Research — 23 May, 2023

RSA Conference 2023: AI everywhere all at once

Highlights

Despite macroeconomic challenges, security spending and trends are back to pre-pandemic levels

Unquestionably, the dramatic impact of generative AI was felt throughout RSAC 2023

Introduction

Less than two weeks after the 2020 RSA Conference USA (RSAC) adjourned, a global pandemic was declared. This year, only days before the World Health Organization declared the COVID-19 emergency over, RSAC's 32nd annual edition reflected a return to pre-pandemic levels of participation — but with a stark difference in prevalent trends.

We may not be the only ones invoking this year's Academy Award for Best Picture to characterize the impact of generative artificial intelligence, but it sums up how pervasive the technology was at RSA 2023. Even so, AI was far from the only trend in evidence.

The Take

A number of trends in security are occurring now, with AI among the most visible at RSAC 2023, particularly in security operations. Others aligned with 451 Research's coverage areas include the broad theme of resilience (reflecting concerns including and going beyond cyber), data security and privacy, identity-related themes in threat detection and access control, security for SaaS offerings, the secure access service edge, and security for applications and APIs. At Innovation Sandbox, the consolidation of features for securing cloud-native environments was particularly evident. We expect to provide coverage for each of these areas in more detail throughout 2023 and beyond.

By the numbers

The return of pre-pandemic attendance figures at RSA reflected the enduring buoyancy of the cybersecurity market. Despite macroeconomic challenges, security spending and trends are back to pre-pandemic levels. Almost all respondents (93%) to our Information Security, Budgets and Outlook 2023 survey report plans to increase security spending, with an average increase of 29%.

In-person attendance at RSAC approached "before time" levels, with 2023's attendance exceeding 40,000, close to the all-time high of 43,000 in 2017. Exhibitors didn't return quite as strongly, but far better than they did in 2022. Nearly 550 were reported for RSAC 2023 compared to 658 at RSAC 2020, but still more than 25% over the 400 last year.

Speakers have remained fairly steady, with over 650 this year, comparing well with 704 in 2020 and exceeding the 600 of 2022. At more than 350, the number of sessions was about the same as 2022, but down compared to 500 sessions at RSAC 2020. When compared to the speaker numbers, this suggests that panels may now be more in vogue than talks presented by individuals.

The flavor of the week — and year

Unquestionably, the dramatic impact of generative AI was felt throughout RSAC 2023. From the winner of the Innovation Sandbox competition to the messaging from nearly every vendor, AI was by far the frothiest theme of the year.

Although AI and machine learning were already prevalent in cybersecurity, the technology has (or is claimed to have) powered much of recent innovation, from analytics and automation to interactive assistants for security operations teams. But in the last few months, OpenAI's ChatGPT, Google's Bard, DALL-E, the new Microsoft Corp. Bing, Stable Diffusion and other AI innovations have mesmerized the security market.

Security vendors large and small made as much of the opportunity as they could at RSAC. Leading the charge were the giants. OpenAI investor Microsoft introduced Security Copilot weeks before the event, while Google announced Google Cloud Security AI Workbench built on Vertex AI and leveraging the threat insight of its Mandiant acquisition.

A handful of startups have already addressed the AI opportunity, with HiddenLayer the winner of the Innovation Sandbox competition. And large consultancies have devoted significant resources. Accenture was Google's launch partner for Google Cloud Security AI Workbench, while KPMG spun off its internal AI security startup as Cranium.

Security operations obviously benefit from AI innovation, but other areas see the potential benefits of generative AI. Application security testing (AST) views vulnerability detection as only part of the equation. Prioritization and remediation are steps many organizations struggle with, given the limited resources to address security issues in code. Rather than providing direct remediation, generative AI currently may provide an explanation of vulnerabilities and their severity as well as modeling, but would not directly apply potential code fixes.

RSAC conversations and recent product announcements suggest application security vendors agree. AI factored into various other aspects of Ops initiatives evident at the event, from MLOps to PrivacyOps. We expect many of these intersections of AI and security to be fertile areas of coverage in 2023 and beyond.

Privacy and security collide with automation

Data privacy and data security continue to be top pain points as enterprises try to become more data-driven; so unsurprisingly, vendors addressing these use cases were well represented at RSAC 2023. Not only are practices such as data privacy, data security and data governance becoming more integrated within organizations, the software used to support these functions is becoming increasingly automated.

However, risk must be balanced with reward. Privacy and security are key business concerns with the evolution of technology such as generative AI; yet paradoxically, automation is needed within the enterprise to manage baseline data privacy and security requirements.

