AI may have been everywhere, but cybersecurity’s biggest annual event roared back this year with a broad set of themes, including data security posture management, SASE, and the convergence of cloud and application security.
This year, RSA Conference (RSAC) was back, in a big way. By the numbers, the event featured more than 40,000 attendees, the most since the pandemic; 500 exhibitors from 140 countries; and 400 keynotes and breakout sessions presented by more than 650 speakers. High-profile attendees included San Francisco Mayor London Breed, US Deputy Attorney General Lisa Monaco, and even RSAC’s first royal visitor, His Royal Highness Prince Constantijn of the Netherlands.
So, what observations did Omdia take away from the conference?
RSA Conference 2023 took on the theme of “Stronger Together,” and on that it certainly delivered. There was the usual vibrancy and intensity among the conversations, but this year there seemed to be a growing feeling of a collectively maturing industry within the discussions. Omdia believes it serves to demonstrate how cybersecurity is evolving into a mainstream component of the IT function, important enough to no longer be considered a peripheral spinoff. RSAC 2023 showed cybersecurity is now taking up a much stronger, more elevated, front-and-center role within organizational business operations.
Across the expo floor and throughout the presentation sessions, a large number of topics were explored, reflecting how cybersecurity has grown and developed. An escalating threat landscape has incentivized vendors to build out a much wider portfolio of cybersecurity defensive capability across a variety of approaches and perspectives. With niche solutions responding to specific threats all the way up to broader integrated platform solutions, choice was much in evidence, offering end users a wider range of options to address their cybersecurity requirements. Differing starting points aside, there did seem to be an air of collaboration among vendors, uniting to combat a widening threat landscape, as evidenced by events at the conference such as one held by the Open Cybersecurity Schema Framework (OCSF).
No one vendor appeared to stand significantly ahead or apart from the field, and there seemed to be an overall feeling of optimism among exhibitors that in the absence of a single universal solution or front-runner, collaboration and partnering is key. The number of attendees appears to indicate there is plenty of interest and opportunity to go around.
Of the wide diversity of themes being promoted, certainly artificial intelligence (AI) and its role in solutions and the debate over security and ethical concerns was omnipresent. In particular, ChatGPT was much in evidence. Though advocates cite AI as the way to both remove monotony from security-related workflows and simultaneously improve security posture, it is also beginning to attract some notable critics. Omdia will watch developments keenly; more research on the evolving role of AI in cybersecurity is upcoming.
This report will examine some of the specific takeaways emerging from the conference.
AI raised as many questions as it provided answers
AI was a significant component of the agenda at RSAC 2023. Microsoft got the ball rolling the day before the conference kicked off, spending most of the time at its traditional pre-RSA media and analyst event extolling the virtues of its new Security Copilot, a generative AI platform with a chat interface for security analysts. Currently in private preview mode, Copilot is one of the fruits of Microsoft’s $11bn investment ($10bn of which came in January this year) in OpenAI, the company behind ChatGPT. Copilot is built on OpenAI’s GPT-4 large language model (LLM), with another model added by Microsoft to give it cybersecurity specificity.
Microsoft made bold claims for its new platform, calling it a game changer for how security analysts will operate and suggesting that, thanks to its use, tier-1 analysts will be able to work on tier-2 types of problems, since the more mundane stuff should become more readily addressable.
This is all well and good, but Microsoft did acknowledge that LLMs can sometimes simply make things up or “hallucinate,” to use the increasingly popular industry term, if some guardrails are not set up for them (the operative term here being “anchoring”). The company even inserted an example into its demo of Copilot, having it refer to problems in Windows 9, which of course does not exist. However, this begs the question: What if a tier-1 analyst is working on a tier-2 problem, and Copilot hallucinates in a far more plausible way? Could its answers lend credibility to false positives, resulting in entirely undesirable results? Omdia expects a variety of such problems will surface over time, leading to an uneven development of AI in cybersecurity solutions.
Data security moves toward security central
Among the data security conversations and presentations at RSAC 2023, two things seem to emerge: some of the long-standing approaches to protecting data are no longer sufficient, and data is finally beginning to take up its rightful place at the heart of cybersecurity planning. These trends were coalescing in a new, more holistic solution approach to discovering and assessing the security of enterprise data, data security posture management or DSPM.
DSPM places data visibility at the heart of the planning process. Simply, through its acknowledgment that data has differing levels of sensitivities (the notion of not all data being equal) and better understanding of how data is being accessed, used, managed, and stored, DSPM enables a better security posture to be created and managed. DSPM moves the industry away from basic levels of perimeter-based data protection, evolving to embrace the data security posture as a whole, including risk identification and assessment, vulnerability remediation, monitoring of security policy, processes and standards, enhancements, and update implementation to continually ensure defenses are as strong as they can be against known threats.
