Here’s What 15 Top CEOs And Cybersecurity Experts Told Us At RSAC 2023
CRN sat down with leading executives and security experts from companies including Palo Alto Networks, CrowdStrike, SentinelOne and Rapid7 during RSA Conference 2023. We asked each the same question. Here’s what they had to say.
Generative AI may have been the unofficial theme of last week’s RSA Conference 2023, but plenty of other meaty topics came up for discussion — and debate — among the tens of thousands who attended.
CRN was on hand at RSAC 2023 in San Francisco to speak with top CEOs and cybersecurity experts and hear what’s on their minds. When asked for their top issue at the conference, most actually brought up topics other than ChatGPT and the implications of generative AI for cybersecurity.
Specifically, we asked 15 leading cybersecurity executives and experts — from companies including Palo Alto Networks, CrowdStrike, SentinelOne and Rapid7 — the same question: “What’s the No. 1 issue you’re focused on at the conference?”
They supplied a variety of answers. Product consolidation and the need to simplify security for customers was a running theme through many responses, but numerous other issues came up, as well. The future of extended detection and response (XDR), cloud security and vulnerability management were the key topics for several executives — while others pointed to the need to tackle the immense cybersecurity challenges posed by ransomware, software supply chain attacks and the development of quantum computing.
Ultimately, though, while flashier issues often get the attention at RSAC, the fact remains that many businesses would benefit most from focusing on the cybersecurity fundamentals, as Lesley Carhart, director of incident response for North America at Dragos, told CRN during the conference.
What follows are comments from 15 cybersecurity executives and experts we spoke with at RSAC 2023. (Comments have been edited and condensed.)
Tomer Weingarten, co-founder and CEO of SentinelOne
Issue: Reducing security complexity
“The amount of vendors, the amount of solutions, the solution sprawl, environments entrenched with so many different products, all working in silos — that’s the biggest issue in cybersecurity. Security is complex enough as it is, and if you spread it across 100 different products, then it becomes even more complex. So it’s almost like we’re shooting ourselves in the foot by trying to put more and more products out there. [Customers need] a more seamless experience.”
Lesley Carhart, director of incident response for North America at Dragos
Issue: Focusing on the cybersecurity fundamentals
“If I could convey one thing to the security universe and to the technical universe, especially in the OT space, it’s, ‘Do the fundamentals.’ We’re still fighting for those in the OT space. There’s a lot of flashier topics. But in the OT space, particularly in critical infrastructure, we’re still assuming they’ve got things they don’t have, in terms of the basics — like asset inventories, security monitoring, an incident response plan.
There’s a lot of whiz-bang things in the news. As you walk around RSA, there’s topics of the day that are getting a lot of attention, because they are the hot topics. And they aren’t necessarily the basics. They’re important things. They’re meaningful to security. But it’s hard to get people to talk about knowing what devices are in your environment, and having a plan for what you’ll do if you have an incident, and things like that. That’s not a cool topic to talk about in 2023. But people are still missing it. And I’m still walking into horrible situations for organizations that do really important stuff for society, and having to do those basics for them, at a massive expense — because they never did them. Or they thought they had them, and they didn’t.”
Jaya Baloo, chief security officer of Rapid7
Issue: Post-quantum security readiness
“There is an effort to try to figure out where the federal government is [on post-quantum readiness] by May this year. And so if they have to figure out where they are by this year, then eventually, so do their vendors and everybody who sells to them and does stuff for them. But I don’t feel like, as a community, that we necessarily pull together in the right way. There still seems to be a degree of complacence.
And let me be clear — I do not mean, don’t do the basics first. Absolutely not. I believe that if you don’t have your asset and inventory management sorted, if you don’t have vulnerability management sorted, if you don’t have your foundational threat understanding sorted — please don’t begin with quantum. That’s the dumbest thing we can do. Because no one’s going to attack you on your super-hard encryption if you leave the front door open. Obviously, it’s about getting the basics right first. The issue that I’m worried about is, we don’t have those inventories correct. But subsequently, we also don’t know our [cryptographic] inventories. If you ask any random company, ‘Hey, do you know all the different places where you use cryptography now? What you depend on from your vendors, what you get from them, what cryptography do they use? And then if you need to transition all that stuff to a [post-quantum system], where you should start?’ They have no clue. And these are crown jewels. Even if we didn’t have this quantum threat, your cryptographic assets are crown jewels. How come we don’t have a good enough understanding of them?”
Lee Klarich, chief product officer of Palo Alto Networks
Issue: Security product consolidation
“[A major discussion topic] is being able to deliver security in the form of platforms, as opposed to lots of different point products. This has been a huge challenge in the security space for a very long time. And I just don’t believe that we collectively can accomplish the outcomes that are needed from a cybersecurity perspective, if we don’t make progress on that.
