Forrester’s RSAC 2024 Themes, Takeaways, And Observations

5 months ago 10
News Banner

Looking for an Interim or Fractional CTO to support your business?

Read more

RSA Conference (RSAC) 2024 boasted 41,000 attendees, 600 exhibitors on the show floor, 425 sessions, and plenty of dashing around Moscone Center and its surrounding area for our analysts. The event, still the top dog of cybersecurity events, was packed with announcements and press releases galore. This blog contains some of the key themes we noticed and takeaways from the Forrester security & risk analysts who attended.

The US Federal Government Was Everywhere

For the first time, RSAC played host to not one but two sitting US cabinet secretaries. We’ve become accustomed to seeing the Secretary of Homeland Security on the RSAC mainstage given his oversight of the Cybersecurity and Infrastructure Security Agency (CISA), but Antony J. Blinken is the first Secretary of State to keynote at the conference while in office. Attendees could find experts from many different parts of the US federal government throughout the conference delivering keynotes and track sessions on topics ranging from the impact of cyberintelligence on the war in Ukraine to standardizing practices for managing end-of-life software. Some highlights included the following:

  • CISA Director Jen Easterly participated in two keynote panels — one alongside her predecessor Chris Krebs and the other with her former fellow officers with whom she worked to stand up US Cyber Command when she was in the military. Director Easterly and the CISA team promoted CISA’s “Secure By Design” initiative (including at CISA’s popular booth on the expo floor), and they announced that 68 software manufacturers had taken the “Secure By Design” pledge.
  • Department of Homeland Security Secretary Alejandro Mayorkas sat down with Rumman Chowdhury, the US Science Envoy for AI, to discuss the responsible implementation of AI in US critical infrastructure and on defending that critical infrastructure from the malicious use of AI.
  • Secretary Blinken focused on technology’s impact on foreign policy, including digital future and solidarity. Blinken emphasized the importance of: 1) moving/keeping integrated circuit chip supplies to/in the US; 2) the US leading AI/generative AI as well as post-quantum security research efforts; and 3) the critical minerals supply for clean technologies.

Vendor Themes

RSAC is always a good leading indicator of which vendor marketing promises will clog your inboxes in the foreseeable future. Happily, some sponsors in the expo reported a good ratio of serious security buyers with lists of their desired security outcomes to swag baggers cruising for loot.

  • You can’t spell RS(AI)C without AI. AI appeared at the beginning and end of every sentence. Every security product now includes AI (“being AI-driven,” “AI-powered,” or “AI-native”), and every product name (or vendor URL) probably includes AI, too. It’s embedded in every product, and everything will soon be autonomous — if you believe the pitches, that is.
  • Platforms abound. If a vendor brings more than two products or services to market in a vaguely connected manner, it has a platform. Platforms are ubiquitous — so ubiquitous that the term remains undefined, suiting vendor messaging well. But saying the word “platform” excites investors and placates shareholders.
  • Cybersecurity took an etiquette class, and now everyone cares about posture. There’s posture management of all types. Everywhere we looked, vendors promised they could ensure that our servers, endpoints, applications, workloads, and clouds keep their chins up and shoulders back.
  • The software supply chain came into focus. Driven by US and international cyberagencies such as CISA and BSI (the German Federal Office for Information Security), the emphasis on secure and well-maintained software throughout the supply chain was a prominent topic. Sessions addressed the management of software bills of materials (SBOMs), end-of-life code, insecure development pipelines, and industry best practices. Software supply chain is a complex challenge that requires a risk-based, companywide approach — vendors marketing themselves as software supply chain solutions tend to address only discrete pieces of the problem and should not be treated as a holistic solution.
  • Competitors of Microsoft hope the Cyber Safety Review Board report erodes its market share. Most of these same vendors are also partners — begrudgingly — of the behemoth, but they are all hoping the scathing report and the subsequent Secure Future Initiative announcements shortly before RSAC will do some damage to the giant’s momentum. This is unlikely to happen, as our research demonstrates.
  • Cybersecurity’s love story — burnout — took center stage at RSAC 2024. This comes not a moment too soon. Discussions on burnout were notably absent from RSA’s 2023 agenda, which was rectified in 2024, when three formal sessions on the topic made it on the agenda. RSAC Executive Chairman and Conference Program Committee Leader Hugh Thompson also brought the topic to the mainstage in his opening keynote — this visibility de-taboos this significant issue, which has plagued security since the beginning of time.

Coverage Area-Specific Observations

Forrester analysts who attended RSAC 2024 share their observations about the specific coverage area topics that they specialize in below:

Securing generative AI. Even though the primary attackers against large language models remain security researchers, students, and professors attempting to obtain tenure (aka APT: Ph.D.), there was plenty of talk about this. From protecting against prompt injection all the way to preventing inference attacks, this category is emerging and will own some of your cybersecurity budget in 2025.

