Thinkst’ers have spoken at a heap of security conferences across careers spanning decades, and yet last year (2017) was the first time any of us actually attended RSAC (https://www.rsaconference.com/), when I attended the expo (almost accidentally). At the time I was surprised by a bunch of things, from its insane size to the bizarre vendor shenanigans. As I walked the expo floor I asked an array of vendors if they felt the show was worth it for them. The answers were mixed but most gravitated towards an uninspiring “We don’t get huge value, but it will send a negative signal if we aren’t here”. While this confirmed my old bias that RSAC is exhibit-A of everything wrong with the industry, I was able to set-up multiple meetings for every one of my days in town and all the folks I met were (or became) Canary customers. Last year’s tiny foray seemed promising and a proper run at the expo was something we had to test ourselves.
So we decided to try a booth for 2018, and figured we’d document our experience (and thoughts) along the way. In this post you’ll find a full breakdown of all our costs for attending and boothing at RSAC, including what it takes to get a space; kitting it out with furniture, equipment, swag and more; staffing the booth; the crazy that is conference pricing; and the logistics for actually making it happen.
The NSA Booth
The costs are just one part of this post. If accounting is not your thing, the second half of the post deals with the lessons we learned, like the fetishization of poor lead capture; the paucity (and value) of good demos; meeting other founders; and, most importantly for this post, whether it was worthwhile. I’ve also sprinkled in a bunch of hot takes to keep things spicy!
Caveat: Privacy advocates and cryptographers are prone to strong feelings on RSA (the company) post the leak of the Dual_EC_DRBG backdoor. I recognise that this is an issue worthy of debate, but will ignore it in this piece.
tl;dr || Quick Takeaway
We found the expo incredibly worthwhile with both intangible benefits (like meeting customers we have never met face to face) and actual sales done over the three days of the show.
The amazing (but accepted) price gouging means that costs can quickly spiral out of control.
Many vendors seem to have an almost insane focus on gimmicks over quality conversations. This means that many companies aren’t getting much of a return for their spend and this further muddies the water. (Interestingly, the focus on gimmicks also serves to drive down the relative value of the event, since attendees are primed to “grab a stress ball” and “win a drone” over possibly meeting product architects and company founders).
Ok.. On with the show..
Booth space starts off costing $140 per square foot, with 6 different size options (that we saw). This puts the humble 10′ x 10′ booth we chose at $14,000 while the largest option comes in at $126,000. [Ed: Haroon ignores the cost associated with the myriad of decisions that needed quantity conversions between metric and that farm-animal-based measurement system.]
Smallest Stand Possible: $14,000
You would be making a mistake, however, if you assumed that this would be the actual booth cost. Your $14k essentially gets you an uncarpeted floor space with black drapes and aluminium frames.
So.. Who needs a carpeted booth?
You do.. apparently. The expo mandates that you must choose from one of the colors on offer (for an additional $300) or will be assigned a default grey (and will be charged $300).
Default Carpet: $300
Sub total: $14,300
You could show up with a carpeted stand, black drapes and a sunny disposition, but that carries a real though subtle risk. Having a cheap looking booth probably sends a stronger signal than not showing up at all. Which means that if it’s your first time “booth’ing” you are now choosing “exhibit packages” from Freeman (the RSAC preferred contractor for all of this). It’s possible to use your own contractor, but you would first need to have them cleared, and have to obey a bunch of rules with limited windows for booth fit-out and tear-down. Freeman are permanently on-site, so they are kinda the main game in town and the rules don’t do anything to encourage competition.
For the most part, they seem to operate in the ransomware zone. It’s cheap enough that you’re better off paying the tax, but you’re constantly being taken advantage of. They are totally on the spot with anything a booth needs, but operate under the same principles as Pauli did in Goodfellas (“@#!$# You! Pay Me”).
Coming back to the booth decoration need, you’re now presented with a dizzying array of very similar looking options for the skeleton which you’ll hang your artwork on:
Costs range from: $3,958 to $10,890.
It’s worth noting that there are reasonable wins to be made here by ordering early and availing yourself of the “early bird discount”. This would take the price range from: $2,700 to $7,779 instead. We went with a basic package.
