CyberWire Daily - Hugh Thompson on Building the RSA Conference [Afternoon Cyber Tea]
Episode Date: May 26, 2025
While our team is observing Memorial Day in the United States, please enjoy this episode from the N2K CyberWire network partner, Microsoft Security. You can hear new episodes of Ann Johnson's Afternoon Cyber Tea podcast every other Tuesday.
Dr. Hugh Thompson, Executive Chairman of RSA Conference and Managing Partner at Crosspoint Capital, joins Ann on this week's episode of Afternoon Cyber Tea. They discuss what goes into planning the world’s largest cybersecurity conference—from theme selection to llama-related surprises on the expo floor—and how the RSA community continues to evolve. Hugh also shares how his background in applied math led him from academia to cybersecurity, his thoughts on the human element in security, and what keeps him optimistic about the future of the industry.
Resources: View Hugh Thompson on LinkedIn, View Ann Johnson on LinkedIn
Related Microsoft Podcasts: Microsoft Threat Intelligence Podcast, The BlueHat Podcast, Uncovering Hidden Risks
Discover and follow other Microsoft podcasts at microsoft.com/podcasts
Afternoon Cyber Tea with Ann Johnson is produced by Microsoft and distributed as part of N2K media network.
Transcript
You're listening to the CyberWire Network powered by N2K.
Welcome to Afternoon Cyber Tea, where we explore the intersection of innovation and cybersecurity.
I'm your host, Ann Johnson. From the front lines of digital defense
to groundbreaking advancements shaping our digital future, we will bring you the latest insights,
expert interviews, and captivating stories to stay one step ahead.
Today, I am thrilled to welcome Dr. Hugh Thompson, the managing partner at Crosspoint Capital
Partners and the executive chairman of the RSA Conference.
Hugh is a tenured cybersecurity expert and has written more than 100 publications on
security.
Hugh testified before Congress, and of course, he helps build, execute, and secure the world's largest cybersecurity
conference.
Hugh, I'm not sure there's anyone who knows more about what matters to security leaders
and professionals than you.
Welcome to Afternoon Cyber Tea.
And thanks so much for having me.
So excited to be a part of this. So as we record this, the RSA 2025 conference
wrapped two weeks ago and I was there.
This year's conference attracted almost 44,000 attendees
is my understanding, which was a new conference record.
It was certainly busy as I was walking everywhere.
Yeah.
It was.
It was amazing.
Like crossing the street was just a challenge.
So talk about what goes into building the event.
How far in advance do you start planning each conference?
And so first, it was great to see you there.
Oh my gosh.
It's incredible to think it's already been two weeks since the event, but it is a, it's
a long planning cycle.
You think about 44,000 humans getting together,
there's a lot to pre-plan.
So we start about 18 months in advance of the actual event.
And it's everything from, what is the theme going to be?
How much space do we think we need
for different types of sessions?
What have we learned from, I guess,
the conference two years prior
in order to plan for the one that's coming up
18 months from now?
So it's a long cycle and there's an amazing team
that's been working on this for a long time.
And it's super exciting.
It's a privilege to be able to get this community together.
Wow, 18 months.
I didn't realize that.
So you're actually having to look back on even a conference ago to see what you're going
to do for almost two years later.
That's interesting.
It takes a while.
It really takes it.
It takes a while.
Now, obviously, we learn from the conference that happens in between and we make adjustments
and it's a team that's never satisfied with great.
We always want to make it better and we're so lucky because this community, as you know,
Ann, I mean, you've been a part of it forever, is very, very willing to share,
and they wanna collaborate,
and they're very forthcoming with their views
on how it can be a better experience for them,
and how they can get even more out of it.
So it's such a community effort
to get this conference together.
That's great.
I love to hear that you,
we talked about having a learn-it attitude here at Microsoft and you truly are.
You learn from each conference to take the feedback and to improve the experience for the attendees.
It shows up, right? It shows up when you go that the adjustments, even if you think they're little adjustments, they're really meaningful for those of us who are attending.
So let's talk a little bit about you. I think everyone knows you as the Crosspoint Capital person
or the executive chairman of the RSA Conference.
We were at an event a couple of weeks ago,
even pre the RSA conference,
and you were showing your degree, your applied mathematics.
