In this special report from the RSA Conference, we hear from seven of the team who were there at the event. It’s a set of quick takes on the latest trends and take aways from the conference in discussions with host Eric Hanselman. Whether it’s AI, cybersecurity or M&A, there was a lot going on and a lot to sort out.
Guests:
Scott Crawford, Research director for information security
Garrett Bekker, Principal research analyst
Dan Kennedy, Principal research analyst
Paige Bartley, Senior research analyst
Mark Ehr, Principal research analyst
Justin Lam, Senior research analyst
Brenon Daly, Research director, M&A
Subscribe to Next in Tech
SubscribeEric Hanselman
Welcome to Next in Tech, an S&P Global Market Intelligence podcast where the world of emerging tech lives. I'm your host, Eric Hanselman, Chief Analyst for Technology, Media and Telecom at S&P Global Market Intelligence.
And today, we're doing a special edition of the Next in Tech podcast, coming to you from the RSA Security Conference in San Francisco. And we're getting highlights from the analyst team who is out here with me about what they're seeing at the conference, what their quick takes are, what their thoughts are about some of the important and impactful things that are happening.
With that, I'll turn it over to the analyst team live from the RSA conference. So Scott Crawford, the Research Director of our Information Security team, Scott, what are your thoughts about RSA so far, now that we're here in the middle of it.
Scott Crawford
We are definitely in the middle of it, Eric. The madness is fully underway and much of it is what we always expected from RSA. It's great networking opportunity, great opportunity to see what's going on in the business of technology. There's a lot of hype. There's a certain circus atmosphere to this as well, too, but that is the overall experience.
Overall trends that we've seen, we did expect AI to be very much front and center in front of the audience this year. That is the same, but there's some differences now. I wouldn't say it's necessarily more subdued, but the initial hype seems to be getting more into how do you actually integrate this with productivity, how do you actually make it pay off.
Eric Hanselman
Real delivered value for some of the lofty ambitions that we've heard coming into this.
Scott Crawford
As opposed to assumed crash positions, which is what we went into 2023. We see a lot of that. We've also seen some elaboration as well, too. Large language models, next major iterations are probably coming out this year. But one of the topics that I haven't heard a lot about that is the rise of small language models and more focused, more trainable, not so large because they're fit to purpose.
That's a good thing in and of itself, but it poses challenges for security people as well, too, because there's going to be a lot of them. Models sprawl the control of data. All these things are factoring into the rise of AI and security. And you've seen much of the same thing, I know, in your talks that you've been doing this with.
Eric Hanselman
That, we have indeed. All right, we'll have to see what else shakes out. But thanks and hang on to those steps. We'll get moving for the rest of the conference.
Scott Crawford
All right. Will do. Thank you very much, Eric.
Eric Hanselman
I'm with Garrett Becker, part of the analyst team. Garrett, what are your thoughts about RSA so far?
Garrett Becker
It's overwhelming, to some extent. It's getting bigger and bigger every year. I can't believe I've been coming here for -- what do they call it if you've been doing more than 20 or 25 years? A legacy member or something, so you get you a little pin. So that's fine. But I cover identity, so I've got a vested interest in all things identity. And it's just impressed upon me how identity seems to be everywhere, even in unforeseen places. Most of the talks I go to, you'd be surprised where identity comes up as an issue, whether identity being part of an attack and a credential being stolen or what have you.
Eric Hanselman
it's certainly something that's come to the fore with ransomware, now with AI and access, all the control pieces.
Garrett Becker
Yes, 100%. In fact, even in unexpected places, like when I got on the elevator the other day. In my hotel, you have to use a swipe card to pick your floor and get up in the elevator. Invariably, you get into the elevator, and somebody in the elevator doesn't have their card.
So you reach over and swipe before them, which I joked to one of my elevator passengers that it's basically the equivalent of a shared password, right? So I'm basically trusting -- it's the opposite of zero trust. I'm basically trusting this person that they're worthy of going up to their hotel room.
Eric Hanselman
Maybe we should be going to password-less in hotels.
Garrett Becker
100%. So when I think about password-less and how I think, one, we need to do a better job of getting multifactor authentication everywhere because, in most firms, it's still not that widely adopted. There's still a lot of room for growth. So there's my take.
