The RSAC Earthquake: When Government Walks Away from the Industry's Biggest Stage
Let's be honest—nobody saw this coming. Not like this. The RSA Conference has been the cybersecurity industry's Super Bowl for decades. Government agencies showing up? That was a given. CISA setting up shop in the expo hall? Standard operating procedure. But in January 2026, the rules changed overnight.
The Cybersecurity and Infrastructure Security Agency announced it would cease all participation at RSAC. No keynote speeches. No panels. No booth. No nothing. The reason? Jen Easterly—former CISA director under President Biden—had just been named RSA Conference's new CEO. And that single personnel decision triggered what might be the most significant rift between government cybersecurity leadership and the private sector in recent memory.
But here's what really matters: This isn't just bureaucratic drama. This decision ripples through every aspect of our industry—from how policies get made to where you'll actually learn the most useful information next year. I've been attending these conferences since the early 2010s, and I can tell you: This changes everything.
Background: How We Got Here—The Easterly Legacy and RSAC's Evolution
To understand why this matters, you need to understand who Jen Easterly is—and what RSAC has become. Easterly wasn't just another government official. During her tenure at CISA from 2021 through late 2025, she transformed the agency from a relatively obscure part of DHS into what many considered the operational backbone of national cybersecurity defense. Her "secure by design" initiative pushed vendors harder than any previous administration. She called out specific companies for poor security practices. She wasn't afraid to make enemies in the vendor community if it meant better security outcomes.
Meanwhile, RSAC has been undergoing its own transformation. What started as a cryptography conference in 1991 has become... well, something else entirely. The 2025 conference featured over 600 exhibitors in a sprawling Moscone Center. Sessions ranged from deeply technical to what many called "security theater"—flashy presentations with little substance. The vendor presence became overwhelming, with some government officials privately complaining that meaningful dialogue was getting drowned out by sales pitches.
From what I've observed attending the last five RSACs, the tension had been building. Government speakers would talk about regulation and responsibility. Vendor keynotes would tout their latest AI-powered silver bullets. The disconnect was palpable. Easterly's move to RSAC wasn't just a career change—it was a collision of these two worlds that many saw as fundamentally incompatible.
The Core Conflict: Independence vs. Influence in Cybersecurity Governance
Here's where things get really interesting. CISA's statement cited "the importance of maintaining clear boundaries between current government officials and former officials in industry roles." Translation: We can't have our former boss now running the conference where we're supposed to maintain objective, arm's-length relationships with vendors.
But let's peel that back a layer. The concern isn't really about Easterly personally—it's about perception and precedent. If the former head of the nation's top cybersecurity agency is now CEO of the industry's largest vendor showcase, how does that look? When CISA officials sit down with vendors at RSAC 2026, will they be talking to potential regulated entities or the CEO's business partners?
I've spoken with several current government cybersecurity professionals since the announcement (off the record, obviously), and their concerns are practical. "How do I have a frank conversation about a company's security failures when that company is paying the salary of my former director?" one asked me. Another pointed out: "The revolving door has always existed, but this isn't a company—it's the entire industry's platform."
The irony? Easterly was known for being tough on vendors. Her "secure by design" principles forced real changes. Now she's leading an organization funded by those same vendors. The cognitive dissonance is staggering.
Practical Implications: Where Will Real Cybersecurity Collaboration Happen Now?
So what actually changes for cybersecurity professionals? Quite a bit, actually. CISA's presence at RSAC wasn't just ceremonial. They ran the "CISA Central" booth where you could get direct help with incident reporting. They conducted live demonstrations of their free tools and services. They hosted unclassified briefings on current threat landscapes that were often more useful than the paid sessions.
Now that's gone. And it creates a vacuum. Where will that government-industry interaction happen? Black Hat still exists, of course. But it's different—more technical, less policy-focused. DEF CON has its "Village" structure, but it's not where CISOs of major corporations typically mingle with government officials.
Here's my prediction: We're going to see a proliferation of smaller, more focused events. Industry-specific gatherings. Regional conferences. Invitation-only roundtables. The era of the mega-conference serving all masters might be ending. And honestly? That could be a good thing. The most valuable conversations I've had at security events have always been in smaller rooms, not on the main stage.
Practical tip for 2026: Start looking beyond RSAC for your professional development and networking. Check out sector-specific events like FS-ISAC for financial services or H-ISAC for healthcare. The landscape is fragmenting, and you need to be strategic about where you invest your time and travel budget.
The Vendor Dilemma: When Your Conference CEO Used to Regulate You
Let's talk about the elephant in the room—the vendors who fund RSAC through six-figure booth packages and sponsorship deals. How do they feel about their new CEO being someone who recently had regulatory authority over them?
Mixed reactions, from what I'm hearing. Some see it as an opportunity—better access, more influence. Others are deeply uncomfortable. "It feels like having your former principal as your new club president," one vendor relations manager told me. "There's history there. And not all of it good."
