference has gotten bigger and louder — not just because of the clamoring sounds of tens of thousands of attendees, but also due to the din of construction equipment as San Francisco works to rebuild the Moscone Center. Despite all the noise, this year’s attendees heard a number of key themes reverberating loud and clear throughout the conference as experts shared ideas about where the industry is heading and how security professionals can build strong foundations for the future.

Key Themes From the RSA Conference 2018

This year’s event featured a stronger emphasis on diversity in cybersecurity, a sharper focus on emerging technologies such as the Internet of Things (IoT), and too many captivating insights and discussions to sum up in a single recap. So let’s focus on some of the major highlights. Below are four key takeaways from this year’s RSA Conference.

1. RSA onDemand: The Gift That Keeps on Giving

This year, the conference organizers made a lot more recorded content available online, enabling attendees to catch up on presentations they had to miss. Given the number of concurrent sessions — not to mention the difficulty of navigating around heavy construction machinery — the online recordings certainly came in handy.

2. Promoting Inclusion and Diversity in Cybersecurity

The solid speaking lineup at the crowdsourced counter-show, OURSA (get it?), and the all-female panels at the conference afforded attendees numerous opportunities to learn about underrepresented perspectives in cybersecurity. You can sneak a peek at the entire day’s OURSA activities by watching this video.

3. IoT Goes Mainstream

There were many IoT-related sessions at the conference and connected device vendors on the show floor. In fact, the IoT has gone so mainstream that the Target across the street from the Moscone Center set up a storefront to showcase smart home devices.

4. FIDO2 Announcements Abound

There are now millions of Fast Identity Online (FIDO) clients in the hands of real users. Yubico announced a new USB key that supports the latest extensions, and Microsoft and Google delivered a joint presentation on FIDO2 authentication.

Experts Discuss Cryptography, Blockchain, Leaky Clouds and More

One of the biggest attractions at RSAC is the annual Cryptographers’ Panel, which featured two of RSA’s founders and other experts who have actually built cryptographic systems. This year’s session was punctuated by the usual humor but tempered with a dose of reality.

Adi Shamir complained that current academic research is often too mushy and imprecise, while his RSA co-founder, Ron Rivest, asserted that “blockchains can be a very bad database choice for keeping track of voting. It doesn’t matter if it is immutable if your vote isn’t recorded correctly.” During this session, Moxie Marlinspike, the founder of Signal, also noted that “the utopian narratives of connecting the world are coming to an end. The social media tools are now considered weapons when found in the wrong hands.”

Another popular panel featured a collection of experienced SANS teachers who talked about their favorite new attack types. Ed Skoudis explained the difference between having an accurate asset inventory and data inventory, and advised enterprises to appoint a data curator who knows where your data is and how it is distributed. Skoudis also complained about the many high-profile cloud storage data leaks. “When you are putting data in the cloud, you have to keep track of it carefully,” he implored. He also suggested numerous free and automated data discovery tools that organizations can use to improve cloud security.

More Highlights From RSAC 2018

The OURSA speaker lineup was a riveting program. Many of the speakers, including a large contingent of women, talked about very practical security implementations.

Eva Galperin, director of cybersecurity at EFF, led off the day. “If you think you understand what being part of a vulnerable population is, you don’t — not without doing your homework,” she said. Galperin also set the record straight on the common misconception that Tor and Signal are interchangeable.

Ashley Tolbert, who works at Stanford’s Linear Accelerator Center, noted that when she earned her computer science degree, she didn’t have to take any security classes whatsoever. In addition, Kate McKinley, a security engineer at Facebook, spoke about various memory hacking techniques and how to harden code to prevent these incidents.

Kelly Lum, now a security engineer at Spotify, gave an excellent talk about how she rolled out HTTPS certificates when she worked at Tumblr. She described the practical problem of having great crypto without infringing upon customers’ privacy. Elizabeth Zwicky, antispam and delivery engineer at Yahoo, then spoke about the economics of spam, the process of sorting good from bad email, and how she had to consider the wide range of email-enabled clients, including emails sent from copy shop printers and devices designed to help visually impaired users. “Mail is sent in many ways that you don’t expect, and the outliers are from disproportionately underserved communities,” she said.

Finally, I always enjoy listening to cryptography pioneer and IBM special advisor Bruce Schneier, who recorded a podcast with Flashpoint Editorial Director Mike Mimoso at the conference. “Nobody wants you to know how your data is being used, and the more that this debate brings this into the sunlight, the better,” Schneier said. “We are having our personalities dissected in order to sell us stuff. Is this the kind of society we want to build?”

Building a Stronger Foundation for Security

Overall, the RSA Conference 2018 featured a wide range of perspectives, a healthy dose of reality and a strong undercurrent of optimism about the future of cybersecurity. As the construction crews clamored about the Moscone Center, the speakers, vendors and attendees at the conference worked toward building a stronger foundation for security by sharing valuable insights and making solid connections. This exchange of ideas, camaraderie and collaborative spirit is the industry’s most powerful weapon against rapidly evolving cyberthreats.

