A CISO’s Guide to RSA Conference 2016

Look, let’s be frank – the week of the RSA Conference is a scheduling nightmare. On easy days it takes effort to manage, and on difficult days it’s completely unwieldy. There are more sessions, activities, keynotes, networking events, and ancillary get-togethers than you can possibly imagine, both in and around the actual conference. With the exception of the actual RSA training sessions, being double and triple booked is commonplace.

I look at the RSA Conference with mixed emotions. Years ago, as a consultant and technical contributor, this event was where I went to learn about new techniques and strategies, and geek-out over the crypto Illuminati. I truly went there to be educated. Now, as a CISO, the RSA Conference offers a different kind of education, but one you must develop a strategy for, otherwise, it could be a colossal waste of time. Over the years, I’ve managed to find some things that work, realized some things didn’t, and basically have figured out how to get the most from the event and all the interstitial happenings. Hopefully, you’ll find something valuable out of the list below, but as always, your mileage may vary.

The official RSA Conference:
This is the main reason we’re all in San Francisco – right? In one fell swoop, you can earn the vast majority of your CPEs for the year, gain an understanding of new approaches used by your peers, or go all uber-nerd and hear what the cryptology elite are worried about in the coming year. The truth is, most CISO’s don’t need to know about the next generation of prime number sieves (although we may want to) or side-channel attacks; we need to understand how the next evolution of crypto – or APT detection – or micro-virtualization will impact our enterprises.

Many of us grew up on the technology side and evolved into our current pseudo-tech / pseudo-business roles. However, the RSA Conference can make you feel like Michael Corleone himself, uttering those immortal words, “Just when I thought I was out, they pull me back in.” If you are an exceptionally hands-on CISO, then perhaps you should pepper your schedule with a few technical sessions, but for the most part, tracks like C-Suite View, Governance, Risk & Compliance, and Security Strategy are great values for a new CISO or one in a new organization who is looking for a refresher.

The RSA Expo floor:
1000100100. That’s the magic number this year. No, it’s not over a billion booths at RSA (although it really does seem like it), but 548 vendors split between the North and South Expo centers. The Expo is open for 21 hours – 1,260 minutes in total. That means, even if you did nothing else at RSA except visit the Expo, you would end up spending 2.5 minutes per vendor.

Ridiculous, right? So, with a limited checkbook and unlimited expectations, what’s a poor CISO to do?

Likely, we can all recite both our 12-month tactical and 3-year strategic plans in our sleep. We know what we need to address in the coming year and how that plays into our long-term program maturity goals. The RSA Expo is a great place to sniff out future partners. From product solutions to consulting firms to awareness tools, the Expo floor can provide you with a list of items to consider. That said, you must be strategic on how to approach such an expanse of floor space.

You have two options really, one is amazingly simple, the other tedious, but old-school effective. If you haven’t done so, download the RSA Conference app before you read another word. Once you setup your account using the same credentials you registered for the conference with, you can search the exhibitors for the ones you want to visit and add them to your personal list. Once added, you can see them under ‘My Exhibitors’ on the app’s main screen. Just select the vendor you want to visit, tap the pin in the upper right-hand corner, and whala!, the booth is highlighted on the expo floor map. By the way – side benefit – the app can manage your entire session schedule as well. You’re Welcome.

Now, while I’ll begrudgingly admit that I used the old-school method for more than one conference, I’m thrilled to retire the printed-expo-map-multicolored-highlighter solution that was all the rage years ago. However, if you’re in the mood to go all-out retro, you can go over to the Expo and Sponsors page, download the PDF for each floor and highlight away.

Private Vendor Suites:
Over the past several years, private vendor suites have become hugely popular during the conference. Many vendors now get a suite at one of the area hotels for private, one-on-one, demos, and meetings. The ability to have a normal conversation, without the worry of someone overhearing, interjecting, or diverting the discussion is actually quite refreshing. Most of the suites are less than a couple minutes walk from Moscone and are fully outfitted with the vendor’s entire catalog offering, allowing you to get hands-on with their products. The suites are usually staffed by their best folks, who can answer any questions you have and can actually show you the wheres-and-hows right on the screen.

The only caveat is that these sessions usually need to be scheduled beforehand. Don’t walk up to a vendor on the exhibit floor and expect to get an invite up to the suite – it’s highly probable that all the slots are booked by that time. If you have a particular interest in a vendor, reach out to them now, and ask for a demo. Most will happily make the time for you.

Planned Networking Events:
There are several organizations that manage networking events around the conference, in some cases even the weekends before and after. Most, if not all, of these events, are sponsored by vendors who have their executive management on hand to answer questions, discuss road maps, or offer customer panels. These events – which are usually luncheons, dinners, and receptions – also double as strong networking opportunities. Many sell out in advance of the conference, but if you are looking for explementary CISO-level networking, these are hard to beat. Since these are typically sponsored events, there is generally no cost to attend, but there is a pre-qualification process. All of these events are held locally, so they’re fairly easy to get to should you manage to snag an invite.

Ad-hoc Networking:
There’s something to be said for just kibitzing with your peers. In fact, one could argue that you’ll get more insight into a vendor, product, or program technique by talking to your peers than by spending time hearing the vendor’s pitch. The relationships you will develop during the networking events or even just in the hotel lobby will be invaluable in the future. InfoSec is a strange bird that crosses competitive and geographical boundaries with ease, almost relying on the ability to pick up the phone and talk with a fellow CISO from someone else in your industry. We are all facing the same challenges, so understanding what worked – and what failed – for someone else is invaluable knowledge. It’s critical that you avoid locking yourself away in the room for four days during the event. Meet – mingle – exchange QR codes – do whatever it takes to meet your peers; it will make the entire RSA Conference experience infinitely better.

So there you have it. Enjoy your time at this year’s RSA Conference and let me know if you have any suggestions of your own.

Originally posted on SecurityCurrent.com.