Last week, Enterprise Strategy Group (ESG) principal analyst Jon Oltsik wrote an article for CSO titled “RSA Conference: CISOs’ top 4 cybersecurity priorities.” Jon highlighted four areas that security executives will be looking for at next week’s RSA Conference:

  1. Executive-level threat intelligence (Jon highlighted Digital Shadows (now ReliaQuest) in this category)
  2. Integrated security platforms
  3. Business risk
  4. Changing security perimeters

In the past, I’ve written my own RSA Conference (RSAC) preview blogs and Jon’s article reminded me that I should do it again. A few things to note before I get started:

  • This blog is going to be focused on conference talks that will resonate with most CISOs.
  • I know there will be many other activities going on next week and you have limited time, so let me help you maximize the time you have allotted for talks.
  • You should absolutely take advantage of “hallwaycon” and all the networking opportunities associated with the RSAC week. This will get you the best return on your investment.
  • You could just go to the RSAC “Sessions & Events” page and search by the “Core Topic” of “C-Suite View” or “Security Strategy,” but your time is precious. To save you some, I spent the morning going through the RSAC agenda so you don’t have to.
  • I focused on the following areas: (1) investment, metrics, and communication, (2) GDPR, (3) recruiting and retaining staff, (4) third party risk, (5) cloud native security, and (6) national security.
Here are my recommendations for the RSAC talks you should check out:

  • The Innovation Sandbox. This isn’t a talk, but something I highly recommend nevertheless. I’m a big fan of the Innovation Sandbox, and while I was at Forrester Research I moderated several panels at the event, so I admit I could be a bit biased towards it. The Innovation Sandbox is a great way to track startups that could help you solve some of the challenges that CISOs face. It is also fun to watch the pitches, and you can pick up techniques to improve your own presentation style and public speaking. This can be very useful, particularly when you apply it to your own board presentations.
  • Investment, metrics, and communication. This year, there is no shortage of CISO-focused talks. I suggest the following because the topics really resonate with me and there are real-world examples from practitioners in the mix. These talks also align with Jon Oltsik’s business risk area from his CSO article.
    • Stop Translating, Start Defending: Common Language for Managing Cyber-Risk TECH-W04
    • Building and Selling Your Security Strategy to the Business STR-W14
    • Creating Order from Chaos: Metrics That Matter GRC-W04
    • Implementing a Quantitative Cyber-Risk Framework: A FinSrv Case Study STR-W02
    • Security Programs. ROI not CYA EXP-R14
    • Charting a Clear Course: Prioritizing Security Investments and Activities STR-T07
    • 10 Tenets of CISO Success STR-W04
    • Inside Cyber-Balance Sheets: A Rare Window on Digital Risk in the Boardroom CXO-R14
  • GDPR. Worried about GDPR? You will be. If you deal with European Union citizen data, this year’s RSAC has you covered, and it’s important since GDPR enforcement is now “next month.” I’m almost as excited for GDPR as I am for the Deadpool sequel featuring Thanos and the new Han Solo movie (please, please save it, Donald Glover). While I work on my Privacy Impact Assessments, consider these talks:
    • How to Tackle the GDPR: A Typical Privacy and Security Roadmap PRV-T10
    • The GDPR Is Only for Europe—Right? GRC-R02
    • GDPR Compliance—You Forgot Your Digital Environment GRC-R12
  • Recruiting and retaining staff. I think the “cyber security talent shortage” is a self-fulfilling prophecy. Don’t be a statistic, and don’t succumb to the hype! I think these talks can help you:
    • A NICE Way to Find and Keep Cybersecurity Workers PROF-W04
    • The Cybersecurity Job Seekers Report: Results and Implications AST1-W02
    • The Life and Times of Cybersecurity Professionals AST3-R02
  • Third-party risk. I’m always looking for ways to get better at managing third-party risk, and if you read the headlines, nearly everyone else should be looking as well. I would’ve liked to see more talks on this topic. I included some Peer2Peer talks here as well:
    • Personality Profiling Your Third Parties for Effective Supplier Management STR-T08
    • The Supply Chain Threat GRC-T10
    • Effectively Managing a Third-Party Technology Risk Program P2P4-R05
    • Third-Party Risk Assessment Tilt-A-Whirl. Stop the Ride, I Want to Get Off! P2P3-W04
  • Cloud security. Cloud security is a key component of our security program, and the same is likely true for you. I really like the contrast of the following two talks. In the first, you have one of, if not the, top industry analysts covering cloud security, Rich Mogull (of Securosis fame). In the second, you have Tim Prendergast, the founder and former CEO of the company that was recently acquired for a cool $300 million, who is now the Chief Cloud Officer at Palo Alto Networks.
    • Building and Adopting a Cloud-Native Security Program CSV-W14
    • Is Cloud-Native Security Enough? SPO3-W14
  • National Security. I’m a self-professed national security geek and I think all CISOs need to track geopolitical and national security issues. Check out these talks:
    • Cyberwar Game: Behind Closed Doors with the National Security Council EXP-T07 (I’ll pretty much watch anything Jason Healey is involved in)
    • DARPA R&D Enabling US Cyber-Deterrence PNG-F03R (DARPA is cool, and they are doing this talk twice!)
    • Former NSA and Israeli Intelligence Directors on Resilience EXP-F01 (Despite getting 8200’d/NSA’d to death at Forrester, I still want to see this talk.)

Am I missing any talks that resonate with you? Please share.

I know that many people (cue the Infosec Twitterverse) bash big security events like RSAC; my suggestion is to ignore that and make the most of the event. Next week is a great opportunity to gain knowledge that you can bring back to your team and an excellent opportunity to build your professional network.

Next week is also a great time to unwind and step away from the chaos that is being an information security professional. Digital Shadows (now ReliaQuest) is sponsoring the “Security Leaders” party on Tuesday night, April 17th, at City View @ Metreon. Come join us, have a good time with your peers, and make some new friends. You can register here.