2022 Trends Observed in C4S Submission Review


Posted on by Britta Glade

Transform. The RSA Conference 2022 theme captures the past 18+ months, personal and professional. We’ve been challenged and inspired, frustrated and reborn. Systems have changed, teams have shifted, priorities have evolved, and the attackers have dug in. Oh. And Executive Order 14028, Improving the Nation’s Cybersecurity, issued in May 2021, has pretty much impacted … everything (superficially or long term, time will tell). We’ll start there as we look at cybersecurity trends through the lens of RSA Conference 2022 speaking submissions.

  1. Zero Trust: What Is “It”?

    Zero Trust-focused submissions have steadily increased over the years, but the May 2021 directive to “adopt Zero Trust cybersecurity principles and adjust network architectures accordingly” turned up the volume. Vendor-based submissions often seemed rooted in the origin of their primary tool offering—identity, data encryption, network control, endpoint technologies and breadcrumbs of “Zero Trust” could be found far and wide. Debate ensued within the Program Committee as we grappled with where we are on the maturity curve, what problems can be uniquely served with a Zero Trust approach, and what, really, Zero Trust even is, despite the fact that the US Federal Government has been talking about “it” since 2009.

  2. Ripple Effects of the SBOM

    We had two sessions squarely focused on SBOM on the 2021 agenda; 2022 submissions were in the dozens, again responding to the EO’s requirements on third-party software companies. Submissions explored the challenges SBOM creates, concerns around application lifecycle management, the legalities of what it means when partner code fails, and the challenges to really maintaining code, be it commercial or open-source. We also saw discussions related to insider threats and the potential for an insider posting code from the SBOM. Expect sessions touching on SBOM across a variety of tracks, from DevSecOps & Software Integrity to Open Source Tools to Protecting Data & the Supply Chain Ecosystem.

  3. Supply Chain Challenges

    Colonial Pipeline and Kaseya replaced SolarWinds as the main attack callouts. Though the “INAMOIBW” sentiment (it’s not a matter of if but when—introduced in our 2015 trends blog in response to attitude around breaches) related to ransomware attacks ran heavily in proposals. Submitters explored the challenges relative to NPOs and SMBs in the supply chain and exposure points they can create, as well as providing firsthand accounts of experiences and legal, governance and fiduciary challenges introduced by cyber-insurance policies related to the “pay or not” question. The cyber-physical connection has continued to grow as our community grapples with growing threats.

  4. Passwordless Breaks Through

    The shadow of the EO also pushed passwordless into the spotlight. Standard activities assisted this enthusiasm as well as enterprise-grade deployments and architectural strategies. Submissions seemed to push past just MFA conversations and explored sustainable operations, interoperability and legacy challenges, and attack vectors and issues specific to passwordless approaches.

  5. Back to the Basics

    A variety of submissions explored a new return to basics, be it how leaders engage with their teams, achieve security with tools and technologies already in place, and establish clear, consistent hygiene as “fringe cases” became base cases in a pandemic world, and decisions and deployments had to happen fast. Related, we observed an increase in submissions focused on starting security programs from scratch and the first 90 days in the CISO seat.

  6. The Ever-Expanding Cloud

    The year 2021 was definitely cloudy, with a perfect storm of work-from-home immediacy and digital transformation initiatives colliding with a thunderous jolt. The maturation of submissions this year was significant, with sessions that explored new threat modeling approaches along with a call to action for a common vulnerability database, governance challenges, cloud-focused attacks with systemic consequences, and long-kept secrets from CSPs emerging. Shift left approaches and Kubernetes successes are positive signs in the cloud space, though security through obscurity seems to be rearing its ugly head.

  7. Artificial Intelligence & Machine Learning

    The AI/ML-focused sessions took on an interesting business focus this year. Along with submissions about AI-driven hacks (yes, AI appears to be getting smarter), we saw more submissions around ethics and detecting algorithmic bias, along with guidance on how and when to call BS if you’re not a data scientist. Tangible, practical applications emerged alongside discussions of how the global regulatory landscape is evolving.

  8. Risk Takes Center Stage

    It’s been growing bigger and bigger over the past few years, but this year’s discussion of risk edged out security as we looked across the landscape of our submissions. Would-be presenters explored operational technology and the risks specific to it, as well as the positive impact BISOs are making within organizations, spurring innovation and better business connection for cybersecurity teams. Third-party risk was a key theme, as was the impact of privacy considerations, as proposals put forward concrete studies with tangible takeaways, KPIs and metrics tied to business outcomes.

  9. What Do I Really Want to Be When I Grow Up?

    This year+ of working from home has clearly been a source of community reflection. We had a myriad of submissions with guidance on how to transition into consulting, being a board member, writing a book, being a CISO, being an advocate, and the list goes on. And this isn’t side-hustle talk—this is an itch for a change and a move that seems to have taken on a different tone than we’ve previously seen. We also seem to be even more aware of the large field of prospective hires … and it’s looking a little rosier as we recognize the power of diversity and non-traditional hires and the positive impact mentorship can have.

  10. There’s a Framework for That!

We admire frameworks in cybersecurity; a lot. Maybe it’s our roots in math and mapping—if we can plot it on a chart, it makes more sense, and it can be measured. This year the frameworks exploded as we worked on mapping everything to everything, technical and non-technical. We recognized frameworks as key to helping disparate groups communicate, prioritize, measure and report out. There was also a slight rumbling of the emergence of new paradigms and a tone that seems to encourage shifts away from an over-reliance on military terminology and the use of development terms that could be offensive to some.

5G was vulnerable. Quantum was primed to turn the world upside down. Safe Harbors were intriguing. Lizard brains, fuzzing, unintended consequences and IOCs all made themselves known in the submissions. RSA Conference 2022 in June in San Francisco stands to put forward some of the best content yet to help propel our industry. See you there!

Contributors
Britta Glade

Senior Vice President, Content & Communities, RSAC

RSAC Insights

zero trust software integrity supply chain passwordless standards & frameworks risk management artificial intelligence & machine learning cloud security

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs