RSA Conference 2025: A Barometer for Cybersecurity’s Future

The RSA Conference, often regarded as the cybersecurity industry’s premier event, once again served as a critical barometer for emerging trends and ongoing challenges in 2025. With over 40,000 attendees and thousands more participating in surrounding events, this year’s conference highlighted a clear shift in focus and the pervasive influence of new technologies. In a recent episode of CISO Insights, host Swapnil Bhartiya delved into these developments with Steve Winterfeld, Advisory CISO at Akamai, to unpack the most significant takeaways.

AI Takes Center Stage

Unsurprisingly, artificial intelligence (AI) dominated the discussions at RSA. Winterfeld noted that AI was “by far the biggest topic,” encompassing a wide range of concerns. Conversations revolved around protecting employees’ use of AI, securing organizational AI applications, and, crucially, understanding how threat actors are leveraging AI for nefarious purposes, such as social engineering and phishing emails. The concept of “agentic AI,” where AI systems are permitted to make autonomous decisions, was a particularly significant research area. This emphasis underscores the industry’s rapid adaptation to AI’s dual nature as both a powerful tool and a potent threat vector.

Beyond AI: APIs, Quantum, and Community

While AI held the spotlight, API security emerged as the second most discussed topic, reflecting the growing understanding of APIs as critical attack surfaces. Quantum computing also featured in discussions, with experts emphasizing the need for proactive measures to protect data against future quantum decryption capabilities, even though the technology is not yet fully realized. Beyond technical trends, RSA is actively cultivating a “365 community” through online discussions and webcasts, aiming to foster continuous engagement among cybersecurity professionals.

A notable new track at the conference focused on “protecting your home and family,” a vital area often overlooked in corporate security dialogues but highly relevant for every individual. Winterfeld highlighted the continued evolution of the CISO role, emphasizing the increasing need for security leaders to function as strategic business partners rather than solely technical advisors.

What Was Missing?

Despite the breadth of topics, Winterfeld pointed out a recurring absence in the conference’s main discourse: supply chain and insider threats. While these issues periodically gain traction after significant incidents, they often recede from the forefront of budget and strategic planning. This oversight is concerning, given the devastating impact these low-level threats can have when they materialize.

Akamai’s Contributions and Industry Takeaways

Akamai, like many vendors, used RSA as a platform to unveil new products and research. The company launched a new API protection centered on a firewall for large language models and released its web and AI State of the Internet Report. Discussions with customers often centered on the increasing adoption of large language models and the critical need for their protection, aligning with OWASP’s evolving top vulnerabilities lists.

For attendees, whether in person or virtual, the key takeaway from RSA should be actionable insights. Winterfeld advises reviewing vendor research and new features, using the insights for training and red teaming exercises, and leveraging free content from the conference for team discussions.

Looking Ahead: Other Key Conferences

Beyond RSA, other significant conferences for the security community include Black Hat and DEF CON, both long-established events offering deep technical insights. Regional conferences and B-Sides events are also crucial for networking and nurturing emerging talent. Ultimately, selecting the right conference depends on individual goals, whether it’s networking, continuing education, or specific training. The cybersecurity landscape is dynamic, and continuous learning through these pivotal events remains essential for staying ahead of evolving threats.


Transcript

Swapnil Bhartiya: Welcome back to CISO Insights, where we analyze the cybersecurity landscape through the lens of industry leaders and security professionals. I’m your host, Swapnil Bhartiya, and joining me today is once again Steve Winterfeld, Advisory CISO at Akamai. Today we are diving deep into the major trends and developments that emerged from this year’s RSA Conference. With cybersecurity threats evolving at an unprecedented pace and new technologies reshaping the security landscape, RSA continues to serve as a critical barometer for where our industry is heading. Steve will share his first-hand observations from the conference, highlighting the breakthrough research, innovative products, and emerging trends that caught his attention. We will explore what was prominently featured at the conference. We’ll also talk about what might have been notably absent, and most importantly, how security leaders can translate these insights into actionable strategies for their organizations. From AI security to artificial intelligence applications, we will examine the full spectrum of developments that are shaping the future of cybersecurity. Of course, we will also look ahead to other key conferences and events that should be on every CISO’s radar. So let’s get started. Steve, it’s good to have you back on the show.

Steve Winterfeld: I’m happy to be here.

Swapnil Bhartiya: It’s my pleasure. Let’s get started, Steve. What are some of the big trends that you saw this year at the conference?