Eric Hanselman
Goal, thank you. Well, get back out into the show. Thanks.
Garrett Becker
Thanks, Eric. It was a pleasure.
Eric Hanselman
I'm here with Mark Ehr, a part of our security team. Mark, what are your thoughts about RSA?
Mark Ehr
Yes, it's been an interesting conference. I've been spending a lot of time with the CNAPP, Cloud Native Application Protection Platform, vendors which are in 3 camps right now. We've got the established start-ups, a couple of which have gotten well over $1 billion in funding, and they're spending it all over the place. There's lots of cool booths and doughnuts and t-shirts and all that sort of thing.
Eric Hanselman
All of the essentials for cloud protection.
Mark Ehr
Yes, and for drawing hordes of people to your booth, right? I know we've got the hyperscalers which are coming up, they're a little bit behind, but they're all building their own CNAPPs. So the interesting thing is you got the startups saying, "This is why you should go with us and not with the hyperscalers." The main message is really around do you want to be multi-cloud or do you want to go single cloud.
And then we've got literally dozens and dozens of true startups that all provide a tiny little piece of CNAPP, but they're calling themselves CNAPPs. So my whole message, I think, is if you're a CNAPP player, it's got to be really confusing out there, now not only trying to depict the vendor to go with, who's going to be around and not be acquired in a couple of months, versus going with the tried and true and maybe with a supervisor or a [ stamped ] vendor.
Eric Hanselman
Goal. Thank you very much. And there's much more to see in the show.
Mark Ehr
Oh, yes. It's going to be great.
Eric Hanselman
Thanks, Mark.
Mark Ehr
Thanks, Eric.
Eric Hanselman
All right. I'm here with Paige Bartley. Paige, there's a ton of things going on at RSA in your area. What are you seeing? And what are your takes?
Paige Bartley
Of course. So the hot topic du jour is AI and gen AI.
Eric Hanselman
I've heard of that.
Paige Bartley
Yes. I think we all have at this point. And last year, it was a hot topic as well. But this year, I think with the vendor community, the messaging around gen AI has been toned down a little bit in terms of product functionality. So the way the technology is utilizing gen AI or AI has been muted a little bit because the attendees, the purchasers of technology, have become a little bit bored of the hype, right?
Eric Hanselman
There has been no shortage.
Paige Bartley
Yes. They need more materiality in the functionality of their products. And what organizations are trying to do today is that there's technology AI in the sense of the organization is trying to build and utilize AI, but they're also trying to purchase AI as well.
So on the purchase side, the AI messaging is a little bit muted, but that in no way is decelerating how organizations are trying to build and accelerate their AI outcome. So I think the focus has shifted to how organizations are implementing, building their own AI, addressing the cultural and technical issues there.
So when it comes to data privacy and data governance, how are you going to govern your data, govern your culture implement the privacy controls that are necessary, especially around unstructured data and content as organizations are looking around the dusty corners of their organization for new data sources or, rather, newly utilized data sources.
We're looking at e-mail archives, things that maybe have not been touched in years to interact or interface with these technologies as sources of data for prompts, for model building. If you're looking at something like an archive, it may not have the controls around it for privacy, for governance, that are needed because historically, these have been used for storage optimization, for things like eDiscovery. They're not built for supporting data processing.
And so these are the issues that are arising now, how do we optimize these environments, these repositories that historically have not been built for an era where gen AI and data processing is the focus.
Eric Hanselman
Yes. It presents some significant challenges because these are data sources where, to your point, we've got to manage access controls that are there and data quality.
Paige Bartley
Absolutely.
Eric Hanselman
Well, a lot of things to tackle at this RSA, but I guess a lot more to see.
Paige Bartley
Yes, both cultural and technical and process-oriented.
Eric Hanselman
Aren't those always the problems we face in regulatory environment?
Paige Bartley
Of course.
Eric Hanselman
Thank you. I'm here with Dan Kennedy. Dan, what are your thoughts about RSA?
Daniel Kennedy
It's always something every year. I guess there's about 40,000 people here. So crowded would be my first thought compared to when I started coming here a number of years ago. The conference has a lot of success, a lot of interesting products on the floor.