The biggest challenge is that, even companies that are bought into the strategy — which is a growing set of companies out there — still often have the traditional way of project-based decisions. It’s just part of how things have been done for so long, that it takes time to change. And so, that’s actually one of the biggest challenges: How do we make sure that we continue to work with our customers more at the strategic level, building multi-year roadmaps with them on how to get there? While at the same time, still winning the hearts and minds of the individual architects and engineers that are looking at solving specific problems. And showing them how we can solve those problems as a component of a broader platform.”
Assaf Rappaport, co-founder and CEO of Wiz
Issue: Consolidation through integration
“One of the things that we’re seeing as a theme is consolidation. That is important both to the security aspect, but also important [because of] the economic downturn — we’re feeling the pressure to do more with less in this economy. We want our platforms to work together.
[Integration of products] is part of consolidation. Everybody talks about consolidation. It’s not [only] vendor consolidation. It’s more about platform consolidation [around] how these things work together. And that’s what we’re expecting many vendors in the market eventually to do — to partner to work better together.”
Wendy Thomas, president and CEO of Secureworks
Issue: Collaboration between security vendors
“Collaboration and community [is critical for cybersecurity]. Forging the connections to all the players in this industry, to give customers choice, is part of my job here. We’re building relationships with different partners so customers have the best security options possible in the space. [We want to] integrate in a way that customers gain bidirectional benefit — where both products get better — so that a customer of both is better off from a security perspective.
Customers are just interested in the outcome, and in being able to achieve that without a very rigid prescription around technology deployments or stacks. That’s when you get to good security. Anytime you’re rigid about anything, and not flexible, things tend to break. And so it’s that flexibility that keeps organizations resilient and keeps their security efficacy.”
Daniel Bernard, chief business officer of CrowdStrike
Issue: How to make XDR a reality
“From the partner meetings that I’ve had, the No. 1 [question] is, how do I make XDR a reality? What are the steps? What’s the journey to go on? How do I consolidate? I think that’s the unique nature of the market that we’re in right now. There’s tons of growth opportunity, but it’s different [than selling a single product]. It’s [about] replacing other products and consolidating.
Underneath it all, everyone [is wondering], ‘How do I build my business in a macro environment where it’s uncertain?’ Certain markets are growing, certain markets are shrinking. How do I grow? Where do I go next?”
Sam King, CEO of Veracode
Issue: A shift in focus on vulnerabilities
“Our industry has spent so much time discovering vulnerabilities. You’ve got a long list of issues to deal with — whether they are vulnerabilities in your software applications, or your vulnerability management program is finding [issues]. But that’s not the goal of the exercise. Scanning is not the goal of the exercise. Getting to a secure outcome is. So, how do we hasten the path to fixing these problems? How do we hasten the path to preventing them from getting in the code in the first place? Bringing our emphasis back to the outcome, not just the activity, is crucial.
In almost all of the conversations we have with customers or prospects, the conversation comes back to, ‘How do we make this actionable and adopted inside our organizations?’ Increasingly, our focus has been more around the actionability of what we’re doing. If someone can take the information we’re producing, the remediation advice we provide, and use it to actually solve the problem — instead of just marveling at the problem — that makes it effective.”
Sanjay Poonen, president and CEO of Cohesity
Issue: Defeating ransomware
“There’s so much interest by boards, by audit committees, on ransomware. There’s a ransomware attack every 20 seconds — at least an attempt. And what we’re seeing is that people are looking for a proactive, detect-and-identify approach within the framework of NIST. And then there’s a need for a reactive [approach] — ‘I want to simulate a ransomware attack and know if I’m able to recover.’ The traditional view of some vendors in our space has been to come at this problem from a storage perspective, which is fair. But I come at this from a very different perspective [based on] security and analytics and AI.
AI is very much a factor in both the proactive and reactive aspects of security. But just because there’s so much ‘AI washing,’ we’re looking now for specific use cases where people can see the benefits.”
Melissa Bischoping, director of endpoint security research at Tanium
Issue: Software supply chain attacks
“Supply chain concerns are top of mind for everyone, because those are some of the hardest threats to remediate. The industry is dependent on the use of a lot of third-party libraries, shared code bases. And being able to ‘trust but verify’ what’s in your environment is a large part of the conversation with customers that I talk to every day. So the challenge for a lot of organizations is having the tooling, the processes, to be able to take the products from their vendors and the products they build in-house — and really have confidence that they’re using non-vulnerable versions, or that if it is vulnerable, they’ve mitigated the risk to the organization.