Rental Package: $2,747
Sub total: $17,047
Great.. So now you have floorspace, a carpet, and a minimal exhibition frame. Time to make it look green! Turns out the artwork on the exhibition frame (i.e. the backing posters) is a separate cost too.
Graphics Package: $1,761
Sub total: $18,808
Additional accessory costs (even at the discounted rate) quickly pile on. Want two power outlets? $300.
A few more “small” items:
A literature rack? $200
A 2m x 0.5m cabinet? $1200
A table to demo on? $400
A bar stool? $200
(You almost forget that you are renting them for 3 days, not buying them outright.)
Booth Accessories: $2,000
Sub total: $20,808
Our plan pre-conference was to make use of two large TVs in the booth. One for live demos, and the second to play a mini marketing loop. The expo discourages (but doesn’t disallow) bringing in your own AV equipment, which is always a dangerous sign..
A quick look at their prices shows why:
A 55” TV, rented for 3 days, would cost us over $1000. That’s just offensive. Instead, on the day before the expo opened we walked over to Target and picked up a 55” for $400. This worked fantastically, and the “worst” part of the setup was that at teardown we’d own a 3-day old screen which needed disposal. (Initially we hoped to fly the TV back home with us but those costs were equally nuts.) Someone suggested returning it to Target after the expo for a full refund. Apparently this is a thing?!? While doable, it’s dishonest, so we went for the next best option:
The TV was snapped up pretty quickly, but at least one other charity was recommended by so many people (and responded so politely) that we felt compelled to donate to them too. (We still came in hundreds of dollars cheaper than the rental!)
Price pain didn’t stop with AV. Internet access too proved to be insultingly exorbitant: a 3Mb/s shared link would cost “only” $1400, but if you want a primo dedicated link then be prepare to shell out $5000.
Internet access is a must for our demo since Canaries report their findings to their cloud-hosted console. But our limited needs were comically dwarfed by the Internet options available.
We resolved to “sort out the internet” when we landed. We tested LTE in our booth and found that coverage was decent. We then simply bought a prepaid Cricket Wireless SIM card and paid the $60 needed for a month of “uncapped” LTE data. $10 more allowed us to enable hotspotting and we were good to go. (Side note: we carried three different MiFi-type devices from home, and all failed to work leading to a moment of mild panic. We hopped onto Amazon Prime and ordered an LTE router which never showed up in time.)
Ultimately, we ran a jury rigged setup, taped out of sight under the demo table:
An iPhone with the $70 card in hotspot mode;
A Macbook tethered to the iPhone via USB, sharing its Internet with its Ethernet;
The Ethernet going into a 5-port switch, with Canaries and the demo laptop hanging off the switch.
This worked without a hitch, supporting the demo station staying in constant use over the 3 days.
TV and Internet: $470
Sub total: $21,278
I’ll touch on swag and mixed incentives below, but before then, here are the costs. We took a large selection of gear to hand out and went home with very little so (by that metric) it was a massive success! We also paid for a badge scanner, to collect leads efficiently (more on this later.)
Balls, T-Shirts, Beanies : $2,300
Badge Scanner : $395
Sub total: $23,973
So, in summary we handed over $23,973 of our hard earned ingots and in return got this:
Travel & Accommodation
A booth is pretty pointless if you don’t have people there. Getting folks in and setup for the expo is, as we’ll see, a non-negligible cost.
We flew 4 people (coach) internationally to get there.
Sub total: $34,473
Accommodation in San Francisco is currently a much bigger topic, but a crazy packed tech expo/conference sure doesn’t help things. As Lesley Carhart pointed out, it gets pretty intense.
Anna (who actually did most of the work getting us all there in one piece) did some quick recon, and ended up with a useful heuristic. The green ring in the pic on the left gets you between 0.1km to 0.6km from Moscone at an average cost of about $750 per night.
The second ring gets you about a kilometre away, for an average price of about $300. (Still a touch high, but not insane). With RSAC starting pretty late in the morning (10am) and finishing in the afternoon, a 1km walk to get away from the people doesn’t seem so bad.
RSAC runs effectively from Monday to Thursday. If you have work to do setting up your booth, this means you’re spending at least Sunday to Thursday in SF. (We filled a day on either side of this with customer meetings – but I think five nights would be pretty tight.)
