Hugh Thompson on Building the RSA Conference [Afternoon Cyber Tea]

Dan Johnson

You're listening to the Cyberwire network powered by N2K. Welcome to Afternoon Cybertea, where we explore the intersection of innovation and cybersecurity. I'm your host, Dan Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews and captivating stories. To stay one step ahead today, I am thrilled to welcome Dr. Hugh Thompson, the Managing partner at Crosspoint Capital Partners and the Executive Chairman of the RSA Conference. Hugh is a tenured cybersecurity expert and has written more than 100 publications on security. Hugh testified before Congress and of course, he helps build, execute and secure the world's largest cybersecurity conference. Hugh, I'm not sure there's anyone who knows more about what matters to security leaders and professionals than you. Welcome to Afternoon cybertea and thanks so.

Dr. Hugh Thompson

Much for having me. So excited to be a part of this.

Dan Johnson

So as we record this. The RSA 2025 conference wrapped two weeks ago and I was there. This year's conference attracted almost 44,000 attendees, is my understanding, which was a new conference record. It was certainly busy as I was walking everywhere. Yeah. So I wanted. It was amazing. Like crossing the street was just a challenge. So talk about what goes into building the event. How far in advance do you start planning each conference?

Dr. Hugh Thompson

And so first, it was great to see you there. Oh my gosh. It's incredible to think it's already been two weeks since the event. But it's a long planning cycle. You think about 44,000 humans getting together. There's a lot to pre plan. So we start about 18 months in advance of the actual event. And it's everything from what is the theme going to be? How much space do we think we need for different types of sessions? What have we learned from, I guess the conference two years prior in order to plan for the one that's coming up 18 months from now? So it's a long cycle and there's an amazing team that's been working on this for a long time and it's super exciting. It's a privilege to be able to get this community together.

Dan Johnson

Wow, 18 months. I didn't realize that. So you're actually having to look back on even a conference ago to see what you're going to do for almost two years later. That's interesting.

Dr. Hugh Thompson

It takes a while. It really takes. It takes a while. Now obviously we learn from the conference that happens in between and we make adjustments and it's a team that's never satisfied with Great. We always want to make it better and we're so lucky because this community, as you know, Ann, I mean, you've been a part of it forever, is very, very willing to share and they want to collaborate and they're very forthcoming their views on how it can be a better experience for them and how they can get even more out of it. So it's such a community effort to get this conference together.

Dan Johnson

That's great. I love to hear that. We talk about having a learn it all attitude here at Microsoft. And you truly are. You learn from each conference to take the feedback and to improve the experience for the attendees. It shows up, right? It shows up when you go that the adjustments, even if you think they're little adjustments, they're really meaningful for those of us who are attending. So let's talk a little bit about you. I think everyone knows you as the crosspoint capital person or the executive chairman of the RSA conference. We were at an event a couple of weeks ago, even pre the RSA conference, and you were showing your degree, your applied mathematics. By the way, I love your slides. Someday I'll have to understand who makes your slides because I want to at least hire that person part time. But anyway, don't steal the man.

Dr. Hugh Thompson

Don't steal.

Dan Johnson

They were great. But you have an educational background in applied math. Your bachelor's, your master's, your doctoral degrees are all in applied mathematics. How has that shaped the way you think about cybersecurity and also a large scale event like rsac?