On the vendor side, many providers are attempting to address data governance and data privacy use cases from different architectural approaches. For example, sensitive data discovery and classification has long been a foundational starting point for data privacy efforts. Yet today, vendors from a diverse array of heritages are seeking to tackle this business challenge.

Newer, specialized DSPM (data security posture management) providers often focus on cloud-based data sources, while more established providers from the data governance sector take a more hybrid architectural approach. This can lead to rifts in positioning, with newer or more specialized providers commonly using the term "legacy" to refer to their incumbent competitors. Further specialized offerings for data security within SaaS systems will lead to further positioning rifts with both legacy providers and other categories within SaaS security posture management (SSPM) and secure access service edge (SASE). Often, these providers differ not so much in the core business outcomes they provide, but rather in the economic influencer they target within the purchasing organization.

Cultural challenges remain in data security and data privacy, and were highlighted at the conference. Legal team incentives — particularly for ensuring privileged protection of forensic breach reporting — are often misaligned with the broader cybersecurity community's objective of sharing (and learning from) the mistakes of other organizations. CISOs increasingly face the threat of personal or even criminal liability for their decisions, and often must carefully balance the interests of their employer with their own interests as a private citizen. We plan to follow up on broader data privacy, data security and data governance trends in a subsequent report.

Innovation Sandbox competition: The suite life returns

Innovation Sandbox competition winner HiddenLayer represents a category of vendors in security for AI that we expect to see proliferate, thanks to the high visibility and capability of large-model AI and its breadth of risks, many of which have yet to become fully recognized. HiddenLayer links this opportunity to the ever-popular "detection and response" label by applying it to machine learning, calling it MLDR.

The narrow focus on threat detection for ML exemplifies a risk of commercializing innovation (perhaps inherent to the security market), where the latest concern often quickly turns into a set of too-small segments we could think of as feature shards. At some point, these minor segments may aggregate into features of a larger offering. Early-stage entrants, however, often focus on the buzz of one aspect of this fragmentation.

That contrasts, however, with many of the other finalists in this year's Innovation Sandbox, where the trend was clearly toward consolidation of features into a suite of functionality focused on a specific use case. Not as broad or comprehensive as a platform covering multiple technology segments, these suites combine multiple related functionalities systematically into a single offering, providing a response to user frustration with the sheer number of security tools and vendors.

Representative of this group of finalists was Pangea (the second place finisher), consolidating access control, audit logging, secrets management, licensing and other foundational security functionalities for developers; AnChain.AI, offering a range of security functionalities for Web3 ecosystems; Dazz, providing acceleration for resolving cloud-native security issues leveraging code-to-cloud tools and processes; Endor Labs, consolidating functionality for addressing open-source security; SafeBase, automating trust-relevant information management and sharing between an organization and its stakeholders; and Valence Security, an example of what we sometimes refer to as CASB 2.0, offering automation for SSPM and mitigating access control, configuration and data-sharing risks for SaaS applications.

Valence and the rise of SSPM are representative of similar trends already seen in other aspects of security. SSPM has been spurred by the need to systematically manage security across many SaaS applications. SASE is another area where complexity encourages vendors that can cover multiple bases (access control, SD-WAN, CASB, secure web gateway, etc.) to offer a single-vendor approach.

The rise of cloud-native application protection platforms represents yet another consolidation of multiple functionalities for securing cloud resources. Extended detection and response is an area where new technologies keep emerging to contribute to the overall priority. Identity threat detection and response was one such example evident at RSAC, spurred by the critical role played by identity as both a security control and prime target of attackers.

Other Innovation Sandbox finalists included Astrix Security, providing security for non-human, machine-to-machine interactions such as those with APIs or service accounts; Zama and its open-source tools for integrating privacy-protecting homomorphic encryption more readily into applications; and Relyance AI for streamlining PrivacyOps. The emphasis on AI, evident not only among many Innovation Sandbox finalists but among exhibitors overall, underscores the coattails of AI that so much of the security market is riding in 2023.

Party like it's 2019

More than innovation, trends and buzz, the RSA Conference is also an opportunity for the information security community to renew old friendships and make new ones. For many, it has been years since they had that in-person opportunity. Although the movement toward remote work is here to stay, a return to the face-to-face experience was not only refreshing, it was a workout for forgotten conference skills.

For some, the frequency of that workout is about to accelerate. Historically held in February, RSAC 2022 was postponed to June due to that year's wave of the omicron COVID-19 variant. This year, it moved to April — but that still puts it only a quarter out from the Las Vegas "security summer camp" that will gather at Black Hat and DEF CON in early August. Attendees, keep those comfy shoes handy!
