You’ve reached the point in your #infosec career where you get a full conference pass to RSA. Not coincidentally, this means you are now so busy every day that you don’t have the time to preview the RSA full conference schedule to map out interesting talks.

If you fail to get that prep work done, you can cheat by looking at my list — I had chosen these for my own reasons (each of which is explained below), and only a few of them conflict with each other.


9:15 a.m. PST — The Cryptographers’ Panel


Cryptography is only a small corner of the larger infosec landscape today, but this talk is always a great opportunity to witness conversation about controversial surveillance and privacy issues and just plain cryptogeekery from the giants of the field. The past two years were particularly dramatic; Whitfield Diffie publicly grieved for his recently departed wife, and Adi Shamir was unable to attend the conference named after him due to US visa issues and had to attend by video! Anyway, always attend the cryptographers’ panel.

11 a.m. — Shodan 2.0: The World’s Most Dangerous Search Engine Goes on the Defensive

Moscone West HT-T08

There’s a saying about a blade cutting both ways. Here’s a talk about using what was traditionally considered an “offensive” security search engine in a defensive way. In recent years, there’s been an interest around Shodan being used to map the OT/ICS environment, so I’m hoping to see some of that at this talk, too.

1 p.m. — Privacy: What Customers Want, Why Security Should Care and What To Do Next

Moscone West EZCL-T10

What if someone surveyed 80,000 customers and derived what they really wanted with regards to privacy? That would be some good data and would make for an amazing talk, right? Forrester’s Laura Koetzle will be there to lead small groups to work together to apply the lessons from this research to their own organizations.

1 p.m. — Frameworks, Mappings and Metrics: Optimize Your Time as CISO or Auditor

Moscone West CX0-T10

If CISOs really do spend half their time on compliance activities, wouldn’t it be nice to be able to de-dup some of the repetitive tasks and build some good metrics at the same time? Note that this talk time conflicts with the earlier one.

2:20 p.m. — SOC Metrics: Discovering the Key to SOC Nirvana

Moscone West AIR-T11

“You can’t manage what you can’t measure.” The speaker hopes to take Peter Drucker’s adage and apply it to security operations center management. I’m particularly interested in the speaker’s treatment of metrics around analyst skill development.


8 a.m. — Entropy as a Service: A Framework for Delivering High-Quality Entropy

Moscone West ACB-W01

Entropy quality has always been the dirty secret of cryptography, so of course one solution would be to provide it as a service. I’ve been interested in that idea for years and, in fact, still own the domain though never did anything with it because I’m a classic underachiever. Maybe what is needed is “achievement-as-a-service.”

12 p.m. — Artificial Intelligence Security and Privacy Legal Threats and Opportunity

Moscone West LAW-W07

The fact that Winn Schwartau is on this panel was enough to gain my interest. The discussion looks to include a lively set of topics around AI, robots, disasters, and lawyers. Hey, that sounds like it could be a great Broadway musical! The next Hamilton could be a singing robot!

1:30 p.m. — The Network Is Going Dark: Why Decryption Matters for SecOps

Moscone West ACB-W09

The shadow of cryptography falls across this list again. Here’s a discussion on how TLS 1.3 might impact network monitoring. All modern browsers support forward secrecy already, and 98% of internet servers prefer it, so the idea of decrypting this “uncrackable” crypto already has value even before TLS 1.3 becomes mainstream.

2:50 p.m. — All That Glitters? Debunking Fool’s Marketing of ML and AI

Moscone West MLAI-W11

As an analyst, I hear claims of AI/machine learning all day long, like it’s a deus ex machina to address every difficult problem a vendor might run into. In my dreams, this talk will be about how to ask questions that could differentiate truth from falsehood. We’ll see.

2:50 p.m. — API Security Exposure for Gift Card Fraud: A 15-Year-Old’s Guide

Moscone West HT-W11

I don’t know about you, but when I was 15, I was pretty much a complete idiot. I was not giving talks about API security exposure at the world’s biggest security conferences. But this kid is, and if for no other reason, I hope to be there to cheer him on. The topic looks good, too! Note: This conflicts with the previous talk.

4:10 p.m. — Cyber-Litigation 2020: Recent Cases in the Courts and Agencies

Moscone West LAW-W13

The docket for this session will include cyberinsurance, cyberconflict, and encryption controls. No lawyers will be harmed during this session.


8 a.m. — Fully Homomorphic Encryption

Moscone West CRYP-R01

Cryptography again, yet this is the first of the truly hardcore crypto talks I might attend. Partly that’s because, unless you are a crypto practitioner and/or have a brain so big it needs external cooling, these crypto talks can be a tad inaccessible. Homomorphic encryption is a bit of a Holy Grail but hasn’t proven itself yet. Controversy creates interest, hence its appearance on this list.

9:20 a.m. — Zero Trust: The Buzz, the Myths and the Facts

Moscone West STR-R02

As a Forrester analyst supporting the principles of Zero Trust, I’m more than a little curious about what the buzz, myths, and facts are all about, at least as perceived by this Microsoft CISO. Honestly, I have no idea what to expect and am hoping to be pleasantly surprised.

2:50 p.m. — My Botnet Always Beats Yours: A Honeypot to Massive Bot Fight Scenes

Moscone West OST-R09

Bots killing bots. A man creates a honeypot arena to watch it all. What’s not to love about that? Also, it’s been a little quiet for IoT bots since Mirai. I’m there.


8:30 a.m. — I Find Your Lack of Security Strategy Disturbing

Moscone West CX0-F01

Some security leaders can’t get enough budget to build out their security program. Being able to elocute a strong security strategy can go some way to getting those Benjamins. My colleague, Dr. Chase Cunningham, says every security leader should be able to recite their security strategy on demand, and it’s hard to argue with that or with Chase, actually. Also, I’m a sucker for riffs on Star Wars: Episode IV’s most memorable quotes.

There will be 100 great talks at RSA this year, and there’s no way we can see them all. Hopefully, my list can help you build a plan (even at the last minute) for talks that are both informative and interesting.

While you’re at RSA, consider coming to Forrester’s meet and greet on Tuesday night if you’re a client. You’ll be able to talk to me, Chase, Laura, and many other analysts on the Forrester security and risk team. Contact your account rep and ask what they’ve done for you lately, and see what they say about getting you in.