Last week was the RSA Conference 2023 in San Francisco, the annual gathering of security vendors and their customers to review the latest in cybersecurity. This year’s theme was “Stronger Together.” According to the conference, it was selected to highlight that when the cybersecurity community works together, it strengthens the community. Over 600 vendors heeded the call to come together in the vast halls of the Moscone Center. While I had no intention of meeting with even a tenth of the vendors at RSAC 2023, I did meet with nearly 30 vendors across a swath of the vendor landscape. (If you are a client of my research services, I will shortly send an email with thoughts from my meetings.)
For me, RSAC 2023 ended up a glass-half-full and half-empty event. While there was tangible progress and innovation, it lacked the same buzz of the 2022 and 2020 editions (2021 was canceled due to the pandemic). In this blog, I examine the three reasons I believe this was.
1) Zero Trust, Data Security, and Software Security were hot buzzwords but no common winner across the show. Meanwhile, SASE/SSE lost some intensity.
During the worst of the pandemic, the rise of remote/hybrid work and attacks on Internet-based applications caused the industry to rally behind SASE and runtime app security solutions. But all good parties must start winding down.
SASE appears to have come down from an apex in the last couple of years because, at RSAC 2023, it was no longer a pivotal conversation. Perhaps there is some marketing fatigue, but other externalities are at play, such as a reduced number of full-time remote workers as some have returned to the office full-time.
Similarly, the hot discussion about runtime application security (such as API security) has spread out as part of the “left shift” movement to greater design/coding security. Now, there’s a greater breadth and depth of solutions to consider as part of a comprehensive cloud application security that inevitably has shifted the conversation to more generalized concepts like data and software security. As a result, cloud application architects now have an abundance of tools to contemplate. But, unfortunately, where to start is daunting, and the market fragmentation isn’t making it any easier.
Beyond what I noted above for SASE and cloud security, there was the factor of increased macroeconomic pessimism. Enterprise IT is no longer on a spending spree as it had been just last year. For vendors, it seems to have led to playing RSAC 2023 conservatively.
2) AI (artificial intelligence)-drive ChatGPT is coming to security, but we’re just scratching the surface of possibilities with AI
Unless living off the grid, you probably have heard, or even have tried, ChatGPT, the chatbot driven by AI technology that eerily feels human. From passing law exams at the University of Minnesota to writing computer code, ChatGPT has shined a bright light on AI and generated many new discussions about the possibilities for AI. So, it wasn’t surprising to hear ChatGPT dropped by more than a few vendors at RSAC 2023.
ChatGPT wasn’t part of the formal vendor marketing messages on the show floor – the arrival of ChatGPT happened too recently have made it into any of the marketing – but many vendors in discussions talked up adding AI-driven natural language processing (solution-specific ChatGPT-like chatbot engines). Natural language processing promises that it will make solutions easier to use and increase the effectiveness of security admins. For example, rather than hunting through dashboards or reams of events, the security admin will be able to ask questions such as, “Where is my greatest security risk?”
Though ChatGPT brought AI awareness to the masses, AI has been in play for several years in the security industry, specifically in threat detection. One of the first examples I remember was the 2020 firewall announcement by Palo Alto Network. It added machine learning to the firewall to improve malware and phishing detection. Since then, I’ve run across other examples of AI-powered threat detection. Still, the maturity and power of AI-drive detection need to improve. Of course, human security researchers are still vital, but I suspect AI will incrementally enhance and reduce the reliance over time.
3) Applications and IT infrastructure security are still top of mind but were – unfortunately –worlds apart.
It used to be that IT infrastructure teams held the keys to the security kingdom since applications could only get deployed once the infrastructure team did so. Infrastructure owned the servers, storage, and networking that applications relied upon.
From a security perspective, infrastructure teams tended to put significant thought into the application data security lifecycle because, over many years, they had come to understand the security implications of data in motion, in use, and at rest.
However, applications teams hated having to wait for the infrastructure teams. The infrastructure teams lost most of the security control when the cloud-based paradigm arrived with its continuous integration/continuous development (CI/CD) on ephemeral infrastructure (also known as a cloud DevOps culture). Applications teams could now do as they pleased without involving or waiting for the infrastructure teams. But unfortunately, cloud application security is far from as mature as it had been in the traditional monolithic days involving the infrastructure team. Consequently, security posture has suffered and led to notable cloud breaches. However, as the saying goes, necessity is the mother of invention.
The last seven years have seen a bumper crop of new cloud workload security vendors (from acquired startups like Dome9, Twistlock, and PureSec to more recent pure-plays like Lacework, Orca Security, and Wiz). These vendors are in tune with application developers’ operations and have identified key points in their workflows to insert security. The space is evolving quickly, and seeing how many were represented at RSAC 2023. For the interested reader, in October 2022, I put out my first Advanced Research Report on Cloud Workload Security detailing market evolution and TAM (total addressable market).
Nonetheless, it was disheartening how these two camps, the infrastructure and application security, literally lived in different worlds at RSAC 2023. The north expo hall had the infrastructure security vendors, and the south hall had the applications security vendors. Enterprise infrastructure and application teams must work together for the common security good. Still, developing beneficial synergies will be impossible if the vendors they rely on occupy different worlds. In addition, because application development moves to be “cloud-native,” it doesn’t eliminate the need and possibilities with the enterprise infrastructure teams.
Yes, the glass was half full and half empty on several fronts at RSAC 2023. But, then again, nothing is ever perfect, nor will it be. So rather than ending on this bittersweet note, I’ll end on a positive and highlight that my conversations at RSAC 2023 were enthusiastic, rich, and insightful, which demonstrated that as we come together, we do get stronger.
I look forward to RSAC 2024.