Hotel Rooms (4 Rooms, 7 nights): $14,600
The careful reader (naturally you!) would have noticed the hotel bill was the single largest expense on the trip for us.
It being our first year, we learned a ton about boothing. Some of this may be old hat to folks who’ve been on the circuit for years, but newcomers can avoid the pains we experienced.
The complete RSAC floor plan is huge! (and apparently will be even larger next year). How huge?
That’s us (bottom left corner). It may seem like Siberia, but it actually worked out pretty well for us in terms of traffic. Most times of the day, we could have done with an extra staff member (we had four) or an extra demo station to present at.
So why isn’t a piece of advice “make sure you get a good location”? Because you probably have little to no choice for where you end up. Last year we applied for a booth as soon as I got back from visiting the conference. We were told that booking would open in May:
In May, we were told mid June:
In July, we were finally notified that booking was open, and that the following slots were available on a first come, first served basis (open slots in yellow):
At that point, there wasn’t much to choose from. This year, as an exhibitor we got to see why. During the expo the RSAC staff assign you a predefined slot, when you can go to the reservations hall to reserve your booth for next year. When we visited (during our appointed slot) the best we were able to do was to move one up for the corner. They sell out crazily quickly.
It’s a great play by RSA. I’m sure many of the booths will renew quickly just to avoid losing their spot.
For the most part, we were ok with the size of our booth. If we had to spend more money, we’d rather take more people and have more demo stations. (Live demos work super well for us, because for the most part, Canary is a fairly well understood concept with the pain removed. So with 10 minutes of demo’ing it’s easy for customers to see the win, and if they stick around for 10 more, it’s easy to be impressive. We had a bunch of “I’ve been playing with honeypots for years” folks convert from disinterested to “wow” within 10 minutes).
Number of staff
We took four people to the event. (The booth fee comes with 10 expo tickets so there’s no extra cost there). Flights, accommodation and opportunity costs quickly pile up which is why some booths appear to be staffed with rent-a-student type labour. This makes no sense for us; the benefit of visiting our stand is a chance to actually chat with some of our senior team members. Bradley and I disappeared for brief stretches as we handled pre-arranged meetings, at which point the two folks at the stand were left a little ragged. Over the course of the three days though, taking four people seemed about right.
Aside for the 1km to and from the event every day, you end up walking a fair bit. I averaged about 25,000 steps per day for the week, which means you should probably choose comfortable shoes.
What about the talks?
Frankly, I have no idea. I’ve been speaking at conferences for a long time (my first Blackhat was in 2002) and I’ve never bothered to submit to RSA. I polled a few friends and got very similar results: “Who cares about the talks?”
Having said that, I’ve seen workshops given by the likes of Mark Russinovich and this year featured people like Dino Dai Zovi, Ryan Huber, Adrian Sanabria, Richoh and the folks from Senrio. All people I’d cross the street to listen to. In truth, I don’t think anybody seriously expects ground breaking talks at RSA. It’s not a secret that sponsor packages come with a keynote speaking slot or that most talks given at RSA will be duplicates of talks given elsewhere.
Curious fact: RSA2018 had 17 keynotes.
If a keynote is supposed to be the central theme of the conference, and if we have 17 central themes, we might have some clue why people are so confused.
Matt Green from Johns Hopkins might have summarised things best when he tweeted:
There are many, many reasons to hate RSAC. In many ways, it brings out the very worst in vendors. The trade floor is packed with shockingly bad promotional gags trying to lead you towards booths that have made sure to highlight this years catch phrases (the dark web is out, big data is out, ML and AI survived with Threat Intel, and GDPR holding strong). I’ve mentioned before that I think there’s something more insidiously wrong with RSAC, and that’s that it lends itself very strongly to being led by vendors. If you walk past 20 vendors who promise to “detonate” your malware in their sandbox, by the 21st you start comparing feature-sets without asking if “detonating malware” is really what your network needs.
Vendors have long ago learned that big booths and ridiculous gimmicks “create brand awareness” and they spend hundreds of thousands of dollars on booths, swag and entertainment when many of them would have been better served by investing smaller sums of money on actual product development or security. It’s pretty annoying to see big AV companies burn all that money while still failing to implement decades old sandboxing techniques in their scanners. But this is a different rant for a different day.
