RSA Thoughts: AI on Everything, With a Side of AI

Cristin Flynn Goodwin

June 11, 2025; also available on the Advanced Cyber Law blog

Cristin Flynn Goodwin at RSA 2025

I have been meaning to share some thoughts on my time at RSA. It was a really intense week, and I had an amazing time catching up with so many people and meeting many new folks too. I am a real fan of RSA, not just because of the connections with people, but also the chance to meet with a lot of companies and learn about a lot of what’s coming in technology in cybersecurity. 

RSA is when we as an industry put our best foot forward, when we’re meeting with investors and potential customers. I really love to spend some time on the floor and hear what companies want customers to know about their technology or what’s coming. And I love to see the “outer ring” companies that over time become future leaders – for me, that’s where the most exciting changes happen.

I had a few key takeaways as I reflected on the week. As a long-time cybersecurity lawyer, I’m really surprised by seeing the shift from “risk management services” to “exposure management services”. That showed up in numerous places on the Expo floor and in countless conversations. Risk is bigger when you’re thinking about exposure as opposed to the risk itself, which seems a little bit smaller. So exposure widens the aperture.

What will be really interesting is if we see that catch on from a regulation standpoint. We do have some incident notification laws that talk about requirements to notify regulators if there is a potential threat. So the “exposure” concept is already taking root. Let’s see how it expands over time in regulation and in products and services.

The second theme was one that I had to reflect on for a while. There’s a major part of our security market that now sells technology aimed at data loss protection, information protection, or insider threat protection through more proactive employee monitoring. It is now big business, moving into RSA’s “inner ring”. In talking to a number of companies, it was described as a “productivity suite management” or “over employment or workforce abuse detection”, leveraging AI and data analytics for customers. It’s interesting from a security perspective; protecting the assets and technology of the company makes a lot of sense. Despite the movement of privacy law towards cybersecurity law, it surprises me how little we’re seeing written about this shift. It will be an interesting question for young people who are going to grow up and work in corporate environments where there will always be an expectation of an employer being able to know every keystroke entered by an employee – from the websites every employee visits to data that is sent from an employee’s account. It may even become a boardroom debate for some companies. Time will tell.

I think the third takeaway that struck me was that identity solutions are everywhere, but we still haven’t really solved the problem. Obviously, identity is a huge problem across the entire cybersecurity sector. I saw some really interesting efforts at device identity that I thought were really interesting. While AI was everywhere and being widely used as a tool to help manage identity, I didn’t see anybody leaning into the topic of agentic identity and ways to provide assurance that the agents that customers will interact with will have attributable and secure identities.

I appreciate that the problem is nuanced. That said, I’m a real nerd for how we are going to deal with software assurance and assurance writ large for AI and AI agents. And I think identity has to be part of that conversation, along with software assurance and code signing. The identity community, at least on the RSA floor and in the folks I was speaking with over the week, hadn’t really gotten there, but it was an active debate and interesting RSA conversation.

I think the big fourth takeaway is that quantum hasn’t really hit RSA yet. It’s still an outer ring technology and topic from an RSA perspective, but I think that’s short-lived. In the next five years, we’re going to see that move more and more and more into the center. That’s just a matter of time. If companies aren’t preparing for post-quantum encryption and starting to think about the ways in which their competitors are going to use quantum computing to solve bigger problems, then that’s going to be something they’re going to have to put on their radars in the not-so-distant future.

On the fun side of RSA, it was fantastic to get to catch up with so many people, even a few that I’ve worked with for several years and had not had the opportunity to meet in person. I appreciate all of the folks who worked the RSA floor and had to answer lots of my questions.

One of a small number of quantum-related services

On a more somber note, I missed our dear friend Amit Yoran while I was walking the Expo floor. After I moved from DC to Redmond, RSA was our annual catch-up and his big bear hugs on the Expo floor were always special. Amit was such a life force and friend, and we’re all better for having him in our security community. He will be forever missed.

Until RSA 2026, friends. See you there. I can’t wait!