Looking back at RSA Conference week, I’m sorting through notes on everything I heard and saw in speaking sessions, media and analyst interviews and coffee line chatter at the show. As I noted a couple of weeks ago, RSA is big and noisy, and our team was among more than 42,500 attendees, 740 speakers and 700 exhibitors in San Francisco’s Moscone Center and Marriott Marquis hotel. It made for a full week with a lot to take in, but three themes jumped out at me for communicators, vendors and other stakeholders in the security industry.
1.) CISOs are obsessed with hygiene – but no one sells this as a “solution”
Almost every corporate security buyer/leader I spoke with or saw on stage at RSA gave buzzword staples like “machine learning” and “automation” a cool reception. These pros said that, more than adopting new technology, they prioritize achieving security “hygiene”: mastering fundamentals like improving software patching, getting better visibility over the kinds of devices on their networks and measuring their progress in containing the spread of inevitable intrusions and disruptions.
At RSA’s Public Sector Day on March 4, I attended the “CISO and CIO Perspectives” panel moderated by Forescout Vice President Ellen Sundra, with federal, state and local government CISO-type leaders, including Paul Cunningham (U.S. Dept. of Veterans Affairs), Michael Dent (Fairfax County, VA), Peter Liebert (State of California) and Nancy Rainosek (State of Texas). The panel’s consensus was that new, cutting-edge security products are interesting to study – but often return little value if an organization does not already have strong security hygiene; without fundamental hygiene data in place, agencies have little to help them guide and tune products’ deployments or keep their alerts and responses actionable. It was so striking to hear hygiene on so many security buyers’ minds, and yet no one seems to sell “hygiene” as a “solution” on the show floor. Many products deliver one or two key hygiene measures, like patching, discovering or measuring things – but it is fundamentally a multi-product/technology/discipline imperative.
I think this is where news cycles, marketing and other forces, which tend to crown new “it” security technologies or theories, collide with reality a bit. No CISO I met expects automation, virtualization, cloud-native things or AI to save them. Instead they seek steady, incremental progress on a host of existing control and compliance measures – and that itself is a tall order.
2.) Are cybersecurity companies solving problems – or coining markets?
“All these companies on the expo floor sound the same” – a phrase we hear each year. It was true in 2002 (“firewalls”) and it is true today, with “threat intelligence,” “automation” and “AI” affixed to booths, much like “small batch,” “artisan” and “earth friendly” have taken over grocery aisles and restaurant menus. What does this all mean? Security vendors have to counterbalance the breathless excitement they have for code and jargon with a net-net business value: What are you shining a light on to dispel executives’ uncertainty? What issue plaguing IT help desks and security operations centers are you resolving? What time-suck in the incident response queue are you slashing? More importantly, up-level to point at how these security and IT gains move a company forward. This will be a communications priority for start-ups like Axonius, an IT asset discovery and management play on the hygiene side of the vendor spectrum, which won the RSA Innovation Sandbox this year.
3.) In the Cloud Era we are talking more about APIs, instead of APTs
Perhaps the biggest shift I saw at RSA this year was less talk about awe-inspiring threat actors, like so-called “advanced persistent threat” (APT) malware campaigns. Instead there were a lot of sobering conversations about how we confront imminent and wider data breaches through the digital plumbing of cloud computing, APIs and third-party business partners that corporations of all sizes rely on and take for granted – until they are exploited by competitors or criminals.
Being methodically targeted and compromised with malware and techniques that “break in” is still a very real threat, but when you spend a few hours at RSA, you realize there is a much wider swath of companies at greater risk of leaking their own data through the very tools they rely on for productivity and collaboration. Look at Facebook’s Cambridge Analytica scandal, which hinged on an API and a developer’s overreach. I think it’s no coincidence the Innovation Sandbox was chock-full of start-ups with “cloud” or “API” in the first breath of their three-minute pitch sessions.
You do not need a zero-day exploit to pull off a digital Ocean’s Eleven-scale heist. It might suffice to just guess where companies store their team collaboration folders in the cloud and see if you can access those links or trick an employee into forwarding them to you. Not only was this threat model in a lot of RSA chatter, it was proven just days after the show ended by all the reports of corporate data being exposed through Box accounts.
Security is always about reconsidering assets and risk tolerance and making (informed) hard decisions on trade-offs. But this year the shake-ups really made RSA feel like a 1990s party, with so many talks about identifying assets, discovering Internet connectivity and measuring security in the first place. Decades of conference talks prescribing tidy layered security strategies on top of these fundamentals are almost entirely obsolete now because of the cloud and third parties.
Talking risk to stand apart
As jarring as it can feel to see cybersecurity professionals racing to re-learn playing defense, it is a helpful reminder that C-suites, boards, investors, policymakers and other decision-makers – who do not hang out in SOCs, the Innovation Sandbox or the Cryptographers’ Panel – have never dwelled on the “it” technologies each year. They will always focus on what’s timeless: existential risks and how we confront them. In a way it is liberating for security founders, researchers and communicators to focus on telling a higher-end risk management story, because it forces you to think of net-net business impacts instead of buzzwords and technical minutiae. RSA is still as loud as ever, but pitching value pegged to the times we’re in is a good way to stand out.