In this week’s episode of the Virtual CISO podcast, your host John Verry, Pivot Point Security CISO and Managing Partner, shares his valuable insights from the 2023 RSA conference. As the security industry evolves, with an increasing number of vendors and products, John advises against adopting a product-based security strategy. Instead, he recommends having a clear plan to address specific security challenges.
Tune in to this episode to hear John’s eight key takeaways and the latest developments from the 2023 RSA conference, and to gain valuable insights to enhance your organization’s security posture.
In this episode join us as we discuss:
- Privacy will drive data governance
- Data security posture management
- Zero trust: a model rather than a product
- AppSec and API security
- 90-day TLS certificates
To hear this episode and many more like it, we encourage you to subscribe to the Virtual CISO Podcast.
Just search for The Virtual CISO Podcast in your favorite podcast player or watch the Podcast on YouTube here.
To stay updated with the newest podcast releases, follow us on LinkedIn here.
See below for the complete transcription of this episode!
Intro Speaker (00:05):
Listening to the Virtual CISO Podcast, providing the best insight on information security and security IT advice to business leaders everywhere.
John Verry (00:18):
Uh, hey there, and welcome to yet another episode of the Virtual CISO Podcast, uh, with you as always, John Verry, your host. And I am flying solo today with eight takeaways from the RSA 2023 conference. Uh, first was that it is an absolutely overwhelming show. If you have not been to an RSA conference, it’s hard to describe. Uh, order of magnitude of 40, 45, 50,000 people, 500 plus vendors, literally miles of walking per day, just walking through the booths. Uh, hundreds and hundreds of sessions on different types of security topics. Lots of offsite meetings, lots of offsite activities, dinners, drinks, after parties, uh, just absolutely nuts. The second takeaway is security is becoming more and more complex. You know, I’ve been doing this for 20 plus years, uh, and I was walking around the show and I was amazed that probably 10% or 15% of the booths, I wasn’t quite sure what they did.
(01:16):
You know, at some points, I would just put up my hands and go, okay, I give, guys, what, what is it that you do? Um, you know, there were 500 plus vendors there, and that’s out of a universe of at least 10 times that. So it’s increasingly difficult for, uh, organizations to figure out what they should be doing or what products they should be using, uh, to solve their security problems. Um, part of this is marketing. Um, what I found was that the messaging was either too vague or too differentiated. Uh, when I was, you know, look, walking around and talking to people, it might start as vague as we do software security, which really doesn’t help. Yeah. Then they might break it down. We do open source software governance, or we do software composition analysis, or we do SBOMs, or we do SPDX. Those are all effectively the same thing, you know, just different levels of granularity.
(02:03):
But if you’re not familiar with SPDX or not familiar with SBOMs or software composition analysis, you’re gonna struggle walking around. Uh, another part of that problem is what I’m gonna call product overlap. So there was a lot of cloud, uh, security posture management, which is a hot field and an important field right now. And within CSPM there’s lots of elements, right? There’s asset discovery, there’s asset management, there’s vulnerability management, cloud infrastructure entitlement management, uh, container security, secrets management, and cloud incident response. And that’s, there’s still a few more than that. Um, what was very interesting to me is you can buy tools that cover just one of those and do a, a very deep dive into that. Or you can buy very complex tools that are able to cover all of those and more, which is also one of the challenges to figuring out what you should be doing.
(02:55):
Um, I’m always looking to try to read tea leaves, uh, you know, when I go to these types of conferences, and it was, uh, that was even challenging. So how can you tell if a certain market sector is, you know, either over or underrepresented? So, as an example, 40 of the roughly 500 vendors there were focused on API security. Um, and let’s say less than 10 were focused on privacy, and there were very few GRC platforms, that surprised me. I, I don’t, I think this particular conference, I don’t know if you can read tea leaves or, or are we looking at what companies were funded by venture capital firms in the last couple years? Um, so I would say there was an overrepresentation of venture-backed companies looking to make a name. I can’t tell you how many times when I was chatting with people, you’d get the, well, we just recently raised another $5 million in our Series X.