Steve Winterfeld: So, you know, RSA is probably the largest cybersecurity conference. It had, I think, 44,000 people this year, and then there are another 10,000 doing surround conferences that aren’t actually in it. But recently, I’ve seen more and more storefronts rented and hotels and just more and more around events. Over 700 speakers, over 600 vendors, and this year, for the first time, the conference actually hosted a page that tracked all the parties you could go to. So that was weird. Another thing that was crazy is there were goats and puppies at vendor booths for petting, which I’d never seen before. DARPA actually came and had a side venue where they rented out another building and ran their cyber challenge. So again, there were three or four other conferences next to the conference that were loosely affiliated. Of course, the biggest topic there was AI: agentic AI, or agents, non-human identities, assistants, typical large language model security and threat usage. So by far the biggest topic, right behind that was probably APIs, some talk on quantum, you know, we have that in a lot of, you know, “it’s coming, it’s coming, it’s going to have a big impact.” And then the fourth topic was RSA is trying to make a 365 community. You’ve seen them in the past where they have 365 webcasts. Now they’re trying to develop an online community, and that was a big push to try to get everybody into these discussions. There was one new track I was really excited about: a track focused on protecting your home and family. I personally, as a CISO, find that is my most attended security course. You know how to protect your loved ones. And so it’s great to see a track on that. If you have access or can go watch some of those videos, it’s a great way to turn around and turn that into a training program because people will attend that. 
You know, for me, I think I really enjoyed all the discussions around the CISO role, what’s changing, where budgets are being spent, and that continued focus on CISOs needing to be better business partners and less technical advisors. Kind of a long answer, but it’s a huge show.

Swapnil Bhartiya: You mentioned there was some focus on the family and all that. AI is one of the hottest topics. Was AI there at all?

Steve Winterfeld: Yeah, around AI, you know, you’ve got really protecting your employees from using AI, protecting your use of AI, and if you have AI involved in your product, that’s a different protective schematic. And then a lot of this was around agentic AI: where are you allowing AIs to make decisions? And then finally, how the threat is using AI. I’ve seen it, you know, in some examples, would be social engineering, phishing emails. One thing I found fascinating, and on the friendly side, I watched a talk on someone who used AI to win a Capture the Flag. And it was brilliant. I mean, they literally would just take questions out of Capture the Flag, put it into AI, and with the right prompts, were getting the answers.

Swapnil Bhartiya: Any interesting research products that were announced at the conference? As you said, it was not just one conference. It was more or less like a kind of conference of conferences there. So it may be a bit hard to track all the announcements, research work, but what was really interesting to you?

Steve Winterfeld: Well, I mean, it’s true of so many vendors, of so many academic organizations. This is a chance, you know, to roll out what’s new, roll out your research. You know, it’s just the biggest market, and so it’s a cluttered market, but it’s where a lot of people do it. I would say the second opportunity is probably Black Hat, and the third is vendor-specific conferences. For this one, Akamai was no exception. You know, Akamai has a protection for APIs around a firewall for large language models. So we launched a new product, and then we also put out our web and AI State of the Internet Report. And so we did, just like so many, put that out. You know, a lot of this research right now is out there around AI. Agentic AI was a big research topic. If you are going to go watch the videos, I’d encourage you to watch Bruce Schneier’s keynote. It was a great insight on AI and where we’re going at the larger policy level. He’s always been amazing at talking and thinking at the big picture. Quantum, you know, is still out there. It’s, it’s, a lot of people are predicting the impact, and there are real impacts. And so there are things we should do now that, you know, protecting our data. So when quantum comes out, that it’s protected against quantum. So a lot of threats are harvesting data now with the vision of breaking it when quantum capabilities come out. So there are things to think about, even though quantum isn’t here yet. But ultimately, I think the trick here is to make sure that, you know, you’re looking at all this research that came out recently and just, you know, put an hour on your calendar to go read some of the research, or read some of the new developments that are out there.

Swapnil Bhartiya: And when you look at, you know, all these announcements, or, you know, as you talked about activities that were going on at the event, was there something that you felt was missing?

Steve Winterfeld: It’s a great conference because it does both policy, technical, you know, across the spectrum. It has something for everybody, but the ones I see are the ones that year after year tend to fade to the back, which is, you know, supply chain and insider threat. And we’ll have a huge supply chain issue hit, especially vulnerable to ransomware, or we’ll have a big insider news story, and it’ll get big for a while, but it doesn’t seem to be something we really focus on. And for most of us, when we look at our risk profile, it’s below the budget line. And so those would be the two areas where I really didn’t see a lot of new insights. And it is that low-level threat that when it hits, it’s devastating, but just doesn’t seem to be top of mind. It is. It’s, it was fascinating that, you know, we, we continue to every year say, “Oh, well, that’s a big hit. We all need to pay attention to it.” And then by the time the budget cycle comes around, most of us don’t.

