28 April 2023

RSA 2023 - Insights and Recap

The 32nd annual RSA Conference was held between April 24-27, at the Moscone Center in San Francisco.

It was attended by companies, practitioners, and investors focused on cybersecurity, including members of the Cervin team.


Stark contrasts marked the conference: on the one hand, sheer optimism; on the other, market and industry uncertainty. In terms of the former, the conference was bigger and better attended than last year, signaling a return to pre-COVID form. Moreover, most vendors we talked to stated that their expectations were met or exceeded in terms of the number of meetings, quality of conversations, and interest from potential buyers. On the other hand, there are the challenges the industry is experiencing and the potentially tough times ahead. Many of the conversations and sessions at the conference centered around the instability in the market, the possibility of a prolonged downturn, and how those affect security budgets. Concerns were also raised about continued industry fragmentation and growth in security sub-segments at a time when security budgets may be consolidating. Finally, many conversations centered around the increase in attack sophistication, with the emergence of Generative AI-assisted hacking, and the expanded attack surface that comes with protecting the fast-growing Generative AI toolchain and its proliferating vendors and environments.


Here are some of the reflections, insights, and takeaways our team captured.


Key Takeaways


The importance of security is as strong as ever
Security continues to be top of mind in board conversations, and as such, CISOs have protected and even slightly increased their budgets even as market conditions deteriorate. However, boards and management teams are asking CISOs to consolidate vendors and to sharpen their thinking about what their priorities are versus nice-to-haves.


The enforcement versus discovery axiom

With the expansion of the shared-responsibility model, where overall security responsibility and programs are directed by the security team under the CISO while patching, fixes, and resolutions shift to developers or sometimes DevOps teams, it's evident that CISOs are looking for solutions that address their needs but are also easy for other parts of the organization to digest and use. Moreover, security is now of interest to multiple other, much less security-savvy functions in the organization (Finance, Marketing). With that in mind, security vendors are expected to shift from being passive tools of visibility and discovery into tools of action (enforcement, such as detection and response).


Unfortunately, for most companies, the quality of discovery is in practice less robust than desired. Hence, while the increased attention on enforcement is long overdue, some organizations are finding that they still haven't fully cracked the discovery problem and may not be able to move forward to enforcement.


Who stole my AI?

Unless you've been living under a rock, the explosion in Generative AI (GenAI) and foundational models (LLMs) as a new area of interest (or perhaps a returning one) was part of many conversations and discussions. Entrepreneurs, vendors, buyers, and investors are racing to understand how to better counter adversaries using GenAI (i.e., AI-assisted security) and what the new attack surfaces are (such as enhanced, more sophisticated phishing; using GenAI for brute-force pen-testing for vulnerabilities; applying AI to create new malware much faster). Additionally, practitioners are thinking about how to counter them (i.e., securing against GenAI-based attacks), as well as how to secure LLM/GenAI environments (for example, against drift and data leakage, privacy issues, and the reputational and monetary risk associated with such issues). Just to help paint the risk picture, one should realize that over 1000 GenAI tools have been created in the last three months alone, and some of them have become the fastest adopted technologies in history (such as ChatGPT, or AutoGPT hitting 117,000(!) GitHub stars in 40 days).


One such example was evident in the Sandbox competition, where ML protection startup HiddenLayer took the grand prize after beating out early favorites such as Pangea and Endor Labs, in what seems to be a declarative announcement for the industry.

As always, there was massive buzz and a range of opinions about the companies and winners. Congratulations to all the participants!


You’re stepping on my supply-chain security

One area that has experienced immense growth in mindshare and hype this past year is supply-chain security, from pre-deployment (i.e., code attestation, CI/CD, IDE-based CVE/OSS-vulnerability code scanning, vulnerability operations/life-cycle management) to post-deployment (runtime protection, code reachability, prioritization, blocking). This is a category where all vendors are bleeding into each other's solutions, with what seems to be over-investment from funds, so it will be interesting to see who emerges as the new gorilla in the category. Clearly moats can be built around the database and auto-remediation, but with massive amounts of dollars still being poured into the space, it's becoming increasingly hard to figure out the winners.


Industry-wide concerns

Security has not been immune to the changes in the markets. Our partner, Daniel Karp, participated in a panel discussion during the annual AGC West-Coast Security Conference, which took place on the first day of RSA, and provided the early-stage lens on a panel about capital markets. There's an abundance of evidence that late-stage mega-rounds are fewer and further between, and that investors increasingly scrutinize metrics, so that unless efficiency metrics (rule of 40, NRR, CAC/LTV, sales efficiency, ACV, repeatability) are perfect, companies find it extremely hard to raise. Moreover, as the IPO window has all but disappeared, companies have had to find ways to fund their activity as private companies in more creative and sometimes less favorable ways (debt, down rounds, warrant-based financing, investor-friendly terms such as liquidation preference). Some expect market consolidation as a result, but even for early-stage entrepreneurs contemplating forming new companies, this environment can give pause, as product playbooks of years past may not be easily replicable. For example, platform-based approaches or best-of-breed point solutions may be more challenging to execute than before.


At Cervin, we firmly believe that material companies will be founded during these downtimes, especially by relentless entrepreneurs who focus on problems that ride strong tailwinds and are top priorities for CISOs. As a result, we remain bullish about areas such as cloud and identity security (top CISO priorities), which remain unresolved. In addition, we are excited to see how security will respond to new threats emerging in popular toolchains in areas such as GenAI.


Cervin Portfolio Companies at RSA

The conference was an eventful one for some of our portfolio companies in the security space. They won a number of industry honors at the Global InfoSec Awards, which were presented during the conference, and showcased themselves at events and on the exhibition floor.

- Airgap Networks won three coveted Global InfoSec Awards, including Most Comprehensive Micro-Segmentation, Next Gen OT Security, and Most Comprehensive Remote Work Security.

- In addition to winning the Global InfoSec Award for the Most Comprehensive Threat Detection, Incident Response, Hunting, and Triage Platform, Anvilogic exhibited at the conference and hosted Cyber Sips Happy Hour.

- RSA 2023 was a busy one for ArmorCode. CEO Nikhil Gupta was part of a panel at AGC Partners' 2023 West Coast Cybersecurity Conference about the challenges of leveraging AI in security. ArmorCode won Global InfoSec Awards for Hot Company in Application Security and Top CEO. They also exhibited at the conference and were a co-sponsor of Snyk's Cocktails in the Clouds event at SFMOMA.

- Privacera made a splash with their booth on the exhibition floor and social media coverage of the event.

- Two of our newest portfolio companies, Bolster and FireCompass, also had a presence at RSA. Bolster exhibited at the conference, and FireCompass sponsored CISOPlatform's informal community meet & greet event.

It was great to be back networking and learning about the latest and greatest in the cybersecurity space. We’re looking forward to 2024!