It was AMAZING to see so many of you at RSA Conference 2022. The energy in the hallways was palpable. We truly embraced being Stronger Together because, well … we are. It’s clear we’re already craving the energy of togetherness in 2023 with the record number of submissions we received, which bubbled up some very interesting trends.
Ukraine vs. Russia
The impact of the ongoing war is being felt across every area of our community, with many having personal connections to the region. Submissions reflected upon relationships between business decisions and geopolitical factors, unique attacks launched from the region (perhaps influenced by economic sanctions), the polarization of the cybercrime underground, cyber hacktivism, and even the impact on cyber insurance policies. The collision of cyber and physical security came into focus in a rudimentary way with the tracking of smartphones on the war field, as the first war ever fought in all five military domains has forever changed the threat landscape—and caused us to collectively wonder what a China-Taiwan escalation could bring to bear.
Great Scott! Quantum Has Arrived
Quantum has been a footnote for several years in our trends roundup—those who mentioned it were passionate, but they were few and far between with this “out there on the horizon” issue. We appear to have taken a quantum leap forward as 2023 submissions put a spotlight on quantum. From NSA requirements to Nobel Prize winners to new NIST algorithms, we seem to have finally reached a tipping point that would make Doc Brown proud as we consider quantum-specific attacks, Shor’s algorithm, and how PQC might materially impact business and society in the future.
How Do We Think About “Us”?
We’ve recognized for many years the need to grow our community, both in terms of numbers and diversity. This year, we saw an explosion in truly inspiring and innovative approaches to changing the face of the future of our workforce, evolving the hiring process, strategies for building or augmenting apprenticeship/internship programs, and ways to attract and retain diverse talent. We’re recognizing diversity as a front-line defense that’s reshaping teams and approaches, as well as motivating more to join our ranks. Maybe there is cause for optimism!
Shifting Right and Shifting Left: Can We Find Center?
Past years saw an influx in “shift left” dialogue. This year, the rallying cry of “shift right” was loud, with a concerted interest in ensuring performance, resilience, and reliability, which seemed to bring with it more discussion in and around application security in the broadest sense. The movement to cloud-native constructs also seems to demand the adoption of both shift-left and shift-right strategies, and we’re clearly eager for some better CI/CD approaches with better visibility, hygiene, and security.
Open-Source Open Season
The focus on SBOMs coupled with application-centric attacks that are having crippling impacts (we’re still not done talking about SolarWinds, Colonial Pipeline, or Kaseya) has us front-and-center examining open-source code and dependencies. And it’s not pretty. The overt focus on the “cons” around open-source code and manipulation, attacks, and targeting of it seems to be giving birth to new efforts to mitigate associated risk, both with development processes and reports, as well as technology. We’re also reviewing anew our approaches around build vs. buy, with introspection and some good learnings to share around software development, SDLC, and the supply chain as a whole. And leaning into the “BOM” … 2023 brought lots of BOMs: XBOM, HBOM, DBOM, PBOM, and CBOM. “Da BOM” has exploded new lines of thinking around transparency of “what’s inside,” with the hope that visibility will help better protect and defend.
Communication: Do You Really Hear Me?
Every year, a new segment of our community seems to take a turn for the “alone island,” feeling like no one understands them or their processes. Application Security seems to be taking its turn in the alone cone this year. In an effort to break through the silos, we’ve seen the rise of Security Champions (out in force this year!) and BISOs to help close gaps of understanding. We’re working hard to align tools and processes against risk profiles and development teams and, likewise, thinking deeply about culture. Our SOC comrades, in particular, seem to merit extra consideration as they face extreme burnout and recruiting issues. Unpacking “what’s worked,” communication is key, as is using the language that resonates with the audience at hand, be it the board, other departments, or customers. Storytelling has emerged as both an art and a science to break through communication barriers and help to reinforce key points, so much so that it appeared in more submissions than Sun Tzu this year. Cinderella’s “Just because it’s what’s done doesn’t mean it’s what should be done!” may belong in The Art of War after all.
Achilles’ Heels … Lots and Lots of Heels
While on that theme of storytelling, moving on to Greek mythology, we seem to have many Achilles’ heels. If you ask the 2023 submitters, APIs are under constant attack and represent the best way to defeat 2FA, Zero Trust, vulnerability management … and the list goes on. There was a great deal of discussion around API security and associated vulnerabilities and how their increased use and expanded functionality directly impact attack surfaces as the leading vector for breaches. We’re exploring policy as code, low code/no code options, reporting structures, scanning and testing options, and service mesh for communication management, among many other approaches. We also remain concerned about SMBs as weak points, and we’re trying to shore up our responsibilities to them from a digital poverty standpoint to remove this Achilles’ heel in our supply chains. And there was a concerted focus on security risks around M&A when new companies are brought on board, as well as identifying the security weaknesses of potential acquisitions, with examples of the effect these Achilles’ heels have on the overall security posture of the acquiring entity. Our focus on evaluation, measurement, and articulation of third-party risk, no matter what “heel” created it, is of utmost importance, and we’re considering if consolidation of some of the frameworks that have been put forward might help with better assessments and protection.
Intelligence & Threat Modeling
We observed a deeper and broader analysis of the attack surface this year. There seemed to be a renewed focus on intelligence: gathering and sharing, as well as deception. Active hunting is on the uptick, with an observed distinct shift toward offensive rather than purely defensive thinking when considering the threat posture. When faced with modeling those threats, different approaches, philosophies, and alignment to risk indicators came through, which explored impacts on teams and how information is shared, as well as reporting structures and approaches—it’s not just about the tools. Graph-modeled hunting, boosted by machine learning, made its presence known. We seem to be more “comfortable” with the fact that breaches are a constant, and we observed some shifted emphasis to response, containment, and depth of analysis.
CISOs Have a Lot on Their Minds
We’ve always celebrated tremendous engagement from the CISO community at RSA Conference, with a willingness to share experiences and perspectives. This year saw a surge in submissions from CISOs on a wide range of topics. It also saw a long shadow of major “CISO in the news” moments, with reflections on the conviction of Joe Sullivan, the former CISO of Uber, as well as blunt whistleblower testimony on Capitol Hill from Peiter “Mudge” Zatko, the former CISO of Twitter, both of which clearly influenced how we think about the role of the CISO and accountability and responsibility. Related, several submissions gave the nod to SEC regulations for cybersecurity oversight, expected in spring 2023.
Constant Threats
It wouldn’t be an RSA Conference without a hard look at the threats. Ransomware losses continue to climb, and some of the attacks are evolving from encryption to extortion. Browser-based attacks are making their mark. Focused attacks on containers are causing us to think about them differently. Passwordless has quickly gained adopters but with it new perils. The prevalence of multi-cloud and its associated vulnerabilities seems to be triggering unique attacks. Phishing isn’t going away, either. Bots are proliferating, and their impact is being felt. And Web3 and the metaverse open up a whole new dimension of possibilities.
Skepticism around ML/AI is healthy. Zero Trust references run far and wide. ESG (environmental, social, governance) is on the radar as we view sustainability and associated privacy and risk beyond just environmental issues. ICS and OT concerns are growing deeper, and we’re thinking hard about what IT can learn from OT and vice versa. Workflows and best practices are under further review. The community is seeking better ways to make their organizations, and the world, stronger together. We look forward to you being part of RSA Conference 2023.