We do the end user studies here, voice of the enterprise. I'm always matching up pain points, which I tend to get to data back right before this conference. It's in my head what CISOs are complaining about or where their challenges are, and then I'm approaching the show floor and the vendors I meet with that in mind.
But one of the key pain points that came out just is generative AI. And there's a couple of flavors to it. It's securing employee use of generative AI, and it's a lot of enterprises creating their own LLM-based products for internal use and trying to understand how to test these things.
And I'm hearing stories, bringing traditional red teamers, them interacting with developers who are working on these systems. And there is friction. It's the classic, "Developers don't always understand all the security implications." But now it's a type of developer. It's a developer on steroids that are working on these AI systems. So the interactions are very interesting.
I've seen solutions. It's funny, a lot of vendors are finding themselves able to offer generative AI answers to employ usage based on existing products that sit at the perimeter and measure traffic. So they're saying, "Okay, just surface all the times the requests are going to Open AI and capture them. We want to see what employees are doing, what are they putting in, what data are they giving to these LLMs."
All the concerns you can imagine that came up last year, folks are starting to meet that with solutions. Some of them are -- it's funny. They're not that complicated. But they're answering our critical need.
Eric Hanselman
And in fact, you can do what you need to get done from at least a first principles perspective with some of the capabilities you already have in your environment and the kind of things that you're working with in terms of what you've actually got in terms of available. That seems to go against maybe a lot of the AI-specific security capabilities that are out there. Maybe you can get it done with something that's a little simpler?
Daniel Kennedy
It's interesting. A lot of the communication are API requests. If you have something monitoring your APIs, all of a sudden, "You know what, surface all the ones that are going to a popular generative AI input screen. Show me that people aren't putting in our customer list, our intellectual property," so on and so forth.
So it is interesting. You can start to see requests from the outside that look like attempts at mild poisoning. So you can do it both ways. And yes, it's nice for me because when I see that critical pain point and then I see the industry trying to do something about it, I think, okay, we're not there yet, we're on our way there.
Eric Hanselman
We're on the right path to be able to address some of this stuff. Goal, thank you, and clearly, much more to see out there at the conference.
Daniel Kennedy
Very good. Thank you, Rick.
Eric Hanselman
And I'm here with Brenon Daly who heads up our M&A team. Brenon, what are your thoughts about what you're seeing in RSA?
Brenon Daly
I'd say it's a difficult RSA for many of the vendors. And I think we're seeing that kind of reflected with a few clouds over the sunny skies, otherwise sunny skies, here at Moscone Center. And I think it largely comes from still working through some of the extravagances and the overhang from 2021.
So when we think about RSA 2024, it's the inverse of RSA 2021. RSA 2021, valuations were up. We were minting 40, 50 unicorns in the information security market; now, not so much. In fact, we're selling off those unicorns at a half-off sale.
So it's very different, it's a change in environment. It's the first real down cycle, I would suggest, that the information security market has hit. Markets are cyclical. And up to this point, information security, probably more than any other industry, has had a favorable run. And now it's hit a tough time.
Eric Hanselman
But it's not exactly a bargain bin out there, right?
Brenon Daly
It's not, no. It's still a premium category, probably always will be, at least in our working lifetime. So there is some downside protection, but the initial balloon is off. And that's important because we got well ahead of ourselves. We got overextended, the industry, both in terms of funding valuations, M&A valuations, assumed growth rates. Whatever metric you looked at was probably too high 3 years ago.
Now it's probably about half of what it was before, both in terms of exit valuations and assumed growth rates, right? When we think about some of the larger cap publicly traded companies, growing 30%, 40%, 50% in 2021, now maybe growing 15%, 20%. It's that sort of deceleration, which not only slows the business, slows the M&A appetite, lowers the valuation but, most importantly, and I'd suggest this has been my takeaway at 2024 RSA here is, what does the go-forward rate look like?
