According to organizers, over 41,000 attendees came to San Francisco for the 2024 edition of the RSA Conference US in early May, confirming the post-pandemic interest of the cybersecurity community in one of its largest events of the year. Attendance in 2024 slightly exceeded the reported total for 2023 and put the conference once again in the territory of 2016 to 2019, when the attendance record was set with a reported 43,000 in 2017.

Not all vendors were equally motivated to participate, however. While the 600 exhibitors reported for 2024 topped the conference's 2023 report of 550, at least one major vendor's absence was noteworthy, especially in light of its actions the week following the conference that contributed to events shaking up an entire segment of cybersecurity.

The level of activity and participation at this year's RSA Conference (RSAC) echoes the continued strong spending indicated by respondents to 451 Research's Voice of the Enterprise: Information Security, Budgets & Outlook 2024 survey. With only one exception, for the COVID-19-affected year of 2020, more than 85% of respondents have told us each year since 2019 that they expect their security budgets to increase, with the average expected increase this year at 30%.

Context

The environment for cybersecurity vendors remains challenging on several fronts. For startups facing shorter runways, the end of cheap money may prove to be a test of their sustainability. For others, the evolving demands of cybersecurity may pose an existential challenge to their ability to adapt. Already, the landscape has changed. Just after RSAC, two security information and event management (SIEM) vendors — LogRhythm and Exabeam — merged, while on the same day, International Business Machines Corp., once an SIEM heavyweight, exited its QRadar SaaS business altogether through a partnership with Palo Alto Networks Inc.

Notably, Palo Alto Networks, one of the industry's largest vendors, opted out of having a booth on the RSAC expo floor, apparently well before the conference, although it did have a base nearby, which suggests that vendors are scrutinizing the benefits of investing in RSAC directly while still maintaining a presence near the venue. "Near," however, is getting progressively farther away from the Moscone Center for many. RSAC organizers would be well advised to consider the blowback from attendees who no longer want to travel that widely if conference costs are leading to "conference sprawl" on the part of vendors that still want a piece of the RSAC action.

Overview

As in 2023, the dominant theme of RSAC 2024 was the continued impact of AI and the evolution of generative AI. Rather than last year's reaction to the introduction of ChatGPT in November 2023, the 2024 conference themes revolved around protecting the enterprise from risks presented by generative AI, such as sensitive content exposure and privacy, or the security of the open software on which much AI functionality is built. It also gave vendors making investments in AI for security the opportunity to showcase their most recent innovations.

Other highlights also drew attention — but not always for reasons those involved might have preferred. The public sector was highly evident, particularly with US Secretary of State Antony Blinken giving a keynote address. The public sector also made its impact felt when Microsoft Corp., taken to task in an April report of the US Cyber Safety Review Board, pledged at its highest levels to make security its top priority the week before the event and emphasized this commitment at RSAC. Many information security vendors also committed to CISA's Secure by Design pledge.

At RSAC's Innovation Sandbox competition, always a highlight of the conference, the intersections of AI and data security and integrity figured prominently among finalists, as we see with the first take from our analysts on their RSAC 2024 experiences.

Takeaways from our analyst team

Justin Lam, Senior Research Analyst, Information Security: Data security was heavily featured as a key enabler for AI security. At Innovation Sandbox, four competitors looked to limit AI security dangers such as excessive agency and sensitive information disclosure. Retrieval-augmented generation will also likely drive enterprises to take better stock of the data risks they have when augmenting large language models, especially if those additional knowledge sources are sensitive. Announcements ranged from Microsoft to startups looking to add data security guardrails to broader AI adoption. While most data security principles have focused on availability and confidentiality, data integrity came to the forefront with Reality Defender winning the Innovation Sandbox competition with its approach to deepfake detection — a vivid example of new types of threats introduced by the abuse of generative AI.

Eric Hanselman, Chief Analyst: Enterprises are maturing in their understanding of real resilience, but the idea that much of what is needed to improve their footing can be accomplished with tools they have at hand, contrary to the messaging on the RSAC exhibit floor, is still new. Complex hybrid threats demand action. Basic hygiene tasks like backups and automation are powerful, foundational elements but often are not implemented well. Telemetry from infrastructure, like DNS and identity activity, can deliver insight and deepen context but is not being effectively integrated into security tooling. The same is true of access and data controls for AI use, where existing secure access service edge capabilities can do so much. We need to better leverage what we have already.

