RSA Conference 2016 preview: Top speakers, tracks and security trends

When the Moscone Center doors open on February 29, RSA Conference 2016 will kick off its 25^th annual edition, welcoming 30,000-plus attendees hungry for information security knowledge, as massive hacks against corporations and governments continue to occur with an increasingly disturbing frequency.

Although RSA Conference is one of the world’s oldest and biggest security conferences (see all the top information security conferences in 2016), organizers say that they strive to keep the structure, logistics, and content fresh and relevant. This year’s conference, which will have an expo with more than 500 exhibitors and a program with more than 400 sessions, will feature several new and enhanced elements.

Practicality and business impact headline the show

On the content side, speakers have been nudged to include more practical information in their presentations, such as concrete tips, best practices, and lessons learned. “A lot of times people will present some really great research findings, but the session falls flat on: How do I take this home?,” says Bill Burns, vice president and CISO at Informatica, speaking during a recent press conference with fellow RSA Conference program committee members.

The effort to increase the practicality of sessions began a few years ago, and judging by the session submissions Burns reviewed for this conference, the message is getting through to the speakers. “I came away with these early drafts of the presentations saying, 'Someone can come to the conference and take away real nuggets of practical experience,'” Burns says.

More speakers are also explaining the business impact of whatever they're discussing and not just limiting themselves to describing research results and technical issues, he says. This is important because line-of-business managers are increasingly interested in InfoSec, especially those who have made technology decisions on their own, without involving their IT department. “They’re now aware of the security risks and responsibilities they’ve assumed, so now they’re looking for trusted guidance,” he says.

A similar interest and awareness about InfoSec is growing among CxOs and board directors, a demographic the conference also will address. For example, there will be an event called Cyber Risk Board Forum, organized jointly by RSA Conference and NYSE Governance Services, a provider of governance, compliance, and education services for companies and their board directors.

The Cyber Risk Board Forum is aimed at CxOs and directors who want to sharpen their “cyber governance” of data and intellectual property security. “As we celebrate the 25th Anniversary of the RSA Conference, we have looked for ways to expand our reach and educate new audiences, and we are thrilled to collaborate with NYSE Governance on this opportunity,” says Sandra Toms, vice president and curator for RSA Conference, in a press release.

Bigger focus on privacy issues and challenges

Ruby Zefo, vice president and chief privacy and security counsel at Intel, is new on the RSA Conference program committee and is focused on increasing privacy content at the event. “Security and privacy are inextricably intertwined, so it’s very important that we continue to break down the silos between those two practices, which I continue to see,” she says.

It’s essential for privacy and security experts to have a solid basic understanding of each other’s fields if they expect to be able to do a good job in their respective areas. “My focus today is on security and privacy pros learning more about how to do that through various sessions at the conference,” Zefo says.

For example, there’s a common misconception among security professionals that if their organization’s data is properly protected, the privacy aspect is also taken care of. “That data may not have been collected appropriately, legally, or according to users’ expectations,” she says.

Making sure the data is secure is the low-hanging fruit. “There’s so much more to the conversation than that,” Zefo adds.

Another misconception is that privacy is satisfied if compliance rules are met. “Sometimes that’s the lowest bar you have to meet,” she says. Rather, the challenge is to meet customers’ expectations with regards to the privacy protection of their data, and this changes with time and varies from country to country. “That’s where the privacy-by-design component comes in, so that what you have is an attractive user experience, which may or may not have anything to do with compliance,” Zefo says.

These and similar issues will be addressed at RSA Conference this year. She highlighted several sessions, including a four-hour seminar titled “Privacy and Security: Working Better Together,” organized by the International Association of Privacy Professionals, and another titled "Privacy Primer for Security Officers."

“I’ve been really happy to see the privacy sessions increasing over the past several years,” Zefo says.

IoT security issues evolve; mobile security breaks out

Michael Murray, vice president of security research at Lookout Mobile Security and another member of the RSA Conference program committee, is eager to hear about Internet of Things (IoT) security challenges in the real world. These systems are appearing in mainstream products and “where the rubber meets the road of practical challenges,” he says.

For example, it’s one thing to do vulnerability research on an isolated web app, but it’s another thing to do it on a vehicle or on medical devices. “We’ve been talking about IoT for the past couple of years, and we’ve all been very ‘pie in the sky’ excited about it,” he says. “But I’m looking forward to seeing how we get from the theory to the practical reality.”

Indeed, Forrester Research recently published a study about the topic, concluding that while most IoT technologies have attained deployment maturity in the market, “vendors have just started building security and standards.”

Mobile is another area of particular interest this year. “We’re moving from a time when mobile was its own niche item, and a thing to talk (about) by itself, to where all security is mobile security,” Murray says.

He’s also interested in hearing about machine learning, which the security industry should pay much more attention to than it historically has. “I’m looking forward to seeing the new research, the new thinking, and who is doing it well, because I haven’t seen a whole lot of that to this point,” Murray says.

Notable speakers and events at RSA 2016

Notable speakers include U.S. Attorney General Loretta E. Lynch, White House Special Assistant to the President and Cybersecurity Coordinator Michael Daniel, InfoSec investigative journalist Brian Krebs, and cybersecurity guru Bruce Schneier.

The conference’s Codebreakers Bash this year sounds like potentially a lot of fun. It will be held at AT&T Park, which is home to the San Francisco Giants and considered one of Major League Baseball’s most beautiful stadiums. It will feature a performance by Grammy award winning singer and songwriter Sheryl Crow, “a gaming experience” with pro skateboarder Tony Hawk, a fireworks display, and other activities.

Organizers have also extended expo hours, so the halls will be open on Tuesday and Wednesday from 10 a.m. to 6 p.m. and Thursday from 10 a.m. to 3 p.m. Educational tracks have also been extended to all day Wednesday and Thursday, while the interactive, hands-on Learning Labs, introduced last year, have grown in number to a dozen. New sessions called Focus On have been added to the proceedings. They will feature popular speakers in a small group setting, where all the time is devoted to discussion and Q&A with attendees.

Organizers have posted resources online to help attendees make their conference plans, including a video for first-time attendees and another one with social activity suggestions.

Are you attending RSA Conference this year? What sessions and speakers are you most looking forward to? Add your comments below.