[The 3CX supply chain attack] hit a large amount of customers across different industries, across different verticals, and they all had to solve the same problem — regardless of the size of your company. We’re dealing with software that’s being used by your smaller shops — 100 employees or less — all the way up to some of the biggest Fortune 50 companies in the world. And each of those teams has wildly different processes, tooling, staffing. So building solutions and building transparency — into things like the SBOM [software bill of materials] initiatives — is going to be critical to making sure we’re across-the-board covered.”
Mårten Mickos, CEO of HackerOne
Issue: Why humans will always be needed in cybersecurity
“We’re seeing more evidence than ever that really big problems can only be solved by humans. Or maybe not even by humans — but certainly not by machines, certainly not by AI, certainly not by firewalls. [Gartner says] that only a human-centric cybersecurity program can be successful.
We have this fallacy that the world can be rescued with technology. And it’s a terrible fallacy. If we have a problem, it needs to be solved through human agency. We will certainly speed up a lot of work with AI. To think that cybersecurity would be the first benefactor, I think, is also a fallacy. It will help us in our daily work. Something as sophisticated as a cybersecurity problem is not yet solvable.
Let’s take Log4j. It’s a known vulnerability and it has a CVE number. To really act on it, you first say, ‘What software do I have?’ Could AI figure out what software you have? Maybe they could. Then you say, ‘How do I test where I have it?’ Then somebody needs to test it. And that is something AI can’t do today. AI can do some rudimentary tests, but to find something as elusive as Log4j, you need skill and ingenuity and creativity in a way that AI doesn’t yet have. And then when you find it, you say, ‘How do I fix it?’ And then you need a lot of contextual knowledge. AI will at some point get there [on providing context]. But even then, at the important junctures, a human being will [need to be] assessing what should be done. So AI will speed this up, but it will not solve it.”
Dror Davidoff, co-founder and CEO of Aqua Security
Issue: Where cloud security is going next
“For many customers, cloud security started by just getting visibility — to understand what they have in the cloud. I think there is a realization that it’s a good first step, but it’s certainly not enough.
Now, as organizations mature, and regulations are maturing as well, they’re looking for more security controls to actually act on the information — to prevent things from happening, and then if something happens, to block it. I think that’s a transformation that we see in the market. There’s also the realization that when they need to secure their application in the cloud, the right way to do this is to start with the developer. Rather than cutting it into multiple segments and point solutions, it’s actually one problem. So how can they now connect the dots and solve the big problem for their cloud security?
Eventually, the cloud will be much more secure than the legacy applications run on-prem. That’s the transformation for the next 24 months. The end goal is to be able to look at that as one problem, and to fix it from code to cloud. And if they do that, security will be that much better.”
Caroline Wong, chief strategy officer at Cobalt
Issue: Pressures on security practitioners
“There’s layoffs, and there’s budget cuts, and there’s burnout. And that’s affecting folks across the board. Practitioners are affected, the vendor community is affected. It’s definitely a stressful year. Folks are working really hard, and it’s not as easy to accomplish business objectives in 2023.
We’ve got qualitative survey data from the professionals. And we have quantitative vulnerability data from the pen tests. And where those two data sets match up [shows that] security vulnerabilities are not getting fixed. And it ends up becoming a little bit of a vicious cycle. Imagine a security team — they’ve done a pen test, and there are findings. That same security team, some of the team members get laid off, the security budget gets cut. All of a sudden, there’s fewer people doing more work. And the vulnerabilities are not getting fixed, because those fixes are not getting prioritized. When the vulnerabilities don’t get fixed, the chances of a breach increase. And then when the breaches happen, it’s a firefight. It’s incident response time. And every minute that a security professional is fighting fires, they’re not doing proactive security work.”
Dave Gerry, CEO at Bugcrowd
Issue: Bringing greater security capabilities to SMBs
“One of the challenges that often happens in this [penetration testing] space is the biggest customers get to buy whatever services they need. They get whatever tools they need. They get all the help and the coaching that they need. The SMB part of the market has been forgotten for a long time. So as we start to think about how to go down-market in an efficient way, how do we do this in a way that starts to democratize how we think about security and about access to security? How do we help some of the smaller players in the space to actually get some of the results that they need? And ultimately, that secures all of us. Because when you think about the supply chain, these [SMBs] are a lot of the folks that ultimately have interconnectivity back into the bigger players. You have a breach there, you’re breaching the whole chain.”
Casey Ellis, founder and CTO at Bugcrowd
Issue: Making security easier
“[There are some] organizations that aren’t doing anything [on penetration testing]. Oftentimes it’s because of the amount of friction, when you go to a consultancy and you’ve got this long drawn-out conversation around scoping and resourcing, all these different things. And once you’ve signed the check, you have to wait six weeks until someone’s available … People need hacking. And the easier we can make it for them, the better.”