IANS was a research partner and our Faculty presented during multiple sessions at the 2024 RSA Conference in San Francisco. RSAC is the central meeting place for the cybersecurity community, with more than 500 sessions and 40,000 security professionals and luminaries in attendance. Nick Kakolowski and Gina Glendening, two of IANS’ senior research directors, and Mark Clauss, chief product officer, were there and are now sharing their reflections on RSAC 2024.
Five questions with IANS Research team members from RSAC 2024
1. What stood out for you from the keynote stage?
Nick: The presence of Secretary of State Antony Blinken was an eye-opening reminder of just how critical cyber has become in our society. His remarks on the systemic disruption happening in the industry captured the scope of change underway and set the tone for the week.
Gina: I always appreciate the macro-level observations, insights and data from the keynote speakers. These sessions are a great reminder of how the day-to-day operations of the industry relate to the bigger goals at hand. They cover the common challenges and opportunities our peers face and provide collective intel and insight sharing that benefits the community. My annual can’t-miss session is “The 5 Most Dangerous New Attacks” panel moderated by IANS Faculty member Ed Skoudis. Yes, there was obviously mention of AI, but what I found interesting was Johannes Ullrich’s callout of the security impact of tech debt. This is something so many can relate to and, typically, just accept as part of their environment. He reminded the community not just of the technical implications on enterprise security, but also of the impact on the security staff applying the patches—particularly when updates had been skipped for five, 10 or 15 years.
Mark: Community was a theme specifically noted in Hugh Thompson’s conference kickoff but was also a subtle undertone in many of the vendor keynote messages. Community is more important now than ever. Burnout is real, staffing shortages continue and the day-to-day job of the infosec professional keeps getting harder. Lean on peers in the community to help solve challenges—don’t reinvent the wheel; chances are someone else has already figured out a solution. The sharing that took place across many of the RSAC sessions showed the value of community, as did the relationships that were built and reinforced at the conference.
2. What were some of the trending topics at RSA this year?
Nick: RSAC was marked by conversations around burnout and stress in the industry. Hiring continues to be a challenge and resourcing is tight across sectors. It’s creating a dynamic in which existing staff are stretched to the breaking point. Throw in more incidents and increased complexity and the result is a high level of burnout for infosec staff.
Conversations around AI were also unavoidable at the conference. There’s an odd mix happening here—there is real excitement around the potential AI can offer, but there’s also genuine frustration around vendors making big promises they aren’t consistently delivering on. The dichotomy is more evident when security starts interacting with the business. Executive teams are facing pressure to get first-mover advantage on AI, but the technology is moving too quickly for proper risk assessments. Folks are scrambling to update their risk management processes to keep pace.
Mark: I kept hearing infosec leaders voice frustrations around the increasing burden of complying with new regulations. Whether it was the gauntlet of new U.S. state privacy legislation, increasing global regulations or the anticipation of AI-related laws that are to come, infosec leaders struggle to find the time to ensure compliance and satisfy increasing third-party requests for validation of information security. Ironically, this escalating burden is making it harder and harder to spend time on actually securing the organization.
3. What about the topics the industry’s been grappling with for years—did you hear anything new or different?
Gina: There were two presentations that stood out to me: one on cloud security and another on zero trust.
Rich Mogull (IANS Faculty) and Chris Farris introduced what they’ve named the Universal Cloud Threat Model. The basic premise: In the public cloud, we’re generally on the same three platforms and face similar threats. They built a cloud-centric threat model to help orgs focus security efforts on the most-common attacks. They described it as the 90/90—the threat model for 90% of the cloud-related attacks 90% of organizations would experience.
The other session was delivered by IANS Faculty member Jason Garbis and aptly titled “Data Backup and Recovery: An Unexplored Corner of Zero Trust.” Here’s another topic we’ve been talking about for years, but Jason looked at it through the lens of the current threat landscape we live in and, in particular, the prevalence of ransomware. His core premise was that organizations should treat their backup and recovery systems as the critical assets they are, which led to the question: Why don’t we apply the principles of a zero trust approach to data backup and recovery? Even the functions within the data pillar of CISA’s Zero Trust Maturity Model don’t directly relate to data backup and recovery. His session introduced what he called Zero Trust Data Resilience. He then outlined the principles, reference architecture, added maturity model functions and how to apply this to your environment.
4. What was your favorite part about being on site this year?
Nick: Connecting with the people. The passion and selflessness of the infosec community is humbling. Seeing so many practitioners striving to connect, learn and share insights in one place is incredible. Even as the industry copes with persistent stress, folks are constantly willing to help one another and are genuinely invested in making cyber better.
Gina: I agree. This year and every year, it’s always about the people. It’s great to be in person to meet up with colleagues, partners and friends, and meet new ones, too. I’m a firm believer that great people know great people. Having everyone in one place to make those introductions and extend your network… it’s invaluable.
5. What was IANS’ presence at the RSAC this year?
Nick: I had the honor of getting on stage with Faculty member Steve Martano to talk about findings from our 2023 CISO Compensation and Budget Survey. Steve is so uniquely positioned to provide valuable insights on personal career development for CISOs and staffing for cyber teams that it’s always great to pick his brain in front of an audience. The folks attending the session asked fascinating questions and we had a blast.
Mark: IANS Faculty presented again and again across the week, and I had the pleasure of listening to many of them. Jake Williams’ session “Supporting the ‘Have Nots’—Securing the Organization with a Small Budget” stood out to me. For large companies, budgets are not growing as fast as they have in the past, and many smaller companies without significant resources are finding themselves in the crosshairs. So many phones went up in the air taking pictures of his slides throughout his session that it was clear this topic struck a nerve. If you are in “doing more with less” mode, this is a must-download session.
Gina: In addition to Nick and Steve’s and Jake’s sessions, there were so many IANS Faculty sharing insights on stage at RSAC—from Wolf Goerlich, JJ Minella and Bryson Bort to Masha Sedova and Ismael Valenzuela… I could go on and on. And even more were in attendance.
About the IANS Faculty
Our Faculty comprises more than 125 renowned security practitioners with deep, domain-based knowledge who understand—firsthand—the challenges faced by CISOs and their teams. IANS connects clients with Faculty to help them make better decisions, grow professionally, save time & stay compliant. Get in touch to learn more about how we can help move your security program forward.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.