In early April, I wrote about my expectations of hot topics at the upcoming RSA Conference. Between catching up post-RSAC and now planning for Black Hat USA 2023, I thought I'd look back and see how I did with my forecast.
Here's my top 10 list with post-conference analysis.
1. Macroeconomic impact on cybersecurity
You'd never know from RSAC 2023 that we are teetering on a recession. The event was a pre-pandemic throwback of cocktail parties, crowded restaurants and full hotel occupancy. Still, some vendors described longer sales cycles, while users lamented more security spending scrutiny from CFOs. Yes, things are tighter, but RSA reinforced the fact that cyber-adversaries never sleep, pressing CISOs to continue spending, albeit a bit more tactically.
2. AI security implications
Generative AI was the belle of the RSAC ball as vendors, including Google, Microsoft, Recorded Future and SecurityScorecard, crowed about their AI prowess and impending deliverables. While the industry is gaga over AI, I didn't hear much about AI governance, policies or policy enforcement. As a security professional, I'm worried AI will come through the back door -- "shadow AI," maybe? -- before organizations establish appropriate guardrails. My guess is a slew of AI hacks will be on display as soon as Black Hat and DEF CON. CISOs need to be vigilant here.
3. Passwordless authentication
As I suspected, passwordless authentication was pervasive at RSAC, but I didn't get the sense that things are any less confusing. Organizations continue to treat identity management in a piecemeal fashion, and vendors follow along with fragmented products and services. What's needed is identity modernization, based on a federated, scalable and secure architecture that spans the enterprise. My colleague, Jack Poller, is deep into research in this area.
4. All things cloud security
You couldn't cross Howard Street or cut through the W hotel bar without hearing words like Kubernetes, serverless, infrastructure as code or CI/CD pipeline. A gap still exists between cloud-native development and security, but the divide is narrowing as security pros hone their cloud security skills and work with developers on automation and injecting security into DevOps. Regardless of this progress, cloud security will remain an island. CISOs will need to build effective bridges to integrate cloud security into holistic security programs.
5. New regulations, frameworks and standards
Aside from the occasional reference to the Securities and Exchange Commission's cybersecurity regulatory changes and the Cybersecurity Maturity Model Certification, there was nary a word. I get it -- RSAC is an industry show where technology rules the day, but I did expect a bit more regulatory chatter. Guess I'll have to attend more events in Washington, D.C., to get my fill.
6. Threat detection and response
Much to its detriment, extended detection and response (XDR) remains confusing and alienates enterprise security professionals seeking products and services, not marketing gibberish. To be clear, midmarket and small enterprise organizations are boarding the XDR -- or managed detection and response (MDR) -- train and eschewing SIEM. Those enterprises with SIEM are still trying to figure out if and where XDR fits. Note to enterprise XDR vendors: Think SIEM optimization, not SIEM replacement.
In addition to XDR confusion, I saw evidence at RSAC that SIEM is making a comeback -- although it was never gone -- in a highly scalable, cloud-based, content-driven model. Devo Technology, Exabeam, Google, IBM, Microsoft, Securonix and Splunk used RSA Conference to describe how they adhere to growing enterprise requirements.
7. Zero trust advancement
I was pleased that zero-trust discussions evolved from hype to pragmatism this year. Instead of "zero trust is a security panacea," I heard more about phased projects, metrics and future strategic plans. I had a down-to-earth discussion with Deepen Desai, global CISO at Zscaler, about the types of threats zero-trust technologies can help address, how organizations should proceed with projects and how CISOs can keep executives and the board abreast of associated cyber-risk mitigation. Good, prudent stuff.
8. Security automation
Security automation is everywhere: in analytics tools, cloud-native development methodologies, security testing, scanning systems, etc. What I didn't hear at RSAC were specific discussions about security orchestration, automation and response (SOAR) tools. In many cases, SOAR has become a feature, not a product -- especially in smaller enterprises with limited staff. ServiceNow, for example, has carved out a SOAR niche with tight integration with its IT service management tools. The low-code/no-code gang is making some SOAR inroads with security operations center teams, and SOAR is a must-have for managed security service provider (MSSP) and MDR vendors. But I don't see a lot of other momentum. Everyone needs security operations process automation, but they seem to be satisfied with available functionality rather than dedicated SOAR tools.
9. Managed services
Research from TechTarget's Enterprise Strategy Group indicated 85% of organizations use MDR services for staff and/or skills augmentation. This alone attracted many MSSP and MDR providers to RSA Conference, filling my colleague Dave Gruber's dance card. But while MSPs were spread throughout San Francisco like the fire of 1906, their marketing pitches all sounded the same to me. The standouts I know -- such as AT&T, Arctic Wolf Networks, Mandiant, Ontinue and Red Canary -- distinguish themselves with customer references, not marketing messaging. RSAC might be a good meet-and-greet venue, but CISOs need to do their homework when evaluating MSPs.
10. Security hygiene and posture management
As I expected, security hygiene and posture management was a huge topic at RSAC across lots of subcategories, such as attack surface management, cyber-asset attack surface management, vulnerability management, managed services and security testing. CISOs, who are being encouraged to do more with less, are especially keen on getting their cyber-risk management house in order. Despite all the interest, large organizations still sprinkle their security hygiene and posture management budget all around, and these projects could -- and should -- take several years to coalesce. This will make security hygiene and posture management topical at RSAC 2024 and beyond.
It was great to shed our COVID-19 paranoia and see old friends in San Francisco. RSAC is still a hype machine, but you can find realistic and productive discussions if you look hard enough. See you at Black Hat in August.