RSA Conference wrap-up: The state of cybersecurity disconnect
The cybersecurity industry isn't prepared for massive changes in play. It needs to focus more on the mission rather than cybersecurity technology widgets.
RSA Conference in early May felt a lot like a pre-pandemic industry party. More than 40,000 people attended, and San Francisco was awash with self-driving cars, cybersecurity product advertisements, venture capital events and cocktail parties galore. Industry CEOs participated as well, delivering keynotes trumpeting cybersecurity platforms and the marvels of generative AI for cybersecurity.
While the industry was busy patting itself on the back, I caught a rather sobering presentation from U.S. Secretary of State Antony Blinken. Blinken reminded attendees that cybercrime is a trillion-dollar industry, and state-sponsored adversaries are relentlessly attacking U.S. critical infrastructure, compromising leading public and private organizations and essentially seeding the battlefield in case of future hostilities. Reading between the lines, Blinken was saying we might lose the cyberwar if we aren't resolute and diligent in our efforts.
Blinken's presentation was a hard slap in the face. I thought to myself, "Secretary Blinken is reminding us that we are here to talk about how we can better protect all our digital assets, not celebrate all the glories of cybersecurity technology innovation."
Challenges in the state of cybersecurity
With this in mind, I became a bit more thoughtful about assessing the state of the industry through an RSA Conference lens. Regrettably, I left San Francisco more pessimistic than when I arrived for the following reasons:
- The state of the CISO position. Despite a wave of new cybersecurity regulations, including SEC and NIS2, many strong CISO candidates I spoke with at RSAC were out of work and found themselves competing for every open position with dozens of others. When CISOs do get offers, they find the average salary ranges from $150,000 to $180,000 -- inappropriate for someone tasked with cyber-risk management and protecting digital assets that tend to anchor every business process. Little wonder why research from TechTarget's Enterprise Strategy Group and the Information Systems Security Association indicated 72% of CISOs find their job is stressful at least half the time and 40% of CISOs have considered leaving the cybersecurity profession entirely. Until business leaders, HR managers and recruiters gain a better understanding of what CISOs do and the value they provide, we are all vulnerable.
- The limitations of cybersecurity platforms. We've relied on an army of cybersecurity point tools for years, leading to inefficiencies and ineffectiveness. In response, large vendors at RSAC pitched beefy security platforms, integrating point tools into a whole cybersecurity suite. This makes sense on the surface, but I see some choppy waters ahead. First, platforms tend to subscribe to an "inch-deep, mile-wide" design point. Point products in areas such as cloud detection and response, data detection and response, and identity threat detection and response might be far more effective, especially for large enterprises. Similarly, consolidated products always have gaps in cutting-edge areas, such as API security and AI security, leaving organizations vulnerable or forced to buy point tools anyway. Vendor platform migration takes months or years, requiring valuable time, resources and cybersecurity organizational focus, and large organizations always have multiple platforms they need to operate and integrate. Platforms might be effective for smaller organizations, but I see too many holes at the enterprise level.
- Small enterprise and SMB vulnerabilities. Industry messaging at RSAC tended to assume that every security organization resembles Facebook, Goldman Sachs or the National Security Agency. This couldn't be further from the truth. SMBs typically employ a CISO and a security team of five to 10 people -- that's it. While some do an admirable job, many remain extremely vulnerable. Adversaries also see these organizations as a gateway to bigger and more lucrative targets. This is the rationale behind the Cybersecurity Maturity Model Certification program associated with the U.S. Department of Defense's information security requirements for defense industrial base partners. For the most part, RSAC ignored this incredibly important and increasingly vulnerable market segment.
- The pace and scale of cybersecurity. In my mind, I see a curve where cybersecurity efficacy and efficiency improve incrementally over time. Generative AI will provide a "vertical leap" here, but improvements will still be incremental. The problem is that the cybersecurity domain and staff responsibilities are growing at a much faster velocity. Cybersecurity teams are now responsible for monitoring digital risks to executives and the brand, keeping tabs on a growing and ever-changing attack surface, perusing all forms of threat intelligence, bridging IT and OT threat prevention, detection and response, and so on. We live in a world where most, if not all, threats contain a cyber component -- placing more emphasis on an effective cybersecurity program and the individuals involved. I just don't see the themes and messages at RSAC reflecting this reality.
Many organizations see these things coming, throw up their hands and surrender aspects of cybersecurity to service providers. That situation was loud and clear at RSA Conference, with managed security service providers (MSSPs) and managed detection and response vendors around every corner. That makes sense, but MSSPs face the same dynamic realities. Are they built for massive scale? Can they automate effectively? Do they have the resources and technology architectures for growing cybersecurity responsibilities? Many won't have the wherewithal for the long term, leading to failures, mergers and more.
How to improve the state of cybersecurity
What needs to happen? If I were an omnipotent overlord of cybersecurity, I would do the following:
- Mandate CISO education to corporate boards, executives and hiring managers. This is an easy one to recognize, and it tends to occur organically after a major cybersecurity event. But that's too little, too late. Perhaps further regulation will drive this, but it needs to happen. Note to directors and CEOs: A bump in CISO compensation -- with directors and officers insurance -- is a lot cheaper than the cost of a data breach.
- Think architecture, not platforms. Whether you adhere to Enterprise Strategy Group's security operations and analytics platform architecture or Gartner's cybersecurity mesh architecture, security technologies must be built for integration and composability. I'd like to see more industry cooperation on open standards here because it's everyone's job to protect all our digital assets.
- Prepare for advanced analytics. Future cybersecurity investigations will require more on-demand data sources, better visualization and sophisticated analytics capabilities. Think Palantir-like link analysis for cybersecurity.
- Push zero trust everywhere. Job No. 1, or 1a, for every organization should be constantly reducing the attack surface. Zero trust can help, end to end. The U.S. federal government recognizes this. By Sept. 30, 2024, U.S. government agencies are required to have completed 19 specific tasks aligned with the five pillars -- identity, devices, networks, applications and workloads, and data -- of CISA's Zero Trust Maturity Model. Private sector firms should follow the federal government's lead.
Yes, I know, RSA Conference is supposed to be a party and I sound like an old curmudgeon. It's worth accepting this title for the chance to remind the industry at large of the mission we are all a part of.
Jon Oltsik is analyst emeritus and founder of TechTarget's Enterprise Strategy Group cybersecurity service. With more than 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity.
Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.