The Badge Problem: When the Cybersecurity Industry Forgets the Basics
March 2026 | San Francisco
RSA Conference 2026 is in full swing in San Francisco, and the Moscone Center is doing what it does every year: pulling in tens of thousands of security professionals, vendors, analysts, and policymakers from across the globe. The conversations inside are in full flow. The keynotes are polished. The vendor stands are competing for your attention. The threat intelligence is current.
Then everyone steps outside.
Walk down Howard Street, grab a coffee on Mission, or queue at a food truck anywhere near the venue, and you will see something that should not exist at the world's largest cybersecurity conference: hundreds of people wandering around with their full name, job title, and employer displayed on a lanyard around their neck, readable from several metres away.
This is not a minor oversight. This is the kind of behaviour that would appear in the first slide of a social engineering awareness training.
What a Conference Badge Actually Tells a Bad Actor
Let us be precise about what is on display. A standard RSAC badge carries your full name, your organisation, and often a role indicator. At a conference drawing CISOs, intelligence analysts, government officials, critical infrastructure operators, and senior executives from major defence and technology firms, that is a remarkably useful data set for anyone with bad intentions.
Consider what you can do with that information in real time:
Targeting for social engineering. You now know who someone is and where they work. Approach them confidently, drop a name, reference a shared session, and you have an opening. Physical social engineering is trivially easy when your target is already advertising their identity.
Competitive intelligence gathering. Vendor relationships, procurement interests, and strategic priorities can all be inferred from who is at the conference and what their badges say. Competitors pay attention.
Nation-state interest. RSAC often attracts a meaningful number of people working on sensitive programmes, cleared contractors, and government cyber officials. Foreign intelligence services do not need to compromise a network if they can photograph a badge queue outside a lunch venue.
Correlation attacks. Match a badge photo to a LinkedIn profile, add a location timestamp from social media, and you have started building a pattern of life for someone who almost certainly did not consent to it.
None of this is theoretical. Social engineering, physical surveillance, and conference-environment targeting are well-documented tradecraft. The information security community knows this. It teaches this.
The Irony Is Difficult to Ignore
There is something particular about this happening at RSAC. This is not a trade show for plumbers or estate agents. The people wearing their badges to lunch are, in many cases, the same people who brief boards on insider threat programmes, design zero-trust architectures, and publish research on human factors in security failures.
The fundamental principle at play here is simple: minimise the information you share with people who have not been vetted. When you leave a secured environment, you reduce your surface area. You do not carry credentials you do not need.
Flipping a badge over costs nothing. Removing a lanyard and putting it in a pocket takes three seconds.
A Simple Ask
If you are at RSAC this week, flip your badge when you step outside the venue. It is not paranoia. It is the most basic application of the principles you probably spend your working life promoting.
The conference hall is a controlled environment. The street is not.
We would not accept this from users in an organisation we were responsible for securing. We should not accept it from ourselves.