First in-person RSAC since 2020 delivers a mixed experience

Introdution

The RSA Conference (RSAC) is one of the premier events in the cybersecurity vendor community – a combination trade show, reunion for industry participants, learning venue and showcase for one of the most active fields of emerging technology. After a digital-only version in 2021, this year's edition was the first in-person RSAC since the 2020 event, which took place only days before the World Health Organization declared COVID-19 a pandemic, but this year's gathering wasn't free of that shadow.

The Take

The first in-person RSAC in two years was eagerly anticipated. The highly social cybersecurity community always embraces the opportunity to network, enhance tradecraft and learn about new developments in security technology. Our data indicates that security spending is likely to remain strong, with 94% of respondents to our recent Voice of the Enterprise: Information Security, Budgets & Outlook study indicating that they will increase their security spending, at an average increase of 26% over 2021. This remains consistent with the 27% increase reported in 2021.

Health concerns likely dampened RSAC attendance, which came in at only 60% of the record number set in 2017. For those unable to attend, the so-called "digital experience" fell short, not even delivering a standard for content familiar from pre-pandemic RSACs. Nor did innovation seem as robust this year. Despite record M&A investment and emerging concerns such as threat detection and the nascent field of protecting cloud applications, a technology similar to long-established precedent offerings won the RSAC's Innovation Sandbox competition.

Context

At the last in-person RSAC in 2020, there was not yet the mass defection away from in-person events that soon followed, although major vendors, such as IBM Corp., pulled their 2020 participation completely as the virus began to spread more widely. Even so, RSAC 2020 saw conference attendance of 36,000, but that was down from the 40,000-plus high-water mark of the 2016-2019 era.

RSAC 2022 was significantly less well attended. At 26,000, attendance was 72% of 2020 and only 60% of 2017. The number of exhibitors fell similarly: The 400 at RSA 2022 were only 61% of the 658 at RSAC 2020. The number of speakers was not as severely affected, with the 600 presenters at RSAC 2022 at 85% of the 2020 slate – but the 350 sessions offered were only two-thirds the number of those given at RSAC 2020.

COVID-19 concerns continue to weigh on participation, with attendee attitudes varying from maximum prevention, including masking (vaccination or testing was required of attendees), to behavior that would seem to shout, "COVID's in the rear-view mirror!" The biggest question for all such events, however, is whether the risk of exposure at major in-person conferences would affect future participation. In an informal Twitter poll conducted by user and security researcher @RayRedacted, 22.3% of the 1,164 voluntary respondents, all of whom reported attending RSAC, said they had gotten COVID-19 at the conference as of June 15. Another 41.2% said they were "unsure." This is far from a scientific sampling, but many post-conference discussions have already surfaced concerns about future events.

For those who stayed away but still wanted to participate, RSAC offered a "digital experience," but it was far inferior to the 2021 all-virtual conference, which turned major venues such as the Innovation Sandbox competition into a highly accessible event streamed live online. The streaming aspect was a continuation of RSAC practice in previous years. This year, however, the on-demand recording of the Innovation Sandbox competition could only be viewed after the fact. The intent was to deliver the benefit of the in-person experience – the lifeblood of such events – for those making the effort to attend, but the upshot was to make digital participants into second-class attendees – and that sent a message to those who couldn't attend, whatever the reason. Teams with some members on-site and some streaming could not discuss sessions in real time, a use case inherent with those who are at higher risk for poor outcomes with COVID-19 or who live with someone who is. Whether intended or not, the message was the opposite of accessibility and inclusion, and not likely to be forgotten by the many who rely on digital interaction – particularly if circumstances force future events to be more hybrid or virtual than they are aspiring to be in 2022.

Prevalent themes

The RSA Conference was characterized by a number of themes throughout the event. Among those that stood out for our analysts:

