IANS was on stage as a Research Partner at this year’s RSA Conference in San Francisco. RSAC is the central meeting place for the cybersecurity community, with the 2023 conference attracting more than 40k security professionals and luminaries. Nick Kakolowski and Gina Glendening, two of IANS' Senior Research Directors, attended and shared their feedback on RSAC 2023.
Five questions with IANS Research team members from RSAC 2023
1. RSAC's Theme for 2023 was 'Stronger Together' - How did this theme resonate throughout the week?
Gina: We saw this theme across a number of different areas:
- Public/Private Partnerships: We heard a lot about the government and CISA teaming up together with the private sector, specifically about federal agencies looking to work with the private sector more for information sharing around threats and vulnerabilities.
- Collaborative Discussions: We continue to hear a focus on how security can work better with the business units within their own organizations. That ‘hand in glove’ relationship is really important.
- Peer-to-Peer Insights: Certainly, there is some information that shouldn’t be shared publicly – especially during an active incident – but the value gained by sharing information with infosec leaders you trust, whether an informal network of peers or your industry ISAC, is key. We see and hear this same sentiment throughout the IANS community as well.
2. What were some of the trending topics at RSA this year?
Gina: ChatGPT, period.
The buzz around Generative AI, Large Language Models, and ChatGPT specifically dominated presentations and conversations. Everyone was talking about it. With so much speculation and uncertainty about the technologies, more questions than answers were
- How do we use this safely?
- Where are the advantages?
- What are the disadvantages?
- How are attackers using this?
Nick: The security industry is saying let's pump the brakes and understand the risk. Let's have a nuanced conversation about where we can use it safely, how we can control its use, and how we can set adequate boundaries around using these technologies so we can gain the benefits while controlling risk.
There is an awareness that this technology can be used for bad as well. So how do we continue to stay a step ahead of the attackers and where they may be able to use it in disingenuous ways?
Nick: The topic of InfoSec staffing came up a lot.
We have to start getting strategic and smart as an industry when figuring out ways to attract and keep talent. This industry has been in an ad hoc state, growing fast as the security function matures, and is now hitting a tipping point. In security staffing, there’s a need for:
- More inclusive job descriptions that set reasonable expectations
- Clear definitions of different roles
- Better, more creative hiring strategies
We can't just keep hoping that we’ll eventually ‘somehow’ figure out security staffing and retention problems by organically growing these teams.
Gina: Zero Trust and Identity
Still much discussion around zero trust, identity, multi-factor authentication and cloud configurations and governance. These are areas we've been long talking about as organizations seek guidance and best practices to continue on their journeys, improve
3. What did the speakers cite as some of the biggest challenges in the coming year?
Nick: Supply Chain Security
The complexity of the supply chain continues to be a major talking point and an underlying challenge across the industry. There's an increasing recognition that most small and mid-size organizations will just not be capable of protecting themselves against the scale of attacks.
It's creating a situation in which the supply chain orgs have an opportunity to deliver more value to customers by taking on a bigger responsibility for security. This approach may also become a de facto expectation as the government’s cyber roadmap includes strengthening supply chain security baselines across the board.
4. What security data points surprised you the most?
Gina: macOS Attacks
One of our IANS Faculty members, Ismael Valenzuela, co-presented a session with his colleague that broke down the TTPs of recent attacks against macOS, which was interesting and very timely. There’s been an assumption that Macs are “safer” from a lot of targeted attacks - then the 3CX incident came along. Most organizations have made no investments to prepare for this new wave of attacks. This is alarming, considering macOS devices now constitute over 20% of the U.S. enterprise computing market, and Mac enterprise adoption grew significantly over the last year.
It will be a challenge for organizations to manage the increased risks associated with the use of macOS devices. Defensive countermeasures were recommended, but nonetheless, it will be an interesting space to watch moving forward, as we’ve heard other IANS Faculty members warn of the growing threat of compromises to macOS devices.
5. What was IANS’ presence at the RSAC this year?
Nick and Gina: As an official RSAC Research Partner, we were thrilled to have Faculty member George Gerchow speak on behalf of IANS during his session on hiring, development and retention. It was also great to see so many IANS Faculty members on the agenda. While there were more than 650 speakers who took the RSAC stages, the level of deep domain expertise, tangible insights and actionable takeaways provided in the sessions led by IANS Faculty members really stood out.
Outside of sessions delivered by IANS Faculty members, it also wasn’t uncommon to see some RSA presenters cite work that IANS Faculty have done. This just reinforced the pride we have in our Faculty as luminaries in the industry and such a valuable resource to our clients.
About the IANS Faculty
Our Faculty comprises more than 100 renowned security practitioners with deep, domain-based knowledge who understand - firsthand - the challenges faced by CISOs and their teams.
IANS connects clients with Faculty to help them make better decisions, grow professionally, save time & stay compliant. Get in touch to learn more about how we can help move your security program forward.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.