The security community is becoming more and more interdependent. We need each other to stay on top of an ever-changing threat landscape. To this end, many of us go to RSA to invest in existing relationships with other members of the security community and to stay on top of the latest and greatest trends around people, process, and technology. That said, the people are the most important part of RSA to me, and to many others.
Here are a few takeaways from my perspective at RSA:
A call for Fractional CISOs. Many of our portfolio companies are trying to improve their security posture. They need the expertise of a full-time CISO, but can't afford to invest in one in addition to a full-on security function.
Enter the "Fractional CISO." These folks have already had a CISO career in security and are now able to consult and give back their real-world experience. By investing in a Fractional CISO, you get the benefit of both their successes and their failures at a fraction of the cost. Consistent with the RSA theme of "Stronger Together," I reached out to Ed Skoudis, the President of the SANS Technology Institute, a long-time friend of mine, a highly respected security professional, and an ethical hacker. Ed connected me with two fantastic Fractional CISOs—Todd Inskeep and Russell Eubanks, both of whom have incredible backgrounds and experience. Todd has built a small consulting firm (Incovate Solutions) with several other former CISOs, and Russell does fractional and consulting work as an independent. Both bring the kind of value our portfolio companies need. I could easily justify the trip on the strength of my meetings with Ed Skoudis, Russell Eubanks, and Todd Inskeep alone. Proof, once again, of RSA's theme: Stronger Together.
Edison portcos in action. It was great to finally meet Andrew Loschmann and Matt Holland, cofounders of Field Effect, one of our infosec portcos delivering enterprise-class managed security services to the middle market. We met during diligence about a year ago, but purely via Zoom, so it was nice to meet them in person. Since then, they have made some amazing additions to their executive team, adding a CRO, CTO, and CPO. Field Effect was not present on the show floor but was attending to network and to present at an emerging-growth-company conference conveniently timed to coincide with RSA.
I was also able to stop by SPHERE's booth—another Edison security portco with a laser-like focus on identity management hygiene. Their booth was swamped: SPHERE is solving a very thorny problem, unknown and unmanaged permissions and privileges, and has recently announced partnerships with BigID and CyberArk, both of which had a large, visible presence on the RSA show floor. No doubt, they're Stronger Together.
Generative AI. What kind of tech conference would be complete without some mention of large language models, ChatGPT, or Generative AI? RSA didn't miss a beat in this regard. To me, the most interesting take was with respect to AI being used to augment/replace hackers for both technical threat vectors and social engineering hacks.
The threat landscape is constantly evolving and will continue to become more challenging thanks to AI. For example, the CEO of Zscaler was able to snuff out a spear-phishing attempt in which he was the target of an AI-assisted attacker. Whether it is social engineering augmentation or technical hacking augmentation, companies need to keep a watchful eye.
As you would expect, the good guys are also gearing up to leverage AI to thwart bad actors. Stay tuned for a blog on who's leveraging AI in interesting ways to protect us from both real and synthetic bad actors. Net/net, there was a lot of buzz in and around RSA with reference to Generative AI.
Healthcare Security. I was able to connect with another long-time friend, Errol Weiss, the CISO at the Healthcare Information Sharing and Analysis Center (HISAC). Errol has been pioneering ISAC programs across functional areas (financial services, infrastructure, etc.), bootstrapping and funding them, dating back to his time at SAIC in the late 90s. He's a serious security professional with a passion for community and for bringing people together to thwart adversaries—I'd argue that he has one of the largest LinkedIn networks of security practitioners in our industry! For those unfamiliar with ISACs, an ISAC is a structured, vertically oriented community of organizations that agree to share best practices, learnings and experiences, and real-time intelligence about new and active security threats. My interest in this area, on behalf of Edison, is the opportunity to leverage the strength and experience of the ISACs for our healthcare and fintech portcos. This is yet another way for smaller growth companies to benefit from larger, more connected organizations in the spirit of improving security and reducing risk. Once again, it drives home the theme: Stronger Together.
All the Noise! I spent some time walking the show floor and frankly don't envy the marketing and sales folks trying to get their categories and product offerings to stand out. I've been around security products and services since the late 90s, both as a product/service developer and as a buyer of said products and services. Even if you know enough about the categories and products to be dangerous, they all seem to be saying the same things while doing their best to home in on their special sauce or differentiation.
This year, I focused on Cloud Security Posture Management, API Security, and Container Orchestration Security. Watch this space for a quick write-up of my observations. The good news is that each of these categories is important to solving real security problems. Take API security, for example—if software has already "eaten the world," then APIs have eaten software. Thus, APIs had better be secure. However, trying to determine whether companies like Salt, Noname, ThreatX, or fill-in-the-blank are different, better, worse, etc. is challenging for both buyers and sellers.
Check out this article by ThreatX titled "Definitive Guide to API Attack Protection," which proposes criteria for evaluating API protection solutions. It's well worth a read. Staying on top of API attacks and understanding the digital security climate makes us...Stronger Together.