Are trade shows like RSA getting so big that there’s not enough economic value for a CISO to attend? Or do these events have enough industry gravity to justify the spend?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. Joining us is our special guest Lee Parrish, CISO, Newell Brands.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Censys
Full Transcript
[David Spark] Are huge security conferences becoming too big that they’re unaffordable to attend? Everyone sees value in security professionals coming together, but what specific value does a huge expo like RSA deliver?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series. And joining me for this very episode, it’s Geoff Belknap. He’s the CISO of LinkedIn. Geoff, talk to the audience.
[Geoff Belknap] Hello, audience, and thank you for being a listener.
[David Spark] Our sponsor for today’s episode is Censys, the leading internet intelligence platform for threat hunting and exposure management. More about Censys later in the show. Now, I’m going to apologize if my voice sounds a little raspy on today’s episode. I just got back from Black Hat, another huge security conference, and my voice is a little talked out, if you will, because we did a lot of interviewing.
But I’m going to say are huge conferences, Geoff, like Black Hat, like RSA becoming too big that there’s not economic value for CISOs, the target of the vendors, to attend?
Now, this was the question that Lital Asher-Dotan of Hunters posed on LinkedIn, and this is a discussion that comes up again and again. She pointed out the cost of flights and hotel rooms is so extraordinary – and this may be specific to San Francisco which, by the way, there’s lots of talk that it’s going to move – but they say it’s so extraordinary that she doesn’t know who can get the budget to attend.
But what I saw is the discussion boiled down to is it worth it to get a booth on the trade show floor and that the event itself has so much gravity that it just drives everyone to this one physical area. Geoff, what’s the value of RSA to you?
[Geoff Belknap] You know, David, I think the value of these large security events in general for practitioners, to be clear, is the sense of community. The InfoSec space is very difficult and having that community to exchange and engage with ideas is really valuable. But I think our guest today can talk to us about the other half of that equation, and I think that’s a really important part of this discussion.
[David Spark] Yeah, this guest is perfect for this discussion because he was for six years a member of the program committee that helped choose the sessions and also for one year was a vendor that had a booth on the floor and is now a CISO, so he’s touched kind of every aspect. And by the way, on the program committee specifically for RSA.
Anyways, a frequent guest we’ve had on before, it’s the CISO of Newell Brands, Lee Parrish. Lee, thank you so much for joining us.
[Lee Parrish] It’s wonderful to be back again. Thank you.
What’s the return on investment?
2:44.513
[David Spark] Sarah Breathnach of Hunters said, “When you look at the cost of having a booth on the show floor versus the pipeline that’s generated, the ROI is just not there. Will FOMO, fear of missing out, continue to force vendors to sponsor big shows like RSA?” She questions that. And Jacques Benkoski of US Venture Partners said, “Conferences have a natural tendency to grow until they suddenly cannot provide ROI and then they become supernovas.” And David Baeza of Buttered Toast – love that – said, “They become the magnet for the industry but the real conference and biz development takes place on the periphery.” So, we heard that all the time.
Geoff, what’s your thought about sort of the value of it and is really the conference on the periphery not the heart of the show?
[Geoff Belknap] I think that is the most unspoken open secret of all of these conferences, whether it be RSA or Hacker Summer Camp in Las Vegas, the real conference for practitioners, and really I think for corp dev and VC and salespeople, are it’s not the conference, it’s not the show floor. The conference value is outside the conference.
It’s where everyone’s going to have lunch or a dinner or going to grab a quick meeting in the St. Regis lobby or whatever it might be, that’s where the real magic is happening. I do think it’s still very expensive to go, people have to man those show floors and give away those tchotchkes or whatever they’re giving away to allegedly attract people to the booth, but the real magic is not actually happening at the conference.
[David Spark] Lee, why do you think companies still sponsor if they feel, and I don’t know, I know we had one Haru Mir [Phonetic 00:04:40] who actually did this detailed study and said, “Yes. There is ROI for getting a 10 by 10 booth at RSA,” which is the smallest you can get. Why do you think companies just keep spending?
Because that floor is packed with sponsors every year.
