Print Friendly, PDF & Email


Credit: RSA Conference 2023


Last week was the RSA Conference 2023 in San Francisco, the annual gathering of security vendors and their customers to review the latest in cybersecurity. This year’s theme was “Stronger Together.” According to the conference, it was selected to highlight that when the cybersecurity community works together, it strengthens the community.  Over 600 vendors heeded the call to come together in the vast halls of the Moscone Center.  While I had no intention of meeting with even a tenth of the vendors at RSAC 2023, I did meet with nearly 30 vendors across a swath of the vendor landscape.  (If you are a client of my research services, I will shortly send an email with thoughts from my meetings.)

For me, RSAC 2023 ended up a glass-half-full and half-empty event. While there was tangible progress and innovation, it lacked the same buzz of the 2022 and 2020 editions (2021 was canceled due to the pandemic). In this blog, I examine the three reasons I believe this was.

1) Zero Trust, Data Security, and Software Security were hot buzzwords but no common winner across the show. Meanwhile, SASE/SSE lost some intensity.

 During the worst of the pandemic, the rise of remote/hybrid work and attacks on Internet-based applications caused the industry to rally behind SASE and runtime app security solutions.  But all good parties must start winding down.

SASE appears to have come down from an apex in the last couple of years because, at RSAC 2023, it was no longer a pivotal conversation. Perhaps there is some marketing fatigue, but other externalities are at play, such as a reduced number of full-time remote workers as some have returned to the office full-time.

Similarly, the hot discussion about runtime application security (such as API security) has spread out as part of the “left shift” movement to greater design/coding security.  Now, there’s a greater breadth and depth of solutions to consider as part of a comprehensive cloud application security that inevitably has shifted the conversation to more generalized concepts like data and software security. As a result, cloud application architects now have an abundance of tools to contemplate. But, unfortunately, where to start is daunting, and the market fragmentation isn’t making it any easier.

Beyond what I noted above for SASE and cloud security, there was the factor of increased macroeconomic pessimism. Enterprise IT is no longer on a spending spree as it had been just last year. For vendors, it seems to have led to playing RSAC 2023 conservatively.

2) AI (artificial intelligence)-drive ChatGPT is coming to security, but we’re just scratching the surface of possibilities with AI

Unless living off the grid, you probably have heard, or even have tried, ChatGPT, the chatbot driven by AI technology that eerily feels human. From passing law exams at the University of Minnesota to writing computer code, ChatGPT has shined a bright light on AI and generated many new discussions about the possibilities for AI. So, it wasn’t surprising to hear ChatGPT dropped by more than a few vendors at RSAC 2023.

ChatGPT wasn’t part of the formal vendor marketing messages on the show floor – the arrival of ChatGPT happened too recently have made it into any of the marketing  – but many vendors in discussions talked up adding AI-driven natural language processing (solution-specific ChatGPT-like chatbot engines). Natural language processing promises that it will make solutions easier to use and increase the effectiveness of security admins. For example, rather than hunting through dashboards or reams of events, the security admin will be able to ask questions such as, “Where is my greatest security risk?”

Though ChatGPT brought AI awareness to the masses, AI has been in play for several years in the security industry, specifically in threat detection.  One of the first examples I remember was the 2020 firewall announcement by Palo Alto Network. It added machine learning to the firewall to improve malware and phishing detection.  Since then, I’ve run across other examples of AI-powered threat detection.  Still, the maturity and power of AI-drive detection need to improve. Of course, human security researchers are still vital, but I suspect AI will incrementally enhance and reduce the reliance over time.

3) Applications and IT infrastructure security are still top of mind but were – unfortunately –worlds apart.

It used to be that IT infrastructure teams held the keys to the security kingdom since applications could only get deployed once the infrastructure team did so. Infrastructure owned the servers, storage, and networking that applications relied upon.

From a security perspective, infrastructure teams tended to put significant thought into the application data security lifecycle because, over many years, they had come to understand the security implications of data in motion, in use, and at rest.

However, applications teams hated having to wait for the infrastructure teams. The infrastructure teams lost most of the security control when the cloud-based paradigm arrived with its continuous integration/continuous development (CI/CD) on ephemeral infrastructure (also known as a cloud DevOps culture).  Applications teams could now do as they pleased without involving or waiting for the infrastructure teams.  But unfortunately, cloud application security is far from as mature as it had been in the traditional monolithic days involving the infrastructure team. Consequently, security posture has suffered and led to notable cloud breaches.  However, as the saying goes, necessity is the mother of invention.

The last seven years have seen a bumper crop of new cloud workload security vendors (from acquired startups like Dome9, Twistlock, and PureSec to more recent pure-plays like Lacework, Orca Security, and Wiz).  These vendors are in tune with application developers’ operations and have identified key points in their workflows to insert security. The space is evolving quickly, and seeing how many were represented at RSAC 2023.  For the interested reader, in October 2022, I put out my first Advanced Research Report on Cloud Workload Security detailing market evolution and TAM (total addressable market).