Dr. Hugh Thompson

It's interesting, I'd say mathematics to me is just very pure. It's an expression of logic, but it allows you to try and make some structural sense out of what seems like chaotic activities. You get 44, 4,000 people together and there's a lot of Brownie in motion. Folks are moving around and what patterns are they following? I think it helps a little bit there, but it really helps you to systematically think through complex problems and break them down. And it's helped me in my whole career. Even though my background's in mathematics, my whole career has been in cybersecurity. I'll tell you a quick story. I always thought that I was going to be a math professor, right? Because it's what I loved. And I was entering the first year of my PhD and it was almost summertime and I'd just gotten for me unbelievable news that my teaching assignment for the summer was Calculus three. I was going to teach my own section of calculus 3, which is my favorite calculus. I think it's everybody's favorite calculus. It's surfaces, triple integrals. I was just on cloud nine. And so I went to my favorite falafel place, which was right next to the campus. Sit down, place is packed. And there's a guy that wanders over, sits next to me, and he's like, hey, is this seat taken? Place pretty crowded. I'm like, yeah, come on down. And we end up talking for maybe three hours about graph theory, which he was really into, I was really into at the time. And only at the end of this like 3 hour falafel fast did I ask him, hey, well, you know, what are you doing here? Like teach here? Because he was a little bit older than I was and he said, no, I'm a recruiter for Microsoft and this is why I share the story with you. And I'm like, wow, okay, great, you know, what are you doing? He's like, well, we're looking for bright folks to bring for the summer. I think this was 1999. And he's like, you should come. You gotta come over. Come over to the campus. I look, I would love to come, but you don't understand. I am teaching calculus three this summer. This is, you know, you would never give up an opportunity like that. And he said he understood, although I don't think he really did. But he asked me to just come and for the summer meet some of the people and it really changed the trajectory of my career. I went over there and I met so many just curious people from all kinds of different backgrounds. I ended up staying there for the summer, was an intern. I worked on Microsoft Exchange through Microsoft Research. It really convicted me that what I want to do for the rest of my career is continue to do what I'd always done as a hobby, which was break software and find weaknesses and protect people. I just share that with you because it was a really pivotal moment for me.

Dan Johnson

So that is really interesting how you made that change. And I have to tell you, I don't have a favorite calculus subject, but probably because I was never much of a math person in school. So it's also fascinating for me to hear you described very seriously calculus 3 being your subject and then how you actually, I think it was developed the hunger for cyber. Right. Because cyber we always describe as a very mission driven field. So just thinking, yeah, when you get in it and you realize you can change the world, you don't really want to leave.

Dr. Hugh Thompson

You don't. You're right. It is a mission, it's a calling. It's something that really fills you up every day when you know that you're making a difference or at least you're trying to make a difference in such an important area.

Dan Johnson

So let's pivot from there. So you chose this career in cyber, which is fantastic. I'm glad we pulled you out of being a university professor because I know the industry is greatly, yes, greatly benefited from having you. When you think about rsac, what is your approach to choosing a theme? How does that work? How do you think about a theme that resonates with such a diverse, such a global audience?

Dr. Hugh Thompson

It's tough and there's a lot of debate that goes on internally around the theme every year. And we've done a lot over the years, quite diverse. You know, we had this, you know, dragon theme one year. We had a, you know, Ancient Secrets of Mythology one year. And about, I'd say 12 years ago we started a track called the Human Element and it was all about how people interact with systems and it was really popular. We got to explore all kinds of different things inside of that track. And then the next year when the debate came up, you know, geez, what's the theme for 18 months from now? And everybody agreed Human Element was the right one because cyber really comes down to people, whether it's the folks that you're trying to protect, the folks that are the defenders that are in cyber, or the attackers. And ever since then, I think you'll notice if you go back over the last six or seven years, many of the themes have had this human element touch to it. It's been a real privilege to go through that process. A lot of thought goes into it. This year the theme was Many Voices, one community. I don't think that there's ever been a more important time for the community to come together and everybody has a voice in this community. It's incredible to see the unexpected places the great contributions come from. So I'm really, really happy with the theme this year. Last year was the Art of Possibility. So we always try and inject some hope into the themes too.

Dan Johnson

I love that. And I remember because I was privileged to be at RSA, the company starting in 2000, but we had this woman, Louise Johnson, that would build our booths and they would be these unbelievable she would envision and you know, take the conference theme and RSA had these unbelievable booths. I don't know if you remember that.

Dr. Hugh Thompson

Oh, I do, I do. They were incredible. They're incredible. And a multi story if I remember correctly.