Okay, if we're not going to grow at 30% or 40%, are we going to continue growing in the mid-teens or 20%? Do we split the difference and go back up to 30%? What is the sort of new normal or the natural level of growth in the industry? And that still is very much in flux. I think whether it's a public company, a large cap or a private company just getting started in a start-up land, it's really difficult to see what the growth rate for 2024, the balance of 2024, and even into 2025 what that would be.
Eric Hanselman
I guess we'll have to see how this pans out, but a lot more to pay attention to. Thank you.
Brenon Daly
Absolutely, Eric. Good to see you again.
Eric Hanselman
I'm with Justin Lam, a senior analyst on our security team. Justin, what are your thoughts about what you've been seeing at the RSA conference?
Justin Lam
Hey, it's been a really great conference so far. Just lots of innovations going on. And I think one of the things that's most intriguing for my area of research is the sheer amount of opportunity that's out there. I think that there are just newer and newer use cases that are coming out around securing data.
And in general, I think that there's a challenge for our data security providers and data security practitioners out there to be able to seek other audiences who have to work with or live with new controls in an ever-changing environment. There's many great controls that are out there, many great technologies that are out there. The trick is really operationalizing them over time and having them be operational within the different lines of business, among the different technology stacks.
And so it'll be really interested to see how that all pans out as we go further on, especially in the advent of many different lines of business wanting to use and further extend their usage of generative AI. Being able to have a secure foundation for the data as I go use that generative AI, that's going to be imperative. So those are the things that we'll be looking out for after RSA in the coming weeks and months.
Eric Hanselman
Especially when we look at all of the challenges that we're facing with data controls around AI, a lot to do there.
Justin Lam
Yes, for sure. 4 out of 10 vendors, by my estimation, are about AI, generative AI and data security from the innovation sandbox. And there's many more who are looking to not necessarily convey a sense of fitness around data security but more or less around readiness. And I think that's an imperative difference to explore in the coming weeks and months.
Eric Hanselman
And we got to be able to put this to work. We'll see where this goes. Thank you, Justin.
Justin Lam
For sure. You got it. Thanks, Eric.
Eric Hanselman
And that's that from our team at the RSA conference. I hope they're interesting perspectives. And thank you for staying with us. Thanks to our production team, including Caroline Wright, Sophie Carr and Kate Aspland of the Marketing and Events teams; and our agency partner, the One Nine Nine.
Please keep in mind that statements made by persons who are not S&P Global Market Intelligence employees represent their own views and are not necessarily the views of S&P Global Market Intelligence. I hope you'll join us for our next episode where we're going to be discussing AI, data management and strategies. I hope you'll join us then because there is always something Next in Tech.
Copyright © 2024 by S&P Global Market Intelligence, a division of S&P Global Inc. All rights reserved.
These materials have been prepared solely for information purposes based upon information generally available to the public and from sources believed to be reliable. No content (including index data, ratings, credit-related analyses and data, research, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of S&P Global Market Intelligence or its affiliates (collectively, S&P Global). The Content shall not be used for any unlawful or unauthorized purposes. S&P Global and any third-party providers, (collectively S&P Global Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Global Parties are not responsible for any errors or omissions, regardless of the cause, for the results obtained from the use of the Content. THE CONTENT IS PROVIDED ON "AS IS" BASIS. S&P GLOBAL PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT'S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Global Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages. S&P Global Market Intelligence's opinions, quotes and credit-related and other analyses are statements of opinion as of the date they are expressed and not statements of fact or recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P Global Market Intelligence may provide index data. Direct investment in an index is not possible. Exposure to an asset class represented by an index is available through investable instruments based on that index. S&P Global Market Intelligence assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P Global Market Intelligence does not act as a fiduciary or an investment advisor except where registered as such. S&P Global keeps certain activities of its divisions separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain divisions of S&P Global may have information that is not available to other S&P Global divisions. S&P Global has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P Global may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P Global reserves the right to disseminate its opinions and analyses. S&P Global's public ratings and analyses are made available on its Web sites, www.standardandpoors.com (free of charge), and www.ratingsdirect.com and www.globalcreditportal.com (subscription), and may be distributed through other means, including via S&P Global publications and third-party redistributors. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.
© 2024 S&P Global Market Intelligence.
No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor's Financial Services LLC or its affiliates (collectively, S&P).