DSPM and its cloud-based cousin, cloud security posture management (CSPM), bring data and cloud infrastructure security to a new level of focus; both showed significant traction among RSAC 2023 exhibitors. It was clear from the show that while there were vendors yet to adopt or even hear of DSPM, a growing trend is nevertheless present among more early-adopter vendors, which are already advocating or are expecting to migrate toward this wider approach. Omdia can see DSPM becoming mainstream for data security through 2023 and beyond.
Proactive tools continue to mature and consolidate
Omdia has been watching what it calls the “proactive” segments of enterprise cybersecurity operations (SecOps) for several years. Historically, these have been very distinct markets, such as vulnerability management, attack surface management, attack path management, and so on. Thinking about them as a group was useful, because they all focused on prebreach use cases, but that grouping was more philosophical than physical.
That is not to say Omdia has not seen some consolidation of functionality, for example, adding attack surface management (ASM) capabilities into the newer risk-based vulnerability management (RBVM) solutions. But it became apparent at RSAC 2023 that several vendors in this space are ready to take things a step further and build out proactive platforms. Tenable, for one, with its exposure management platform, has already made this bet, but expect to see many more vendors move in this direction.
A serious concern is the current level of market confusion. Vendors have yet to strongly articulate the benefits of a proactive platform play, with every vendor moving in that direction using a different phrase to describe it. Omdia is currently tracking at least a dozen different terms to describe this market but believes proactive security should win the day.
RSAC 2023 from the enterprise security management perspective
Within the AI discussions at RSAC 2023, one topic—LLM AI (namely ChatGPT)—dominated, and enterprise security management was not exempt from the generative wave. While AI was present in many conversations, it was far from the only subject that mattered. Risk, automation, and training were major themes that drove discussions at the event and will drive enterprise security management decisions between now and the next RSA Conference.
- Risk. Risk, its discovery, measurement, management, and impact on business, was the meta subject that informed most other topics. The push to understand and control risk was driven by the need for cyberinsurance at the lowest cost, and insurance promises to drive cybersecurity spending in 2023 just as regulatory compliance did in 2003.
- Automation. The combination of “internet speed” and skills shortages makes machine-based automation an attractive and often necessary component of a cybersecurity architecture. Vendors promised security solutions that automate tier-1 responses while automating the process of bringing the highest-priority events to the attention of human analysts wrapped in context and ready for action.
- Training. Employees with improved skills provide responses to two issues confronting the enterprise. In one case, corporate employee training to recognize and respond to cyberthreats changes the risk calculations and lowers a company's risk profile. In another case, cybersecurity staff with enhanced professional skills are better able to protect the company from threats both internal and external. In both cases, training is showing significant objective return on investment. A variety of training providers are bringing new offerings to companies and individuals that see improved human skills as a necessary ingredient in better cybersecurity.
In all of these areas, vendors were either showing their early efforts in LLM AI inclusion or talking about upcoming products that will include the technology. It is important to note that AI was not discussed as a driver for the coming changes but rather as a tool in the vendor responses to larger industry shifts.
AI was top of minds in identity
AI was once again a significant theme at RSAC 2023 in the identity, authentication, and access (IAA) realm.
In identity security, AI will help to support modern, strong, and streamlined identity security programs. AI has the potential to improve the identity lifecycle and remediation processes. On the flip side, bad actors will use the technology for malicious purposes and human impersonation to generate fraudulent revenue streams.
It was interesting to note that in his keynote, Rohit Ghai, CEO of RSA Security, said that “AI will cause us humans to be totally confused about our role in the world,” and that we are facing a “looming identity crisis.” On the downside, he stated that AI “can already write polymorphic malware.” On the positive side, using AI-driven insights and automation will help to accelerate innovation and create more effective user experiences and help to protect against the growing attack surface.
Time will tell whether AI will be a vehicle for good in the world or whether bad actors will use it for even more nefarious acts. Omdia feels that it will be used for both, but it is too early to predict which side will win this evolving battle.
Infrastructure security: SASE and supply chain and API security were in full view
While the buzz around RSA might indicate otherwise, there is more to cybersecurity than AI. While generative AI and large language models offer tantalizing prospects of greater efficiency and user interactions, there is still significant activity around infrastructure security, with two areas worth calling out: secure access service edge (SASE) and the growing proximity of cloud security and application security.
SASE represents an important paradigm shift in regard to the transformation of security architectures in a way that simplifies management of a distributed security layer that covers many network security and content security use cases. At RSAC 2023, Omdia observed interest in different on-ramps into SASE, be it upgrading existing content proxies, modernizing branch networking, or upgrading remote access capabilities from traditional virtual private networks (VPNs) to zero-trust access (ZTA). Vendors of interest include but are not limited to Palo Alto Networks, Fortinet, Cisco, Netskope, Check Point, Skyhigh Security, Versa Networks, and Axis Security (now part of Aruba).