• "Risk" continues to be one of the most popular words in cybersecurity, extending a trend that has been evident in the field for some time. It is not, however, just the increased prevalence of risk-based approaches in tools and technologies often seen in current vendor buzz. The credible measurement of security and prioritization of risk mitigation are among the drivers for this trend, with a more proactive approach to risk management and advocacy within the organization frequently emphasized.
• People were a common theme at RSA. An increasing number of companies are offering both SaaS platforms and managed detection and response, looking to the increasing complexity of security challenges, as well as difficulty in securing talent to manage them to increase demand for professional services. Additionally, vendors are focused on using automation and low-code development to help empower the millions of new analysts that will be tasked with securing the enterprise of the future. User experience was also a prevalent theme in many discussions and session tracks, particularly within the context of zero-trust and passwordless authentication.
• The rise of a variety of approaches to the emerging problem of mitigating threats to cloud-native environments was also dominant, evident particularly at the RSAC Innovation Sandbox (discussed below). Among the significant questions raised by this trend: How do security operations teams embrace cloud threat detection and response, or do they? Is this more the province of those most engaged in DevOps tools and practices, or will security operations teams, long engaged primarily in operations affecting users and the distributed environment, become literate in threats to cloud-native assets with which they may be less familiar? We expect this theme to continue to evolve in practices and techniques over the coming months and years.
• Software supply chain security and various aspects of mitigating third-party risks in IT are closely related themes. API security is an example of the latter, representing technical dependencies on functionality not under the direct control of a relying organization. Software supply chain security, meanwhile, appeared in different forms – from the evaluation of third-party vendor products to the assessment of open-source risk and emerging regulatory requirements. It was the topic of at least four different RSAC presentations, and the primary offering of one Innovation Sandbox finalist.
• Many "security shift left" vendors are waking up to "engineering shift right" customers. Activity apparent at RSAC indicates that those organizations that have undergone digital transformation are proactively developing, integrating and maintaining their own application stacks, and are increasingly building in security and privacy for data, applications, APIs and infrastructure, in addition to more classic use cases such as code scanning and application fuzzing. Vendors in evidence serving these themes are increasingly embracing strong, simple developer experiences and easy-to-consume offerings.
• Zero-trust messaging was present in many RSA presentations and booth displays, along with a fair amount of the inevitable "zero-trust washing." Compared with several years ago, when "zero trust" was mainly a buzzword, there are signs of progress, buoyed by the need to secure an increased scale of remote work. Recent survey data from 451 Research shows that 23% of organizations now have zero-trust network access in use, while another 21% have zero-trust projects currently underway and another 35% plan to in the next 6-24 months. Still, the tenor of several tracks on zero trust made clear that we are still in the early stages of evolution, and many firms are still grappling with exactly what zero trust means for their organization and, more importantly, how to go about achieving it.
• When it comes to privacy and regulation, it would seem from RSAC impressions that the technology lawyers shall inherit the earth (at least for now). In today's proliferating landscape of data-driven regulations, cyber-insurance negotiation and third-party risk management efforts, seemingly esoteric topics such as, "Can regulation coexist with innovation?" often boil down to which business party can write more favorable contract terms. The U.S., in particular, currently lacks federal data protection and data privacy regulation, and individual company frameworks for data ethics, privacy and security are often only enforceable by contract. While robust legal teams have always been a staple for the enterprise, especially for organizations operating in multiple jurisdictions, their importance today is rising to a crescendo as organizations grapple with ambiguities in existing technology laws or absence of technology laws altogether.

Innovation Sandbox

RSAC's Innovation Sandbox competition continues to serve as a bellwether of startup activity and the sensitivity of the judging panel to the value of emerging approaches. This year, however, the judges' take on "innovation" was a bit of a head-scratcher, given that the winner offered a variation on something that has been in the market for some time.

The 10 vendors named as finalists were: Araali Networks, a provider of technology for detecting and blocking threats to cloud-native environments; BastionZero, which offers zero-trust remote access to cloud-native infrastructure for management teams; Cado Security, which offers incident investigation, forensic and response tools for cloud-native environments; Cycode in software supply chain security; Dasera and its data governance platform; Lightspin's graph-based analytics for attack path exposure in cloud-native environments; Neosec's technology for mitigating API exposures and threats; Sevco and its focus on comprehensive asset inventory; Talon Cyber Security's secure enterprise browser; and Torq's no-code security process automation system.

Given that at least half the nominees target aspects of the emerging field of threat detection and mitigation for cloud-native applications and environments, it was surprising that Talon won the event, with a technology that represents a variant on securing the browser that has been broadly evident in the market for years. This, however, may speak to an ongoing need that the judges see as still not yet completely addressed. The points at which technology interacts with people remain a high concern to organizations in many ways. Browser use and the exploitation of the browser fall within this domain, and despite the long-standing presence of vendors in fields such as browser isolation, the Innovation Sandbox panel apparently still sees the need to secure this environment as preeminent. This is not the first time judges have opted for solutions to what they see as some of security's less glamourous but more enduring problems. It is still surprising, given existing options in this space, when compared with startups taking on opportunities in more nascent, still-emerging fields.

What next?

With RSAC 2022 now in the rear-view mirror, vendors, participants and organizers now look forward to a compressed security industry conference schedule, with several vendor events and InfoSec Europe following immediately on RSAC's heels, and the industry's "summer camp" of the events surrounding Black Hat and DEF CON only weeks away. Will participation at these events be similarly affected? Will innovation be more apparent as conferences overcome the initial adjustments in the wake of COVID-19? We will be watching these upcoming conferences closely for evidence of what such gatherings may become.