Introduction
As we approach one of the biggest events in the cybersecurity year, our analysts share their perspectives on what they will be looking out for at the 2024 US edition of the RSA Conference (RSAC), coming up in May in San Francisco. What began as a gathering primarily for cryptographers has long since evolved into one of cybersecurity's landmark annual gatherings, with policymakers and industry leaders alike leveraging its role as a platform to call out the field's key themes — and the S&P Global Market Intelligence 451 Research team will be there for it in force.
The Take
The past year has been momentous for technology well beyond cybersecurity. Generative AI refocused strategic initiatives throughout the sector, while the broad economy came to grips with a combination of secular factors — from rising interest rates that sharply contrasted with the nearly-free credit of the pandemic era, to conflict and geopolitical tensions rising across the globe. Public sector entities have shown greater interest in weighing in on everything from holding public companies accountable for material cybersecurity breaches, to the security practices of major vendors and taking a stance on the evolution of AI. As always, cybersecurity has both been affected by and played a role in all of these, and the RSA Conference continues to serve as one of the primary venues where these topics and more will shape conversations across the security industry. Our analysts summarize those to which they expect to be particularly attuned at RSAC 2024.
Analyst perspectives
Scott Crawford, Research Director, Information Security: In 2023, our TL;DR on RSAC was "AI everywhere, all at once." This year we expect much of the same, especially given that many cybersecurity vendors have now introduced their generative AI assistants. To be dismissive of the hype would run the risk of obscuring an important fact: In many ways, the management of cybersecurity has grown beyond human scale. AI and automation hold promise for addressing such problems, in security and well beyond. The question is no longer whether AI will make a difference, but rather: Will we have confidence in it? Can we? And are organizations truly ready to take advantage? Their concerns about AI security, risk and safety are among the most frequently cited issues in our surveys — and in AI's case, the technology is advancing faster than we can consolidate its impact. At RSAC 2024, we expect the public sector, as well as businesses of all sizes, to be looking closely at what comes next.
Brenon Daly, Research Director, Financials: From a financial perspective, no other tech sector got further ahead of itself than information security. Both in terms of capitalization and valuations, information security soared above all others on the view that security budgets would never come down. But the days of effortlessly attracting top-dollar funding and premium multiples are coming under pressure from the economic reset that is playing out in the broader IT industry. Information security has only really done business in an "up and to the right" market. While the growth is still there, the pace has slowed. How will information security, which views outperformance as a birthright, handle a significant deceleration? What happens to all the priced-for-perfection information security vendors when a business turns less than perfect?
Eric Hanselman, Chief Analyst, 451 Research: The call to arms in the RSA overview talks about challenging the status quo, and there is a lot of entrenched security focus that could stand a bit of rethinking. Shifting security imperatives to business resilience is a good start. The technical aspects of security are often debated in isolation from business impacts. We have to think about protections for the business, not just the bits. It is a change that can address the ongoing issues that exist with user experience in access technologies. It is addressing the operational complexities that still exist in secure access service edge deployments. There is much more that we could be doing to make the integration of our siloed tool approaches easier to manage and better able to share context to enhance our effectiveness. Platform approaches sound nifty, but there is significant transition work for most to get there. I hope to find options at RSA that can make this shift real.
Dan Kennedy, Principal Research Analyst, Information Security: The theme of RSA 2024 is "The Art of Possible," with the description highlighting that "we must go beyond ones and zeroes." Ones and zeroes, an allusion to binary or on/off states, is an excellent metaphor for some of the challenges we face in application security, and the shift in issue prioritization we are seeing emerge in an operating space where there are too few hands on both the development and security side to address the number of issues our scanners are throwing off. No longer can the answer be "the CVE (common vulnerabilities and exposures) score is this," or "the scanner found this signature." Issues require risk-based context: Is the vulnerability reachable or exploitable? Is it being exploited, or is the code where it is present even used? Is the vulnerability exposed to the public networks? Answers to these and a host of other questions allow teams stretched thin to know where to allocate their time. At RSA, I will be paying close attention to application security solutions that have adjusted to this new usability requirement and have a coherent story around prioritization that goes beyond "a public database says this."
Paige Bartley, Senior Analyst, Data, AI & Analytics: It is tempting to dismiss conference taglines, but this year's RSAC theme — The Art of Possible — strikes a harmonious chord. As businesses seek to maximize data-derived insight and innovation, they must also balance data-derived risk. Yet there is rapidly diminishing tolerance for information security practices that create undue friction in the enterprise effort to leverage and generate business value from data. Hence, "the art of possible" underscores the proactive role that information security efforts and technologies should play in facilitating net-benefit business results. With workers rapidly adopting AI-enabled tooling and businesses seeking to gain competitive advantage via differentiated insight, there is more need than ever for security processes and technologies that will provide facilitating guardrails (not speedbumps) in the business effort to continuously innovate with data. Data privacy, data governance and data security practices are notably converging with the customer experience function, providing evolving opportunities to engage and build lasting relationships.
Garrett Bekker, Principal Analyst, Information Security: The RSA Conference has always provided a lens into the cutting edge of the latest security trends, and in that sense this year's conference will likely shed light on several recent and emerging identity-related topics, such as passwordless authentication and the rise of multi-device passkeys, new authorization approaches and standards for access control, the exponential growth of nonhuman or machine identities, the need to "shift left" and incorporate identity concepts earlier in the development process, and the growing importance of new methods that deal with the tricky problem of managing permissions and entitlements, particularly in cloud environments. Each of these new developments reflects the reality that 1) attacks on our identity assets and resources play a central role in most attacks and breaches, and 2) identity has thus gone from a largely operational tool to become a centerpiece of modern security strategies.
Justin Lam, Research Analyst, Information Security: Data security continues to blur the lines, involving a greater variety of stakeholders within and beyond the enterprise. While certain segments, such as data security posture management, have garnered large amounts of attention and funding, longer-term challenges remain for enterprises to properly correct and proactively prevent data security risks. No one doubts the vast quantities of risky data within an enterprise, or the legal and compliance responsibilities for stewarding it. The underlying fixes may be more difficult, and new controls might significantly affect end users, developers and consumers alike. As enterprises look to leverage generative AI through tools like Microsoft Corp.'s Copilot offerings, the underlying datasets users and their AI functionalities are "grounded in" should be a wake-up call for enterprises to understand and correct what data is being accessed and how. At RSAC 2024, we expect to see corrective measures fall into areas such as identity management, DevOps and even external applications where risk can be transferred.
Mark Ehr, Principal Analyst, Information Security: Cloud security has become a key foundational requirement as the pace of cloud adoption continues to increase. Cloud-native application protection platforms (CNAPPs) — which are composed of an integrated set of security capabilities including cloud infrastructure entitlements management, cloud security posture management, runtime cloud workload protection, infrastructure-as-code and container scanning — represent a hot market. CNAPP adoption rates are increasing, with 30-plus vendors standing ready to capitalize on opportunities — although sorting through the dizzying set of potential solutions is daunting. CNAPP M&A is active: 12 companies since 2021; nine of them in 2023 and 2024. Hyperscalers are also entering the market, seeking to leverage their position as technology and platform incumbents. Unsurprisingly, AI is being leveraged everywhere, from generative AI "assistants" to classic AI/ML. At RSA, I will be looking to vet CNAPP vendors' competitive advantages, road maps and strategic partnerships.