Transform. The RSA Conference 2022 theme captures the past 18+ months, personal and professional. We’ve been challenged and inspired, frustrated and reborn. Systems have changed, teams have shifted, priorities have evolved, and the attackers have dug in. Oh. And Executive Order 14028, Improving the Nation’s Cybersecurity, issued in May 2021, has pretty much impacted … everything (superficially or long term, time will tell). We’ll start there as we look at cybersecurity trends through the lens of RSA Conference 2022 speaking submissions.
- Zero Trust: What Is “It”?
Zero Trust-focused submissions have steadily increased over the years, but the May 2021 directive to “adopt Zero Trust cybersecurity principles and adjust network architectures accordingly” turned up the volume. Vendor submissions often seemed rooted in whatever the vendor’s primary tool offering happened to be (identity, data encryption, network control, endpoint technologies), and breadcrumbs of “Zero Trust” could be found far and wide. Debate ensued within the Program Committee as we grappled with where we are on the maturity curve, which problems are uniquely served by a Zero Trust approach, and what, really, Zero Trust even is, despite the fact that the US Federal Government has been talking about “it” since 2009.
- Ripple Effects of the SBOM
We had two sessions squarely focused on SBOM on the 2021 agenda; 2022 submissions numbered in the dozens, again responding to the EO’s software supply chain requirements on third-party software suppliers. Submissions explored the challenges SBOM creates, concerns around application lifecycle management, the legalities of what it means when partner code fails, and the challenges of really maintaining code, be it commercial or open source. We also saw discussions related to insider threats and the potential for an insider leaking component details from the SBOM. Expect sessions touching on SBOM across a variety of tracks, from DevSecOps & Software Integrity to Open Source Tools to Protecting Data & the Supply Chain Ecosystem.
- Supply Chain Challenges
Colonial Pipeline and Kaseya replaced SolarWinds as the main attack callouts, and the “INAMOIBW” sentiment (it’s not a matter of if but when, introduced in our 2015 trends blog in response to attitudes around breaches) ran heavily through the ransomware-related proposals. Submitters explored the challenges specific to NPOs and SMBs in the supply chain and the exposure points they can create, and provided firsthand accounts of their experiences as well as the legal, governance and fiduciary challenges that cyber-insurance policies introduce around the “pay or not” question. The cyber-physical connection has continued to grow as our community grapples with growing threats.
- Passwordless Breaks Through
The shadow of the EO also pushed passwordless into the spotlight. Standards activity helped fuel this enthusiasm, as did enterprise-grade deployments and architectural strategies. Submissions pushed past the MFA conversation alone and explored sustainable operations, interoperability and legacy challenges, and the attack vectors and issues specific to passwordless approaches.
- Back to the Basics
A variety of submissions explored a return to basics, be it how leaders engage with their teams, how to achieve security with the tools and technologies already in place, or how to establish clear, consistent hygiene as “fringe cases” became base cases in a pandemic world and decisions and deployments had to happen fast. Relatedly, we observed an increase in submissions focused on starting security programs from scratch and on the first 90 days in the CISO seat.
- The Ever-Expanding Cloud
The year 2021 was definitely cloudy, with a perfect storm of work-from-home immediacy and digital transformation initiatives colliding with a thunderous jolt. The maturation of submissions this year was significant, with sessions that explored new threat modeling approaches along with a call to action for a common vulnerability database, governance challenges, cloud-focused attacks with systemic consequences, and long-kept secrets from CSPs emerging. Shift left approaches and Kubernetes successes are positive signs in the cloud space, though security through obscurity seems to be rearing its ugly head.
- Artificial Intelligence & Machine Learning
The AI/ML-focused sessions took on an interesting business focus this year. Along with submissions about AI-driven hacks (yes, AI appears to be getting smarter), we saw more submissions around ethics and detecting algorithmic bias, along with guidance on how and when to call BS if you’re not a data scientist. Tangible, practical applications emerged alongside discussions of how the global regulatory landscape is evolving.
- Risk Takes Center Stage
It’s been growing bigger and bigger over the past few years, but this year the discussion of risk edged out security as we looked across the landscape of our submissions. Would-be presenters explored operational technology and the risks specific to it, as well as the positive impact BISOs (business information security officers) are making within organizations, spurring innovation and a better business connection for cybersecurity teams. Third-party risk was a key theme, as was the impact of privacy considerations, with proposals putting forward concrete studies with tangible takeaways, KPIs and metrics tied to business outcomes.
- What Do I Really Want to Be When I Grow Up?
This year-plus of working from home has clearly been a source of community reflection. We had myriad submissions with guidance on how to transition into consulting, being a board member, writing a book, being a CISO, being an advocate, and the list goes on. And this isn’t side-hustle talk; this is an itch for a change, and a move that seems to have taken on a different tone than we’ve previously seen. We also seem to be even more aware of the large field of prospective hires, and it’s looking a little rosier as we recognize the power of diversity and non-traditional hires and the positive impact mentorship can have.
- There’s a Framework for That!
We admire frameworks in cybersecurity, a lot. Maybe it’s our roots in math and mapping: if we can plot it on a chart, it makes more sense, and it can be measured. This year frameworks exploded as we worked on mapping everything to everything, technical and non-technical. We recognized frameworks as key to helping disparate groups communicate, prioritize, measure and report out. There was also a slight rumbling of the emergence of new paradigms and a tone that seems to encourage a shift away from over-reliance on military terminology and the use of development terms that some find offensive.
5G was vulnerable. Quantum was primed to turn the world upside down. Safe Harbors were intriguing. Lizard brains, fuzzing, unintended consequences and IOCs all made themselves known in the submissions. RSA Conference 2022 in June in San Francisco stands to put forward some of the best content yet to help propel our industry. See you there!