FBI Assistant Director Bryan Vorndran: Hello, everyone. Bryan Vorndran here, assistant director of the FBI Cyber Division. It’s great to be here at RSA 2025, in San Francisco. As always, I’m with my colleague Jamil Farshchi, chief technology officer at Equifax. And to my right is Hugh Thompson. And I will let Hugh give an introduction of himself and then we're going to get into the history of RSA, as well as the future of RSA.

Hugh Thompson, Executive Chairman, RSA Conference: Great. Hey, Bryan, Jamil. Thanks so much for having me. And just a quick background. So, I’ve been, program chair for RSA conference for 17 years now. Wow. Really long time. And executive chairman now of the conference. And so excited for this week. You know, it’s—at least the way that I view it—it’s a Super Bowl of cybersecurity.

Thompson: That’s where our community gets to really come together, interact with each other, learn. It’s been an amazing, amazing week.

Vorndran: Great. We were commenting before we started our interview in our chat here about the strength of this community. Right? And the security community, specifically. And it’s just wonderful to be part of it. Everybody’s been so accepting of the FBI and myself and so many of my colleagues. And it’s great to be here so.

FBI Strategic Engagement Advisor Jamil Farshchi: And for decades, too. Yeah, I mean, I’ve been coming to this thing since … I don’t know, I feel like, well, since I had hair. And every time it’s, you know, meeting fantastic people, learning a bunch, it’s just, an amazing atmosphere. And, you know, kudos to you for helping to orchestrate this entire thing.

Thompson: Oh, my gosh, this is an amazing team. But, you know, more importantly and you hit on it right at the beginning, Bryan. It’s like, this community is so open to share. I think that’s such a defining characteristic of cyber. You could have two companies that are mortal enemies, right? in the marketplace; two retailers, for example. But I would bet you the two chief security officers of those two companies, they talk to each other.

Vorndran: Absolutely.

Thompson: They calibrate. They collaborate.

Farshchi: Yup.

Thompson: It’s very, very, very unique. And you see that spirit in full display here and other places too. It’s just really heartwarming, right? Because we’ve got a common adversary on the other side.

Vorndran: Yep, yep. So, let’s go back 17 years.

Thompson: Oh boy. All right.

Vorndran: 2008 roughly. So, where was RSA in 2008? And just maybe a couple of years after that, where were you and how have you seen the programing, the content, the environment evolve?

Thompson: You know, I want to say, back at that point, we would have been around 15,000 attendees, roughly, if I remember right. And it felt big. I mean, 15,000 people. That’s a lot of people, right? And there were a significant number of human beings in the cybersecurity profession. There’s a lot of leaders, a lot of executives. And then you had, you know, several folks that were in emerging areas at that time in cyber.

To see how it’s evolved over the years … you know, it’s not just the folks that are working every day in cyber security, it’s the whole ecosystem around them: Like boards of directors that feel like they need to come and understand more about cyber in order to properly fulfill their duties. We’ve seen just great collaboration with law enforcement, for example, and that’s strengthened over the years, which is so important.

Thompson: Right? We’re absolutely reliant on it. We’ve also seen this whole ecosystem around the investment community come together, again vital to our space. We’ve got an active adversary that’s well-financed. We need to be ready and prepared with new innovative solutions. So, all those things have helped, I think, driven the growth for what RSAC is today. And this year we’ve got over 44,000 people here, which is incredible.

Vorndran: Oh, wow.

Farshchi: That is … so I have a secret. I never do this, but on the flight over here, I actually put together some questions.

Thompson: Okay! Bring it on.

Farshchi: And somehow, you ask the first one that I actually have on my list here.

Vorndran: There you go.

Farshchi: All right … Hugh, so you get hundreds of submissions for this, for people to come speak every single year.

Thompson: Two thousand eight hundred this year. 2,800.

Farshchi: Wow, so that even makes this more. Okay. So then out of all of these things that you see and all the talks that you select and then you watch yourself, what are the key elements of what a good security talk is about?

Thompson: Oh my gosh. That’s such a great question. So first, maybe, let me go through the process of what happens to those 2,800 because it will then get to the answer to your question. So, folks, submit from all over the world … 2,800 is a lot because it’s not like a question of what’s your title? And then, you know, good luck.

