Industry's favorite skeptics are meeting in San Francisco this week for the RSA Conference. The drama is palpable.
Last week, Dell Technologies sold the conference's parent company, RSA Security, to a consortium for just over $2 billion. Verizon, IBM and AT&T Cybersecurity joined 11 organizations in withdrawing from the conference over concerns around the Novel Coronavirus.
For the rest of the attendees (last year's numbers reached 42,000), the conference will shed light on the headlines of the last year:
Ransomware targeting municipalities
Record-setting data breaches
Security's role in data privacy
Automation and algorithms woven into threat detection
And, what keeps security leaders up at night
CIO Dive asked RSA Conference attendees what they are most eager to see and what they want their peers to learn. Here is what they said via email:
Some responses have been lightly edited for clarity and brevity.
Michael Covington, VP of product at Wandera:
I am hoping to hear more of an enablement story. Traditionally, security has been about blocking bad guys and restricting users. As we see a continued emphasis placed on digital transformation, it's important that security tools also embrace usability, remote work and productivity; these are elements of the modern workplace that were previously ignored by the industry.
Protecting and respecting user privacy is an adjacent theme that I know has already started to impact product design. As a result, I expect the human side of security to be on full display at this year's conference.
Jeff Williams, CTO and co-founder of Contrast Security:
I'm hearing about a focus on accelerating digital transformation while improving security. Generally it's DevSecOps across all the layers of the stack:
Cloud, container, Kubernetes — including "move to cloud" initiatives
Web apps and APIs
Open source security
I think the theme is that there simply aren't enough security experts to keep up with security tools that aren't really fully automated. That is, they require security experts to use them.
Everyone is trying to figure out how to "shift left" to leverage the big machinery of software development to get the security job done too.
Amie Christianson, director of operations application security at Spirent Communications:
Consumers expect companies to not only have strong security practices internally, but also guide the consumer to make good security decisions, such as setting passwords.
Passwords being cracked are heavily dependent on the simplicity or complexity that the consumer chooses, yet consumers feel the burden is on the company to make sure they make good decisions.
Ring was the most recent example of this, and although the breach was due to a consumer setting a weak password, Ring still got negative press as a result.
Richard Henderson, head of global threat intelligence at Lastline:
I'm excited to put on my good shoes and walk the floor for hours to see what's new and interesting from my peers and colleagues …
Security leaders at organizations should be thinking a lot about consolidation of tools and finding solutions that lighten their staff's load as opposed to adding to it. Tools should be replacing one or more existing legacy products, and finding ways to do things faster. …
Staff burnout and low morale lead to employees finding greener pastures … and we all know how difficult it can be to find replacement staff.
Mike Wyatt, identity leader and principal in Deloitte Cyber:
I want to see what solutions are available for organizations to navigate the patchwork of privacy legislation — GDPR [and] CCPA.
For commercial clients, who are attempting to navigate the changing legislative landscape, the challenge of first tracking the legislation and second validating their processes and systems are compliant is daunting.
For our government clients, they want to understand how privacy legislation affects the ability for commercial entities to do business as well as what are the various approaches across the landscape that other entities are pursuing to improve privacy.
Steve Schlarman, director, risk portfolio strategist at RSA:
Attendees should be looking for technologies that incorporate risk-based methodologies and are triggered off business context — what the involved technical components mean to the business. …
Technology is reaching deeper into the organization — connecting external customers and partners with internal systems. The convergence of IoT, OT and IT increases the number of endpoints and connectivity, and stitching together legacy and emerging tech can create a fragility within business operations. Attendees should consider their organizations' strategy on digital expansion and keep an eye on solutions that help traverse the digital infrastructure.
The hype of moving to the "passwordless" world will be significant but this will be a journey for organizations. As identity and access management needs continue to evolve, attendees should look to explore the unprecedented identity risks related to digital transformation.
Joe Saunders, founder and CEO at RunSafe Security:
I am excited to really dive in to discuss and explore the topics of supply chain security and DevSecOps. I can envision a day where software factories have security built into every container, and [original equipment manufacturers] and end customers can trust the code shipped at every stage.
John Gelinne, Deloitte Cyber managing director:
I think cyber risk quantification will be top of mind this year at RSA. The reason? Recent advances in AI to inform how we distribute insights coupled with data collection practices are quickly paving the way for the use of advanced modeling techniques for quantifying cyber risk.
Careful application of these modeling techniques can help target an organization's cyber investments to reduce the ever-growing risks in today's increasingly hostile cyber environment.
Kowsik Guruswamy, CTO at Menlo Security:
Security budgets continue to increase, but companies don't seem to feel any safer. What are this year's biggest innovations that can really change the tide and help the good guys gain the upper edge?
There is a lot of buzz around AI and machine learning, but are these ready for prime time, and will they be game changing products or just incremental improvements?
Zvi Guterman, founder and CEO of CloudShare:
On the commercial side, the old guard will be under a lot of pressure and challenges from up-and-coming unicorns. For example, the latest news of RSA being acquired, and on the other hand, new players such as SentinelOne raising $200M to fuel growth.
It is a time of transition and I would not be surprised if we learn of another $1 billion M&A deal during RSA.
Srini Subramanian, state and local government sector leader, Deloitte Cyber:
State and local governments continue to struggle to make progress with escalating threats like ransomware being targeted at the state and local government organizations; and the state government level spending has not increased since 2010 …
I'll be looking for reactions to the promise of federal government grants and challenges that may come with it; for instance, the recently introduced one in the US Congress that promises cyber grants to the tune of $400M per year for the next five years and beyond, administered by federal DHS/CISA to state & local governments across the country.
Surag Patel, chief strategy officer of Contrast Security:
Consolidation of cloud workload protection and how various players are pulling together features and capabilities to provide a solution from development through operations.
Serverless and security will be a key topic. Given serverless continues to mature and be used more widely, how are companies and vendors re-defining security in this environment?
Hal Lonas, CTO and SVP of Webroot:
Even though we embrace advanced technologies like machine learning and automation to secure our customers, we also believe in the critical contributions of the human element of security. I'm excited to see the messaging around this year's RSA theme.