RSA Conference is where the world talks security, but what are the security conversations the industry is having this year? To understand what matters most to practitioners and decision makers, we looked to the proposals that came in through the RSAC Call for Submissions, a rich collection of proposals revealing the ideas, techniques, challenges, and topics that are trending across the larger community.
The runners among the community will appreciate the RSA Conference team’s joy at achieving another PR (ok, it’s a team record rather than a personal one, but the analogy sort of works). In 2023, we received a record number of submissions, which was incredibly exciting in a post-pandemic world. This year, the Program Committee reviewed an unprecedented number of submissions, more than 2,700 proposals, with subject matter experts offering sessions on everything from generative AI to tokenization and privacy.
The reality is that the breadth of topics submitted through this process is vast and will differ from the industry trends spotlighted in the sessions delivered on the big stage in May. Still, here’s a look at topics proposed frequently enough to give them trend-worthy status.
Community Matters
Perhaps it was the RSA Conference 2024 theme, The Art of Possible, that stimulated submitters to reflect on all that can be achieved when people come together, but community, and all things related to a collective mindfulness, really resonated in this year's sessions. So many session topics underscored the power of people coming together, sharing knowledge, and collectively addressing cybersecurity challenges. Beyond technical discussions, there was a notable emphasis on recognizing and leading initiatives to tackle mental health issues and burnout within the community. This acknowledgment harked back to a previous RSAC theme, Human Element.
Thinking Differently About Humans and Technology
While Steve Jobs may have flouted the rules of grammar in Apple’s “Think Different” campaign, many submitters suggested that the industry needs to think differently about the relationship between humans and technology. Whether the proposal was aimed at hacking the human, securing the human, or bringing the human into awareness training, many submissions shared inspirational ideas for fostering a more collaborative, empowered, and inclusive cybersecurity culture as a way to mitigate human risk.
Impact of Legislation & Policy
The recent SEC rule mandating cybersecurity incident disclosure will impact security teams from CISOs to Governance, Risk, and Compliance (GRC) specialists. Several Executive Orders have spurred discussions around Zero Trust principles, leading to increased attention on Software Bills of Materials (SBOMs) and securing the software supply chain. Impactful legislation has transcended US borders, and global investors are keen to understand cybersecurity disclosure laws, which may impact their investment decisions. In the EU, privacy, information security, and resilience laws, from GDPR to DORA and NIS2, have reshaped policies for global business for nearly a decade. Undeniably, these and pending legislation around the world will impact third-party risk management and approaches to cyber insurance as organizations endeavor to harmonize security, privacy, and compliance.
AI and Everything
Hundreds of this year’s submissions touched upon AI, with the spectrum of topics spanning from using AI for code analysis and development to application security testing and addressing ethical considerations with the deployment of AI in hacking tools. AI for resilience, AI for workforce development, AI for threat mitigation. And that’s not even scratching the surface. Of course, there were plenty of talks on AI and the large language models (LLMs) used to build the tools, and even more on OpenAI, GenAI, and trustworthy AI. Many proposals expressed concern regarding the integrity of AI tool outputs, while others highlighted the growing awareness of the potential risks and challenges associated with increased reliance on AI. We’ve even started to personify AI, giving the technologies human characteristics, such as shadows, hallucinations, and states of being hypnotized. Despite these nuanced discussions, there's a notable absence of fear, uncertainty, and doubt (FUD). Instead, submissions highlighted thoughtful and practical applications of AI, showcasing a balanced exploration of the opportunities and responsibilities that come with integrating AI across diverse facets of technology and business.
Secure by Design
In the wake of SBOMs, developers are increasingly relying on OWASP resources to secure applications, contributing to the principles and processes promoted by CISA’s Secure by Design guidance. Various OWASP frameworks have seen widespread adoption given their efficacy in addressing risk and common vulnerabilities. Submissions indicated that organizations are extending secure design principles to Infrastructure as Code, Detection as Code, Security as Code, well, everything as code! The need to know what is in your code, and what can go wrong with it, is strong; accordingly, threat modeling has become more commonplace, allowing developers to identify threats and potential vulnerabilities in order to mitigate risk.
How to Approach Threat Modeling
A process applied across the software development lifecycle, threat modeling aims to first identify potential threats to a wide range of systems and then define countermeasures. Because the techniques of threat modeling are so varied, submissions focused on threat modeling were equally diverse. Some examined the challenges of adopting threat modeling, while others focused on using threat intelligence as part of the threat modeling process, discussed how to derive business value from threat modeling, or even applied threat modeling to human behavior.
A Privacy-First Mindset
Organizations have come to realize that a commitment to privacy is a trust-building measure, yet building a robust privacy program requires a comprehensive understanding of evolving data protection laws across different geographical regions. Given that organizations are grappling with varying privacy frameworks and regulations, the concept of "privacy by design" has gained prominence. Submitters proposed ways to strengthen relationships between privacy and security teams and how to create a “privacy-first mindset,” rather than trying to solve for privacy considerations as an afterthought.
Ransomware Rises Again
With some reports predicting payments could soar to nearly $900 million, ransomware is trending, again. Yes, law enforcement had success dismantling ransomware groups, but some members were undeterred and simply went on to form offshoots or join new factions. The frequency of attacks intensified, leaving a notable impact on the critical infrastructure and healthcare sectors, but the effect was not exclusive to these sectors. High-profile victims like MGM and Caesars garnered extensive attention, underscoring the urgency of fortifying cybersecurity measures. Still, organizations are grappling with the ethical and financial implications inherent in the perennial dilemma of whether or not to pay the ransom.
In response, numerous submissions emphasized the importance of ransomware readiness checklists, likely prompted by MOVEit and other notorious incidents. Additionally, security practitioners are recognizing the critical need for small and medium-sized businesses (SMBs) and managed service providers (MSPs) to craft effective ransomware response strategies.
Telecommunications and Security in the Cosmos
Telecommunications providers have been experiencing a rise in targeted attacks, which prompted many submitters to consider the security implications of extensive network API exposure. Additionally, with the transition from 5G to 6G looming and telecoms ever more tightly interconnected with enterprises, submissions took a deeper look at the impact of quantum computing on telecommunications.
The communications sector is only one of the entities that falls under critical infrastructure, and the increased evidence of vulnerabilities inherent in industrial control systems (ICS), operational technology (OT), satellites, space systems, and other critical infrastructure has heightened the need for safeguarding interconnected cyber-physical systems. Visibility and access control are key to navigating the challenges of securing these complex systems, which affirms that identity remains an important trend to follow in 2024.
Security’s Identity Shield
Increasingly, security teams are acknowledging that identity is the most important thing to secure. But how and where? Targeted attacks and Multi-Factor Authentication (MFA) bypasses have proven once again that there is a dark side to identity, but threats can be mitigated with a focus on authentication, access management, and a zero trust strategy. Given the reliance on web applications and cloud-based services, browser security, passwordless authentication, and the adoption of tokens and tokenization are trending as identity protection techniques. Not surprisingly, many submissions projected the use of AI to transform identity, but overwhelmingly, the proposed sessions affirmed that addressing the gap between identity and security teams is critical.
And That’s Not All…
Practitioners are increasingly dependent upon reliable and actionable intelligence to achieve both security and compliance. Overwhelmingly, it felt like there was an understanding that security teams can make better use of threat intelligence if they know what to prioritize and where to fuse it into investigations. To that end, many submissions seemed to be searching for the “story” in their intelligence. Join us at RSA Conference 2024 to hear those stories and embrace The Art of Possible.