[Lee Parrish] Absolutely, yeah. I don’t necessarily think it’s a fear of missing out, and certainly I don’t know if there’s a certain financial benefit to it as far as ROI for getting leads and things like that. As mentioned by Geoff, you don’t know which leads are there to actually learn more about the product and want to talk more about it or who just wanted a free t-shirt or a koozie or something like that.
So, I think that it’s just a presence. I think that if you’re a major cybersecurity corporation and you’re not at one of the largest security conferences, that sends a message. I think it’s all about presence.
[David Spark] Okay. So, I want to dig into that just one more level. This is my theory. If you are a huge company, say like a CrowdStrike, a Palo Alto Networks, a Trend Micro, someone of that level, and you do not sponsor Black Hat and RSA, then that gives the avenue for your competition to tell your story saying, “Oh, you heard the reason they’re not here is because of blank.” Do you think that’s what their fear is?
It’s not the missing out, of the fear of someone talking bad about you.
[Lee Parrish] Yeah. I think you’re right, yeah. It’s a fear of just not having a presence there. And it’s unique for me because I see at different conferences and maybe you’ve seen the same thing is you go to some conferences like RSA and the same security company will have this massive booth and then you go to another conference that’s maybe not so big, there’s still a presence there but their presence is much smaller, the booth is smaller.
It’s just having that presence there. For me, it’s been interesting over the years to see these small companies on the edges of the Moscone Center with a little table and a sheet over it, and they’re just talking about this new technology that they have and then several years later all of a sudden they’re one of the big players, and I’ve seen that a couple times in my career.
Yeah, I think presence, it’s all about presence.
[David Spark] Geoff?
[Geoff Belknap] I wonder how much of that is based in the origins of RSA. Because when RSA started, this was the way for you as a product company to communicate to your analysts and sort of the industry communications folks about what you were doing, what your roadmap was going to be, and today you have social media, you have your website, you have email campaigns.
You have so many ways to communicate to your potential customers and your existing customers about what you’re doing that I don’t know if the big conference presence is as important as far as that’s concerned as it used to be.
[David Spark] I will tell you that I was just at Black Hat and just saw ludicrous displays in booths and lots of giveaways, and here’s my feeling about the giveaways. When you scan the person for a badge, for a t-shirt, you know what you’ve qualified? That person’s willing to wait in line for a t-shirt.
[Geoff Belknap] [Laughter] This person is patient.
[David Spark] Exactly.
What do most people think it is, and what’s the reality?
7:45.926
[David Spark] So, this segment, Geoff, is all speaking to what you said at the beginning of the show – the open secret of what RSA and these other big shows are. And Simon Wigfield who’s from AWS says the following, and I want to qualify because Lee and I were chatting about this and we didn’t know if he was saying the word “contract” or “contacts” and I think he’s alluding to the fact that the beginning of contracts happen here and I’m setting this up as I read his quote.
Simon says, “For my mindset, expos are for awareness, conferences are for contracts.” I don’t think they get signed there but I think that sort of the beginning rumblings happen in smaller conferences. But Simon goes on to say, “Regarding RSA specifically, all the CISOs a vendor would want to connect with were in San Francisco this week.
They just had pre-arranged meetings outside of the expo hall. Why ‘run the expo gauntlet’ if you can maximize your time by only connecting with those you want to?” I mean, that boils it down right there, Geoff, doesn’t it, what Simon says?
[Geoff Belknap] It really does. I don’t know if I completely agree with this but I think that, yeah, I’d certainly take Simon’s word for it as a vendor. But actually, now that I think about it, I have signed a contract, not at RSA but at Black Hat before. Although I feel like that’s more a result of everyone’s just there that you’ve got.
[David Spark] Right. But I mean, I’m sure you were already in a number of months of communications before that, right?
[Geoff Belknap] Yeah. I think it was literally just the culmination of a bunch of hard negotiation and we finally said, “Look, we’ll both be in Las Vegas this week. Let’s just do it there.”
[David Spark] I think it was already decided you were going to sign the contract before you even showed up.