Here's the real concern vendors have expressed to me: Will RSAC become an extension of government policy? Will sessions be curated to align with CISA's priorities (even if Easterly is no longer there)? Will certain topics get suppressed because they're politically sensitive?
And then there's the competitive aspect. If you're a vendor who clashed with CISA during Easterly's tenure, do you now have a disadvantage at the industry's biggest event? Perception matters. Even if Easterly recuses herself from specific decisions (as she's promised), the appearance of conflict remains.
What does this mean for you as a practitioner? Be more critical of what you see at RSAC 2026. Ask harder questions about vendor claims. Remember that the conference structure itself now has a different relationship to regulatory bodies. That doesn't mean the information is bad—but it does mean the context has changed.
Alternative Platforms: Where Government Cybersecurity Will Show Up Instead
With CISA out of RSAC, where will they redirect their resources? Based on my analysis of their recent moves and conversations with insiders, here's what to expect:
First, look for expanded presence at sector-specific events. CISA has already been increasing their engagement with ISACs (Information Sharing and Analysis Centers). These sector-based organizations allow for more targeted, relevant conversations. The financial sector's FS-ISAC annual summit, for example, might see much heavier CISA participation in 2026.
Second, expect more CISA-run events. They've been experimenting with their own "CISA Cybersecurity Summit" concept. Without RSAC as their main platform, they'll likely scale these up significantly. These events tend to be more operational, less flashy—and honestly, often more useful for actual defense work.
Third, watch for increased digital engagement. CISA's virtual briefings became surprisingly effective during the pandemic years. They might double down on this approach, offering regular unclassified threat briefings via secure webinars rather than waiting for conference season.
Practical advice: Update your event calendar. If government perspective matters to your work (and it should), you'll need to look beyond San Francisco in February. The ecosystem is diversifying, and your learning opportunities should too.
Long-Term Impact: What This Means for Cybersecurity Culture and Careers
This isn't just about one conference. It's about the relationship between public and private sectors in cybersecurity—a relationship that's already fragile. The U.S. faces persistent threats from nation-state actors. Critical infrastructure remains vulnerable. We need collaboration, not fragmentation.
But here's the uncomfortable truth: Maybe the old model wasn't working as well as we thought. Maybe the vendor-dominated trade show floor wasn't the best place for serious government-industry dialogue. Maybe separating these functions will lead to more honest conversations elsewhere.
For cybersecurity professionals, this signals a broader shift. The days of "one conference to rule them all" might be ending. Your professional development will need to be more intentional. You might attend RSAC for vendor updates and Black Hat for technical depth and smaller events for policy discussions.
Career-wise, pay attention to where the conversations are happening. The most valuable connections I've made recently haven't been on expo floors—they've been in working groups, virtual collaboratives, and specialized training sessions. The landscape is changing, and your networking strategy should too.
Common Questions and Concerns from the Community
Since this news broke, I've been tracking the questions from practitioners. Here are the most common ones—with my take based on twenty years in this field:
"Should I still go to RSAC 2026?"
Probably, but with adjusted expectations. The technical sessions will still be there. The vendor exhibits will still be massive. But the government perspective will be absent. If your goal is to see the latest tools, it's still valuable. If you need policy insights, look elsewhere.
"Will other agencies follow CISA's lead?"
Unlikely in the short term. NSA, FBI Cyber—they have different missions and different relationships with industry. But they'll be watching closely. If RSAC becomes perceived as "vendor-only" space, broader government participation might gradually decline.
"Is this good or bad for the industry overall?"
Both. It's bad because it fragments important conversations. But it might be good if it forces us to create better venues for those conversations. Sometimes disruption leads to improvement—even if it's painful initially.
"What should vendors do now?"
Engage more directly with government through proper channels. Attend CISA's own events. Participate in working groups. The path to influence shouldn't run through a conference CEO's office anyway.
Looking Ahead: The New Cybersecurity Conference Landscape
By the time RSAC 2026 rolls around, we'll be living in a different world. The mega-conference model will face its first real test without government participation. Vendors will need to justify their massive investments without the draw of "meeting with CISA." Attendees will need to be more selective about which sessions offer real value versus sales pitches.
Meanwhile, alternative platforms will emerge. Some will succeed. Others will fail. The market will decide what format works best for genuine knowledge sharing versus marketing.
My advice? Stay flexible. Don't assume the 2025 conference model will work in 2026. Be willing to try new events. Allocate your professional development budget across multiple venues. And most importantly—focus on substance over spectacle. The best cybersecurity insights often come from unexpected places.
The CISA-RSAC split isn't the end of anything. It's a recalibration. And in an industry that changes as fast as cybersecurity does, maybe that's exactly what we need. The tools will keep evolving. The threats will keep adapting. And how we come together to address them? That needs to evolve too.
Keep your eyes open. The landscape is shifting beneath our feet. And the most adaptable professionals will be the ones who thrive in what comes next.