And we’re going to figure out who it is. There’s a title. There's a short abstract, there’s a detailed abstract that basically is trying to convince a judge that says the short abstract is a promise. Like, “I want to tell you about new and innovative ways to apply Agentic AI,” for example, which would be a common one this particular year.

The long abstract is to give you enough details to convince you that I can fulfill that promise when I come on stage. And we have such a vibrant community that's willing to give, first of all, 2,800 people willing to fill out submissions. But then we have a program committee that’s all completely volunteer from the community all over the place.

And you’d be shocked: chief security officers that it would take you probably months to get a half hour on their calendar. They spend 40 hours going through a whole bunch of submissions on a track. And what is it that they look for? So, what makes a successful submission? I think, is it unique? Does it offer something new into the discussion?

Is it from a set of people where you believe that they’ve actually implemented something? Like, things that come from practitioners, that are actually working in the field trying to solve real problems? Those are the ones that you’re like, “Oh my gosh, I think that the whole community is going to benefit from this because according to their description, they’re willing to share the good, the bad and the ugly.”

This work, this didn’t work. We made this mistake. And then here’s how we adjust it. So those are the kinds of things that folks look for in this independent program committee, as they narrow down from the 2,800-funnel to the 400 to 600 sessions that we actually have at the conference.

Farshchi: Pro tip for anyone out there who wants to submit.

Thompson: Yeah, sure. Be practical.

Vorndran: So, Hugh, the value of whether it’s the FBI or government, domestic U.S. government versus international government, how does the selection committee look at the value proposition of that in speaking engagements?

Thompson: Massively so. I mean, this is a space where you’re dealing with criminals as your adversaries, primarily. Also, nation states. There are domains that companies that are, you know … and financial services and retail and anything … they have certain authorities and capabilities. They can buy technologies, they can hire people, they can do threat intelligence, but they cannot do it alone without law enforcement.

Thompson: They just can’t. Law enforcement knows things that they don’t know. Law enforcement is also incredibly helpful when there is an issue. How do I get some wayfinding on this issue? Like, how do I know what to do? How do I know how to address it? And there are authorities of law enforcement, not just in the U.S. but in other places that are absolutely essential in the process of a person that's dealing with the responsibilities and weight of cyber.

Vorndran: Okay.

Thompson: So, we actively seek out not just law enforcement, but every aspect of government inside of RSAC. In fact, our attendees find it one of the most important pieces of RSAC: “How can I calibrate with governments to understand where’s regulation going next?” Right? You don't want to make decisions today that you might have to unwind six months or 12 months from now, because there’s going to be a new regulation that says, “You can’t do that thing that you just actually implemented and rolled out.” Never has that been more true than in the world of AI.

Vorndran: Okay.

Farshchi: Wow. There is … you got to have a balance. I assume you have to have it balancing act here. We’ve … I mean, I’m looking around: We’ve got every security company imaginable represented here in some way, shape or form. How do you balance the pure play security content that’s going to help people learn and grow and improve with the sort of commercial aspects of our sec as well?

Thompson: It’s a great question. So, think about us as … and it’s actually such an insightful question because I’ve had people outside of the cyber space and who are in the advanced space, and they ask us to categorize what kind of event are we? And they only know a couple of different kinds of events. One would be an expo, and an expo is where you have a ton of vendors, and they’re there and they’re talking about, you know, what do they do?

Do we have that? Yes, we have very big one. But then there’s other conferences that are pure learning conferences. So, it’s all educational sessions. We’re very unique in the sense that we have both and they’re actually quite separated. So, if you go downstairs from where we are right now, there is a huge expo floor. You’ll find every vendor imaginable, as you said, and you’ll be able to understand and talk to them about what they do and how they do it.

It’s important because in security, it’s not like you’re going to build your own endpoint agent, for example. Like, you actually need these vendors. Separate from that, there’s an educational program that happens here, which is massive, and it’s that 2,800 submissions that come in. One of the most important criteria when these judges select them, there can be nothing commercial in those submissions.

