It was attended by companies, practitioners, and investors focused on cybersecurity, including members of the Cervin team. It’s impossible to capture all the sights and sounds of the conference, so here is a brief recap of our RSA 2022 experience:
Key Insights/Takeaways
“And in this moment, I am happy.” - Incubus, "Wish You Were Here" | RSAC FOMO Party
- The RSA Conference adjourned last week, accompanied by satellite conferences like BSidesSF and the AGC Conference. In many ways, it felt like in-person conferences are coming full circle after a two-and-a-half-year hiatus, with many vendors continuing from RSAC to other conferences on the tour such as Snowflake Summit and Splunk .conf22. The energy was evident everywhere, with a record number of vendors and events. One of the questions that we repeatedly posed to vendors and buyers alike was around security spend and any softness in demand. In recent years, security spend has been growing at a low-double-digit CAGR, commanding a growing portion of overall IT spend. And while the consensus among the startups and investors attending the convention was that we’re deep into the softening of the fundraising environment, there’s still no slowdown in customers’ willingness to spend on security. In our view, as the economic downturn further spirals into a bear market, the eventual impact on the demand side should be further felt, even for security vendors. We expect to see consolidation in the industry, with customers focusing on shortening the list of vendors and priorities, though we think the industry will be more immune to the downturn than other segments in technology.
- Future-of-work security is growing in importance. While it’s hard to determine whether remote, hybrid, or physical offices are going to be the new norm two years from now, security professionals have had to make the adjustment and enable all those options in a short span of time. The growth in importance was evident in the RSA Sandbox competition, where the two finalists were BastionZero - a remote access / key management solution, and eventual winner Talon Cyber Security - provider of a secure enterprise browser. A healthy stream of innovative vendors is looking to tackle key attack surfaces and help protect the remote workforce. Other solutions that are riding this tailwind include remote/end-user biometrics, NG UEBA, and modern SaaS security.
- Our team joined forces with our friends at the Citi Ventures team to host a collaborative session between CISOs, CEOs, and practitioners focusing on topics in data security, such as “Balancing security needs vs. unlocking the value of data”, “Cloud Data Protection”, “Supply chain vulnerabilities” and “Data discovery”. Some of the surfaced themes were pretty universal to security, and speak to the challenges in changing organizational behavior and the perception of the role security teams play in the organization. What’s evident, though, is that there’s a fundamental shift in where the organizational crown jewels reside (on premises -> cloud/hybrid) and that the analogy of data being the new oil is true in more than one sense: companies have data pockets in multiple locations, and it’s incredibly hard to clean up the data after drills (granting access) and spills (DLP and sprawling data pockets, “Data is everywhere”).
- Once budgets tighten, the security industry will find itself at an interesting intersection. Given that companies will undoubtedly continue to be breached (not a matter of if, but when), security will continue to be in demand. But with the looming recession, C-suites and security teams will focus on the ROI of security projects and on budget prioritization. As such, vendors should consider the inherent pitfalls of today’s cyber industry. For example, every security vendor nowadays talks about ease of deployment. In reality, security teams call out having many shelfware products and multiple never-ending deployment projects, so vendors should relentlessly focus on matching their claims to the deployment reality. Moreover, they should consider the impact on the end users’ experience, and remember that the typical preconceived bias against security products is that those solutions get in the way of users’ business / operational goals. At Cervin, we will continue to be bullish about the need to innovate across this segment, but will spend extra time conducting a thorough analysis of willingness to pay and the deployment/usage experience. We will be looking for high-priority budget line items that consider the human behavior element as part of the solution and that are laser-focused on enabling business outcomes.