(03:47):
The other thing that was interesting is it’s hard to tell where a company sits in the food chain and how successful they are based on their, their booth, which is, it used to be a way that I would do it. Um, there were companies that were pre-revenue or generating very little revenue that had six or eight exhibit spaces, multi-floor booths that were like, amazing. They, it must have cost them $500,000 to be at this conference and to create this booth. Yet, uh, I stopped in to see a friend of mine who works at SGS, which is a global $7 billion, uh, company, and they had a very, very modest booth. So interesting.
(04:26):
So trying to figure out whether or not I should go back to RSA next year. And I think that that’s gonna depend, um, you know, whether key partners are there that we’re working with, and there’s an opportunity to build relationships, whether there’s a specific set of products that we need to deliver, uh, that we’re looking for to help deliver our services. That was what I was there this year for, um, you know, we’re looking for private pro, uh, some good products that do automated data discovery in the privacy space. We’re looking at tools to do good cloud security posture management, and then some, uh, tools that would help us instrument some of our customers’, uh, DevSecOps pipelines. Um, so again, if we’re looking for those types of products, it is a very product-centric, uh, show. Good place to do that. Uh, um, or if we’re looking for products that we would be able wanted to recommend to our customers, we have this concept of called the trusted ecosystem.
(05:16):
Those are products that we vetted and seen, uh, and comfortable, we’re comfortable with and we’ve seen success with, with other customers. Uh, so looking for products to fit into our trusted ecosystem as well. One of the questions you might have is, should you be thinking about going to RSA, uh, next year? As sort of the third takeaway, if you’re going to go to RSA, it’s, and make it worthwhile, you really need very, I think, specific reasons to attend and a ton of planning. As I said, it’s very product-centric. So if you’re going there to find consulting services or you’re looking for, you know, something like you’re looking for penetration testing or you’re looking for, uh, someone to do external auditing and things of that nature, not really the right place to be. Another caveat is I found that it’s a very Global 2000-focused show. You know, most of the products are servicing that space or servicing that space first. So I would not think this is the best show for SMEs and definitely not for SMBs. Um, it is very end user organization focused. So if you’re a service provider like Pivot Point Security, someone who’s an MSSP, someone who’s a managed cyber security compliance provider, um, looking for products and platforms for delivering your services, I would say that there was limited picking for that type of, uh, circumstance. Uh, there are a tremendous number and diversity of learning options. So if you were looking to go to up your knowledge, probably a good place to go.
(06:44):
Uh, if you do choose to go, uh, some things I did wrong, book your hotel early. I thought I booked early, I booked months ahead. Uh, and yet I was in a, in a not great hotel, uh, 20 plus minutes away, uh, which definitely impacted, uh, you know, getting around, losing time, things of that nature. Uh, have a plan, and I mean, a very specific plan. Um, you know, whether it’s around education, whether it’s around technologies, whether it’s about meeting with specific vendors. Um, book as much of this as you can in advance, book all your meetings. I booked a bunch of meetings and still didn’t book enough. Uh, and there were certain products and services that I was not able to actually meet with the people there. I’ll have to kind of follow up offsite. Uh, also be aware that, uh, there are a lot of off conference meetings.
(07:28):
So, you know, I met multiple times with, with companies that were not actually at the conference, but they, uh, they were backed by venture capital firms that had suites at major hotels like the Marriott Union Square, and you were going over there to see the product over there, or talk to their product engineers there. Um, have a plan for evening events. I didn’t do as good a job there as I could have. Uh, there is a lot going on in the evening. Lots of different vendors host lots of different, uh, get-togethers for different reasons. Make sure that you’ve, uh, you, you’re planning well. And then also have a plan for travel, whether it’s buses, how are you going to get where you need to get. Um, I was overreliant on Uber and, uh, you know, coming out of a conference one day at six o’clock, uh, with surge pricing, uh, a ride that should have cost me $12, cost me $50 <laugh>.