[Geoff Belknap] Maybe, maybe not. But I think the point is it is valuable to have a significant presence there, but I think the reality is like not at the booth. I think if I go back to Haru Mir’s point, a 10 by 10 booth, and let’s be honest at RSA, those 10 by 10 booths are almost impossible to find, they’re sort of hidden in the outside wings of the conference.
[David Spark] Although every CISO we speak with, that’s where they want to go.
[Geoff Belknap] That is right. Which sort of tells you what people like Lee and I value from that conference is not really what the conference organizers are trying to provide, right? They’re trying to provide a mechanism for product marketing folks to really lay down their dollars and get some ROI on that.
RSA is no longer geared towards me. It’s really geared towards sponsors of the show. And I think there’s value there but it skews the experience. I would say Black Hat and DEF CON, that’s much more aimed at people like me, or at least today it is, we’ll see how far it goes.
[David Spark] Lee, I mean, I got to assume that your greatest value is off the show floor, but let’s go back to the time one year you were a vendor of the show. What value was it for you?
[Lee Parrish] It was an opportunity for me to share my vision for what I wanted to do with my product. I did get a lot of good interest and people were like, “What are you looking to solve?”
[David Spark] Sorry, did you have a 10 by 10 booth?
[Lee Parrish] No, no. Actually I had a little bit larger one, it was a little bit larger. But yeah, it was just a chance for people to come up and say, “What are you working on?” and I would tell them. So I would have a few people reach out afterwards but, again, the ROI, I think companies should not leverage conferences as the sole means of generating leads.
There’s so much more that they need to do besides the conferences. It’s just an opportunity for those people to have direct access to the customer and understand what their feedback is and what their pains are. That’s the big thing.
[David Spark] I’m sorry, did you get ROI out of your sponsorship at RSA?
[Lee Parrish] It was good. I learned a lot from it, I got a lot of feedback and things like that. As far as ROI from getting 7,000 leads and people who ultimately bought something, no. But it was a good chance for me to learn more about what they wanted to see in the product and what wasn’t going to work and what was going to work.
So that was the benefit for me.
[David Spark] I don’t even know how many years ago, were the hotel prices and airfare off the charts at that time or no?
[Lee Parrish] I think they’ve always been off the charts out there but one of the things I’ve done is in the back of the book – when you first register and you check in, they give you a book – and near the back of the book on the bottom half of the book somewhere on one of the pages, there’s a thing that says, “Save the date for next year’s RSA,” and it gives you the actual date.
And so I use that and I’ve made hotel reservations a year in advance before and what that does is you might get a better rate but also it eliminates the need for hurrying up and trying to find a hotel room at the last minute which, of course, the only thing left is a thousand bucks a night.
[David Spark] Well, as of recording this, I don’t know if we even know where RSA’s going to be next year because there’s a lot of talk it’s not going to be…
[Lee Parrish] I have it down as San Francisco. That’s what they published in the bulletin last year.
[Geoff Belknap] I just Googled it and it says Chicago.
[David Spark] I’ve heard Boston, I’ve heard Chicago. Yeah, I heard McCormick, it’s going to be the McCormick. I don’t know. I have no idea.
[Geoff Belknap] I guess we’ll see.
[David Spark] I guess it’s Chicago.
[Lee Parrish] You know that thing you mentioned earlier, David, is they have been talking about do we move it outside of San Francisco because of the sheer size and stuff but that conversation’s been going on for many years now.
[David Spark] Well, the complaint has been security has been the issue, and security sadly, San Francisco’s been getting a bad rap as of late.
Sponsor – Censys
13:28.918
[David Spark] Before I go on any further, I do want to mention our sponsor, Censys. Now, protecting your company from a cyberattack is a pretty monumental task, and not only do you have to stay a step ahead of threat actors who, let’s face it, are getting increasingly good at what they do, you have to secure a technology landscape that’s becoming more vast, complex, and fragmented.
And that’s why we have a lot more vendors, like what we’re talking about on this show.
So, think about all of your company’s internet-connected tech. We’re talking about assets living in the cloud, your software and web properties, remote devices, not to mention all the shadow IT you don’t even know about. As your digital footprint grows, it becomes more challenging to identify, monitor, and defend all that you own, and just one unknown or under-managed asset can be an attacker’s point of entry to your network.
