RSA Conference 2019: Highlights you might have missed

Nearly 50,000 attendees flocked to the newly expanded Moscone Center in San Francisco for a whirlwind week at RSA Conference 2019.

The keynote lineup was eclectic, with 31 presentations across two stages featuring speakers ranging from FBI Director Christopher A. Wray to actress and comedian Tina Fey. Topics aligned with this year’s conference theme, “Better,” and focused on actions that can be taken by everyone from the C-suite to those of us on the front lines to make cybersecurity better now and in the future.

In a surprise appearance, Helen Mirren, accompanied by the Oakland Interfaith Gospel Choir, welcomed attendees with a rousing opening keynote, proclaiming, “The collective brilliance of this conference has addressed major world problems,” and praising security professionals as, “…an eternal beacon in the darkness.”

Together you stop the cyber underworld from growing out of control. – Helen Mirren

The conference featured over 600 sessions and 700 exhibitors sharing ideas about the latest cybersecurity threats, trends, and technologies. With so much content and activity clamoring for attention, it is impossible to recap every highlight. Here’s a glimpse of what caught my attention.

A major absence

The popular Cryptographer’s Panel was moderated once again by RSA CTO Zulfikar Ramzan. Panelists included Ron Rivest of MIT (the R in RSA), public key encryption co-creator Whitfield Diffie, security researcher Paul Kocher, Shafi Goldwasser of the Simons Institute for the Theory of Computing, and Tal Rabin, manager of the Cryptographic Research Group, IBM Research, who received the conference’s annual award for Excellence in the Field of Mathematics.

But the involuntary absence of Adi Shamir—the S in RSA—cast a shadow over the panel. Shamir, a long-time panelist, wasn’t granted a visa to enter the U.S. to attend the conference, possibly because of a backlog stemming from the partial federal government shut-down.

After playing a pre-recorded video message from Shamir, the panel discussed the absurdity of the situation before moving on to highlight issues including GDPR, the impact of Bitcoin attacks on blockchains, and Australia’s contentious Assistance and Access Bill, which forces technology companies to give law enforcement and intelligence agencies access to encrypted communications.

Noteworthy announcements

Israeli cybersecurity asset management provider Axonius was named Most Innovative Startup. Axonius aims to help organizations improve device visibility and control by providing a unified view into which devices are present on a network—both managed and unknown—and what’s on them.

Numerous security products and services were introduced during the conference. Here are a few key announcements:

• BitSight Peer Analytics helps organizations to compare cybersecurity performance measurements with real-time objective data and metrics on industry-wide security and peer-level performance across multiple categories of vulnerabilities and incidents.
• CyberArk Privileged Access Security Solution v10.8 automates detection, alerting, and response for unmanaged and potentially-risky Amazon Web Services (AWS) accounts.
• CylancePERSONA provides proactive endpoint behavioral analytics to identify rogue insiders and external threat actors exploiting valid user credentials.
• FireEye Secure Email Gateway delivers an integrated solution for advanced threat protection plus inbound and outbound antivirus/anti-spam (AVAS) scanning.
• IBM’s X-Force Red Blockchain Testing Service tests vulnerabilities in enterprise blockchain platforms.
• Microsoft Azure Sentinel gives developers a holistic view of enterprise security by helping them collect data across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.

Valuable sessions

Sessions were organized into over a dozen tracks, including:

• Analytics, Intelligence & Response
• Application Security & DevSecOps
• C-Suite View
• Cloud Security & Virtualization
• Cryptography
• Governance, Risk & Compliance
• Hackers & Threats
• Human Element
• Identity
• Law
• Machine Learning & Artificial Intelligence
• Mobile & IoT Security
• Privacy

While I couldn’t attend all the sessions, two that I found interesting focused on quantifying information security risk and ensuring appropriate security under GDPR.

In “Defining a Risk Appetite that Works,” FAIR Institute Chairman Jack Jones highlighted the difference between risk appetite—a target level of loss exposure that organizations are trying to manage to—and risk tolerance—the degree of variance from that goal that can be tolerated. He presented best practices companies can follow to effectively develop a risk appetite and stay aligned with it over time. His new model, Factor Analysis of Information Risk (FAIR), provides an international standard for understanding, analyzing, and quantifying information security risk in financial terms.

EasyJet Head of Information Security John Elliott tackled GDPR’s lack of specificity in “GDPR: How to Work Out if Your Security is Appropriate.” GDPR requires companies to implement “appropriate” measures to protect personal data.

What exactly do European regulators consider “appropriate” measures for protecting personal data?

Elliott recommended establishing a baseline that aligns with standards such as ISO, NIST, and the CIS Controls; reviewing and testing policies; and conducting a risk assessment that focuses on human impact rather than the organization. French data regulator CNIL has a helpful guide.

Hundreds of other sessions provided great opportunities to learn and exchange information. Here are some of the interesting facts I learned during the week:

• In May of 2018, GDPR was searched more often on Google than Beyoncé or Kim Kardashian.
• 90 percent of U.S. infrastructure is controlled by the private sector.
• Facebook Head of Cybersecurity Policy Nathaniel Gleicher estimates that 4 to 5 percent—or 1 in 20—Facebook profiles are fake.
• According to former U.S. CTO Megan Smith, Chattanooga has the fastest Internet in the Western Hemisphere.
• There are security lessons to be learned from classic films like The Sting and Oceans 11.

We are better together

There are more highlights than I can mention on a variety of other topics; I’ve barely scratched the surface of RSA Conference 2019! If there is one key takeaway, it is that the events of the past year have propelled security beyond just addressing the latest threats and attack vectors.

We need to work together to pursue trust. Our community came together in unprecedented numbers to attend this year’s conference and as Helen Mirren put it, we need to, “seize this moment to become better and stronger together.” By increasing collaboration across the public and private sectors and improving teamwork, we can better protect data, build trust, and improve cybersecurity overall.

If you are interested in watching recorded keynotes or exploring the conference tracks, numerous keynote videos and session presentations are available on the RSA Conference site. We’ll also be digging into some of the most interesting topics from RSA in later blog posts—so stay tuned!

Anne Grahn contributed to this post.