What I’m Looking Forward to at RSA 2018

Ashley Yesayan
Published in Revolution
5 min read · Mar 27, 2018

The RSA Conference is back again. Regardless of whether you’re a first timer or a seasoned vet, the packed schedule can be overwhelming. Never fear. I’ve reviewed the list of panels and keynotes and have selected a few that I think highlight some of the biggest issues and most notable trends in the space.

Here is what I am most looking forward to and what I believe will be the most thought-provoking sessions at this year’s event. The below includes the RSA panel descriptions followed by an investor’s perspective.

The Dark Web and How It Affects Your Industry

April 17, 2018 | 1:30 PM — 2:00 PM

We all know that illicit activity takes place on the dark web, but very little has been done to help industry leaders understand how illicit marketplaces affect various industries — both from a cybersecurity and an economic perspective. This session will delve into how key US industries are affected by illicit marketplaces and what leaders should be considering in light of these growing phenomena.

The dark web, even by title, is difficult for most to conceptualize, but it’s important to understand the potential impact it has on all types of businesses, from startups to Fortune 500 companies. As data breaches increase in frequency for companies of all sizes, CEOs must understand their company’s unique digital risk profile and have the ability to quickly remediate situations where data leaks online, brands are tarnished or misrepresented online, or employees or suppliers put a company at increased risk for information theft. A growing sub-sector of companies is emerging to address deep web monitoring, and from an investor’s perspective, I’m looking forward to getting better insight into which industries, outside of the usual suspects like financial services or healthcare, are most at risk, and how CISOs in those industries are prioritizing deep web monitoring relative to other cybersecurity needs. Growing traction in markets outside of financial services and healthcare is generally a sign that a sector is nearing a point of critical market adoption and could soon be ready for growth equity.

Personality Profiling Your Third Parties for Effective Supplier Management

April 17, 2018 | 2:15 PM — 3:00 PM

Every supplier and third party has different behaviors, abilities and knowledge. By developing a personality profile for each third party (think Myers-Briggs® for suppliers) you can provide more effective infosec and privacy assurance programs for your organization. This session describes the eight typical supplier personalities and how to adapt your assurance strategy based on each profile.

I’m interested to see Myers-Briggs-style personality profiling applied to the issues facing supply chain security. I think that large companies demanding improved cyber hygiene from suppliers will go a long way towards solving our nation’s cybersecurity issues. This panel focuses on the idea that every supplier and third party has different behaviors, abilities and knowledge that must be taken into account when developing appropriate cybersecurity hygiene.

The GDPR Is Only for Europe — Right?

April 19, 2018 | 8:00 AM — 8:45 AM

The EU’s GDPR is the first major overhaul of data privacy requirements in the EU since the 1990s and is effective May 25, 2018. The GDPR is more than a regulation; it is a way of integrating data privacy and information security into day-to-day operations. This session will use case studies to bring alive the key issues to be addressed and best practices to address them whether in the EU or not.

For those unfamiliar with this increasingly important topic, as you read in the panel description, this first overhaul of data privacy requirements since the 1990s is coming up quickly. US companies that have customers domiciled in the EU are all subject to these regulations requiring the integration of data privacy and information security into day-to-day operations. Interestingly, the US is the only country with siloed data privacy laws (HIPAA, COPPA, etc.) and no overarching data privacy regulations that address privacy overall and tie it to the operational elements of a business. I hope this session will shed some light on why the US has developed its privacy practices in the way it has, and provide some constructive solutions on how we can address the problem going forward.

Former NSA and Israeli Intelligence Directors on Resilience

April 20, 2018 | 9:00 AM — 9:45 AM

Both Keith Alexander, former NSA director, and Nadav Zafrir, former commander of Israel’s 8200 Intelligence Unit, will share what they miss about their previous roles in the public sector, their strategy for building security companies in the private sector, what keeps them up at night, and what they are hopeful about in the world of cyber.

I think this is an important conversation because the public and private sectors must work together on cyber issues facing the US. These issues are too big and important for any one entity to tackle alone. This discussion reminds me of a point the CEO of my firm, Steve Case, makes in his book The Third Wave. He talks about the importance of partnerships in the Third Wave of innovation and how it will be critical for companies to collaborate to be successful.

Within 10 Years, Autonomous Vehicles Will Change Every CISO’s Job

April 17, 2018 | 2:15 PM — 3:00 PM

Sound crazy? It isn’t. A fully autonomous ship will deliver fertilizer in Norway in 2018. Forrester security research leader Laura Koetzle will outline how and when autonomous transport will transform five business domains, and will recommend specific focuses for CISOs in each domain. The five are (1) automotive, (2) logistics, (3) insurance, (4) government and (5) media.

There are many issues facing autonomous vehicles, but gaining a broader picture of how they will impact the security industry will be particularly important for change makers in today’s connected vehicle market, who may be able to gain some macro insight into the risks associated with a growing attack base of code. As technology improves, the cybersecurity threat continues to grow exponentially. For example, it’s been reported that the first space shuttle had 145,000 lines of code, connected vehicles have 10 million lines of code, and autonomous vehicles are expected to have 100 million lines of code; each one of them vulnerable to attack.

Stop Translating, Start Defending: Common Language for Managing Cyber-Risk

April 18, 2018 | 9:15 AM — 10:00 AM

Time is of the essence when protecting your organization from complex cyberthreats. The clock doesn’t start when you have been breached — it’s always ticking. The board must articulate risk tolerances, management must set the strategy and IT must execute. The NIST CSF provides a common language for internal and external stakeholders, and helps the organization to stop translating and start defending.

Pushing this framework down from government and large corporate organizations to both SMBs and individuals is critical for successful cyber risk management. In my role, I work with smaller organizations who need to understand this common language to protect their organizations.

Now that you’ve got your panel schedule covered, all you have to do is pack some comfortable shoes, as many device chargers as you can personally carry, and find your way to the Rapid7 party!

*Panel descriptions are from www.rsaconference.com.

Growth Equity investor @Revolution in companies that change the world.