By the way, I love your slides.
Someday we'll have to understand who makes your slides
because I want to at least hire that person part-time.
But anyway.
Don't steal the man, don't steal him.
They were great.
But you have an educational background in applied math.
Your bachelor's, your master's, your doctoral degrees
are all in applied mathematics.
How has that shaped the way you think about cybersecurity
and also a large scale event like RSAC?
Yeah, it's interesting. I'd say mathematics to me is just very pure, right? It's an expression
of logic, but it allows you to try and make some structural sense out of what seems like
chaotic activities. You get 44,000 people together and there's a lot of Brownian motion.
Folks are moving around and what patterns are they following? I think it helps a little bit there.
But it really helps you to systematically think through complex problems and break them down.
And it's helped me in my whole career, even though my background's in mathematics,
my whole career has been in cybersecurity.
I'll tell you a quick story.
I always thought that I was gonna be a math professor,
because it's what I loved.
And I was entering the first year of my PhD
and it was almost summertime.
And I'd just gotten, for me, unbelievable news
that my teaching assignment for the summer was calculus three.
I was gonna teach my own section of calculus three,
which is my favorite calculus.
I think it's everybody's favorite calculus.
It's surfaces, triple integrals.
I was just on cloud nine.
And so I went to my favorite falafel place,
which was right next to the campus.
Sit down, place is packed,
and there's a guy that wanders over, sits next to me,
and he's like, hey, you know, is this seat taken?
Place pretty crowded.
I'm like, yeah, coming down.
And we end up talking for maybe three hours
about graph theory, which he was really into,
I was really into at the time.
And only at the end of this like three-hour falafel fest
did I ask him, hey, well, you know, what are you doing here?
Like, did you teach here?
You know, cause he was a little bit older than I was.
And he said, no, I'm a recruiter for Microsoft.
And this is why I share the story with you.
And I'm like, wow, okay, great.
You know, what are you doing?
He's like, well, we're, you know,
looking for bright folks to bring for the summer.
I think this was 1999.
And he's like, you should come.
You gotta come over, come over to the campus.
I look, I would love to come, but you don't understand.
I am teaching calculus three this summer.
This is, you know, you would never
give up an opportunity like that.
And he said he understood,
although I don't think he really did.
But he asked me to just come and for the summer,
meet some of the people.
And it really changed the trajectory of my career.
I went over there and I met so many just curious people
from all kinds of different backgrounds. I ended up staying there for the summer, was an intern,
I worked on Microsoft Exchange through Microsoft Research.
It really convicted me that what I wanna do
for the rest of my career is continue to do
what I'd always done as a hobby, which was
break software and find weaknesses and protect people.
I just share that with you because it was a really pivotal moment for me.
So that is really interesting how you made that change.
And I have to tell you, I don't have a favorite calculus subject, but probably because I was
never much of a math person in school.
So it's also fascinating for me to hear you describe, very seriously, calculus three being
your subject and then how you actually, I think it was developed the hunger for cyber,
right?
Because cyber we always describe as a very mission driven field.
So it's just thinking it.
Yeah.
When you get in it and you realize you can change the world, you don't really want to
leave.
You don't, you're right.
It is a mission, it's a calling.
It's something that really fills you up every day
when you know that you're making a difference,
or at least you're trying to make a difference
in such an important area.
So let's pivot from there.
So you chose this career in cyber, which is fantastic.
I'm glad we pulled you out of being a university professor because I know the
industry is greatly, yes, greatly benefited from having you. When you think
about RSAC, what is your approach to choosing a theme? How does that work? How
does it, how do you think about a theme that resonates with such a diverse, such
a global audience? It's tough and there's a lot of debate that goes on internally
around the theme every year.
And we've done a lot over the years, quite diverse.
We had this dragon theme one year.
We had ancient secrets of mythology one year.
And about, I'd say 12 years ago,
we started a track called the human element.
And it was all about how people interact with systems.
And it was really popular.
We got to explore all kinds of different things
inside of that track.
And then the next year when the debate came up,
geez, what's the theme for 18 months from now?