(08:14):
So, uh, fourth point, and now more than ever, I think a product strategy is dangerous. I’ve always said that, um, when you meet a CISO and you ask ’em about their information security program, if they outline a group of products, that that’s probably not a very good CISO, cuz products are not what solves, products are not the answer to the security. It’s a, you know, it’s a security strategy, it’s understanding risk, and then it’s selecting products or subsets of products that match up with the, with those particular risks. So I would encourage you to go to market with very specific problems. Um, don’t get caught up in the nice to have, remember we talked about the, these like, so as an example, if you look at Wiz and whether one of the cloud security posture management tools, they’re an amazing tool in terms of all of those areas that I outlined before.
(09:02):
And then some are things that they can cover and your tendency would be like, well, why don’t I use that? I only need, I only need, uh, uh, the discovery and asset management and vulnerability management right now. But it does all these other things. I would say concentrate on the need to have, not on the nice to have. Cuz what you find in practice every day is that you really never have the time to get it implemented. I can’t tell you how many of, uh, you know, what percentage of expenditures and products that have been implemented in client environments really are not, uh, heavily utilized or not, you know, they’re not taking advantage near advantage of the full product suite. Um, unless you are very well staffed and funded. One of the observations is, uh, that platform vendors are the way to go. Um, best of breed approaches are wonderful, but they’re very, very hard to execute.
(09:55):
Uh, without encountering, you know, what I’ll call product gap, a knowledge gap or coverage gaps. Um, the idea of keeping up with the training, the integration, uh, the complexity of managing, um, up to, you know, 50 to a hundred products. So, so I, I saw a talk with a financial analyst out there and he was talking about their research shows that some of the larger companies, Global 2000 will have 50 plus. Some of them have a hundred plus different security products. Uh, just keeping track of that, keeping up to speed on it, keeping them all operational, making sure people are getting changes, uh, keeping those products updated as new releases come out, uh, makes it, you know, almost impossible. Even smaller companies that we work with have dozens of products. Um, so, you know, the idea of going to a, a platform vendor with a robust strategy, um, is going, is growing I think in importance in that space.
(10:48):
There was a lot of push where, uh, XDR and SIEM are being combined, uh, just for that reason. A lot of talk there. Uh, a lot of emphasis there with regards to that. And I think that’s a great example of, of two products that ideally you would purchase together and they would work seamlessly together. So I do think you’re going to see certain companies benefit from this increased complexity, uh, groups like Microsoft or Palo Alto or Cisco or Fortinet, just to name a few. Um, a secondary benefit to kind of investing in these more tried and true platform vendors is they’ve been around the block a little bit. Um, and, you know, investing in a hot startup, you know, one of these new, you know, new products of the year type products, um, can be risky. So I was speaking with an analyst at the conference.
(11:34):
Uh, one of the companies he follows at last year’s conference, they had just hit a $3 billion valuation. Um, they just had to go to market and raise a hundred million dollars cuz they, they, they’re burning through cash and they haven’t hit run rate yet. Uh, that a hundred million was now at a 300 million valuation. I know that sounds like a lot, you’re talking about a company that lost 10x valuation in a short period of time, and this particular analyst’s opinion is that their long-term prospects are not good. Uh, so the other thing that I thought was very interesting is the same analyst, uh, that I was talking with and a secondary analyst that I was talking with was kind of odd. I kept running into financial guys, uh, and having long conversations about the business side of the business. Um, but one of the lines that he said, and, uh, specifically was, you know, quote unquote, the current number of vendors in this market is unsustainable.