Dan Johnson

They were. But I love the Human aspect. I love the pivot because as you're modernizing the conference and meeting people where they are. Cyber is about human beings, right? It's about the humans that attend. It's about the humans that speak. It's about the humans that secure the world. Which brings me to your programming. The conference has a really diverse set of content to appeal to all different types of humans. I've been privileged to be able to speak at the conference. I understand There were over 450 sessions in this year. How do you strike that balance? How do you strike the balance between meeting deeply technical people where they are with content, and then sessions that are accessible to non technical attendees? Maybe policy people or people that want to talk about the business of cybersecurity?

Dr. Hugh Thompson

Yeah, it's a difficult balance because as you know, there's so many different types of people that comprise our community. Some are technical, some aren't technical, some are policymakers. So we have an open call for speakers that happens every year. This year we had a record number of submissions. I think just over 2,800. And this is from around the world. I mean, you wouldn't believe how diverse the pool is of submissions that come in. Typically they're very detailed, right. There's a short abstract that says, here's what I'm going to talk about. And then there's this more detailed one that here's point by point, the things that we don't want to hit that we think are important and here's why we think that we're the right people to talk about it. And then those 2,800 get narrowed down by an independent program committee. So it's content that comes from the community that then gets adjudicated by the community. And we've got two to three chairs for each track. And I can tell you, and those program committee meetings, and specifically the track meetings, they can get pretty wild. I mean, you know, people come into it as like great friends and, you know, then they, they have their favorite session and they're like, there's no way I'm going to put my name on this track if this session doesn't get in there. I just love the passion. But it really comes down to setting what those tracks are to make sure that we do have the content that touches everybody. So we've got a track on policy and government, for example. We've got multiple hackers and threats tracks for examp, example for very technical content. This year we partnered with Usenix to have breaking research tracks that are focused on two to five years from now. And then I've just gotta hand it to our amazing program committee that dedicates so much time into not just reading these submissions, but really passionately advocating for the ones that they think matter. It's. I don't know. I walk away from that process every year just so blown away by how passionate this community is and how willing they are to give back.

Dan Johnson

Yeah. And that's. I think your program committee is outstanding. And I know they work tremendous hours in reviewing all of the content. Yeah. And pulling it all together. And this is a side job for them. They aren't a fan a full time program committee, so they deserve a lot of recognition for the work that they do.

Dr. Hugh Thompson

Oh my gosh, I couldn't agree with you more. And like you said, it's a. It's a hobby for them and they put so much of themselves in it. And that's something that I don't think folks outside of security understand, which is how open this community is, how willing they are to share with each other. And that's evident by the response to the call for speakers, for example, but also how willing they are to give their time to make the industry better and help to shape it. I've never seen anything like it. It is amazing. Amazing to watch every year.

Dan Johnson

It really is. And speaking of being amazing, the speakers. Right. You get these speakers that have such high profiles. You also get everything from hackers to CEOs. So how do you ensure the program again, appeals to all levels of experience as you work through those program committee decisions?

Dr. Hugh Thompson

Yeah, great question. So as part of the submission, there is a level rating of how technical do you have to be to really get something out of this talk? And what we aim for, depending on the track, is to match up the level of technical sophistication with the track. So let me give you an example. In policy and government, there are sessions that are really deep in the weeds. Not technically, but in policy and government, like based on case xyz, we're seeing the trans transformation of how regulation Q is being interpreted. And that's not accessible to the average person. But we need some of that content for folks that are in the legal department, for example, or maybe a chief Privacy officer. And we always strike the balance between things that are very specific to a field and also things that can be accessible by just a wide variety of folks that are just curious and want to learn more. One of the activities that we do is, before the call for speakers even opens, is we ask those track chairs to do A blue sky exercise. So you don't know what's coming in, but what ideally, what topics would you want covered at what level? And just them. Thinking through that process is super helpful because then when you get the flood of submissions in, it really regrounds you to not just get enamored with every AI talk that shows up and turn the whole track that way. So I think that process has gotten honed very well over 34 years now.