That’s why continuous visibility into your entire attack surface and larger threat landscape is critical. To prevent an attack, you need visibility that’s informed by a comprehensive, highly contextualized set of internet intelligence for both proactive and reactive security analysis at scale. You need visibility into all the exposures an attacker could exploit.
And this is exactly the kind of visibility Censys provides. With the Censys Internet Intelligence Platform, your security team can access the most comprehensive, accurate, and up-to-date internet data available, so that you can take down threats in as close to real-time as possible, with no deployment or configuration required.
Governments, enterprises, and researchers around the world use Censys to defend their attack surfaces and hunt for threats, including the US government and over half of the Fortune 500. You can learn more about Censys on their website, it’s spelled censys.com. Go check it out.
Does anyone have a better solution?
15:36.266
[David Spark] Uri Rivner of Refine Intelligence said, “CISOs and their senior staffers do visit RSA. They do go to keynotes, track sessions, side events, and networking opportunities. They just wouldn’t spend much time in the vendor bazaar. This is why getting a speaking slot is 10 times more effective than having a booth in terms of actual lead generation.” Lee, you worked with speakers.
What do you say to that?
[Lee Parrish] Yeah. During my time there at the RSA Conference Committee, I do know that the conference spends a lot of time and a lot of energy to make sure that the speaker, the quality of the speakers, is very, very high. The actual average tenure of one of the attendees is over 10 years, I believe it is, it might be higher now.
The attendees are not going to put up with a lot of sales pitches so they do tend to be very diligent in weeding out marketing fluff and things like that, things that they anticipate might be a sales pitch. Plus the attendees score the sessions and RSA takes those scores very seriously, and so if somebody does slip by with a marketing fluff type general session, they probably won’t be able to do it again.
[David Spark] No, but this person’s saying, Uri is saying that still, I mean, even if it’s not marketing fluff that it could still turn into lead generation. Whether somebody gets up there and speaks and does not pitch their company can definitely turn into leads.
[Lee Parrish] Yeah. As long as there’s not a pitch then that’s fine. We all speak on behalf of our companies and things like that. So, yeah, that’s good, but if there’s any whiff of any kind of, “Hey, here’s our product,” then it’s just going to shut down by the attendees.
[David Spark] Do you hear from the speakers about the value it is for them to speak at the event?
[Lee Parrish] Yeah. I’ve spoken at a couple of them myself including one in London – RSA Europe – and it’s really valuable, I mean, and RSA does a really good job taking care of their speakers – there’s a speaker dinner and there’s a community there. So, yeah, they do a really good job of that. So, yeah, it’s very, very valuable.
I encourage my staff all the time, “Hey, put in a session. Try to get out there and get your name out there.” So, yeah, it’s very helpful.
[David Spark] Geoff, have you spoken at RSA before?
[Geoff Belknap] I haven’t spoken at a keynote but I’ve certainly done several panels which is code for I’m very… Well, I was going to say I’m very lazy, which is not really true, but what it really is it takes a lot of effort and preparation to do a great speech or a great talk at one of these big conferences, and [Laughter] I think I’m much more akin to like, “Let’s roll into a panel and just speak our minds.”
But I will echo what Lee is saying here and I think there’s two really important points. One, it is really valuable to present a session, but I want to underscore especially my sales friends that are listening, it is not inherently valuable just to get a presales engineer up there to talk about your product in a session.
It is inherently valuable for people like me or people on my staff that are attending these talks to hear new ideas and new approaches to old problems. That is what we’re looking for. We are not looking for new vendors. We are looking for new solutions, new takes, new perspectives. That is refreshing and new, we’re excited about that.
And the other thing to keep in mind is what Uri underscores and I really want to draw it out again. People, practitioners, are primarily not attending these big events to go to the vendor bazaar. They are attending them to go to the side events and the networking opportunities and to listen to what people have to say that is new and interesting.
[David Spark] During the actual sessions themselves?
[Geoff Belknap] Well, I think during the sessions themselves but during the conference, most of the effort, most of my attention, is going to be on the networking events and sort of the non-session events sometimes. In San Francisco if you try to go to a restaurant or a bar during RSA, it’s impossible because they’re all rented out.