So, let’s imagine you were in a company, and you were truly excited about the product that you had to offer, like genuinely. And you think the whole world could benefit from hearing about that product. If that goes into the funnel of the 2,800, that’s not going to come out as accepted.

Vorndran: Okay.

Thompson: Instead, what are the judges looking for?

They’re looking for vendor-neutral, vendor-agnostic things that actually enlighten the community. So, you’ve got this educational track that’s almost separated from what is the expo floor downstairs. And then folks piecing those things together: “How can I get smarter about this space in general? And then how can I find my partners here that are going to help us make this happen?”

Farshchi: Fantastic, that was great.

Vorndran: I mean, one of the best things about being here is the number of people that I can take time to meet with to advance the FBI’s mission. I mean, it’s measured literally. I’m back-to-back-to-back all day.

Thompson: I’m sure you are!

Vorndran: Trying to meet with people, talk to people, advance the FBI’s mission, but that goes for the entire cyber community or the security community.

Okay. Greatest hits. So, my best memory of RSA in the last four years...

Thompson: Oh yeah, tell me, tell me.

Vorndran: … is former FBI executive Herb Stapleton, with his brother Chris Stapleton, with Hany Farid talking about synthetic content.

Thompson: Legendary!

Vorndran: So that is my best memory of just like, fascinating content with fascinating people. With two brothers from a great family getting to reconvene in San Francisco. I know their mom was really proud. And so that’s a very serious statement.

But you’ve seen 17 years. What are some of your best hits?

Thompson: Look, I’m telling you, that one cracks the top 10.

Vorndran: Okay.

Thompson: No, it really does, right? Because it all came together so beautifully. It’s such an important topic, such an important discussion. But, as you’ll probably remember, that was the exact same year that Chris Stapleton had just sung the National Anthem at the Super Bowl.

Vorndran: I know that because my Eagles lost that Super Bowl.

Thompson: Oh, I’m sorry to bring up a painful memory. Sorry about that. But we’re like, “Oh my gosh, this is incredible.” And it came through that funnel of, you know, what was it that year? Probably 2,400 submissions that came in.

Vorndran: And your staff called me like, “This shouldn’t be a general submission, Bryan.”

Thompson: Yeah, exactly, exactly.

Vorndran: This should come through the friends and family submission.

Thompson: That was fantastic. You know, I’d say we’ve had some of the cryptographers panel, which has evolved over the years. It’s been there from the beginning. The roots of RSA Conference lie in cryptography. Right? So, every year we have a cryptographers panel. It has on it folks like Adi Shamir. And, you know, in the past, Ron Rivest. It’s also had, you know, usually every year with (Whitfield) Diffie.

But it isn’t just cryptography that they cover. And I remember a couple of years where those panels just got really controversial, like there was some serious disagreement among incredible experts. And those are the moments to me that are just amazing.

Farshchi: I believe it.

Thompson: Like here. Brilliant people. They can disagree, but they can come together here to disagree publicly and state their opinion.

That’s what I love. And in fact, when we think about the program, we think about can we get these differing points of view together so that you can go and you can draw your own conclusions, right? So that … there’s a couple of those that definitely stand out to me. You know, there was a year … this was many years ago now … when Eugene Kaspersky was here to give a talk.

And there was just a lot of really interesting commentary. From the audience. So that was a memory. And, you know, some of the keynotes that we've had over the years like this … folks that were incredibly inspiring. This is going to sound like it shouldn’t make the top 10, and it’s … but it did for me. We had last year Jason Sudeikis, right?

And he had done a show called “Ted Lasso” that you know, you may have seen. But it was right in the heart of Covid. And people were at home. Nobody could leave the house. You know, it’s just a really, really difficult time for humanity, I would say. And it was this sort of like spark of positivity during that time. Bringing him here and just, like, having a discussion with him to folks that are in the battle every single day and had also just gone through that Covid experience, that was an amazing moment for me.

Vorndran: Yeah.

Thompson: It’s like, how do we take these people that have dedicated their careers to something that’s really hard … and in cyber, there’s not a lot of accolades, right? You’re usually just giving bad news to people. How do you inspire them?

Vorndran: Yeah.