And everybody agreed human element was the right one
because cyber really comes down to people,
whether it's the folks that you're trying to protect,
the folks that are the defenders that are in cyber,
or the attackers. And ever since then, I think you'll notice if you go back over
the last six or seven years, many of the themes have had this human element touch
to it. It's been a real privilege to go through that process. A lot of thought goes into it.
This year, the theme was many voices, one community.
I don't think that there's ever been a more important time
for the community to come together.
And everybody has a voice in this community.
It's incredible to see the unexpected places that great contributions come from.
So I'm really, really happy with the theme this year. Last year was the art of possibility.
So we always try and inject some hope into the themes too.
I love that. And I remember because I was privileged to be at RSA, the company,
starting in 2000,
but we had this woman, Louise Johnson,
that would build our booths
and they would be these unbelievable.
She would envision and take the conference theme
and RSA had these unbelievable booths.
I don't know if you remember that.
Oh, I do.
I do. They were incredible.
They're incredible.
And a multi-story, if I remember correctly.
Yes, they were.
But I love the human aspect.
I love the pivot because as you're modernizing
the conference, right,
and meeting people where they are,
cyber is about human beings, right?
It's about the humans that attend.
It's about the humans that speak.
It's about the humans that secure the world,
which brings me to your programming.
The conference has a really diverse set of content
to appeal to all different types of humans.
I've been privileged to be able to speak at the conference.
I understand there were over 450 sessions this year.
How do you strike that balance?
How do you strike the balance
between meeting deeply technical people
where they are with content,
and then sessions that are accessible
to non-technical attendees, maybe policy people
or people that want to talk about the business of cybersecurity.
Yeah, it's a difficult balance because as you know, there's so many different types
of people that comprise our community.
Some are technical, some aren't technical, some are policymakers.
So we have an open call for speakers that happens every year. This year we had
a record number of submissions, I think just over 2,800. And this is from around the world.
I mean, you wouldn't believe how diverse the pool is of submissions that come in. Typically,
they're very detailed, right? There's a short abstract that says, here's what I'm gonna talk about.
And then there's this more detailed one
that here's point by point the things
that we don't wanna hit that we think are important.
And here's why we think that we're the right people
to talk about it.
And then those 2,800 get narrowed down
by an independent program committee.
So it's content that comes from the community
that then gets adjudicated by the community.
And we've got two to three chairs for each track.
And I can tell you, Ann, those program committee meetings
and specifically the track meetings,
they can get pretty wild.
I mean, people come into it as like great friends
and then they have their favorite session
and they're like, there's no way I'm gonna put my name
on this track if this session doesn't get on there.
I just love the passion.
But it really comes down to setting what those tracks are to
make sure that we do have the content that touches everybody. So we've got a track on policy and
government, for example. We've got multiple hackers and threats tracks, for example, for very
technical content. This year, we partnered with USENIX
to have breaking research tracks
that are focused on two to five years from now.
And then I've just got to hand it
to our amazing program committee
that dedicates so much time
into not just reading these submissions,
but really passionately
advocating for the ones that they think matter. It's, I don't know, I walk away from
that process every year just so blown away by how passionate this community is
and how willing they are to give back. Yeah, and that's, I think your program committee
is outstanding and I know they worked tremendous hours
in reviewing all of the content.
Yeah, and pulling it all together.
And this is a side job for them.
They aren't a full-time program committee.
So they deserve a lot of recognition
for the work that they do.
Oh my gosh, I couldn't agree with you more.
And like you said, it's a hobby for them.
And they put so much of themselves in it.
And that's something that I don't think folks
outside of security understand,
which is how open this community is,
how willing they are to share with each other.
And that's evident by the response
to the call for speakers, for example,
but also how willing they are to give their time
to make the industry better and help to shape it.
I've never seen anything like it.
It is amazing, amazing to watch every year.
It really is. And speaking of being amazing, the speakers, right? You get these speakers
that have such high profiles. You also get everything from hackers to CEOs. So how do
you ensure the programming again appeals to all levels of experience as you work through
those program committee decisions? Yeah, great question. So as part of the submission, there is a level rating of how technical do
you have to be to really get something out of this talk. And what we aim for, depending
on the track, is to match up the level of technical sophistication with the track.
So let me give you an example.
