With RSA 2023 a few weeks ago, now is a good time to think about what I saw, the things I learned, the questions I left with. I had more than 30 meetings, a dozen or so meals, and walked 60,000 steps around dozens of booths. As I reflect, several themes come to mind.
First, it’s good to see we’re talking about security as a state of the business to be invested in, rather than Fear-Uncertainty-Doubt (FUD)-driven dialogs. Supply chain, ransomware, and AI were topics, as in previous years, but none felt like we’re jumping into the deep end. Rather, it felt like: hey, these things are here to stay, and we need to learn how to deal with them.
Of course, vendors are always going to lean into scare tactic messaging. In the vendor hall, the messaging was much more FUD-based than on stage. I’m not sure it was warranted. The level of panic around dollars vanishing, money being tight, budgets going away, was continual.
But we’re not seeing huge swaths of dollars disappear. Money is more expensive: interest rates are up, so money gets tighter. VCs lend less, and so less is available for startups. But this disproportionately affects Silicon Valley. We’re not seeing corporations post huge losses. We’re not seeing huge layoffs beyond the layoffs in Silicon Valley.
Sure, total tech spend in general, and across AI and data is being hit pretty hard. But this is mostly because organizations didn’t really get the ROI they expected. The data science-y things they did were too fragile and required too much support in most cases for them to get the scalability and the ROI that they expected.
We’ll definitely see a reduction in overall IT spend, but I don’t think we’ll see large-scale drops in security spend, mostly because we remain on an uncharacteristic uptrend. I think we’re likely to see a three percent overall improvement, down from seven percent, but not going negative. Most companies have underspent on security year over year, and managing that is still going to be high priority.
Another cool theme I’m really happy to see is a real look at standardization frameworks. NIST and MITRE, academically, are very, very good, but they don’t really align with how we implement, what we do, or what vendors produce. Alignment is almost an after-effect.
A vendor creates a solution that feels innovative in the space; they produce a product to answer a challenge. Then afterwards, they go, “We think this fits in NIST this way,” and the same with MITRE: “This solves section 5.1,” etc. It doesn’t really, but that’s the closest they can find.
This square peg, round hole situation ultimately doesn’t serve customers very well, but the blame can’t all be put on the vendors. Honestly, I don’t think cyber security for most companies is yet a truly strategic initiative. It still feels like we’re under attack, battening down the hatches, everybody move as quickly as possible. So, while vendors are talking FUD, organizations aren’t helping themselves.
In response, we need to start seeing security as a tech leadership strategy. The CTO running software development cannot escape security as a strategic imperative within the context of what they do. The CIO has likely been better at it for a while. But enterprise architecture-level security conversations are where organizations are going to find the most improvement.
What are your global standards? Do they make sense? Do they handle the challenge? And are we thinking about these things in a way that is cohesive and coherent and defensible, and considers both the state of the market and the capabilities of the organization?
This brings me to the workforce. It’s easier to hire IT people and cloud people right now, but security is still a nightmare, right? So thinking about what the impact of any change will be on the very people that have to run it, I think, is going to be really important.
There is good reason to stay away from leaping towards a technology just because it looks cool or interesting: the workforce transformation necessary for some of these tools is never insignificant. It may range from low to high, but it should always be a consideration.
I would also say if you’re doing application modernization or cloud native, security needs to be front and center. And I don’t mean it needs to be front and center because it’s more important than software development.
In cloud native you’ve probably figured out the service mesh-y components, and you’ve probably figured out your containerization strategy. But software development teams need to start focusing more and more active energy on learning and understanding security and networking.
Within cloud native, network and security go hand in hand. What frustrates the people developers work with is the lack of understanding of how these work, and I would recommend investing time in both. I did a webinar recently where I recommended that DevOps engineers get the equivalent of a Network+ or CCNA education, or that level.
Given that it’s hard to find security practitioners, the company InfoSec really interested me this year. InfoSec does training and certification for security analysts, but now also has a placement agency. As part of the placement, they will do the certification. So, if someone claims a skill on their resume, you know they’ve been tested and certified to have it.
Additionally, let’s say you need 10 people today, your budget’s a little bit low, and you want to grow them over time into positions. InfoSec also has an ‘on-the-job training’ program where they place people immediately and start a training program with them.
They come in at a lower rate, train over a year or two years, and get raises throughout. Your cost matches their capabilities, but you get people right away, and they get to grow and evolve with your growing and evolving security practice. We didn’t talk about pricing, but we did discuss how important it is for them to be competitive with other agencies.
A few other companies jumped out. Nokia, for example, took a neat view of where it sits in the market, effectively saying, telco is where we specialize. A company that can say, “This is our market, it’s narrow, and we want to focus on it,” gives me a lot of confidence.
OpenText continues to surprise me: a company that could be monolithic and hard to work with, really seems focused on not being hard to work with, on buying good products, connecting them cohesively, and delivering an outcome that’s useful and workable for organizations. They tend to skew towards the large side of the mid-market, which is a good place to be.
I liked the way SyxSense approaches unified patch management, WIB’s technologist-driven approach to API security, and Keeper’s rapid delivery against its roadmap for password management. HackerOne’s penetration testing as a service has a lot of value, especially if you combine it with a bug bounty program, and Splunk (not the same company it once was) is worth checking out for SIEM.
Overall, the conference was about getting the job done – which means thinking about security strategically rather than rushing around shutting stable doors. It means making security a business conversation, which will engender the right conversations, the right standards, and the right products from the right kinds of vendors.
If you’re responsible for security strategy, you can consider this market shift and how it affects your organization, and look into how standardization frameworks align with your company’s needs. In terms of concrete actions, I recommend you evaluate the impact of workforce transformation on your employees, and consider how to cross-skill and upskill for the multi-cloud world.
RSA was a fantastic conference, and I plan on logging in and watching as many of the sessions as I can. Hopefully you found this helpful, and I’ll talk to you all later.