Swapnil Bhartiya: What kind of presence was there of Akamai there, and what kind of discussions you folks had with the attendees?

Steve Winterfeld: It’s interesting going out, and a lot of our engagement with the media was around our research coming out with the AI. You know, AI is newer. You know, there’s a lot, a challenge around discovering AI, because we have zombie APIs that were put out and forgotten about. We have rogue APIs, or ghost APIs, where somebody went out and purchased something or published a capability without going through security controls. We still have the normal set of web pages out there. We have people hitting our APIs with DDoS attacks. And so a lot of this is, if you go look at our State of the Internet Report insights on, you know, you can go back and look at the research and say, “Okay, now that I understand this risk, have I made the right mitigation decisions for my infrastructure based on, you know, certain aspects of my infrastructure going down?” And then, you know, our discussions with customers continue to see them slowly moving into large language models being valuable and how to protect them. I mean, you know, and it really kind of maps back to that OWASP thought process of OWASP had a top 10 vulnerabilities for web pages, then for APIs, now for large language models. And when you see those, those are the kind of things Akamai is moving to protect because the industry is moving to make those more and more important, which means there are bigger and bigger impacts on you. And then at the end of the day, you know, we’re understanding what we should be able to do to protect people if everything breaks down through segmentation, but that’s just a high-level look at security.

Swapnil Bhartiya: As you and I have discussed, that’s why we run this show here as well. What should be the takeaway for folks who attend the conference, whether it’s in person or virtual? How can they use this information that they gather at this conference?

Steve Winterfeld: So I’m a big believer in action. So anything that I’m reading, anything that I’m studying, that doesn’t lead with my ability to make a decision or take an action is ultimately something that’s not a good investment in my time. So as you think through this, you know, go look for research from vendors or from institutions that make recommendations on best practices. Go right now and look through all your vendors and say, “Did any of the vendors I use, let’s say the top five vendors I spend money with, did they release research?” There might be some best practices in there. “Did they release new features?” Because, again, this is a big time of the year to release new features, and have I optimized those new features to make sure I’m getting the most out of my tools? Think about this research and, you know, use it as a training aid. You know, new threats or new threat models, are we going to use them in our red teams? Understanding the changes in DDoS attacks or AI attacks or large language model attacks allows me to war game and make sure my security is there. And finally, think about picking four or five talks from this and pushing it out to your team. It’s free training. You know, we, we always think about training being, you know, costing us something. But here’s an opportunity to, you know, just have our team go out, get some of this content that RSA puts out, be it through the webinars or the conference, bring it in, have a discussion with the team around it, and take advantage of some of that free training.

Swapnil Bhartiya: Of course, you know RSA is wrapped. What are the other conferences that are coming up, which you feel are really of importance for the security community?

Steve Winterfeld: Well, as we said, RSA is, with the surrounding conferences, close to 50,000. The next one would probably be Black Hat and DEF CON, which are about half that size. Interestingly enough, RSA has been around for over 30 years. DEF CON has been around for over 30 years. Black Hat just under 30 years. So, I mean, these are well-established conferences. You know, Black Hat, I like, if you’re not aware, Black Hat and DEF CON are kind of teamed together. So if you go to Vegas for one, you can stay for the other. But really it depends on what your goals are. I’m a big fan of going to your regional conferences so you can make local connections, build out your network. If you’re younger, more junior, go to B-Sides. If you’re a corporation, support B-Sides. B-Sides is where we’re developing the next group. It’s junior people have an opportunity to go speak, a lot more technical in nature, just generally. There’s a number of vendor-specific and industry-specific. And again, if, if you’re heavily invested in one vendor, it might make sense to go to their conference to optimize your capabilities. If you’re, if you’re really interested in what’s going on across the industry, Forrester and Gartner put on specific conferences that are analyst-driven. Ultimately, I think you’ve got to ask, are you, do you want to do better networking? Do you want to just get your continuing education points, or do you want to train on something specific to take action on?

Swapnil Bhartiya: Steve, again, thank you so much for joining me and giving us an update on the conference, and as of July, look forward to the next official. Thank you.

Steve Winterfeld: Always enjoy talking to you. Thank you.