Dan Johnson

So. So you've been leading the conference for quite a while. Can you talk about how the cybersecurity conversation has changed since you first started programming rsac?

Dr. Hugh Thompson

Yeah, I think it's changed quite a bit. There's a lot more consequence to cyber today than there was going back, let's say 20 years ago. @ that time it was a pretty obscure field for the average person. The way that I judge this is I travel quite a bit and you sit next to somebody and you know you're about to be sitting next to them for the next 10 hours on a flight and you have the normal just intro conversation like, hey, geez, weather looks good today, Great. And then eventually you get to, well, what do you do for a living? And everybody I sit next to seems to always have something very interesting that they do, right? A veterinarian or I captain a ship. And then I say, well, I'm in cybersecurity and 20 years ago I always got the same response from the person sitting next to me, which was, well, jeez, I just picked up this really great book at the airport and I'm looking forward to reading it during the flight. Meaning we won't be talking during the flight, because that sounds really boring. But today it's completely different. I think the average person has interacted with some kind of cyber incident, like it's relevant in their lives. They've maybe personally suffered some kind of ransomware attack, some virus that's hit their system, something that's wiped out all of their personal photographs, for example, or a scam. We've seen the elevation of security in society and you can see RSA conference evolving that way too. So you've got key government officials, for example, that show up every year at the conference. You've got folks that are leaders, not just the chief information security officers, but CIOs and CEOs of very large companies that come because they realize they need to understand what really is this cyber risk, like, what's the dimensionality of it. And so it's been an expansion of our programming to not just have some of the very technical sessions, but also have these higher level philosophical futures policy sessions too. And it really is a testament to how important, important this industry has become in society.

Dan Johnson

I think that's great. And I used to say, because I started in the industry 25 years ago, that people spend more on their coffee budgets than they spent on the security budgets at that point in time. Yeah. And now we're a boardroom conversation. Right. We're on the front page of papers. Some organizations have billion dollar security budgets. So I think we've come into our own, Hugh. But with, you know, that becomes great responsibility right. Now that people know who we are.

Dr. Hugh Thompson

Oh, and I can tell you, Ann, and I know you feel the same way. I feel the weight of that responsibility every single day. I know the role that RSA conference plays in the world. And I can't tell you how much of a privilege, but also how much of a burden it is to know that every session that we have, every activity, it really matters. Like it's probably going to touch someone and change how they do something. And that could have serious implications for a company, a person, a business, a country, for society. It's an amazing thing to watch, but it's also an awesome responsibility.

Dan Johnson

It really is an awesome responsibility because you not only bring in the world's top cyber minds, you bring in people like Jamie Foxx. So can you talk. Yeah. Talk a little bit about there's celebrities that come to the RSA conference. How do you decide what celebrities to bring in and how do you get them to come?

Dr. Hugh Thompson

Oh my gosh, again, we've got such an amazing team. So Linda Gray Martin and Britta Glade are two of the folks that I'd call out in particular here. And I think you've met both of them.

Dan Johnson

I've worked with both of them.

Dr. Hugh Thompson

They're fantastic. Right? They are, you know, just like us, just so passionate about this field, obviously about this event. And every year we sit down and we say, geez, who is it that we can add to the conversation that is going to offer something new that's not necessarily cyber? Maybe it's a lesson on leadership, maybe it's a lesson on personal growth or recovery or how do you deal with massive amounts of stress, for example, which is a big deal, big part of being in cybersecurity. It's a very interesting process. So this year, and you called out Jamie Foxx and I thought it was fantastic. I don't know if you, you were.

Dan Johnson

At that session, but I wasn't, unfortunately, and I was really disappointed. Just so you know.