Application security posture management (ASPM). ASPM is the latest application security acronym being used to attract security leaders’ budgets. ASPM falls into two related categories. The first set of tools evaluates the security posture of a workload and its technical stack in runtime, enabling real-time security monitoring. The second set of tools consolidates application security testing data and controls from various sources to prioritize findings based on exploitability and impact, with the goal to provide visibility into application risk. ASPM has potential to become a lasting feature of application security platforms, but its future as a separate market, that commands its own budget, remains to be seen.

Human risk management. Forrester announced the move to human risk management (HRM) in 2024 to reflect the technological, mindset, and human-centered disruption that is occurring. HRM vendors unashamedly embraced the terminology and capability in their demos and booth messaging. Track sessions evolved toward a deeper analysis of why employees attract danger, or dodge it, setting the scene for the significance of risk-based interventions, instead of blanket training for all.

Email, collaboration, and messaging security. Email security vendors are learning to play nicely with the two major email infrastructure providers (though one was mentioned far more than the other) and leaning into the layered approach their customers now require. Messaging focused on areas of or attempts at differentiation, including authentication and incident response services, explainable AI detections, outbound, account takeover, and business email compromise protections. Integrations with larger proprietary “platforms” and with — along with acquisitions of — the new hotness, human risk management solutions, were also prominently featured.

SecOps, XDR, SIEM, and the “autonomous” SOC. There was much less hype around XDR this year as vendors focused on the promise of AI to deliver security outcomes. Vendors striving to deliver the autonomous SOC were plentiful, although the autonomous SOC is largely a pipe dream. Still, many SIEM, SecOps, and XDR vendors are positioning combinations of AI and automation to deliver more automated threat detection, investigation, and response. These are much-needed, long-awaited improvements to be sure, although the marketing language about becoming autonomous is overstated.

Data security, privacy-preserving tech, and confidential computing. The RSAC expo showcased the widest range of options for data security I’ve seen in years. Vendors delivered with understated elegance, as far as marketing in the expo at RSAC goes. DLP was sprinkled everywhere like glitter, from stalwarts to those with a heavier insider risk focus. There were a notable number of encryption and privacy-preserving tech vendors exhibiting, spanning capabilities from encrypted search to secure enclaves and confidential computing. In addition, there were also many quantum security vendors, giving much attention to the need to prepare for post-quantum security.

Post-quantum security. Yes, post-quantum security is exciting (which makes life harder). The RSAC 2024 “Cryptographers’ Panel” discussed the recent academic paper claiming to be able to use a quantum computer to render lattice-based cryptosystems vulnerable. This matters because three of the four post-quantum algorithms selected by NIST are lattice-based, as is homomorphic encryption. Others have since found a bug in the paper’s algorithm, so the claim no longer holds. Overall, this means that the advice we distilled from the 2023 incarnation of this panel still holds. Further, you should follow post-quantum cryptography developments closely and prioritize designing your infrastructure for cryptographic agility.

Data resilience and backup. It was good to see data resilience and backup vendors exhibiting this year, such as Druva, Commvault, Cohesity, Rubrik, and Veeam. We know how important recovery is to a holistic ransomware defense, but it still doesn’t get the attention that it deserves — not only when it comes to data protection and recovery tools but in how we integrate the cooperation and processes between SecOps and ITOps. Much of the focus remains on prevention and rapid detection. But when prevention fails, and detection isn’t fast enough to stop the compromise of our most sensitive data, the ability to rapidly recover from a data vault is the difference between a hiccup in the business and major outage.

GenAI in cloud security. Vendors focused on extensive multicloud detection and response controls, including 1) copilots for natural language queries, reports, and remediation policy authoring and 2) better threat detection using large transaction models (LTMs). LTMs are 1) sets of synthetically created attributes generated by genAI and added to each transaction’s (file change, policy change, RBAC change, etc.) native attributes and 2) traditional machine learning models (supervised and unsupervised) learning and making higher-accuracy decisions based on synthetic plus native transaction attributes, rather than only on native attributes.

Innovation and investors. Innovation Sandbox remains a useful gauge of investor sentiment in cybersecurity. Per PitchBook, since 2009, Innovation Sandbox finalists have raised over $11 billion in venture capital, and several have gone on to billion-dollar exits. Exhibit A for this year’s enthusiasm: Wiz, a finalist in the 2021 Innovation Sandbox, takes on new funding while eyeing a possible 2025 IPO. Investor exuberance in cybersecurity must be tempered with the reality that there are so many cybersecurity companies globally, meaning that M&A is still very much part of the cybersecurity milieu.

Zero Trust, SASE, and network security. Three years ago, Zero Trust was the darling of RSAC. Banners and hawkers trumpeted ZT all over the show floor. Security practitioners never liked ZT as a marketing vehicle, so that’s fine. The good news for ZT is that there’s a significant undercurrent of interest from end users and demos from vendors around microsegmentation. Every major switch manufacturer had a booth at RSAC, demoing their latest or beta-est solution. SASE, the darling of RSAC two years ago, has been similarly shadowed: nowhere to be seen on booth displays this year. That doesn’t mean that SASE is dead, per se; it’s just not top of mind for marketers.

Read Entire Article