Another RSA Conference has wrapped, and as usual, I have overwhelming FOMO (even though I went), I’m tagged in many selfie-photo posts, and I have more than 50 follow-up emails to send. Here’s my opinionated, AI-saturated breakdown of RSA 2025.
Got feedback? Join the conversation on LinkedIn.
COOL and Maybe NOT-SO-COOL: The rise and claims of agentic AI
Last year was all about generative AI—fun, flashy, and easy to demo. Images and articles created in seconds with text prompts. How awesome is that? Too bad that’s last year’s AI. This year, it’s about agentic AI—tools that do things for you. It’s more useful, but also more opaque. You can demo agentic AI, but can you believe it? Will it work in your environment and with your tools? You have to test it, implement it, and live with it. While I want to say cool, I’m hedging temporarily that the early sales pitch might be “not so cool,” but I want to be wrong.
It’s COOL, Accept It: Everyone’s already in the AI pool
Debating whether to “embrace AI” is not your choice. The tools you already use are baking in AI just to survive. Saying “we use AI” is table stakes. The bar has moved—explain what your AI does, not just that it exists.
This reminds me of RSA 2011, where I asked attendees what the most overhyped issue in security was, and everyone answered “cloud.”
Like the cloud was 15 years ago, you’re in AI whether or not you want to be. Embrace it.
NOT-SO-COOL: The plague of vendor-splaining
“Is cybersecurity important to you?” “Do you know that identity attacks are the number one vector hackers use to break into your system?” If you are in any way trying to explain fundamental cybersecurity concerns to a CISO or any cybersecurity professional, please stop. It’s outright insulting. It’s like asking a doctor if they’re concerned with the health of their patients.
Want to connect with a CISO? Articulate what your product does and what makes it unique. Don’t waste time defining the category. Talk to a CISO like they understand cybersecurity (because they do).
COOL: Wrapping up RSA week on Daily Tech News Show
For at least 15 years, if not longer, I’ve been making a regular end-of-week wrap-up review of the RSA Conference on The Daily Tech News Show (DTNS) with Tom Merritt, Sarah Lane, and Roger Chang. I got to do it again this year. Give the show a watch.
NOT-SO-COOL: Pitching when I don’t want to listen
If someone you’re pitching is waiting for you to shut up, maybe… stop talking? I had way too many conversations where I was clearly waiting for the vendor to stop talking. This wasn’t a situation of me walking up to a booth where a pitch was expected. These were situations where I’d run into someone, and their agenda spat out of their mouth, without me asking for it.
Read the person in front of you. Are they leaning in? Are they nodding? Or are they waiting for you to finish? Instead, ask questions. Have a conversation. If they express interest, then explain, but in small bites. Don’t just unload a monologue and hope something sticks.
COOL: Appreciate the FOMO
Attending RSA means you will miss something amazing. Accept it. I missed sessions. I missed people. I missed parties. But I also had a lot of fantastic experiences and conversations. Be present wherever you are. Chasing the “next thing” means you never fully connect in the moment.
COOL, but really NOT-SO-COOL: Booth spectacle vs. booth substance
Yes, I saw the goats. Yes, I spun the giant “Price is Right” wheel. Yes, Grave Digger (the actual monster truck) was on the show floor. It all felt like a fever dream. It’s fun. It’s memorable. But let’s not confuse attention with intention. While they attract an audience, all you’ve done is qualify someone as easily distracted, not a serious buyer. If someone is in your booth because of a floating astronaut, you’re not any closer to knowing if they’re interested in your XDR platform.
NOT-SO-COOL: The food was… a problem (speak up vendors)
In the past, food at RSA for the press and the attendees has been quite good. But not this year.
I don’t want to be that guy, but the food was bad. Like, really bad. And I wasn’t the only one complaining. And that’s more than an inconvenience—it’s an ecosystem disruptor.
When you serve crappy food, people will leave the venue to find better food. And because of the gravity that RSA drives, attendees can discover a whole other RSA happening beyond the walls of Moscone. There are plenty of lunches, parties, and other enticements not to return. I’d be furious if I were a vendor paying big bucks for booth traffic. Come on RSA, feed your attendees and the press well. Think like a casino. Give them a reason to stay.
NOT-SO-COOL: Not knowing your story or your differentiator
“We do AI better than the competition” is not your story, nor does it differentiate you from the competition. I had too many meetings with vendors who could not articulate what made them unique from the competition. Understandably, every vendor has something AI-enabled, but I’ve yet to hear any articulate how their solution is better than the competition. And given the speed at which AI is evolving, maybe they shouldn’t.
Know your story. And figure out a way to tell your AI story that sets you apart from your competition. That’s the best you can do. It will be impossible to prove that you’re “better.”
COOL, but eh maybe NOT-SO-COOL: Productivity, prices, and the AI paradox
Here’s the tension: AI promises productivity gains. But when you can do more, expectations rise—and prices fall. I had dinner with a radiologist who now uses AI to read more scans per day. Great, right? Until insurance companies got wind of the productivity gains and lowered their payouts, because, hey, you’re more efficient now.
The same thing will happen in the cybersecurity industry, but we’ll see a new problem. AI might help us find threats faster, but if junior roles get automated away, it could also hollow out the career ladder. If AI takes over basic tasks, how do we train the next generation? If we skip the “multiplication and long division” phase of cyber education and just hand them a calculator (or ChatGPT), they won’t understand the fundamentals. It’s a challenge our industry must confront—soon. We need to rethink how we train, grow, and sustain security talent.
NOT-SO-COOL: Nobody has a crystal ball for good reason
In every panel discussion that’s ever been produced, there has never been a good answer to the question, “Look into your crystal ball and tell us what you see for the industry five years from now.”
No one knows. It’s a lazy, uninspired question that a poor moderator would ask. All the answers are entirely useless. If you did know the answer, you wouldn’t tell a random audience.
I heard that this very question was asked during an AI discussion. The panelists responded, “Five years? I don’t know what’s going to happen in five months!”
It’s just filler. Instead, highlight the best insights from the conference or ask, “What didn’t we cover that we should have?”
COOL: And yes… I still love RSA
With all the complaints, RSA still matters. It’s still the cybersecurity industry’s annual center of gravity. The sessions are thoughtfully curated, the hallway conversations are rich, and the sheer density of people and ideas in San Francisco that week is unmatched.
Don’t complain. Embrace the chaos. Accept that you’ll miss something great. And if you’re not exhausted every night, you’re not doing it right.