In policy and government, there are sessions that are really deep in the weeds, not technically,
but in policy and government. Like, based on case X, Y, Z, we're seeing the transformation of, you know,
how regulation Q is being interpreted.
And that's not accessible to the average person,
but we need some of that content
for folks that are in the legal department, for example,
or maybe a chief privacy officer.
And we always strike the balance between things that are very specific to a field and also
things that can be accessible by just a wide variety of folks that are just curious and
want to learn more.
One of the activities that we do is before the call for speakers even opens, is we ask those
track chairs to do a blue sky exercise.
So you don't know what's coming in.
But what ideally, what topics would you want covered at what level?
And just them thinking through that process is super helpful
because then when you get the flood of submissions in,
it really regrounds you to not just get enamored
with every AI talk that shows up
and turn the whole track that way.
So I think that process has gotten honed very well
over 34 years now.
So you've been leading the conference for quite a while. Can you talk about how the cybersecurity conversation
has changed since you first started programming RSAC?
Yeah, I think it's changed quite a bit.
There's a lot more consequence to cyber today
than there was going back,
let's say 20 years ago.
You know, at that time, it was a pretty obscure field
for the average person, right?
The way that I judge this is I travel quite a bit
and you know, you sit next to somebody
and you know you're about to be sitting next to them
for the next 10 hours on a flight
and you have the normal just intro conversation like hey geez weather looks good today great
and then eventually you get to well what do you do for a living and everybody I sit next to seems
to always have something very interesting that they do right I'm a veterinarian or, you know, I captain a ship or, and then I say, well, I'm in cybersecurity.
And 20 years ago, I always got the same response from the
person sitting next to me, which was, well, geez, I just picked
up this really great book at the airport. And I'm looking forward
to reading it during the flight.
Meaning, meaning we won't be talking during the flight because that sounds
really boring. But today it's completely different. I think the average person has
interacted with some kind of cyber incident. Like, it's relevant in their lives.
They've maybe personally suffered
some kind of ransomware attack,
some virus that's hit their system,
something that's wiped out
all of their personal photographs, for example, or a scam.
We've seen the elevation of security in society,
and you can see RSA conference evolving that way too.
So you've got key government officials, for example,
that show up every year at the conference.
You've got folks that are leaders,
not just the chief information security officers,
but CIOs and CEOs of very large companies
that come because they realize they
need to understand what really is this cyber risk,
like what's the dimensionality of it.
And so it's been an expansion of our programming
to not just have some of the very technical sessions, but also have these higher level
philosophical futures
policy sessions too and it really is a testament to how
important this industry has become in society.
I think that's great, and I used to say, because I started in the industry 25
years ago, that people spend more on their coffee budgets
than they spent on the security budgets at that point in time.
Yeah.
And now we're in boardroom conversation, right?
We're on the front page of papers.
Some organizations have billion dollar security budgets.
So I think we've come into our own, Hugh,
but that becomes great responsibility, right?
Now that people know who we are.
Oh, and I can tell you, Ann,
and I know you feel the same way.
I feel the weight of that responsibility every single day.
I know the role that RSA Conference plays in the world,
and I can't tell you how much of a privilege,
but also how much of a burden it is
to know that every session that we have,
every activity, it really matters.
Like it's probably going to touch someone
and change how they do something.
And that could have serious implications for a company,
a person, a business, a country, for society.
It's an amazing thing to watch,
but it's also an awesome responsibility.
It really is an awesome responsibility
because you don't only bring in the world's top cyber minds,
you bring in people like Jamie Foxx.
So can you talk, yeah, can you talk a little bit about,
there's celebrities that come to the RSA conference.
How do you decide what celebrities to bring in
and how do you get them to come?
Oh my gosh, again, we've got such an amazing team.
So Linda Gray Martin and Britta Glade
are two of the folks that I call out in particular here.
And I think you've met both of them.
I've worked with both of them.
They're fantastic, right?
They are.
Just like us, just so passionate about this field,
obviously about this event.
And every year we sit down and we say, geez,
who is it that we can add to the conversation
that is gonna offer something new that's
not necessarily cyber?
Maybe it's a lesson on leadership.
Maybe it's a lesson on personal growth or recovery or how do you deal with massive amounts
of stress, for example, which is a big part of being in cybersecurity.