(12:27):
Uh, a sixth point that I noticed is AI is coming, but it is not here. That was one of the things that I was really looking to see is what was gonna happen. Had a lot of interesting conversation with folks on who is going to benefit more from AI, uh, will it be the bad guys or the good guys? I tend to lean towards the good guys. If you think about one of the main benefits of artificial intelligence and machine learning is that it makes finding needles in haystacks easier, which is really what the detection or the early detection of security incidents are. So I think we are going to benefit a little bit more than the bad guys. Uh, there were a couple interesting use cases of, um, of ML, you know, large language models that I did see while I was there. Uh, so it’s starting to get there.
(13:10):
One was automatic grouping of potentially related events into an incident. So, uh, that was interesting. So, you know, as you pulled up an event, they would say, these, based on our so-and-so engine, we believe these might be related events, which was very helpful and very cool. The other one was the natural language processing of, uh, of queries. So rather than having a query, so let’s say you’re worried about crypto bot and you know, with a current tool, what you would do is you would maybe search for indicators of compromise and you’d have to know what the syntax is and what field that that might be stored in. Or you’d be maybe looking at the ports that it’s known to communicate on, or maybe you would be, uh, looking for, whether it was communicating with an FQDN or IP address, uh, for a command and control center, or maybe there’s a communication periodicity you’re looking for, uh, with natural language processing.
(14:01):
What you’re able to say is, are, is there any evidence of crypto bot, uh, in my, in my environment? And the artificial intelligence would run those search, is smart enough to know that and would run those searches in such a way and bring back all that data. I thought that was pretty cool and pretty promising. Uh, seventh takeaway was privacy will definitely drive data governance. This is something I’ve been talking about for a while. Once you get to a point where you know exactly what you know, what information you have, exactly where it’s being kept, how to retrieve it, how to delete it, how to manage it, which is what the requirements are. If you’re gonna process data subject access requests, you know, with, from GDPR or CCPA, why wouldn’t you wanna do that with all of your sensitive data? So there was a lot more talk about, um, data governance, information governance.
(14:48):
Uh, there is a new buzzword for it. And again, this is one of the ones where I had to ask, okay, hey, I give, what does this mean? Uh, but we hear people using the term data, data security posture management, which I thought was, was interesting. Um, so that, uh, that’s interesting and I think that is something that we will see, uh, increasingly, uh, important over the next couple years. Uh, there was a growing recognition in this particular conference that zero trust is a model, not a product. Too often you see people painting their products as being zero trust products. So I thought it was positive development that there was less hype, uh, and there was a much more, uh, strong illustration of how these tools, right, these products could help someone support and implement a zero trust architecture. Uh, eighth takeaway was shift left is in full swing.
(15:37):
You know, we talked about, uh, AppSec was probably the largest subset of the conference. Uh, you know, especially API security. There were, uh, somebody said they counted that there were 39 pure play API security, uh, vendors at the conference, which was amazing to me. Uh, there was a, an interesting level of talk with regards to what I’m gonna call security automation. Uh, uh, I think this is more and more critical, uh, given the global shortage of cybersecurity professionals. One of the, one of the companies there was promoting the fact that that number has gone up there. We, there are currently 3.4 million, 3.4 million jobs, excuse me, that are, uh, open right now. So this idea of automation, this idea of using technology intelligently, uh, to manage our cybersecurity programs, manage our compliance programs, definitely something critical. And then the last thing that I picked up on, which was news to me, is that 90-day TLS certificates are coming.
(16:41):
And, um, I think that’s going to drive the importance of automated certificate lifecycle management. We certainly don’t want anyone that is in the e in the, uh, e-commerce space or anybody that has a lot of, uh, drives revenue through their website, you know, the idea or, or anyone that’s a product vendor and, and clients are logging into a SaaS application. Um, certainly the idea that a TLS certificate expires is going to, uh, you know, reduce the number of people that actually, uh, get to your site. So, uh, with that, those are my eight takeaways from RSA. I hope you found ’em helpful.