Denys Rudyi - Fotolia

Supply chain cybersecurity is a hot topic for RSAC 2019

Following years of AI climbing the hype wheel at RSA Conference, the topic is no longer one of the most prevalent as supply chain and infrastructure fears take focus at RSAC 2019.

The focus of submissions for the RSA Conference this year turned away from hyped future technology and focused more supply chain cybersecurity and third-party risk.

The RSA Conference 2019 will take place March 4 to 8 at the Moscone Center in San Francisco.

RSAC 2019 received more than 2,200 speaker submissions and the hype-beast topic of AI dropped from the number one topic submission for RSAC 2018 all the way to number nine this year.

According to a blog post by Britta Glade, senior content manager for RSAC, the biggest topic submissions this year were: third-party risk and supply chain cybersecurity; network architecture and infrastructure changes; geopolitics; privacy; and frameworks. This year's conference agenda lists seven sessions that primarily focus on supply chain issues, as well as several other sessions that deal with related threats and defensive strategies.

Glade said it appeared that risk is "becoming the most important letter of the GRC acronym, dwarfing conversations about Governance and Compliance."

"Concern about third-party risk, officially hit the tipping point, fueled by cloud adoption and overall architectural changes, geopolitical conditions, GDPR and similar regulations, and everything-as-a-service, which has removed traditional borders and opened organizations up to possible attacks from previously unexpected sources and locations," Glade wrote. "Organizations are thinking differently about managing software supply chains, third parties and their risk management posture as a whole."

Overall, Glade noted that the major themes of RSAC 2019 are more intertwined and "one could argue chicken and egg implications across all of these trends." The dissolution of network boundaries has led to the end of traditional network environments, geopolitics influenced cyberattacks and major regulatory efforts, especially considering the still-unfolding ramifications of GDPR.

Chris Wysopal, CTO of Veracode, said supply chain cybersecurity has always been an issue, but it is "heating up as businesses shift to more SaaS applications and outsource the maintenance of on-premise software and appliances."

"We've recently seen breaches at online providers impact local governments and healthcare. Supply chain risk is also impacting enterprise development teams and ISVs as they build their application with open source components that inevitably contribute vulnerabilities they didn't create but must manage," Wysopal said. "Nation-state botnets leveraging social media to target propaganda is a major new area, as is stealing or fraudulently obtaining personal data to target social media and direct attacks like phishing. Government has a unique ability to use policy and regulation to help secure areas where the market has failed."

Supply chain security timeline

Other hot topics

Katie Moussouris, founder and CEO of Luta Security, said she hopes RSAC 2019 is less about "buzzword-worthy" topics and more about "mature themes of building sustainable security through risk management." Although, she did admit that "it's hard to even say those words without falling asleep a little, so I get why we haven't been very successful as an industry in actually doing it."

Related to the ideas of privacy and GDPR, a number of experts also said the topic of identity should be one that pervades RSAC 2019.

Bob Noel, vice president of strategic relationships for network security vendor Plixer, said RSAC 2019 "will provide a platform for discussions around the protection of personally identifiable information (PII) and people's rights as it pertains to their data."

"[GDPR] legislation challenged traditional jurisdictional boundaries by focusing on a person's data, not where the data is compromised. In addition to GDPR, 2018 saw the passing of the California Consumer Privacy Act, which will give California citizens the right to know how their data is being used, demand the deletion of their data, and opt out of having their data sold," Noel said. "We now live in a big data world where companies are monetizing PII. Consumer rights surrounding that data and legislative awareness of the problem will only increase over time."

Organizations are thinking differently about managing software supply chains, third parties and their risk management posture as a whole.
Britta Gladesenior content manager, RSAC

Beyond the expected major themes like supply chain cybersecurity, experts also thought this might be the year that IoT security made more waves.

Jake Williams, founder and CEO of Rendition Infosec, said manufacturing and healthcare were two specific industries that "will have lots of IoT and a shifting IoT landscape that will benefit most from IoT-specific management solutions."

Colin Bastable, CEO of cybersecurity test and training company Lucy Security, said IoT security is important because "securing data that is captured, stored and communicated by inherently insecure devices is a major challenge for the IT security industry."

"IoT devices and the code that enables them are designed for ease of use, and as we know, plug and play technologies enable admins to forgo essential security measures. It's easy for employees to add IoT-capable devices to networks and company infrastructure, introducing potentially malicious code, while also opening the network to potential hackers," Bastable said. "Most IT security professionals still think in terms of security boundaries, but the challenge is to attach the security to the data, as it travels across boundaries." 

Agenda highlights

While attendance for RSAC seems to have leveled off over the past few years, the conference continues to expand its scope of sessions, speakers and keynote addresses.

RSA Conference Stats





RSAC 2014




RSAC 2015




RSAC 2016




RSAC 2017




RSAC 2018




An RSAC spokesperson said the final attendance count for RSAC 2019 will be released in the closing press release published on March 8.

For the tens of thousands of attendees expected to make their way to RSAC 2019 one of the most stark differences compared to recent years may be that the construction that began in November 2014 at the Moscone Center is finally complete.

Linda Gray Martin, director and COO for RSAC, said this means attendees with be able to "enjoy the Expo in one continuous space, a covered pedestrian footbridge between Moscone North and South, an expanded keynote program, and even more space for networking."

Given that RSAC has attracted more than 40,000 attendees each of the past three years, this should make for easier commutes between this year's 31 keynotes and 783 track sessions on the agenda.

Gray Martin said RSAC 2019 expanded the keynote program because attendees requested "keynote-level sessions that delve more in-depth into topics like hacks, research and attacks, and to have this opened to all passes rather than just full conference pass holders."

"West Stage keynotes will continue to feature sponsor keynotes, panels and esteemed guest speakers, and South Stage keynotes will utilize the newly opened Moscone Center South to bring highly coveted sessions from industry experts to a broader audience," Gray Martin said. "The audience of both West and South Stage keynotes is the same, but the broadening of more keynote-level content to two stages opens more coveted content to more attendees than ever before. The West Stage keynotes are focused on high-level, inspirational presentations in a shorter format (20 minutes) and the South Stage keynotes are more in-depth with a longer format (50 minutes)."

Special events

Beyond the keynotes, sessions and tutorials, RSAC 2019 will once again feature a number of special events, including the Innovation Sandbox Contest and Learning Labs. But Gray Martin said there are new events to expect as well, such as the CISO Boot Camp, which she described as a program bringing 100 CISOs together "for candid conversations around trends, tactics, learnings, challenges and more."

"The first-ever RSAC Launch Pad will take place on Tuesday of the conference. RSAC Launch Pad is designed to give new cybersecurity talent the opportunity to pitch their new business to three high-profile venture capitalists -- Theresia Gouw, co-founder of Aspect Ventures; Enrique Salem, partner at Bain Capital Ventures; and Ted Schlein, managing and general partner at Kleiner Perkins Caufield & Byers -- in a live, Shark Tank-style format.

If the VCs believe in the company's solution, participants may receive VC funding and/or mentorship support," Gray Martin said. "We're also partnering with Bruce Schneier and the Ford Foundation to bring a full-day Bridging the Gap: Cybersecurity + Public Interest Tech track on Thursday. The track is designed to dive in to the emerging field of public interest technology, which is comprised of individuals using their skills in technology to change the world for the better."

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing