RSA 2019 was an incredible conference for AttackIQ. We had many reasons to be excited, as this year we celebrate the 5th Anniversary of AttackIQ and yet the first time we had a booth on the show floor! We commemorated these milestones with an incredible booth display to demo our platform, numerous technical partnerships to announce and our new CEO, Brett Galloway leading the way! I couldn’t have been more proud of AttackIQ as one of its co-founders.
For those of you who attended and saw the keynotes, presentations, walked the expo floor and spent their time meeting with vendors, customers, and partners, I congratulate you on completing another year. RSA is intense, and as it is now over, it’s valuable to reflect on the theme, the general discussions, and the overall mood, so I’m going to share some of my thoughts with you in those areas.
Each year RSA grows and this year was no different as there were over 50,000 attendees and over 550 vendors showcasing on the expo floor. This growth is not a surprise as the security industry as a whole is growing year over year. More vendors, more partners, more organizations who, as the digital transformation of their business develops, need to make sure they can minimize risk, provide privacy and trust and enable the business to advance. Reflecting on RSA this year, there were a few key areas worth noting:
- The overwhelming amount of vendors and conflicting and confusing marketing messages
- The shift from attendees in being more selective with vendors and addressing their needs around discussing capabilities and business outcomes vs. features and technical value.
I credit to some degree the discussion of capabilities over features to the rise in adoption of MITRE ATT&CK. MITRE ATT&CK as a framework, knowledge-base, and lexicon has pushed vendors to differentiate their capabilities vs. primarily attempting to differentiate themselves via their sales and marketing messaging. It has pushed enterprise security teams to think about threat modeling attacker behavior as a means of understanding and measuring their current defensive capabilities and overlaying and validating their current security controls. This results in understanding control effectiveness and exposes gaps for future prioritization. Focusing on capabilities vs. messaging was especially important this year as walking the expo floor it was easy to get lost in the rhetoric of messaging around AI, Automation, Cloud and verbiage that melted all the vendors together. Understanding what capabilities you as the enterprise currently have and were looking for helped differentiate the vendors, as long as they were aligned and “spoke” MITRE ATT&CK.
I was also happy to see more vendors and enterprise teams talking about business outcomes vs. technical value. I attribute this shift to the evolution of the CISO role becoming more ingrained at the highest level of the business. I saw security professionals in the enterprise as well as the vendor community speaking less to the technical value that their teams or products provided and more what business outcomes are provided, including, Governance, Compliance, Cyber Resiliency, and Data Protection.
The theme of this year’s RSA was “Better“. At first, I did not fully appreciate the theme and negatively compared it to phrases like “good enough.” But the more I thought about the high-level RSA theme this year and thought about how in cybersecurity we typically talk in Hyperboles of either the sky is falling or silver bullet solutions, “Better” on the other hand was a subtle and positive message and outlook. A tone that perhaps we need more than we know. Especially given the increasing level of stress most security professionals live in day in and day out. I think a great deal of this stress is due to unreasonable expectations as well as operating constantly in a reactionary manner vs. having a proactive strategy, understanding threats in order to invest in a defensive strategy accordingly. But I have a positive outlook because of frameworks like MITRE ATT&CK and discussions around business outcomes. I have a positive outlook when I look at what AttackIQ is doing around being an open platform helping to provide transparency, truth towards datw-driven decisions. As an industry, we are Better than we were last year. That doesn’t mean we won’t continue seeing more data breaches as the digital transformation of business is growing, and with it the attack surface will grow as well. There will be more systems interconnected and more business online potentially exposing more risk. But at least as an industry we’re moving away from using FUD to explain the value of security, and adopting frameworks like MITRE ATT&CK that help us speak in a common lexicon between threat and risk, we’re discussing how to enable the business with security playing the crucial role of helping to articulate and minimize risk and framing security around business outcomes.
I’m proud to be part of a company driving the continuous security validation (CSV) market and helping enterprises cut through the noise and measure and validate their current capabilities and defenses. I saw and heard the responses from attendees as they came to our booth. Many familiar with AttackIQ, but those that were not were able to move from the confusion of marketing messages amongst vendor booths to the confidence that’s provided by the mission of AttackIQ. The mission of improving the efficacy of the security stack for every organization. AttackIQ cuts through the noise and aligns with standards and frameworks such as MITRE ATT&CK, helping security organizations to enable their business by providing business outcomes. A value proposition that brings us confidence in doing our job, knowing we are making a difference and making us better as an industry.