Brenon Daly, Research Director, Financials: Coming into this year's RSAC, the information security industry looked more like the rest of tech than it ever has. No longer sailing above the austerity that has grounded the overall IT market, information security vendors have had to recalibrate their businesses to "do more with less." Growth rates for some cyber vendors are half of what where they were in boom times, and while some valuations in information security remain elevated, others have followed suit. Down-round fundings and discounted deals have arrived in a market that has only really known an up-and-to-the-right trajectory. For those players, cyclicality has come to the information security market.

Daniel Kennedy, Principal Research Analyst, Information Security: Two application security themes came up over and over in conference conversations: application security posture management and generative AI. The rise of ASPM is predicated on a few factors: a desire to have a real-time risk posture for the applications and enterprise codes and builds, orchestration of the number of tools that facilitate application security testing, and the need for targeted prioritization of identified issues to correct. The second, larger conversation regarded generative AI, both its integration as a tool in application security and the complexities of testing internal generative AI applications or monitoring employee usage of the same, sometimes through the same tools that provide API security. The generation of code fixes for vulnerabilities, analysis of open-source suggestions and even the potential ability of generative AI to analyze requests and generate code all offer potential for more expedient resolution of vulnerabilities.

Garrett Bekker, Principal Research Analyst, Information Security: Unsurprisingly, many conversations inevitably arrived at the impact of AI on identity and access management (IAM). While AI will likely help attackers with deep fakes and more realistic phishing attacks, the early consensus is that AI will be most helpful for automating manual processes, such as user access requests and reviews, and assigning and managing roles in role-based access control scenarios. Another discussion topic was the "democratization of privileged access management" — PAM for a wider range of users, IT resources and use cases, as well as new approaches to remote privileged access that do not involve a VPN, and also the need to account for machine identities, which one vendor estimated outnumber human identities by a 45-to-1 ratio. We noted a growing realization that business-to-business use cases are distinct from traditional workforce IAM and customer IAM scenarios and thus require a separate technical approach.

Paige Bartley, Senior Research Analyst, Data Management: PrivacyOps and data governance "pure play" vendors had a relatively modest footprint at this year's RSAC, but that does not mean that related product functionality was not widely represented among providers. Data privacy and data governance have just as much (or even more) business emphasis than in the past, but budget allocation and resources are shifting. With the wider adoption of generative AI and AI-enabled enterprise software, privacy and data governance initiatives are often searching for procurement funding from novel sources, such as project-specific funds and discretionary funds for AI initiatives. Rather than being relegated to a backroom, data privacy and data governance teams have broadened the scope of collaboration and discussion, emphasizing these functions as an accelerator for value via the safe and guided use of enterprise data in the era of AI.

Mark Ehr, Principal Research Analyst, Information Security: With regard to cloud security, RSAC 2024 was intense, and cloud-native application protection platform (CNAPP) vendors did not disappoint. Heavy investment and M&A activity continued, with a $1 billion funding round announced and acquisition rumors flying. Vendor partnerships are blossoming as former competitors seek to flesh out their platforms, and AI is now seemingly baked into everything. Agent-based versus agentless architectural wars have softened, with vendors gradually accepting that blended approaches work best for many — agents are required for use cases that require deep, real-time telemetry. The intersection of CNAPP and security operations technologies is another trend seen at RSAC and beyond, which we expect to explore in more detail in upcoming research.

The conference around the conference

RSAC proper is not the only draw for the cybersecurity community in San Francisco during this week. A number of worthwhile events surround the conference, particularly among those that speak to practitioners in both the cyber professional and investor camps. 451 Research analysts participated in the annual America's Growth Capital cyber-focused event earlier in the week, while BSidesSF and other adjacent events featured keynote sessions balancing the realities of generative AI usage for both defenders and adversaries. It is not just threats to, or from, generative AI that were highlighted. Speakers at RSAC sessions as well as elsewhere noted the potential of generative AI not only to broaden context but also to facilitate the automation of integrations between different tools and processes.

These events add to the richness of the RSAC experience, but the conference itself has gotten stricter about unrelated events at nearby venues, which, in some cases, has forced some vendors even farther away from the Moscone Center. This continues a trend that, frankly, places a hardship on attendees who must shuttle across a wider area to get to what they need to see and do. This, as well as the cost and concerns about hosting what is becoming a far-flung event in San Francisco, may lead attendees to mirror exhibitors and scrutinize more closely their return on the RSAC investment. This would ultimately be bad not only for RSAC but also for those who are positive about the conference and have voted with their (well-worn) feet to keep returning. We would hope in coming years to see RSAC itself respond to these issues and continue to keep the conference what it has been for so long: a high point of the year centered on the activity — and venue — of one of information security's first and most successful annual events.

This article was published by S&P Global Market Intelligence and not by S&P Global Ratings, which is a separately managed division of S&P Global.