One of the the most amazing things to me about how (many) vendors do RSAC, is watching how much time, and money is wasted because of crazily mixed incentives. For example:
Most booths pay the conference for Badge Scanners ($395 each). They then incentivise temp staff or students to scan as many badges as possible. These poor folks either act as gatekeepers to swag with their scanners, or wait desperately for someone walking past to make eye-contact, at which point they pounce. They’ve won! They’ve scanned your badge.
Post RSAC, the company now has a fat database of badges. These are then fed (depending on their sales processes) to people who mass email “captured badges” and then whittle down the list to possible leads and opportunities. THIS. IS. INSANE.
We had these cool sky-bounce balls made for the event, and also had some Canary t-shirts and Beanies for people who wanted them.
Over the three days this vignette played out repeatedly. Someone walking past would say, “Can I have a ball? You can scan my badge!”. Our response was always the same: “Take the ball, but don’t make us scan your badge if you don’t want us to ping you on our product”. It makes zero sense for us to grab details of someone who really only wanted a ball, to then create more work for people down the line to reach out/qualify the “lead”. We hired a badge scanning device, but only ever whipped it out as a shortcut when somebody said: “Please contact me so we can kick this off” or something to that effect. (Nb: there were plenty of those, the scanner was worth it).
I’m pretty shocked when I see vendors splurge on $156,000 worth of booth space, only to use the space to put up their RSA gimmick (like a hall of mirrors or 3D version of the Norse pew-pew map).
It seems double insane to me that vendors paid full blown entertainers to juggle, do magic tricks and solve Rubik’s cubes in front of their audiences (who were mostly just waiting for their free t-shirts.)
The longevity of some of these companies means that these silly stunts probably do get them results, but as a general rule I figure you can use the number of demo stations per square meter as a heuristic for the sort of company you are dealing with:
If a company dedicates 90% of their floorspace to their RSAC gimmick, and just 10% to one demo station where they can show you their product in action, then there’s a company that’s aiming to win you over with their marketing department instead of what they’ve built.
Was it worth it (for us)?
When we originally pondered tracking our RSA experience, we wondered how we’d measure the ROI to weigh against the costs. Bradley was huge on direct sales and always leaps to this quickly. By the end of day-1 it was clear that we worried about this unnecessarily: the trip was clearly worth it.
We had a number of people go from demo to “order” right in the booth. This was pretty great, both because it never stops feeling awesome to have new customers sign up, and because it handled the direct-revenue-return question quickly and decisively.
It’s always going to be product specific, but we’re fortunate to have a crazy high conversion rate with our demos. (This means that once someone watches our demo, there’s a ridiculously high chance of them becoming a customer). Over the course of the three days, we managed to do over 100 demos. I’m sure our conversion rate will drop compared to our regular rate (which is primarily with people who mail us already interested in Canary) but I don’t expect the delta to be super dramatic. This bodes really well (and if anything, has us trying to figure out how to comfortably add a second demo booth to our stall next year.)
A good portion of our time was spent just chatting with existing customers. We do most of our sales completely over the Internet which means that we’ve had some customers for more than two years that we’ve never met. Although we try to keep in touch via email, speaking to them face to face was priceless. (e.g.. we finally met Nick face-to-face, who has now taken Canary into three completely different Silicon Valley Unicorns! -waves at Nick-)
Customers as social proof:
Something that we didn’t expect (but that was a huge, huge benefit) was the strong social proof that came through. Customers would come through to the booth, just to say “Hi!”, and would end up sticking around a little while longer to tell other visitors how much they love Canary. Every interaction like that created more interest with passersby and totally organic conversations ended up being the absolute highlight of our show.
On Monday, Bradley and I had breakfast with one of our customers from Mountain View. The meeting was scheduled with the company CSO. He also brought the company CTO, and later we were joined by two of their engineers. They’ve been great customers since almost day-1 and told us happy tales of Canaries catching their pen-testers (both official and, as they called them, “unofficial” ones). Now you can meet customers for breakfast any time, and customers can say nice things about you anytime, but the concentration of infosec people in town during RSAC week, means that all of this happens while other customers, or potential customers are close by. Customers are generally skittish to have us add their logos onto our website (so we don’t even ask) but both the CSO and the CTO happily told passers by that they use us. Again, nothing beats social proof and this sort of feedback (at least for us) is absolutely golden.