Securing the software supply chain and securing application programming interfaces (APIs) emerges as a key theme as well. Interestingly, these themes act as a “glue” between many vendors working in both cloud security and application security. Omdia has participated in several conversations on how the industry is maturing its approach to building and consuming software bills of materials (“SBOMs”) and how API security emerges as a key concern once basic cloud security posture is addressed. Vendors to watch in this space include Palo Alto Networks, Salt Security, Cequence, Cloudflare, and Neosec (now part of Akamai).
IoT cybersecurity becoming a “must have” technology
Internet of Things (IoT) security was increasingly pulled out in overarching IT solutions as a coverage area or area of expertise. We saw this in ASM products, as an example, with enterprise IoT being included in order to cover the full stack and thus enhance and contextualize risk metrics. IoT is often covered by IT security solutions to some extent, but it is encouraging to see vendors explicitly call this out and recognize the importance of securing IoT devices within enterprise security.
That said, vertical-specific solutions were also heavily discussed with product enhancements and technology development, especially in the operational technology (OT) and industrial control system (ICS) space. Exhibitors even included Rockwell Automation, showcasing its cybersecurity capabilities. The OT security market has been moving toward more active solutions, and we saw more vendors offering active techniques as expected but also more focus on preventive solutions at the device level.
Though it is still a niche market, the range of technologies are creating an ecosystem encompassing visibility and response (which make up the bulk of the market) as well as solutions promoting resilience of OT networks and devices, covering off a wider range of cybersecurity capabilities for industrial customers. Partnerships and knowledge sharing is therefore key, not only for comprehensive OT security coverage but also for the industry in general. Emerging THreat Open Sharing, or ETHOS, was launched at RSAC 2023. The open source knowledge-sharing platform with founding members across key OT security and industry players is likely to have a notable impact on the evolution of various solutions.
Cloud security overlapping AppSec at many levels
As expected, cloud security was a key topic at RSA. Interestingly, the common theme around cloud security this year was cloud-native application protection platforms (CNAPP) but also a broader convergence of cloud security with application security. It was notable how easily conversations starting at the application security level moved to cloud-native application security. Some of the challenges highlighted in conversations were the “shift left” to “shift right” (or pre- and post-runtime application security) efforts, how to implement DevSecOps approaches, and ways to bridge the gap between the security and development teams. With skill shortages still top of mind for cloud security, vendors were focused on being able to provide developer-oriented and easy-to-use products. Amid these challenges, the discussion of the convergence of application security—including API, supply chain, infrastructure-as-code, and cloud security; cloud workload protection platform (CWPP); CSPM; CNAPP; and others—is expected to remain a key topic moving forward.
Omdia sees the cloud security space expanding to include a mixture of different kinds of vendors. Large vendors such as Palo Alto Networks, Fortinet, and Check Point come to market with the strengths of their existing product lines, often building up a cloud platform to become a one-stop shop, some organically and some through M&A activity. On the other hand, newer vendors such as Orca, Wiz, and Lacework among others come to market with a similar platform approach, though often working collaboratively in partnership with other vendors in the ecosystem. Both sets of vendors continue to refine their approaches to solving the ever-present cybersecurity challenges for cloud environments.
Though AI was a topic driving many conversations, few cloud and application security vendors demonstrated a strong position around AI-driven automation at product level.
The basics matter
The show floor did not have “generative AI” plastered everywhere, but it was certainly a topic of conversation. Less of a topic and even less evident on the show floor, but even more important, were the discussions about the basics of cybersecurity. Knowing what an organization needs to protect, the relative importance of those assets related to the core purpose of the organization, and how they must be protected was described as “boring but essential,” and Omdia could not agree more.
Cyberattacks continue to proliferate. These are not new types of attacks; the majority are based on tried and tested methods. Vulnerabilities that were around two years ago are still being exploited today, because organizations are failing to manage those vulnerabilities. Threat actors continue to exploit those vulnerabilities, not because they are clever but because they can. Most would agree that security is difficult and complex, but getting the basics right—good, solid cyberhygiene—can seriously reduce the risk to organizations from security incidents and breaches. Furthermore, being prepared for the inevitable means that when an attack does happen, there is a process in place that means the incident might not turn into a breach, or if it does, it is shut down quickly.
In comparison with the overall spend on cybersecurity, these are not the most expensive components of what needs to be done, but they could return significant value. It is very well worth reviewing the basics.
“It is good to be back: What did we learn at RSA 2022?” (June 2022)
Adam Strange, Principal Analyst, Data Security
Andrew Braunberg, Principal Analyst, Security Operations
Curtis Franklin, Principal Analyst, Data Security
Don Tait, Senior Analyst, Identity, Authentication, Access
Fernando Montenegro, Senior Principal Analyst, Infrastructure Security
Hollie Hennessy, Senior Analyst, IoT Cybersecurity
Ketaki Borade, Senior Analyst, Infrastructure Security
Maxine Holt, Senior Director, Cybersecurity
Rik Turner, Senior Principal Analyst, Emerging Cybersecurity