The annual RSA Conference starts Monday, April 24, in San Francisco. RSA is always an interesting mix of life-and-death cybersecurity discussions and wild industry hyperbole, all with a focus on the economy, regulations, security organizations and -- yes -- technology, too.
What will this year feature? Here are my thoughts on the top 10 topics.
1. Macroeconomic impact on cybersecurity
Despite booth tchotchkes and cocktail parties, economic uncertainty will be a persistent elephant in the room. Venture capital funding in the cybersecurity sector was down 39% in 2022, and we can expect it to decrease again this year -- especially in light of the Silicon Valley Bank collapse.
With RSA in Q2 this year, I expect to come away with a better temperature reading on the industry -- security budgets, technology spending priorities and funding activities. It wouldn't surprise me if we saw some major M&A announcements at or just before RSA as skittish investors take their remaining money off the proverbial table rather than continue to bet on the obscene valuations of the past few years.
2. AI security implications
The recent Microsoft Security Copilot was a shot across the bow of the entire security industry, making generative AI a belle of the ball at this year's conference. I hope discussions go beyond obvious ChatGPT use cases for attackers and defenders -- for example, phishing email creation and threat intelligence lookup -- and get more into innovation and the future. I expect every vendor besides Microsoft to balance AI fear, uncertainty and doubt with their own generative AI plans.
3. Passwordless authentication
Current authentication methods using a password or a password plus an additional factor -- i.e., multifactor authentication (MFA) -- are prone to compromise through social engineering. The new kid on the block is phishing-resistant authentication, aka passwordless authentication. Given that more than 80% of breaches involve compromised credentials, according to Verizon's "2022 Data Breach Investigations Report," passwordless authentication adoption has seen a big push. The industry has muddied the waters with a potpourri of passwordless flavors, however, including biometrics, new protocols such as FIDO2 and WebAuthn, and even hardware-based tokens -- lots of options and confusion. My colleague Jack Poller and I will see if RSA 2023 narratives add clarification or more uncertainty.
4. All things cloud security
Many companies are moving most, if not all, of their workloads to the cloud. The speed and volume of releases and the distributed nature of microservices-based applications using ephemeral resources raise oodles of cyber-risk management challenges. Cloud complexity means more things to test and monitor. Organizations need ways to work efficiently, reducing manual, tedious tasks like going through alerts, collecting data and comparing results across spreadsheets and different tools. Security teams are also looking for team collaboration efficiency to eliminate bottlenecks, create faster feedback loops for remediation and react quickly to threats.
At RSA, we'll get the latest on how to address elements that rapidly scale with cloud adoption -- including data, access and identities, the software supply chain and APIs. Is this enough to address cloud security at cloud scale and complexity? Hopefully we'll find out in San Francisco.
5. New regulations, frameworks and standards
Whether it's the Cybersecurity Maturity Model Certification, the National Cybersecurity Strategy, the European Union's Network and Information Security 2 Directive, the Securities and Exchange Commission's new cybersecurity requirements or multiple new regulations in Asia, CISOs and risk officers have a lot to think about. Key topics include data privacy, software supply chain security, board-level security responsibilities and disclosure requirements. It's been a while since compliance was front-and-center at RSA, but in 2023, what's old is new again.
6. Threat detection and response
This one is a bit self-serving, as my colleague Dave Gruber and I are presenting on threat detection and response at the conference on April 26 at 9:40 am. For the past few years, everyone was gaga over extended detection and response and consolidation, but I see some problems with this story. First, large organizations already have SIEM; security orchestration, automation and response; endpoint detection and response; network detection and response; and many other threat detection tools. Ripping and replacing existing tools isn't happening. Furthermore, organizations are surrounding central security operations centers with dedicated tools for cloud detection and response, identity threat detection and response, data detection and response, and more. A real push-pull dynamic is happening between specialization and centralization. Old Dave and I have our opinions on how this will play out, but we'll be all ears to hear what others are thinking -- especially large, decentralized organizations.
7. Zero trust advancement
As NIST's 2020 zero-trust architecture paper (SP 800-207) concluded, zero-trust projects such as MFA and network segmentation have been happening for a while, but that didn't stop the industry from marketing zero trust as a new type of security panacea. We've seen progress and benefits over the years. For instance, research from TechTarget's Enterprise Strategy Group (ESG) indicated 77% of organizations report business and security benefits from zero-trust projects, but it also found that foundational elements of zero trust -- such as checking the health and posture of a device before allowing it to connect to a network, enforcing a least privilege access model and using microsegmentation -- remain lacking in many implementations. My colleague John Grady and I will be on the hunt for true zero-trust progress examples and metrics.
8. Security automation
ESG research found 90% of enterprise organizations are automating security processes but encountering obstacles, including a lack of development skills within the security team and process immaturity. Overcoming these barriers requires measures such as process reengineering, more granular task automation and low-code/no-code automation tools. And security process automation depends on further cooperation with IT operations, DevOps teams and software developers. Are organizations still automating basic tasks, or have they moved on to automating processes that help them accomplish true business objectives? Hopefully I'll get a better perspective at the conference.
9. Managed services
It's clear to me that next to no one can handle cybersecurity on their own anymore. ESG research revealed that 85% of organizations use managed detection and response services for staff and/or skills augmentation. My assumption is that CISOs will lean more heavily on MSPs -- especially in areas where it's hard to find experienced professionals for hire, such as cloud security and threat intelligence analysis. I hope RSA can shed some light on how CISOs are adjusting to the demands of managing an enterprise cybersecurity program with an increasing dependency on third-party service providers.
10. Security hygiene and posture management
This is a broad category that encompasses an inventory of all assets, an assessment of their status and vulnerabilities, a remediation plan for risk mitigation and security testing for validation. Think Center for Internet Security Critical Controls. Security hygiene and posture management's subcategories include attack surface management, security asset management, vulnerability management and many types of security testing. So how can CISOs get a total picture of cyber-risk across a distributed enterprise, with thousands of assets spread across geographies and "owned" by different groups? I don't think there's an answer to this question, but I'm open to opinions at RSA.
I'll also be giving a presentation on the latest "Life and Times of Cybersecurity Professionals" research with Candy Alexander, president of the Information Systems Security Association, on April 25 at 8:30 am. The whole ESG team will be at the conference, and we'll be sure to report on these and other RSA happenings. Stay tuned for more.