I just wrapped up RSA 2026, which means three things:
- I walked more steps in four days than I have in the last month
- I had at least six “quick coffees” that somehow turned into 45-minute conversations (impressive, given I don’t actually drink coffee)
- I’m equal parts energized and questioning my life choices
RSA is always a mix of signal, noise, and things you didn’t plan to carry home. This year felt…different. Not radically so, but enough to notice.
Some things are clearly improving, some feel stuck, and a few are just starting to take shape.
Here are the 10 takeaways that stuck with me.
1. We’ve come a long way. And also…not really.
Yes, we’ve moved past the booth babe era (thank goodness). The floor feels more professional, more inclusive, more reflective of the industry we want to be.
I had a moment this week that really brought that into focus. I was talking to a recent college grad attending her first RSA, and I mentioned what my early conferences were like—booth babes, questionable marketing choices, and a very different vibe. She just stared at me. Totally shocked, slightly confused. Like I was describing a different industry.
And honestly? That reaction was refreshing. It’s easy to forget how much has changed until you see it through someone else’s eyes.
But zoom out even slightly, and the gaps are still there. More women are in the room, but fewer are on the main stage. Even fewer are treated as the default voice of authority.
The progress is real, but so is the distance left to go.
2. We’re building a strong community for women, but not enough pipeline
There were some genuinely great moments connecting with other women CISOs this year. The support is real and so is the community.
But it also made me wonder, are we building a movement or just a network?
A lot of the energy is concentrated around women who’ve already made it. And while that matters, it’s not enough. If we want real change, we need to invest earlier, sponsor more aggressively, and create visibility for women who aren’t already in the room. Otherwise, we’re just making the same table slightly more comfortable.
3. More vendors, more platforms…same underlying problems
There are more security vendors than ever. More categories, more overlap, more “AI-powered” everything. At some point, walking the expo floor starts to feel less like discovery and more like déjà vu. Different logos, same problems, slightly different dashboards. And yet, behind the scenes, most teams are saying the same thing: we already have too many tools.
Which makes RSA a bit of a paradox: the place where we go to solve complexity…by adding more of it.
“Platform” might have been the most overused word this year. Everyone is consolidating, everyone is integrating, everyone is the “single pane of glass.” And yet, most environments still look like security Jenga. We say we want fewer tools, but we keep buying more, one urgent problem at a time. A new risk pops up, a new budget appears, a new tool gets added. Rinse, repeat.
And to be fair, it’s not entirely irrational. When you’re under pressure, incremental fixes are easier than stepping back and re-architecting anything.
But the result is predictable: overlapping capabilities, partial integrations, and a growing tax on the people who have to operate all of it.
At this point, “platform” feels less like a reality and more like a shared aspiration.
4. Security is a team sport (and tools won’t fix that)
The most credible conversations I had weren’t about tools; they were about people. Security has become too complex for any single team (or vendor) to solve in isolation.
The CISOs who seem to be navigating this best are focused on:
- Cross-functional alignment
- Reducing friction with engineering
- Shared ownership across the business
Because in practice, most security failures aren’t caused by a missing tool. They’re caused by gaps between teams, unclear ownership, or priorities that aren’t aligned. The strongest security programs don’t just layer on controls; they make it easier for the rest of the organization to do the right thing by default.
At the end of the day, security isn’t just a technical problem; it’s a coordination problem. The teams that recognize that are the ones making real progress.
5. RSA might be the most expensive echo chamber in tech
Between booths, sponsorships, private events, and dinners, the amount of money spent is staggering. I can’t help but ask, how much of this actually makes us more secure?
RSA is incredible for connection. Some of the best conversations I had all year happened in those few days.
But there’s also a layer of performance you can’t ignore. Announcements timed for the week, messaging that converges into the same handful of buzzwords, everyone trying to stand out and somehow ending up sounding the same.
It doesn’t make it meaningless, but you have to be intentional about filtering out the noise.
6. Even the AI-free zones aren’t AI-free
You couldn’t walk 10 feet without hearing about AI and agents.
Some of it is real; a lot of it is existing workflows with an LLM layered in. A better UX, not necessarily a fundamentally new capability. However, there is a real shift to be acknowledged: autonomous agents operating without humans in the loop, decisions happening asynchronously, more machine-to-machine interaction than human-to-machine interaction. This has real implications for how we think about control, visibility, and failure modes. We’re not fully there yet.
I did appreciate Wiz’s “No AI Zone.” It was a clever nod to the fatigue a lot of us are feeling. Also very clearly an ad for their AI.
A little ironic and a pretty accurate snapshot of the industry right now.
7. AI security is still a moving target
This was one of the most consistent themes in conversations with other CISOs: no one has this fully figured out.
The risks are evolving quickly and the attack surface is changing just as fast. What feels like a reasonable control today can be outdated in a matter of months. That makes it hard to approach AI security with a traditional long-term architecture mindset.
Most teams are adapting in real time—testing, iterating, and trying to stay grounded in fundamentals while the landscape shifts underneath them.
There’s no steady state yet; just a moving target.
8. The real value is in the relationships
For all the scale, production, and noise, RSA is still, at its core, about people.
It’s reconnecting with colleagues you haven’t seen in a year.
It’s finally meeting someone in person after months of Zoom calls.
It’s the conversations that start as “quick catch-ups” and turn into something much more meaningful.
The longer you’re in this field, the more you realize that security runs on relationships.
Trust between teams. Trusted peers you can call when something goes sideways. People who will give you the unfiltered version of what’s actually working and what isn’t.
RSA is one of the few places where all of that comes together and that part never gets old.
And, if we’re being honest, some of the best relationships aren’t built in conference rooms; they’re built at the bar at the Four Seasons. It’s where the conversations get a little more candid, a little less polished, and a lot more useful.
9. The unofficial RSA fitness challenge
A brief but important observation: RSA might be the most accidental wellness event of the year.
Between Moscone, hotel meetings, offsite dinners, and “it’s just a 12-minute walk” directions that turn into 25, you end up moving constantly. You don’t really notice it until day three, when your feet hurt and your step count is doing numbers you haven’t seen in months.
But it’s also a good reminder of something we don’t talk about enough in this field: clear thinking requires a little space. Some of the best conversations and best ideas don’t happen in sessions; they happen walking between them.
At RSA, a lot of the value lives in those in-between moments.
10. The best part of RSA still isn’t RSA
It’s the walks between meetings. The coffee that runs long. The side conversations that weren’t planned.
That’s where people drop the polished narratives and say what they actually think:
- what they regret buying
- what’s not working
- what they’re worried about
For all the production and polish, the real value of RSA is still the honesty between practitioners.
If I had to sum up RSA this year:
We’re getting better at talking about the right problems; we’re just not always as good at solving them.
There’s real progress—on representation, on community, on how we think about security as a discipline. But there’s also a lot of noise, a lot of repetition, and a tendency to add complexity faster than we remove it.
What stuck with me most weren’t the keynotes or the launches; it was the conversations in between, the honest ones. The ones where people said what’s actually working, what isn’t, and where they’re still figuring it out.
That’s the part of RSA that still feels real. What matters is what we take away and what actually changes now that the week is over.