It's a very interesting process.
So this year, and you called out Jamie Foxx
and I thought it was fantastic.
I don't know if you were at that session, but.
I wasn't, unfortunately,
and I was really disappointed, just so you know.
Oh my gosh.
It was, I don't want to make you feel bad,
but it was epic.
It was epic.
Like, you know, he gets up on the mic, he starts singing,
he brings people up to the stage and people are dancing.
And it's like, it was almost a,
just a wonderful community bonding event, right?
That was the beginning part of it.
And then when I sat down with him and we started to talk,
I asked him about how he got where he was
and what has he learned about community,
like his own community of actors and comedians
that he'd grown up with and how did they shape him.
At the very end, he had been in the news
for about a year or so,
but he'd suffered a major medical incident
and he was just very open about, you know,
just recovery and what matters in life.
And he was so sincere and vulnerable.
And I think at the end of the day, the people in the crowd,
even though they're in cybersecurity, they're people first.
And you need to nurture those human beings.
It comes back to this human element point.
We also had Magic Johnson this year
and that guy's just incredible.
I mean, he was roaming the seats
and bringing people in for selfies.
He challenged somebody in the audience
who was very surprised by the way
to a chest bump jack competition.
Which is wild. It was, oh my gosh, it was incredible.
And, you know, I'm thinking about things like,
geez, what's our insurance policy like?
And does it cover this?
And, you know, but it was just awesome.
And he talked about leadership and his time in the NBA
and how he helped to lead a team into victory.
And one of the lines that,
cause I learned something in every one of these talks,
one of the lines he came out with
that's gonna stick with me for a long time is,
if you go into anything, and in his case, a game,
and you think you're gonna lose, you're gonna lose.
And that's actually so profound when you think about it.
It comes so much down to mindset.
And the mindset we approach what we do every day with
and how important it is to understand and believe
that, no, we're gonna win.
Even though we've got this active adversary
on the other side,
even though the odds are stacked against us,
we're gonna win.
It's amazing and it's become an important part
of the conference.
That's really great.
How do you think about the exhibition floor
and the experience there
and how that factors into the programming?
And I'm going to combine another question
since we're talking about the exhibition floor.
There were puppies this year, which was amazing,
but there were also goats this year.
Can you talk a little about the most unusual
vendor requests you've received and was it the goats?
It was not the goats.
Although, I mean, those dwarf goats were just amazing
and people really gravitated towards them.
And there were multiple puppy booths this year.
So that was sort of an animal trend this year.
The weirdest request that we got,
and I'm not gonna name names
for reasons that'll become obvious.
It wasn't really a request.
It just showed up on the show floor.
So apparently this one company had smuggled a llama into-
A llama?
Yeah.
Yeah.
And I don't know how much time you spent with llamas,
but they're-
No, they're not the friendliest creatures.
No, no, that would be accurate.
They are not the friendliest creatures.
They are quite large and very unpredictable.
And so suddenly this llama just shows up, right,
inside of a booth.
And, you know, that was a very interesting conversation,
not just with that particular exhibitor, but police and others.
Apparently, you cannot get a permit for a llama inside of the Moscone Center,
which is something that I now know after that event.
I never even thought about that.
I know that was,
so now when you read some of the contracts,
there's like a no llama policy.
You don't think you have to call this stuff out specifically,
but just to get back to your earlier question,
I think the show floor,
look, there's a lot of new people that come
into cyber every year and they are just looking for some kind of wayfinding of who are the
vendors that can help because you can't do it without vendors.
And I think for those folks, there's great value in just the time savings of having all of those vendors
in one spot and you can go in and yes,
some people spin a wheel and just want a t-shirt
and that's true.
But then there's others that really are about to make
a decision on behalf of their company of a new technology
and they can visit 10 vendors that have competing products
for them very quickly.
And so I think that that's a huge benefit for attendees.
I think it's a great benefit for the vendors themselves,
and it's an important part of the conference.
So I know you have delivered a keynote every year since 2007.
I have a couple of questions for you.
One, do you ever get to experience the conference
like as an attendee,
do you get to walk the floor and be an attendee?
And then when you're thinking about your keynote,
how do you keep it fresh every year?