Dr. Hugh Thompson

Oh, my gosh. It was. I don't want to make you feel bad, but it was epic. It was epic. Like, you know, he gets up on the mic, he starts singing, he brings people up to the stage, and people are dancing, dancing. And it's like it was almost a. Just a wonderful community bonding event, right? That was the beginning part of it. And then when I sat down with him and we started to talk, I asked him about how he got where he was and, you know, what has he learned about community, like his own community of actors and comedians that he'd grown up with, and how did they shape him at the very end? He had been in the news for about a year or so, but he'd suffered a major medical incident. And he was just very open about just recovery and what matters in life. And he was so sincere and vulnerable. And I think at the end of the day, the people in the crowd, even though they're in cybersecurity, they're people first, and you need to nurture those human beings. It comes back to this human element point. We also had Magic Johnson this year, and that guy's just incredible. I mean, he was roaming the seats and bringing people in for selfies. He challenged somebody in the audience who is very surprised, by the way, to a chest Bump Jack competition.

Dan Johnson

That's wild.

Dr. Hugh Thompson

It was. Oh, my gosh, it was. It was incredible. And, you know, I'm thinking about things like, geez, what's our insurance policy like? And does it cover this? And, you know, but, you know, it was just awesome. And he talked about leadership and his time in the NBA and how he helped to lead a team into victory. And one of the lines that, you know, because I learned something in every one of these talks, one of the lines he came out with that's going to stick with me for a long time is if you go into anything and in his case, a game, and you think you're going to lose, you're going to lose, and that's actually so profound when you think about it. It comes so much down to mindset and the mindset we approach what we do every day with and how important it is to understand and believe that, no, we're going to win, even though we've got this active adversary on the other side, even though the odds are stacked against us, we're going to win. It's amazing. And it's become an important part of the conference.

Dan Johnson

That's really great. How do you think about the exhibition floor and the experience There and how that factors into the programming. And I'm going to combine another question since we're talking about the exhibition floor. There were puppies this year, which was amazing, but there were also goats this year. Can you talk a little about the most unusual vendor request you've received? And was it the goats?

Dr. Hugh Thompson

It was not the goats. Although, I mean, those dwarfs goats were just amazing and people really gravitated towards them. And there were multiple puppy booths this year. So that was sort of an animal trend this year. The weirdest request that we got, and I'm not going to name names for reasons that'll become obvious. It wasn't really a request. It just showed up on the show floor. So apparently this one company had smuggled a llama in. Yeah, yeah. And I don't know how you spent.

Dan Johnson

With llamas, but no, they're not the friendliest creatures.

Dr. Hugh Thompson

No, no, that would be accurate. They are not the friendliest creatures. They're quite large and, you know, very unpredictable. And so suddenly this llama just shows up right inside of a booth. And, you know, that was a very. In conversation, not just with that particular exhibitor, but, you know, police and others. Apparently you cannot get a permit for a llama inside of the Moscone center, which is something that I now know.

Dan Johnson

After that, I never even thought about that.

Dr. Hugh Thompson

I know. That was. So now, you know, when you read some of the contracts, there's like a no llama policy. You don't think you have to call this stuff out specifically. But just to get back to your earlier question, I think to show floor, look, there's a lot of new people that come into cyber every year, and they are just looking for some kind of wayfinding of who are the vendors that can help. Because you can't do it without vendors. And I think for those folks, there's great value in just the time savings of having all of those vendors in one spot.

Dan Johnson

And.

Dr. Hugh Thompson

And you can go in and yes, some people spin a wheel and just want a T shirt. And that's true. But then there's others that really are about to make a decision on behalf of their company of a new technology. And they can visit 10 vendors that have competing products for them very quickly. And so I think that that's a huge benefit for attendees. I think it's a great benefit for the vendors themselves. And it's an important part of the conference.

Dan Johnson

So I know you have delivered a keynote every year since 2007. I have a couple questions for you. One, do you ever get to experience the conference, like, as an attendee, do you get to walk the floor and be an attendee? And then when you're thinking about your keynote, how do you keep it fresh? Every year we're what, 17 years into it, 18 years into it, how do you keep it fresh?

