Learnings & Insights from RSAC 2023

Note: The views presented below are completely my own & does not necessarily reflect those of my employer.

This year I had the opportunity to attend the RSA Security Conference in San Francisco from 24th- 27th April. It was quite unlike any other event that I had attended so far in my career. The sheer expanse of the event at the Moscone centre in downtown San Francisco was a sight to behold. 50,000 people attended the event over the course of 4 days and 605 security companies & organisations put up their exhibits and unique stalls which spread across 2 million sq ft of space! Truly a phenomenal place to be in.

Other than the mind-boggling expanse of the event, what made it truly special for me was the opportunity to connect with so many different people face to face and have free flowing conversations. I got to meet many of my colleagues at Frost & Sullivan face to face for the first time, customers and yesteryear friends. Talking to so many security practitioners in one place, helped me gain some new perspectives of the industry. Whether one is writing about security or sonnets, I think it is never a bad idea to borrow from Shakespeare who famously said- “Brevity is the soul of the wit”. ?Here’s my attempt to concisely capture my discussions & learnings over the 4 days of the RSAC 2023:

1.?????The security industry has been a victim of the self-fulfilling prophecy.

4 letter acronyms & jargons sometimes make security practitioners seem intelligent & ahead of the curve but defeats the purpose of why those acronyms were created in the first place. I can confidently report from the event that SASE meant different things to different people. So did all the new age security acronyms- CSPM, CNAPP, CWPP and I can go on. In my conversations with small & medium businesses earlier & surveys that Frost & Sullivan conducts to understand security needs of end user organisations it was quite clear & evident that much of these acronyms do not mean anything to the CISO or Head of IT unless they are participating in a conference. For their daily security operations, the acronyms sometimes are counterproductive. But after the RSAC, I came away with an understanding that even for some of the security professionals who are responsible for these products, it sometimes gets a little overwhelming.

Bottomline: It is not sexy to create new acronyms in an industry where the gap between security product marketers and security implementers, mirrors, for the lack of a better analogy the Gini index of Sub-Saharan Africa.

2.?????Cloud Security, Cloud based security will continue to dominate the conversation.

Cloud is where the industry has strongly pivoted and there will be no looking back. That said, cloud is never going to be the be all, end all solution that was promised years ago. On-premise infrastructure will continue to stay and enterprises will need to spend on securing them. On-premise security has been commoditised and hence there will be price wars and margin pressures to retain end customer relationships. Newer innovation & product creation will happen on the cloud and that is where enterprises will continue to drive their security spend.

Bottomline: Cloud gives the required scale & efficiency for security operations for enterprises large & small. It is important to convey these benefits without jargons to end users of these products while working with them to secure their on-premise infrastructure.

3.?????Artificial Intelligence (AI) was the talk of the town at the RSAC 2023

Almost every product conversation that I had during the 4 days of RSA began with AI. 4 years ago, AI was an upcoming technology with demonstrated use cases. Today it is as much a reality as wireless calling. There is no doubt that Artificial Intelligence is the new frontier for security. It elevates both offense & defense capabilities to a whole new level. It is clear that in today’s security operations, you cannot take .404 rifle to the fight where the adversary brings a bazooka. Complex threats generated at a machine scale will require AI to detect & prevent them at the gate. The scale at which innovation is happening in security operations and AI being built into security products is transformative. I was mighty impressed by some of the organisations which are leading the space here and am hopeful for the future.

Bottomline: The divide between product marketing and implementation of AI for efficient security operations continues to lessen year on year. With the advancements in generative AI giving the required firepower, security companies now have a powerful tool for their next phase of product development & evolution.

4.?????Vendor Consolidation: Will it or won’t it happen?

This is a touchy topic & has different nuances and layers to it. I will still attempt to cover it here because this is another repetitive term I came across in my meetings with various companies. Many security organisations are dabbling in different areas of security, justifying the costs to the board using the 2 words: “Vendor Consolidation”. It is a belief that, end user organisations will consolidate their security vendor base across end points, network, applications & cloud because it is easier to manage them.

I beg to differ here. If ever there was a domain where the adage- “one size fits all” fails spectacularly it is security. End user organisations will have their own business sensitivity, sectoral differences and needs to adopt different types of cybersecurity capabilities. Since the security industry itself is evolving at a breakneck speed, it is almost impossible for a select few vendors to dominate the entire value chain of security. There is room for multiple players in the market with niche capabilities as the size of the market keeps growing. End user organisations will continue to prioritise their interest and will adopt the solutions that make their security team’s life easier & increase productivity, even with varied & often competing vendors.

Bottom line: As long as the security companies keep their eye on the prize without getting ahead of themselves, there is always a potential market opportunity for them to win. In the long run, a better product will see a greater adoption in the market.

Thanks Toph Whitmore for the click.

It’s just been a week since RSA 2023 and I can’t wait to see what’s new in RSA 2024.

What new trends did you see? As always, your feedback is welcome and appreciated.