VC’s, Finance & Biz Dev people
A few years ago, Dave Aitel toured the RSA floor and proclaimed that RSAC isn’t worth it if you are trying to sell your product – only if you are trying to sell your company. The line is funny and memorable but not quite true.
While the floor was abuzz with “finance folks” and hotel suites in all the surrounding hotels were filled with young companies pitching VC’s, we found that the expo floor did perfectly well for selling our product too. Last year I took a few meetings with VC’s and finance people and decided that since we aren’t actively looking for funding, we’d completely avoid those sorts of meetings this year. I responded to a few meeting requests with a polite “let’s do Skype next week / later this month?” Time was short, and we were much, much better served meeting customers and potential customers.
Random Hot Takes
One of our customers said: “I come here to meet some of our vendors. What kind of CISO would I be if I were surprised by a product on the expo floor?” It’s an interesting reminder that if you are a vendor, you shouldn’t be planning on using RSAC (or any expo) to be “discovered”.
It’s a huge floor and people are going to be pretty worn out with random pitches. Ideally they would have heard of you somewhere before. (We had a bunch of people recognize Canary from our chats on Risky.Biz!)
What if we are a brand new product?
I don’t think things are hopeless. We had lots of people show up at the booth who’ve never heard of us, and a bunch of them opened with a variation of: “So what do you do?” If you are a new company/product, I think you’d be well served to prep hard with the following:
A 30 second answer: “We solve problem-X by doing Y”.
Now it’s possible that the person you are speaking to really doesn’t have problem-X. Maybe they move on, maybe they grab a stress-ball, or maybe they make some small talk. It’s ok. For those whose interest you managed to pique, you want to get to:
A demo that shows that you actually do what you say you do.
I know some things are tough to demo, but if you were smart enough to build a product that solves a serious problem, I’m willing to bet you could come up with a demo that shows some win.
Some sort of follow-up plan. (After our demo, we had a bunch of people go: “Please, contact me, we need to talk”, or some variation of “Please scan my badge”.)
Chatting with other hackers / founders
This year I had several chats/coffees with other founders (or just other aging hackers). As first-world-problemy as it sounds, transitioning from full-time hax0r to running a company comes with some pain (and at the risk of going full emo, is sometimes lonely). Even a 20-minute chat with a @zanelackey, @dinodaizovi or @dugsong is super powerful (and amazingly cathartic).
All this analysis for $50k? Are you cheap?
Ultimately, our RSAC adventure ended up costing us just under $50k (and this included flights & accommodation). This isn’t insane money when you consider what tech / security companies spend on marketing. All things considered, it’s probably no worse than all the ad spend by AntiVirus & EndPoint protection suites at popular airports. So why the micro focus? Are we just cheap?
This goes to the heart of 3 things that are super important to us:
A habit of wasting money: When advocating for bootstrapping, Jason Fried and DHH often remind us to be careful of the habits we build. (They posit that funded companies learn to be loose with spending while bootstrapped companies learn to make money). We try hard to make sure that what we do adds value, which makes us judicious with how we use our money (and our time).
A culture of learning: We are inherently a learning company. It’s easy to miss important lessons unless we are deliberate about them (so we wanted to be meticulous about this).
We Care: One of our deeply held beliefs, is to “care more”. We push for this attention to detail in Canary, in how we handle support, and inevitably in how we’d do an expo. It’s fundamentally how we roll.
Ultimately, we spent a shade under $50k on our RSAC expedition and are confident about the value we got back from it. There’s certainly a crazy amount of insanity and noise on the vendor floor and I personally think some vendors would do better to just make piles of their investors money and light them on fire for the spectacle. But all of this seemed to work in our favour. People seemed to appreciate relatively low-key talk and an honest demo (or a hundred). We’ll be back and, for the most part, hope the craziness doesn’t kill what’s an otherwise useful opportunity to talk to interested people.