Thompson: How do you kind of brighten things in their lives, and how can you shift a mindset? That was a big highlight to me.

Vorndran: My favorite Ted Lasso scene is …

Thompson: Oh, you’ve seen it?

Vorndran: … is the darts scene, right? Be curious, not judgmental.

Thompson: Yes, yes, that was amazing. When the other guy breaks out his own personal darts and he’s throwing them and Ted’s like, boom, boom, boom, boom, boom and just crushes it.

Vorndran: “Should ask some questions like, ‘Have you played a lot of darts, Ted?’”

Thompson: Yeah, maybe?

Vorndran: All right. We got to get back on track. Jamil, what’s next on those cards?

Farshchi: I love these.

Thompson: Now we go to the clip, Ted Lasso clip. Yeah, which we did play during the keynote.

Farshchi: Can we get the rights to that? Yeah, that would be fantastic. All right I’m going to transition. You sort of touched on this a little bit, when we were talking before. The Innovation Sandbox Alumni—and I think the stat is right—have raised over $12 billion throughout the years.

Thompson: I think it’s up to $18 billion.

Farshchi: Oh, is it $18 (billion)? Oh, so my information is dated.

Thompson: I think it’s up to $18 billion according to Crunchbase. Yeah.

Farshchi: All right. So, $18 billion. What signals do you see the sort … that suggests that this … these companies are going to be successful? What are a handful of things that you would think really differentiate them and position them for long term success?

Thompson: You know, it’s a very unique program. So, this is the 20th year; it’s a 20th anniversary of hosting Innovation Sandbox. What you see in here is just incredibly innovative entrepreneurs, right? They’re really driven; some super unique different approaches to cyber. And I think the thing that’s special about it, or maybe that’s driven to that number that you’re talking about, is that it is adjudicated by the community.

So, we have a panel of independent judges, and they represent different roles, like we have a chief security officer, and we’ve got, you know, somebody that’s with government. And then we’ve got, you know, all of these different folks that play a piece in cyber, and they adjudicate over these submissions that companies come in with and then you get down to this unbelievable top 10.

And it is a fundamental faith that we have here at RSAC that the community knows the right answer. And so those judges bring it down from a pool of this year; we had a record, we had 200 …

Vorndran: Oh my gosh.

Thompson: … brand new cybersecurity startups that enter that top of funnel.

Vorndran: Oh, wow.

Thompson: And we got down to a top 10. In fact, we had that competition earlier this week.

Some of these companies will just blow your mind. It’s absolutely fascinating. So, you know what’s led to that kind of outcome, I think, is the fact that the community knows. And if you trust the community, great things will happen.

Farshchi: And I think, I can attest, and I won’t name names, but several of the companies that have come through that program, I’ve ended up using myself at various companies that I’ve worked for. Like, we’re now customers of theirs. So, it’s a fantastic program that really does generate a ton of meaningful innovation for the community.

Thompson: And we see it as a responsibility at RSAC to fuel the innovation in cyber to help facilitate it. We have to. We have to. We’re going to lose if we don’t do that, right? And if there’s not new ideas constantly coming into the funnel of cybersecurity, we know there are on the side of the bad guys, right? They’re very well resourced.

They’re well-funded. In some cases, nation-state capabilities. We’ve got to do whatever we can to help these entrepreneurs.

Farshchi: Yeah.

Vorndran: Got some more or you want me?

Farshchi: No. Yes, I have one. This is one where I am very excited to ask you.

Thompson: Yeah, go tell me.

Farshchi: So, complete this sentence.

Thompson: Okay.

Farshchi: There’s thousands and thousands of people all around us. And right over here. If every attendee that attends this this week, if they did “blank” when they got home, then, what would it be to be able to drive the entire ecosystem and tilt it toward a more secure ecosystem at large? What is the one thing people could do?

Thompson: Huh, that’s interesting. To tilt it to a more secure ecosystem. I believe that everybody has a trap set of knowledge in cyber, and they don’t even know what’s trapped inside of them. Like little puzzle pieces. I think the simple thing that they could do is reach out to three people that I hope that they met while they were here. Not people they already knew and they’re, like, catching up. And, “Hey, great to see you.” Like, three brand new human beings and then followed up with them after the conference and just continued to learn from those people and have exchanges.

