A Conference Defined by Absence and Adaptation
RSAC 2026 Conference served as a vivid snapshot of an industry in transition. Artificial intelligence, geopolitical instability, and a conspicuous lack of US federal government presence dominated conversations across the event's four days. Dark Reading senior editor Becky Bracken joined Informa TechTarget senior executive editor Jamison Cush and managing editor Sabrina Polin for a wide-ranging discussion — broadcast live from the show floor — that captured the tensions and opportunities defining cybersecurity in 2026.
The exchange, part of the Eye on Tech interview series, covered everything from the EU's growing regulatory influence to the practical challenges facing CISOs navigating boardrooms increasingly anxious about AI risk. What emerged was a portrait of an industry searching for leadership and finding it, for now, in unexpected places.
The Federal Government's Conspicuous No-Show
Perhaps the most striking departure from previous years was the complete absence of US federal government leadership at RSAC 2026. In prior years, the event drew senior cabinet officials: former Secretary of State Anthony Blinken attended, as did former DHS Secretary Alejandro Mayorkas. Last year, then-DHS Secretary Kristi Noem was present. Beyond leadership, CISA rank-and-file staff and federal policymakers had historically shown up in significant numbers to engage with the private sector.
That tradition ended this year. Bracken noted that CISA itself had been cut roughly in half through DOGE-related reductions, with experienced technical personnel displaced from their normal working environments. The disruption was compounded, she said, by reporting from colleague Eric Geller at Cybersecurity Dive: within eight days of RSAC hiring former CISA Director Jen Easterly — who led the agency under the Biden administration — into a leadership role at the conference organization, the entire slate of federal government presenters withdrew from the program.
"We're at war with a known nation-state cyber actor. AI is pretty much upturning all of the tables. We've got quantum right around the corner. So there's a lot to talk about," Bracken said, underscoring the irony of the timing.
The European Union Steps Into the Gap
With Washington effectively absent, European counterparts moved to fill the leadership void. The shift was notable enough that Bracken dedicated significant attention to it in her assessment of the conference's overall themes.
Dr. Richard Horn from the UK's national cyber centre delivered a keynote that directly addressed the private sector, focusing on the risks of so-called vibe coding — AI-assisted code generation that can introduce cybersecurity vulnerabilities if guardrails are not deliberately built in. His message was straightforward: the technology has genuine use cases and will shape the future of software development, but sloppy security practices cannot be allowed to follow it into production environments.
Separately, EU leadership convened a session branded as Brussels at the Bay, where regulators actively engaged with private-sector attendees. Among the topics discussed was the EU Cyber Resiliency Act, legislation currently slated to take effect in December 2027. Regulators framed the forthcoming rules not as an effort to stifle innovation, but as a straightforward articulation of rules of engagement within EU borders. They also signaled that AI regulation would accompany cyber resilience mandates, and they explicitly solicited feedback from industry participants.
Bracken observed that European officials appeared in greater numbers than in previous years — a deliberate effort, she suggested, to forge private-sector partnerships at a moment when their traditional US government counterparts are less engaged.
An Uncomfortable Question About Reliable Partnerships
The geopolitical subtext was impossible to ignore, and Bracken said she pressed EU regulators directly on the question of US reliability as a partner. Asking from the front row — by her own description, the uncomfortable question everyone else was tiptoeing around — she inquired who, exactly, the EU's US counterparts are anymore, and whether America could still be considered a dependable ally in cybersecurity matters.
The responses were telling in their evasiveness. The head of Europol put his head down and declined to answer. A second regulator simply refused to engage with the question. A third opted to quote the EU president, offering only that "the American people will always be our friends."
Bracken interpreted the collective silence as a reflection of the broader political mood: everyone is making careful calculations about the current US administration, nobody wants to be the first to say something definitive, and lobbyists across the industry are working overtime as a result. The cybersecurity community, she concluded, is in a pronounced wait-and-see posture.
CISOs Caught Between Boardrooms and AI Risk
For chief information security officers, the geopolitical dimension is largely background noise compared to the immediate operational pressures landing on their desks. Bracken emphasized that CISOs are pragmatic by nature — focused on what is working and what threats are active — rather than on pending legislation or political maneuvering.
The threat environment itself has shifted materially. SANS Institute, which publishes an annual list of the five most dangerous attack vectors, released a 2026 edition in which all five entries were AI-related. Bracken cautioned against dismissing this as hype: each AI-driven threat category presents a distinct set of challenges, and CISOs are contending with multiple novel problem sets simultaneously within their own organizations.
The specific concerns include adaptive malware that can modify its behavior in real time and machine-speed attacks that outpace human response capacity. These threats demand defenders who are equally sophisticated — and equally fast. The pressure on CISOs to satisfy boardroom expectations around AI adoption while simultaneously protecting organizations from the vulnerabilities AI tools introduce represents a genuine and growing tension.
Quantum Computing and the Encryption Audit Imperative
Looking beyond immediate threats, the conversation at RSAC 2026 also touched on quantum computing as a near-horizon concern. Bracken stressed that organizations should not wait for quantum capabilities to become widely available before acting. The recommended posture involves auditing existing encryption standards now, identifying where current cryptographic protections would be rendered inadequate by quantum decryption, and developing policy frameworks to govern the transition to quantum-resistant alternatives.
The window for preparation exists today, but it is not indefinitely wide.
Cyber Capabilities and Kinetic Warfare
Another thread woven through the RSAC 2026 discussions was the deepening integration of cyber operations into conventional military conflict. The convergence of digital and kinetic warfare represents a doctrinal shift with significant implications for both government and private-sector security teams, particularly those operating critical infrastructure that could become a target in hybrid conflict scenarios.
Resilience as the Defining Theme
Despite the uncertainties on display — a federal government stepping back, adversaries accelerating, quantum looming — Bracken offered a cautiously optimistic closing note. The cybersecurity industry has demonstrated consistent resilience and adaptability across previous disruptions, and the community gathered at RSAC 2026 reflected that capacity once again.
The absence of traditional US government leadership did not paralyze the conference; it created space for new voices, including European regulators and international partners, to shape conversations that will influence policy and practice well beyond the event itself. Whether that realignment proves temporary or marks a more durable shift in global cybersecurity leadership remains, for now, an open question.
Source: Dark Reading