They’re running side talks, there’s side events, or parties or whatever it might be. And as extravagant and indulgent as those parties might seem, that’s where you’re meeting and making connections with people in the industry, and that’s where I’ve met and engaged with salespeople because it’s sort of a neutral territory away from the show floor and it feels like you can actually have a conversation, assuming you can hear yourself speak over the 1,000-decibel music happening at any given moment.
[Lee Parrish] There is value, at least for me, in going to the expo, spending at least some time on the expo as a CISO and I run into other CISOs. It’s almost like a family reunion sometimes, these conferences, but it’s a chance to see what’s on the horizon. And again, I go to the outsides of the expo center, see what the new companies are doing.
Just being able to understand that’s valuable for me. So, I don’t necessarily agree that the assumption that CISOs don’t spend time on there in the comments, but I do think is Geoff is right on. There is a lot going on outside of that that’s very valuable as well.
[David Spark] I will throw this little funny addition to it. Because of the success of this show, I have had to bake in more time in between meetings, so I will set up lots of meetings at shows like this, at Black Hat and RSA – RSA more so than Black Hat – because I run into so many people as I go from one meeting to the next meeting.
And I don’t in any way want to blow anybody off and so I have to bake in that time of, “I’m going to run into people, I’m going to say hello, we’re going to schmooze for a moment or two before I go to the next meeting.” Which is I think a wonderful benefit of just attending for umpteen years as I have to this conference.
I’m assuming you know a lot more now than you did at year one, both of you, yes?
[Geoff Belknap] Oh, absolutely, yeah.
Sometimes there’s a really easy solution.
21:29.388
[David Spark] So, we’re going to bring this back full circle. Sarah Granger of SFFILM said, “A lot of people also come into the city for meetings and don’t register for RSA, they just meet on the fringes.” Kind of what we’ve been talking about. Zachary Ash of Gartner said, “Face-to-face engagement with clients, partners, and prospects is irreplaceable,” and that’s why people see this value.
And Vadim Sedletsky of Checkmarx said, “Sometimes in our business, like in other businesses, there are things you just need to do. RSA, or for this matter Gartner, are just like that.” So, I mean, is just RSA something you need to do? Because I know, and I’m going to say this and I hear this all the time, people say it with dread like, “Oh, I’m not going to RSA, I’m avoiding that thankfully,” or “I’m avoiding Black Hat,” which I don’t know if that’s elitist, I have no idea what it’s coming from, but it is exhausting.
I mean, my voice has suffered from it, but I do thoroughly enjoy the events. Geoff, what say you?
[Geoff Belknap] I’ll tell you, when I was a vendor, I would speak like that. Not because I thought it was a terrible event but it is so much work. So, side note – if you ever worked for a vendor and you have ever done the gauntlet of RSA and then Black Hat and DEF CON or BSides or any of these major big conferences, I salute you.
Because I have lost my voice, I have driven myself crazy. It’s just an incredible amount of work between setting up a booth, tearing it down, doing all the conversations, all the meetings, everything. It is a lot of work. Conversely, if you are a practitioner attending these events, it is a lot trying to set up the schedule.
And I am now, for better or for worse, one of these people that I don’t register for the event. I’m very lucky in that I have office space nearby the event, at least for RSA. So usually what I’ll do is I’ll – similarly I’ll be very busy – I’ll fill my week with meetings with the people that are in town for RSA.
[David Spark] And people will come to you.
[Geoff Belknap] And people will come to me, it’s a block away, it’s nice and quiet.
[David Spark] Well, you’ve got a unique benefit.
[Geoff Belknap] I’m very lucky and blessed to have that opportunity because otherwise I’d have to sort of weave my way through everything and it is not easy. And at the same time, I have met none of my peers that are like, “RSA is a waste of time.” That is not the case. But it is an immense usage of that time and you have to be smart about how you use that time.
[David Spark] Lee, is RSA like a must-attend for you? I believe you got sick on the last one, didn’t you?
[Lee Parrish] Yeah, I got food poisoning. We were supposed to meet.
