A skeptical stroll through the RSA expo floor

So, the RSA conference – sessions, keynotes, expo, parties, etc… – wrapped up last week. I’m still working on summaries for the sessions I attended, but I wanted to discuss something else: the influence/persuasion techniques on the expo floor.

  • I did not watch the keynotes, so I may have missed any specific set-up done by the larger vendors in their original pitches.
  • The company I work for did not have a booth, so my skepticism might seem self-serving. Besides assuring you it is not, not much else I can do…
  • Reminder: As always, opinions are my own 🙂
Before I jump into this post, a shout-out to Andrew Plato from the Anitian blog for a great blog series on the conference. Highly recommended! His crisis of leadership post is pure gold! I hope my small contributions on economics are but a small nudge in the right direction.

(Also, Dr. Anton Chuvakin from Gartner had a great post on his take at RSA as well 🙂 )

By now, it should be obvious to many of us that expo floors are really meant to influence visitors. This post is meant to bring this to light, through a point-by-point example of how common influence principles are applied.

Why write it? Because not many in InfoSec think consciously about these kinds of influences. I strongly believe we can all benefit if we understand how these games are played and can spend our efforts on creating *and* deploying secure solutions.

Before getting into it, a little background. Robert Cialdini’s “Influence: The Psychology of Persuasion” is one of the most influential books I’ve ever read (yes, pun fully intended). In it, Cialdini – a noted researcher on persuasion – describes 6 “weapons” of influence that are often used. These are elements that tend to lead to higher compliance with a request. They include:
  • Authority – a request or message coming from someone of [perceived] authority yields better compliance. Think ‘people in lab coats discussing medical products on TV’.
  • Scarcity – if something is framed as being in short supply (units or time), or otherwise restricted, it will yield better influence. “Only good for 24hrs!” kind of messaging.
  • Liking – if the person or entity requesting something is someone we “like”, we tend to comply a lot more often.
  • Social Proof – the effect (real or not) of someone similar to you resonates extremely well.
  • Reciprocity – should you receive a ‘gift’ from someone, your receptiveness to their requests increases significantly.
  • Consistency – finally, if someone is able to frame a request in a way that is compatible with how you perceive yourself, there’s a higher likelihood you’ll comply.
With that in mind, let’s take a stroll through the expo floor…

Elements exploring the “Authority” principle:
  • Suits. Suits everywhere. Anyone working in a “senior” capacity in business development, sales, etc… was likely wearing a suit. Some of the smaller booths had senior people in the standard booth uniform, but to me that was meant to signal something else – that the company has enough people – so it’s understandable.
  • An interesting observation on authority. As I walked the floor, I looked at the wording and visual aspects in the various booths. Larger booths from more familiar brands had very clear messages that were just the brand itself or basic functionality about their offering (“DDoS Protection”, “Malware Analysis”, “User Behaviour Analytics”, …). Smaller booths – disproportionately housing smaller companies – however, had much more emphatic messages: “Leader” in this, “Complete Security” in that, “Best of” in whatever. This, to me, is a clear appeal to authority.
    Funny enough, though, there were at least two exceptions that I thought were noticeable:
  • A very prominent software vendor had a relatively large floor presence in the North Hall, but their message carried the same “look at me” style of messaging by calling themselves “the global leader in…”.
  • A very large software company comfortably situated in the Fortune 100 list had a *tiny* booth on the North Hall, alongside upstarts. It also had the same messaging as upstarts (“Maximum security”). Frankly, if they couldn’t afford to pay for at least a mid-sized booth, what were they even doing there?
Scarcity was also easy to explore:
  • Every vendor was unique. Vendors seem to dislike being framed in the same category as others. Every one has a peculiar element that makes them unique. This is extremely useful when trying to explore ‘scarcity’ as a trigger. “We’re the only UBA with strong crypto analytics and threat intel feeds” or something along those lines. If you believe that vendor to be unique, how will you consider alternatives?

Liking is inherent to a trade show:

  • You’d be hard pressed to find a “sad” face in all the expo floor. Sure, some organizations (such as government agencies or non-commercial firms such as business development offices) may have less appetite for easy banter, but mostly everyone else was “happy”.
  • Liking also extended to the vendor allowing you to do nice things, such as going ‘Office Space [slightly NSFW]’ on older equipment, shooting Nerf guns, or letting you meet a trendy actor.

Reciprocity is quite easy to pick up as well:
  • Conference Tchotchke/Trinkets. From Star Wars lightsabers, to USB fans, to drones, to stress balls, to pens, … one could fill volumes of luggage with all the giveaways. They are a clear appeal to reciprocity, along with the drinks/popcorn/… served throughout the expo floor. Personally, I liked the popcorn. 🙂
  • Conference Events/Parties. Sure, not only enjoy the giveaways at the expo floor, but come join your vendor for a bash afterwards.
Appeals to Social Proof and Consistency:
  • Social Proof was on display in every mention of how many thousand people attend the conference, as well as the consistency in the overall materials – from the Norse lanyards to many “(ISC)2” ribbons attached to the badges. The message is clear: “you’re all part of the same community”. Not a bad message overall, of course, but also a nudge that if people are looking at a particular demo/booth, hey, you’re not so different from them and maybe you should too…
  • Consistency seems to come afterwards. After you scan your badge at the booths – either as a condition to get the aforementioned trinket or just because you’re around watching a demo – the inevitable post-RSA email arrives: “You visited our booth and had interest in our solution. How would you like to schedule a sales call/demo?” (thanks to @MeneghelAna for helping me dissect this usage).


Just rounding up random observations:
  • Quite a few vendors – large & small – had presence on BOTH North and South expo halls. Marketing budgets must have been plenty this year…
  • Lots of ‘Endpoint’ solutions, alongside ‘Analytics’.
  • Too many ‘pew pew’ maps, including in 3D!


So, in essence, a skeptical walk through the expo floor sees many examples of influence. Be aware (and beware…) of it, at RSA and elsewhere.

Lots of people (particularly in our echo chamber) have very negative opinions on the conference. I’m not one of them. I really like the opportunity to learn interesting perspectives from the sessions (sure, some may be ‘basic’, but we’re not all experts at everything, are we?) and I *love* the opportunity to catch up with people I only see at conferences.

That being said, I struggle to find value in the expo floor. Sure, it is a great arena to run into folks, but for other interactions (looking at new products/technologies, chatting up with your friendly vendor, …) there are better options, IMHO.

This is no longer the age of COMDEX.

