There’s one quote from the 2024 RSA conference that I can’t stop thinking about, even though it was originally uttered by Kobe Bryant. Here’s the quote:
“Why do you think I’m the best in the world? Because I never get bored with the basics.”
That (possibly apocryphal) bit of wisdom was delivered by Etay Maor, Chief Security Strategist at Cato Networks, in a talk called “The Price is WRONG–An Analysis of Security Complexity.” Maor’s message was that as our digital infrastructure has ballooned in size and complexity, so has our attack surface, and too often, security vendors offer siloed, rather than holistic, solutions.
That’s an excellent point, but the quote has broader implications for security and IT professionals, and it’s a message I saw repeated over and over at RSA. Don’t get so excited by shiny new tech that you forget about your most basic obligations. Don’t assume you can automate your way out of every problem. Don’t get bored with the basics.
Of course, RSAC is a massive security conference, so that rather subtle message had to compete with a lot of shiny objects, plus the charms of San Francisco and special guests including Jason Sudeikis and Alicia Keys.
So let’s look back on RSAC 2024 and share the stories you might have missed (even if you were there).
AI, AI everywhere (but not a drop to drink)
It should shock absolutely no one that AI was the biggest star of RSAC 2024 (apologies to Jason Sudeikis). It was the topic of over 50 presentations and panel discussions, and even when exasperated speakers promised they weren’t going to talk about AI, it inevitably came up anyway.
Many of the speakers and attendees were AI evangelists and enthusiasts who were excited to show off the LLM-based tools they’d designed to help them operate more efficiently. Others were more preoccupied with AI’s security threats than its promise–deepfakes got a fair amount of attention. Still others split the difference and maintained that the only way to stop a bad guy with an AI is a good guy with an (even better) AI.
My favorite AI-related insights were delivered by Lauren McIlvenny and Gregory Touhill, security experts from Carnegie Mellon University. They discussed their process for creating an AI Security Incident Response Team (AISIRT) and diagnosing AI/ML vulnerabilities from the chip hardware to the risks of bias and prompt manipulation.
Here’s the key quote, from Touhill:
“We as cyber professionals and AI professionals really need to be open and transparent as to what some of those risks are, and set clear guidelines and rules for our fellow employees…as to how to handle PII (personally identifiable information), but also trade secrets, intellectual property, things like that.”
“Be transparent and set clear policies” is great, back-to-basics advice for security and IT professionals, but it also speaks to the dangers of employees using “shadow AI.” After all, it doesn’t do much good to be transparent with employees about the dangers of AI if they’re not transparent with you about how they’re using it.
There oughta be a law (security regulations and legal actions)
Many RSA sessions concerned, or at least touched on, the looming specter of legal and regulatory accountability for lax security.
One session focused on dealing with the SEC’s new cybersecurity rules, especially regarding breach disclosures. Another held a mock trial that imagined a case in which an AI-powered gossip blog published news that was stolen in a data breach (the attendees overwhelmingly voted that the blog should not be held liable).
The session “Regulation on the Horizon: What You Wish Your Lawyer Had Told You About” was particularly juicy, since it featured both in-house counsel from tech companies and Stacey Schesser, from the Privacy Unit of the California Attorney General. Naturally, these two groups had rather different perspectives on the subject of legal accountability.
The in-house counsel persuasively argued that new regulations put CISOs in the impossible position of raising security concerns internally while communicating confidence to external stakeholders. Schesser countered (and I’m paraphrasing here) that her job is to safeguard the personal data of Californians, and you’re only in an impossible position if you fail to do that and then lie about it.
The session’s choicest quote came from moderator Beth George:
“When I see a client panicking around new regulations, it tends to be a symptom of a more immature security program than it is about how onerous the regulations are.”
RSA announcements
Naturally, a lot of companies use RSAC as a launchpad for big announcements, and this year was no exception.
The biggest headline grabber was a public commitment from 68 tech companies – including such giants as Google, Microsoft, and AWS – to implement secure-by-design development, building security into every aspect of their products’ lifecycles. Of course, there’s a case to be made that tech leaders should have been practicing this all along, but better late than never.
There were also plenty of vendors unveiling new products, not least of which was us! 1Password Extended Access Management (XAM) debuted just a few days before the start of the conference, and we were extremely excited to talk about it both in the booth and onstage.
XAM is an access management solution that secures every login and device, even the Shadow IT apps and BYOD endpoints that fall outside traditional security solutions. It’s a new approach to solving for zero trust, but it’s also a return to the fundamentals of good security.
Best RSAC booth award
The expo floor of the Moscone Center was bursting with vendors, showing off their wares and creative instincts. There were carnival games, cotton candy, and at least two close-up magicians. But there was also one clear winner when it came to pure spectacle.
The coolest booth on that expo floor belonged to Wiz, which had an amazingly high-concept security grocery store, with gleaming displays of fake products. While other security vendors often rely on doom and gloom to get their message across, this one radiated the kind of joy and optimism that comes with a $12 billion valuation.
I’m still not entirely sure what Wiz does, but whatever it is, I want one.
That being said, I do believe that the 1Password booth had the friendliest people, the best product, and the coolest t-shirt.
All in all, the 2024 RSA Conference was one of the most illuminating experiences I’ve had since I started writing about security, and I can’t wait for next year. (Assuming we haven’t learned how to stop all breaches with AI by then.)