[David Spark] Yeah, we were supposed to have dinner together.
[Lee Parrish] That’s right, yeah, I apologize for that. So, yeah, it’s something that, in the comments, it says there’s things that you just need to do. Well, for me, I think it comes down what attributes make up that perceived need. So you figure out what contributes to what you feel the need is and then there’s your answer right there on whether you should attend or no.
I think there’s knowledge to be gained by attending and learning more about the industry. I think it’s a wonderful opportunity to do it. But being forced to go? No. You either go or you don’t go, but for me the value has been phenomenal over the course of the last 11 years that I’ve been attending it.
[David Spark] Well, I’ll tell you, it’s always been very valuable for me as well, so I still appreciate it. As tough as it is from all the different angles, it has always been worth it, and I do appreciate running into people as well.
Closing
25:09.321
[David Spark] All right. We come to that point of the show where I ask you, which was your favorite quote and why, and I’m going to start with you, Lee. Which quote did you like – all good ones in here – which one was your favorite?
[Lee Parrish] There were some good ones. I think I zeroed in on Zachary Ash from Gartner with, “Face-to-face engagement with clients, partners, and prospects is irreplaceable.” I completely agree. For vendors, this is business school 101. I mean, you just have to spend time with your customers, and you have to learn what their pain points are and what their feedback is.
For security practitioners, it’s coming together for several days of intense conversation on cybersecurity topics and sharing best practices, asking questions, and having a little bit of fun at the same time, getting to know people outside of the office, so there’s nothing better.
[David Spark] I learned this from an extremely successful salesman, I said, “What makes a salesman succeed and one doesn’t?” And he just said, “Pressing flesh, shaking hands. It just comes down to that, boils it down.” Geoff, your favorite quote and why.
[Geoff Belknap] I’m going to go with Jacques Benkoski from US Venture Partners who said, “Conferences have a natural tendency to grow until they suddenly cannot provide ROI and they become supernovas.” I feel like this is kind of where RSA is right now, San Francisco economics have never been great, either for the conference organizers, the sponsors, or the attendees, and this is where it feels like RSA is going.
It’s really expensive to get to RSA, to stay at RSA, stay anywhere near it. I know I think I gave you a ride back from one of the events this time and you were staying 25, 40 minutes away. It’s really tough because the value of attending RSA is still there, putting aside sort of the vendor bazaar. The value of attending and being there in person is still there.
The cost of that value is ever rising and it feels like at some point we’ll have to make a decision to move this thing to a less expensive city.
[Lee Parrish] A quick tip though – if you become a speaker at RSA, typically they give you a free conference pass, so that’s however much off of the total expense report.
[David Spark] It also helps if you’re press as well.
[Lee Parrish] Exactly.
[Geoff Belknap] It doesn’t cover the cost of the hotel…
[David Spark] No, it doesn’t.
[Geoff Belknap] …meals though.
[David Spark] That brings us to the end of the show. Hopefully, by the time people are hearing this episode, we will all know where RSA is because this is going to drop in October. I want to thank our guest Lee Parrish who is with Newell. Are you hiring over there at Newell?
[Lee Parrish] We are. We do have a few cybersecurity slots open so check them out.
[David Spark] Check them out and maybe contact you via LinkedIn, yes?
[Lee Parrish] Sure.
[David Spark] All right. And mention they heard you here on the CISO Series and who knows what that’ll get you. By the way, if you see me at a conference, definitely come up and say hello. I always give out now stickers for all our shows because we now have stickers to all our shows. Oh, he’s got them as well.
[Geoff Belknap] Look at that.
[David Spark] Look at that. They should be not in a bag; they should be stuck on something.
[Geoff Belknap] Stick them to something, Lee.
[David Spark] Stick them onto a computer. In fact, speaking of that, look at this. They’re on my computer. Can everyone in the podcast see that? Thank you very much and I want a huge thanks to our sponsor, Censys. Remember Censys – the leading internet intelligence platform for threat hunting and exposure management.
They can be found at censys.com. Thank you again to Lee, thank you again to Geoff, and thank you to our audience. We greatly appreciate your contributions and listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.