We're what, 17 years into it, 18 years into it,
how do you keep it fresh?
Yeah, well, yeah, so a couple of things.
So first on the enjoying the conference.
Yeah, absolutely.
I make sure to carve out some amount of time.
Obviously it's very busy during the conference week,
but some amount of time to walk the show floor,
because it's very important to go to at least two sessions
where I don't know the person
and it's something that's very interesting to me.
And it's something that I feel like
I don't know very much about,
even though I've been in security my whole career
and have written three books on it,
you can always learn something from somebody else
no matter who they are.
So I do carve out time for that.
And in terms of the keynotes,
I have the great benefit and blessing
of having five young kids.
And the reason that I bring that up
is just strange things happen
when you have such a high volume of kids.
And so I think about security all the time, and we always run into these bizarre, usually
harrowing kind of safety incidents.
And they, you know, they often help shape my thinking of, is this a way, is sharing this story, is sharing this experience, a way to help convey a complex security concept or topic
to a broad audience that has very, very, very diverse
backgrounds and people think in stories.
That's what they remember.
That's how information was passed down
for hundreds of thousands of years.
And I'm fortunate enough that my kids helped to get us
in predicaments that lead to stories
that I think are helpful to relate concepts
that matter to people right now.
It's such a privilege every year.
It's so much fun and it's wonderful.
It's wonderful.
That's fantastic.
And you do such an amazing job
and it's good to hear that you get a lot of your inspiration
from your family.
It's just a great way to connect it.
Even though I'm sure that there's having five,
I only have one, but having five children,
I'm sure there's a lot of hijinks that happen.
Even with one, there were entertaining experiences.
My child actually password surfed me once.
Oh, tell me about that.
Yeah, when they were about 11,
they shoulder surfed my iTunes password
and downloaded about $100 worth of music.
Oh wow.
And I kept getting alerts and I'm like, what is going on?
And finally, you know, I went and found the child
and they owned up to it.
So we can eat no matter how long you've been in cyber,
we all have opportunities to learn.
Oh my God.
I'm so happy you shared that story.
And I'm going to advertise for the next year's 2026
conference.
There is a track called the insider threat.
There you go, because that was an insider.
That's so funny.
It's an insider.
It's an insider.
Very much.
Well, I always close Afternoon Cyber Tea with a bit of optimism with that in mind.
And I know you're an optimist like me.
So yeah, I'd love to hear what you're optimistic about when it comes to the future of cybersecurity?
You know, look, you can't walk away from RSA Conference,
especially this past year,
and not be optimistic about what we can accomplish
if we band together as a community.
You just can't, because you see the ethos of the people
that are in the fight with you.
They're folks that really care.
They actually care.
Like it is a mission for them.
It is a calling.
And when you have smart people that are aligned together
with a mission against a common enemy,
amazing things can happen.
That's been true throughout history.
It predates technology.
We have that as in such abundance
inside of our cybersecurity community.
How could you not be optimistic about the future?
Now we've got to organize better.
We've got to make sure that the right things are in place
for people to share and collaborate,
which we're working on, others are working on.
But it is a field that I believe
that the folks that are in it
and they see that communal aspect of it,
you cannot not be an optimist.
I love that.
And thank you for joining me.
I know you need some downtime post the conference.
I hope you get that downtime.
And I appreciate you making the time
because I know how incredibly busy you are.
And thanks so much.
It's just a privilege to be a part of it.
And thank you for everything that you've done
for this industry, all the advocacy,
the leadership that you've given.
I can't thank you enough.
Thank you.
And many thanks to our audience for tuning in.
Join us next time on Afternoon Cyber Tea.
I invited Hugh to join me because RSA Conference
is the largest and most influential cybersecurity
conference.
It is a massive undertaking involving multiple site locations, tens of thousands of attendees
and hundreds of exhibitors.
Hugh has so much knowledge to share about the industry, about the conference, the way
it all comes together, and also about the cybersecurity lessons he and his team put
in place to protect and to secure every attendee.
This week on the BlueHat Podcast, we welcome Felix Boulet, where we discuss hacker memes, zero-day quests, and how he unwinds with springtime gardening.
Be sure to listen in and follow us at BlueHatpodcast.com or wherever you get your favorite podcasts.