I have watched on silently from the sidelines as the "boycott RSA Conference" story has played out. Now that we are a month or so away from the conference, "where the world talks security," I just can't hold it in any longer. I really think the few outliers who have announced they are boycotting and not speaking or attending this year's RSA Conference have gotten more than their 15 minutes' worth. I think the whole effort is a misplaced endeavor blaming the wrong people for the wrong transgression.
First of all, for you folks not familiar with this matter, about 9 of the over 500 speakers at this year's RSA Conference (in full disclosure I am one of those 500+ speakers) have announced they will not be attending and speaking at the conference this year. Their reasons are tied to the story of how RSA supposedly accepted a $10 million payment from the NSA for a backdoor into the RSA programs.
The first person to come out and announce their boycott was Mikko Hypponen, of F-Secure. I respected Mikko's decision. Considering he's a non-U.S. citizen, I understood his displeasure over a U.S. company working with the U.S. government to potentially gain a backdoor into other people's data. Mikko was soon joined by 8 or so other speakers of various persuasions, and so in our social-media-frenzied world a movement was born. Next came word that these 9 or so speakers and those who support them were setting up an anti-conference across the street from RSA Conference called Trustycon. Then came word that Microsoft and Cloudflare would sponsor Trustycon.
So now I feel compelled to say, "let's stop the insanity." Boycotting the RSA Conference is not the same as not supporting or buying RSA tokens. For anyone who doesn't already know, RSA Conference is pretty much a separate entity from RSA and their token business. In fact, they work really hard to keep a "firewall" (no pun intended) between the two organizations.
Yesterday, I spoke to Hugh Thompson, program committee chairman of RSA Conference. Hugh told me that the fact is many of the people who work on RSA Conference are not in fact RSA employees at all and don't have anything to do with RSA itself. They work hard year-round making the RSA Conferences the best and biggest security conferences in the world. Dragging them into this mess, in Hugh's opinion, is just misplaced.
On top of this, RSA Conference has always prided itself on pitching a big enough tent to give everyone a bully pulpit to speak. If anyone with issues around the NSA/RSA story wanted to speak out about it, the RSA Conference folks would have been glad to give them a forum to do so. Instead, they chose to just boycott the conference.
For me, another issue is if you are going to punish RSA, what about the other companies who cooperated at some level with the NSA? Should we stop using Microsoft, Google, Apple or Facebook? Because they have done their best "Captain Renault: I'm shocked, shocked to find that gambling is going on in here!" imitations, are they immune from our wrath? For one of these companies to now go and sponsor Trustycon seems pretty nervy to me. Is it a way to soothe a guilty conscience?
I spoke to my friend Rajat Bhargava, CEO of JumpCloud, about what he thought about the RSA Conference boycott. Raj feels that if people don't want to buy RSA products because of the NSA story, that is their right to do so. There are other products (including JumpCloud's) that can do the job. But to not attend the conference isn't the right response. Better to go to the conference and make your voice heard.
I agree with Raj on this one. For those people who are genuinely outraged by RSA's dealings with NSA, being a part of the conversation at RSA Conference would have been a lot more impactful. For those people who are boycotting or supporting the boycott for their own monetary gain, I think we know what that is about. I will leave it to you to decide.
How do you feel? Do you think boycotting RSA Conference is the right response?
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from startup to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.