Dr. Hugh Thompson

Yeah, well, yeah, So a couple of things. So first, on the Enjoying the conference? Yeah, absolutely. I make sure to carve out some amount of time. Obviously it's very busy during the conference week, but some amount of time to walk the show floor because it's very important to go to at least two sessions where I don't know the person. And it's something that's very interesting to me, and it's something that I feel like I don't know very much about. Even though I've been in security my whole career and have written three books on it, you can always learn something from somebody else, no matter who they are. So I do carve out time for that. And in terms of the keynotes, I have the great benefit and blessing of having five young kids. And the reason that I bring that up is just strange things happen when you have such a high volume of kids. And so I think about security all the time. And we always run into these bizarre, usually harrowing kind of safety incidents. And they often help shape my thinking of. Is this a way. Is sharing this story? Is sharing this experience a way to help convey a complex security concept or topic to a broad audience that has very, very, very diverse backgrounds? And people think in stories, that's what they remember. That's, you know, that's how information was passed down for hundreds of thousands of years. And I'm fortunate enough that my kids help to get us in predicaments that lead to stories that I think are helpful to relate concepts that matter to people right now. It's such a privilege every year. It's so much fun. And it's wonderful. It's wonderful.

Dan Johnson

That's fantastic. And you do such an amazing job. And it's good to hear that you get a lot of your inspiration from your family. It's just a great way to connect it. Even though I'm sure that there's having five. I only have one, but having five children, I'm sure there's a lot of hijinks that happen even with one. There are entertaining experiences. My child actually password surfed me once. Oh, they were? Yeah. When they were about 11, they shoulder surf my iTunes password and downloaded about $100 worth of music. Oh, wow. And I kept getting alerts and I'm like, what is going on? And finally, you know, I went and found the child and they owned up to it. So we can no how long you've been in cyber. We all have opportunities to learn.

Dr. Hugh Thompson

Oh, my God, I'm so happy you shared that story. And I'm gonna advertise for the next year's 2026 conference. There is a track called the Insider Threat.

Dan Johnson

There you go. Because that was an insider. That's so funny.

Dr. Hugh Thompson

It's an insider. It's an insider.

Dan Johnson

Very much. Well, I always close afternoon Cyber Tea with a bit of optimism with that in mind. And I know you're an optimist like me, so, yeah, I'd love to hear what you're optimistic about when it comes to the future of cybersecurity.

Dr. Hugh Thompson

You know, look, you can't walk away from RSA conference, especially this past year, and not be optimistic about what we can accomplish if we band together as a community. You just can't. Because you see the ethos of the people that are in the fight with you. They're folks that really care. They actually care. It is a mission for them. It is a calling. And when you have smart people that are aligned together with a mission against a common enemy, amazing things can happen. That's been true throughout history. It predates technology. We have that as, in such a way, abundance inside of our cybersecurity community. How could you not be optimistic about the future? Now we've got to organize better. We've got to make sure that the right things are in place for people to share and collaborate, which we're working on, others are working on. But it is a field that I believe that the folks that are in it and they see that communal aspect of it, you cannot not be an optimist.

Dan Johnson

I love that and thank you for joining me. I know you need some downtime post the conference. I hope you get that downtime and I appreciate you making the time because I know how incredibly busy you are.

Dr. Hugh Thompson

And thanks so much. It's just a privilege to be a part of it. And thank you for everything that you've done for this industry, all the advocacy, the leadership that you've given. I can't thank you enough.

Dan Johnson

Thank you and many thanks to our audience for tuning in. Join us next time on Afternoon cybertea. I invited you to join me because RSA Conference is the largest and most influential cybersecurity conference. It is a massive undertaking involving multiple site locations, tens of thousands of attendees, and hundreds of exhibitors. Q has so much knowledge to share about the industry, about the conference, the way it all comes together, and also about the cybersecurity lessons he and his team put in place to protect and to secure Every attendee.

Unknown

This week on the Microsoft Threat Intelligence podcast, come check out a threat actor overview of Sapphire, Sleet and Seashell Blizzard. Be sure to listen in and follow us@mstreatintelpodcast.com or wherever you get your favorite podcasts.