I do believe that the bonds that get formed—trust first in person and then, you know, kind of connecting afterwards—unbelievable things happen that you don’t even know, you can’t even see, you can’t even control.

And they’re going to influence the very fabric of how society thinks about cyber.

Farshchi: Amen.

Thompson: You know, if we can keep cyber as a top-of-mind topic for the average citizen and make them the first line of defense, we would be in such a better place and we’re going to get there. We’re going to get there.

Farshchi: Yeah. Collectively secure. Yeah.

Thompson: Collectively secure.

Vorndran: So, switch gears. Where are you going with RSA? Advance three years. Five years. How do you see it evolving?

Thompson: You know it’s …

Vorndran: It’s hard to think with the current workload, right?

Thompson: Yeah, you know we’re in the middle of a gigantic one. But, you know, we have been thinking about this obviously for a long time, right? And one of the things that has always bothered me is that we get together. It’s great. You know, you get to see all kinds of people. You get to reunite.

And to your point, Bryan, earlier, you get the efficiency of having so many meetings and discussions in person, right?

Vorndran: Yup.

Thompson: But then that the week ends, and now what happens in the other like 51 weeks? So, one of the things that we have been working on, and you’ll see it around in here, is the beginnings of what we call a community platform. So, a way that people can connect with each other throughout the rest of the year.

Vorndran: Ok.

Thompson: And I bring that up and as an answer to how do I see, you know, RSAC changing, I see us as also being a facilitator of the conversations that are critical in cyber, not just physically while you’re here. So earlier at the beginning of this week, I asked, you know, during the opening keynote, “Hey, is this is your first time at RSA Conference?”

You know, “please stand” and it’s half the room.

Vorndran: Oh, really?

Thompson: But it’s like that every year. Most people don’t know that. And is it because the people went the last year didn’t want to come back? No. That’s almost never the reason. It’s because, you know, they are part of a big security team at, let’s say, I’m just going to pick a random company, Walmart, for example. And it was their turn to go, but now it’s next year.

It’s travel budget. It’s getting to San Francisco. It’s the flight. It’s all of it. And so, it’s not your turn this year and it’s somebody else’s turn. In one way, that’s wonderful, right? Because there’s a lot of new people that come into the ecosystem. But it’s not like those other people that aren’t here don’t need the same benefits.

Farshchi: Yeah.

Thompson: And I am excited to work with the community on ways that we as an organization can help keep them more connected throughout the year.

Vorndran: Okay.

Thompson: And you’ll see us put a lot of time investment everything into that mission.

Vorndran: Okay. That’s great.

Farshchi: Is there a thought around expanding it, not just making it more accessible to those teams, but doing it more consistently throughout the year? So, it’s not a one-time event?

Thompson: One-hundred percent. And that’s baked into this idea of this platform. So can … you can imagine a call for submission that’s not just an episodic, “Okay, guys it closes on ‘x’ date, it’s done.” And then we’re going … Imagine that kind of thing being continuous. We do it a little bit today in a program we call 365 where we have webinars that happen throughout the year.

But I think we could do something way more profound because things change all the time. They change all the time.

Farshchi: Yup.

Thompson: And the only way we’re going to be successful in doing that is hand-in-hand with the community. Everything we do here is community driven. Community picks the program; the community picks the startups. The community is going to decide what they want or don’t want inside of this platform. And I’m excited to discover …

Farshchi: Yeah.

Thompson: … what do they want? What do they like? What do they not like? But just beginning that journey is awesome.

Vorndran: So, I mentioned to you before we got started, there’s some rumors floating around town …

Thompson: Tell me, man. Tell me.

Vorndran: RSA in San Francisco. Now I know we got 2026 already on the books, right?

Thompson: 2026. In fact, you know, it’s weird. People ask me this all the time. It’s like, I think I may have mentioned it to you before. Somebody come up to me and said, “Hey, RSAC is moving to Vegas.” This was last year.

Vorndran: I heard this yesterday!

Farshchi: That’s what he was just telling me.

