Using the almost 2,200 submissions as a proxy for the state of the industry, the cybersecurity community appears to be vibrant and ready to engage in detail we don’t recall seeing before, with enterprise users in particular willing to share more depth and specifics. In a word, to quote our theme, we appear to be better than we’ve ever been in terms of interest in sharing, engaging, and really enabling our collective community to learn and improve, positioning 2019 to be the best Conference yet. Let’s dig into some of the specific trends that bubbled up in the review of the 2019 submissions.
Part one of this blog mini-series looks at the first five trends.
1. Supply chain and managing third party risk
Kirstjen Nielsen, Secretary of US Homeland Security, addressed the RSA Conference 2018 crowd from the keynote stage last year, citing, among other things, concerns about Supply Chain Risk Management. The audience clearly heard the message. 2019 may be the year the Supply Chain Ecosystem, and concern about third party risk, officially hit the tipping point, fueled by cloud adoption and overall architectural changes (see #2), geopolitical conditions, GDPR and similar regulations, and everything-as-a-service, which has removed traditional borders and opened organizations up to possible attacks from previously unexpected sources and locations. Organizations are thinking differently about managing software supply chains, third parties and their risk management posture as a whole, with Risk, measured in many different ways, becoming the most important letter of the GRC acronym, dwarfing conversations about Governance and Compliance. Submissions harkened back to Target and Equifax as “ground zero” in putting a face on this risk, with the uptick in IoT vulnerabilities adding salt to the wound and NotPetya being the final “whack over the head” as organizations dig deeper into understanding the risks inherent in their business relationships with third parties. Our 2019 agenda reflects this interest, designating a new track to explore this key theme: Protecting Data & the Supply Chain Ecosystem.
2. Architectural and infrastructure changes
We also noted major architecture and infrastructure shifts, which one could argue have chicken-and-egg implications across all of these trends, but taken together, this was definitely a big theme in 2019 submissions. We had extensive conversations within our Program Committee as we explored the implications of cloud adoption (and the various stages of that adoption) across enterprises, noting that there was no more “cloudy with a chance of…” (a 2015 noted trend) anywhere: cloud is no longer niche, it’s a given. Now we are in that “messy middle state” where many companies, at various stages of that journey, are trying to straddle security of a “traditional” environment as their cloud adoption accelerates (with different primary security drivers in each world). We noted two key themes, which are reflected in the carefully curated content of the Cloud & Virtualization Security track: 1) industry/vendors seem to be way ahead in their conversations compared to where companies actually are with their transitions...but companies are definitely headed there, and 2) the rise of cloud applications and mobile devices has allowed content to be created and consumed completely outside the corporate network. Kubernetes Security, as a component of this drive to the cloud, seems to be replacing Docker almost 100% in the container part of this conversation. From an overall architecture standpoint, we also noted another leading indicator of disruption, at least from the vendor messaging world: Zero Trust. Lots—and lots!—of zero trust. As organizations work toward a more holistic approach to their cybersecurity posture that seeks to limit risk, increase automated detection and response, and achieve strengthened data security, zero trust is positioned as a 2019 industry silver bullet. We saw many submissions from vendors on this topic, but not many from our enterprise audience, though we anticipate rapid maturity in this space.
We also noted an increase in sessions that covered physical security; we speculate this is driven by closer integration of IT and OT security within organizations and by CISO charters changing to include physical security, with the accompanying reporting functions within companies changing as well. Chalk this up, too, to the continued ripple effect of NotPetya.
3. Geopolitics
Geopolitical tension shadowed 2019 submissions, from attack implications to attribution to the regulatory environment to how (and if!) threat intelligence is even shared. We reviewed many submissions discussing direct hits fueled by geopolitical threats, some detailing attacks that have shut down tens of thousands of servers within minutes, others that interrupted manufacturing processes with production facilities taken offline, and still others that cost corporations hundreds of millions of dollars in recovery costs and reputational damage. Submissions also bemoaned election meddling—past, present, and future—as actors attempt physical and psychological disruption in order to affect outcomes. This is a time of tremendous turmoil in legislation being put forth internationally that CISOs are having to deal with, resulting in regulations that are sometimes in direct conflict with one another, forcing CISOs to trade off the risk of compliance in one country against non-compliance in another. Disruptions on the scale of PCI, SOX, and HIPAA are now happening monthly in different countries, with GDPR just one example of many new regulations to enter the global scene. The discussion around attribution is also heating up, with some governments pushing hard for nation state perpetrators to be rapidly named, but enterprises (and some vendors) reluctant, concerned that mistakes are being made which may further splinter fragile relationships, and/or not valuing attribution at all. This concern has also impacted threat intelligence sharing, as new walls are emerging rather than being eliminated. As nations, and the companies operating inside of nations, are broad-stroke labelled “friend” or “foe”, there’s concern that this balkanization is having unknown implications on the supply chain and the security of the supply chain, as directly reflected in the widely debated Bloomberg story about Chinese hacking of microcomputers.
Geopolitics is casting a long shadow over the cybersecurity industry, a shadow that doesn’t seem to be going anywhere anytime soon.
4. Privacy
Privacy has held a regular seat on our top 10 trends list, a constant companion to a complete assessment of the cybersecurity landscape. 2019 is no exception. GDPR, which went into effect May 25, 2018, is very top of mind for organizations, with some citing unintended consequences and a negative impact on threat tracking effectiveness by limiting collection of critical data (this feels like the early-day arguments in the medical research world when HIPAA was introduced, negatively impacting some scientists, particularly in research areas with small patient populations). Organizations have also struggled to understand what “appropriate use” is, a challenge that is playing out between legal, business, marketing and privacy teams. Not to be outdone on the world legislative stage (see #3 above, with CISOs wading in the “new norm” of an ever-expanding sea of legislation), just a month after GDPR went into effect the California legislature passed the most sweeping privacy legislation in U.S. history. The California Consumer Privacy Act of 2018 (CCPA), which takes effect January 2020, has been in a constant state of amendment almost since it was passed, and will likely become the model for legislation at the U.S. national level. The not-always-positive relationship between security and privacy is getting tighter and tighter, with even more data protection laws anticipated globally in the not too distant future (see #3 above...again...), as organizations need to think hard about security best practices that can also serve as compliance measures without interfering with business. CCPA will be the theme of a special Monday seminar organized by IAPP and will also be covered in many sessions across several tracks.
5. Frameworks
Frameworks are no stranger to our trends list. Just as automation has helped processes to speed up and freed humans to do the “intelligent stuff”, frameworks are helping organizations to “speak the same language”, internally and externally, benefiting the industry as a whole. There is no brighter star on the framework horizon, it would seem, than the NIST Cybersecurity Framework. We were impressed with the number of enterprise-submitted sessions that detailed their use of the CSF and how they are implementing it (or their derivative version of it) as a standard across their organizations, achieving real business results, increased productivity, and better knowledge transfer. We also noted a significant number of submissions around MITRE’s ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework, used for classifying the tactics and techniques employed by adversaries. What isn’t clear in the framework discussion, however, is what solution there is for what appears to be louder and louder threat intelligence “noise”, with enterprises struggling to understand and value all of the different “things” being shared, and vendors seemingly fanning the flames as they try to differentiate their solutions and their approach to consuming and creating intelligence feeds.
See topics 6 through 10 in part two of our 2019 trends blog mini-series.