Nonetheless, it was disheartening how these two camps, the infrastructure and application security, literally lived in different worlds at RSAC 2023. The north expo hall had the infrastructure security vendors, and the south hall had the applications security vendors.  Enterprise infrastructure and application teams must work together for the common security good. Still, developing beneficial synergies will be impossible if the vendors they rely on occupy different worlds. In addition, because application development moves to be “cloud-native,” it doesn’t eliminate the need and possibilities with the enterprise infrastructure teams.

Yes, the glass was half full and half empty on several fronts at RSAC 2023. But, then again, nothing is ever perfect, nor will it be. So rather than ending on this bittersweet note, I’ll end on a positive and highlight that my conversations at RSAC 2023 were enthusiastic, rich, and insightful, which demonstrated that as we come together, we do get stronger.

I look forward to RSAC 2024.

Print Friendly, PDF & Email

In the new year, the time is ripe to reflect on our 2022 predictions and look to a fresh batch of 2023 predictions. A year ago, we made the following predictions for 2022:

  1. Only a minority of enterprises will fully deploy SASE in 2022, but all will force SASE of their vendors
  2. The physical Firewall market rebound will modulate, while cloud-centric security will continue to grow faster
  3. Firewall-as-a-Service will begin to cannibalize carrier-class Firewall physical appliances

On our first prediction, we believe we were right. SASE, an architectural IT direction to transform and unify WAN-centric networking and security for branches and remote users, continued to gain interest and traction. However, how the enterprises deployed SASE networking versus security technologies remained extremely disaggregated and on different timelines due to the difficulty of changing too many parts simultaneously. The implications for the technology vendors were that irrespective of whether disaggregated or unified–or even whether single-vendor or multi-vendor SASE–they had to demonstrate to customers that they could help them on their SASE journey today and into the future. In other words, vendors were forced to show SASE capability even if customers didn’t yet take advantage.

Our second prediction was a split decision. We were right that cloud-centric security–the SaaS- and virtual-based variants of network security solutions–would grow faster than traditional network security solutions. While there will always be a role for hardware, the ongoing shift to the cloud limits the role that hardware can play in the enterprise, particularly in the data center. However, as corporate networks–or even cloud service provider networks–footprint expands in size, hardware firewalls play a role. We are wrong about how much appetite the market still had in 2022 after robust 2021. 4Q22 numbers haven’t come in, but if current trends hold, the full-year 2022 revenue growth of the hardware firewall market will match the 2021 rates.

Our third and last prediction was the boldest, and we were wrong. We still believe that cloud-based firewalling can and will eventually put pressure on the highest tiers of firewalls (carrier class), but 2022 was a different year. However, at the branch or even small data center level, we did some start on displacing lower-end firewalls.

Gazing in our crystal ball, we have the following three predictions for 2023:

1 – Security spending to remain stable in looming economic storms

Most economists predict that in 2023 the worldwide GDP growth rate will be weaker at 2.1% compared to the actual 6.0% and expected 3.0% growth in 2021 and 2022, respectively.  Put in perspective, 2.1% growth would be the third weakest rate of growth in the last 20 years and only overshadowed by the Great Recession in 2009 and the Covid-19 drop in 2020.

While it would be folly to say security spend will break records in 2023, we expect it to remain stable against increasing economic storminess. Of late, security has and is expected to continue a board-level discussion and hence be a top investment priority. Attacks aren’t stopping even if the economy does. No CEO wants their mugshot on the nightly news because of a security breach.

2 – SASE to keep growing, but a split decision between networking and security components

SASE is the amalgamation of networking (SD-WAN) and security (security service edge [SSE]) technologies. Most enterprises have and will continue to purchase separate SD-WAN and SSE solutions to (eventually) integrate them to achieve the disaggregated form of SASE. We expect enterprises to continue to prioritize the security side of SASE but slow down the networking side as the economic pressure increases. As a result, we foresee the SSE-side of SASE to post another year of solid growth in 2023, but we anticipate that SD-WAN will see a marked deceleration in its growth.

3 – Increased cloud breaches to cause spending on cloud workload security to be over $6 B in 2023, which is over 4x higher than in 2020

This past Fall, we issued our first Advanced Research Report on the cloud workload security market, which goes by various names, including CNAPP, CWPP, and CSPM. We delved into this space because network security vendors have entered cloud workload security as a natural adjacency. We found a market in hypergrowth as enterprises that have or embrace the cloud find many new, thorny security problems. As a result, we expect that enterprises will have to spend the money and lead the cloud workload security market past the $6 B mark, which is 4x higher than in 2020.

A year from now, we’ll reevaluate and see what came true. Until then, all the best in the new year.

Watch This Video:

What’s next for SD-WAN, SASE, and network security in 2023?