Thompson: No, no, somebody told it to me last … Like informed me that, that’s what was happening.

Vorndran: As the chief production guy!

Thompson: Now, and, what, you know … but what was really ironic about it is we were standing right next to a sign that had the dates for 2025 in San Francisco. Right? Which is … so, I don’t know how this rumor, like, keeps happening every single year. It will be here in San Francisco in 2026. We have the dates; I can’t remember them off the top of my head … they’re the end of March. So, it’s moving, like, maybe five weeks earlier.

And, you know, there is so much of a technology ecosystem here in San Francisco. And I’d say that this city is really trying, like, you know, we continue to have a good partnership with the city and making things better for attendees. And, you know, San Francisco and our history are pretty intertwined.

Vorndran: Yeah. I mean, just from somebody who’s attended for the last four or five years, I can’t imagine it being somewhere besides here. That’s very difficult for me …

Farshchi: I know.

Vorndran: … to get my head wrapped around because of the incubator that this area is.

Thompson: Yes. So, yes, I agree with you.

Vorndran: Jamil. What do you got? Anything else?

Farshchi: I have one last question, and it ties into the interweaving of RSAC with the city and things like that. But this one is more around the public-private partnership aspect.

Thompson: Yeah.

Farshchi: How important is it to have people, you know, like Bryan, from the government participate in RSAC and build that partnership amongst the community itself and have the relationship with RSAC as well?

Thompson: It’s fundamental. It’s not optional. It’s essential, right? And I think everybody in this community knows that. And which is why we so actively not just try and foster those relationships but encourage it and try and feature those government organizations from the U.S. and around the world. Like, for example, this year, for the very first time, we had the seeded director of GCHQ (Government Communications Headquarters) here.

Vorndran: Okay.

Thompson: Which was great, right?

Vondran: Yeah.

Thompson: It’s fantastic. It’s another perspective on how we can help? Because that’s the mentality that I think most people in cyber have. “How can we help?” You’re in law enforcement, how can we help you? You're a regulator, how can we inform you, maybe? How can we help, inform you? But we certainly want to understand where you’re going next and we want you to be a part of the conversation, that's for sure. That is absolutely essential to all of the people that participate in cyber. We understand that very deeply and are absolutely committed to it. And you can see it by our actions.

Farshchi: Yeah.

Vorndran: Yeah. So, Jamil, I’ll go to you and then Hugh, you, for closing thought, and then I’ll end cap it from there. Jamil?

Farshchi: No, I’m good. This has been a fantastic year. Just as always. I love coming to San Francisco. I love this event. All the people everywhere, all the old friends that I get to reunite with, and all of the new people that I get to meet as well.

So huge kudos to you and your team for all of … doing all of this work year in and year out. It makes the community … it makes us all safer. And it … makes us better prepared to be able to fight the good fight. Thank you.

Thompson: I appreciate you saying that. And you know what? I get so inspired by this week. I’ll be honest with you, right? Like it’s exhausting, like it is for everybody. But … security … I would argue it’s something that you are, not necessarily something that you do. Like, you … if you believe in the mission of protecting and defending, then it’s not work. It’s like who you are. It’s like baked into your ethos. And it is always so heartening during this week to see how this community can come together under that same common mission.

That’s the thing that to me is like stunning. It blows me away every year. And it’s a feeling, it’s an atmosphere and it’s here in abundance.

Vorndran: Great. Well, I will close. I want to thank you. And I want to thank your staff. You have been so supportive of the FBI. As a person, as a colleague, your staff of us, as an organization over so many years. But during my time here, during the last four years … and so supportive of me and what we’re trying to accomplish in the FBI Cyber program, and I just want to say a very, very sincere thank you.

You’re one of the most kind and genuine people I’ve ever met. And just appreciate you having our back.

Thompson: Bryan, that is so kind of you. And, you know … and you and I have had this conversation before many times. We are here to help. And I can’t thank you enough for your service to this country.

Vorndran: Yeah, well, I just happened to be here representing a lot of really good people. So, thank you Hugh. Thank you, Jamil.

Farshchi: Thank you. Appreciate it.

Thompson: All right. Thanks, guys.