RSA Conference 2023 Preview

1. The ROI of Cyber Security – Tomy Han, Partner

There is no doubt cyber security is mission critical for organizations of all sizes. It is also true that most executives and corporate boards have a difficult time understanding their organization’s cyber posture relative to the amount of dollars being spent. I believe we’ve been in a unique time of expansion as an industry as the number of attacks and the awareness of such attacks has increased exponentially. This, coupled with the pandemic that has forced organizations to go hybrid, budgets of cyber teams have grown at a rate that is likely to invite financial scrutiny by executive teams and corporate boards going forward.

I believe the ability of vendors to demonstrate their value to both practitioners and non-practitioners, whether it’d be tying it to measurable milestones or dollar figures, will be an important topic at RSAC this year. There will be difficult decisions that need to be made between adopting best of breed technologies vs. consolidated platforms and justifying adding new solutions on existing cyber stacks where benefits could be marginal or transformational. We’ve seen this ROI justification need play itself out with our compliance technology portfolio and expect a similar story to play out with cyber security over time.  

2. Cybersecurity for SMBs – Jake Wasserman, Senior Associate

The SMB market for cybersecurity has been relatively underinvested in and, as a result, smaller companies find themselves poorly positioned to handle the explosion of cyber threats. SMBs actually suffer more from cyber-attacks and constitute a bigger end market than enterprises. In fact, some of the biggest vulnerabilities enterprises face come from their SMB partners as bad actors gravitate towards the path of least resistance. This is one tailwind we saw which made us so excited to lead Black Kite’s Series B round, which helps enterprises gain greater visibility into third-party cyber risk. 

I believe solutions in this market need to take a more holistic, all-in-one approach as SMBs lack the budget to buy several best-in-breed tools. These companies will also need a services strategy where cyber specialists help with implementation and continuous monitoring. We’ve seen a rise of vendors trying to tackle the SMB cyber gap and believe they will garner a lot of attention at this year’s RSAC.

3. IoT and OT – Wells Johnstone, Analyst

The pandemic led to a wave of Digital Transformation with enterprises that has helped businesses gain efficiencies and unlock business value at a rapid rate. However, for CISOs, it has meant an even greater expansion in attack surface area and vulnerabilities.  

Specifically, Operational Technologies have previously been disconnected from the outside world, keeping them in an airtight environment and shielded from cyber-attacks. Concurrently, more devices – whether it be sensors tracking container shipments or access control devices protecting critical assets, have come online. This has forced security teams to tip-toe around the fine lines of trading off productivity for security. I anticipate there to be meaningful conversations at RSAC around the need for standards, systems and practices to be put in place for all the OT and IOT devices coming online. Companies will need a basic understanding of what assets are online and their interconnected levels of exposure, and finally tailored playbooks to respond to breaches in a timely fashion.  

4. SBOM’s Implications – Sinjon Goldberg, Analyst 

In March 2023, the Biden Administration released a comprehensive, 39 page briefing on our national strategy. The strategy emphasized how moving forward there will be a standardized implementation of SBOM. This move will surely help software vendors address vulnerabilities such as Log4j in their systems as quickly as they are discovered.  

Additionally, and arguably more importantly, SBOM implementation will enable users/software organizations to assess and remediate their own exposure across their software stacks. While the security posture of organizations continues to mature, it is also clear that there is still a wide attack surface area (that is only continuing to grow) via technology vendors and business partners that are much more difficult to evaluate, manage, and control. SBOMs will help alleviate many problems, but the list of potential third-party risks is much longer. SBOM and third-party risk will continue to be an important topic at RSAC 2023.  

-The Volition Team