Editor’s note: This update for OODA Loop Members was produced with contributions from four of the OODA Loop team attending RSA 2019: Matt Devost, Bob Flores, Bob Gourley and Mike Tanji.
The cybersecurity community includes many players from a wide range of disciplines, including enterprise technologists, strategists and executives, academics, government policy makers, lawyers, investors, bankers, authors, entrepreneurs and vendors. A wide swath of people from these communities come together every year at the annual RSA conference. The event is a good opportunity for attendees to interact and learn from each other, to sell products and services, or to explore how the market is innovating to meet emerging needs. In addition to the 30,000 attendees at the conference, many others come to San Francisco at the same time just to arrange meetings around the event. This makes RSA week one of the most important times to gauge the state of the cybersecurity community.
One thing is clear: the state of the cyber community is strong and we’ve accomplished a lot over the last 30 years, but there is also so much left to do.
The state of adversary activity is strong as well. The big lessons of the last 30 years endure. Adversaries in cyberspace will continue to innovate. Defenders must also innovate in a way that increases the cost to attackers while continuing to provide real security ROI in the enterprise. We need to build increased resiliency and cope with a workforce that just can’t keep up with the labor requirements of the industry.
What follows is a quick hit of observations gathered from conversations, meetings and reviews of technology at the RSA conference: namely, things that we thought were worth noting for our members. For a list of the top companies we tracked at RSA, please download the report at the end of this article.
The technology vendors serving the cybersecurity community are a source of great promise but come with their own inherent risks. The promise comes from innovation we are seeing in domains like rapid analysis of high-speed network traffic, rapid detection and blocking of malicious activity, new deception and trapping techniques to delay, monitor, and learn from adversaries, new ways to prevent counterfeiting of hardware, and ways to automate actions that in the past required manual effort. We are also seeing more application of true AI to solutions in the cybersecurity domain. Of course, the risks include the fact that there is not enough security budget to keep the 3,000 or so VC-funded startups in business, and consolidation and failure are inevitable for many. The Cambrian explosion of firms we have seen over the last decade will have to end one day. The next model for these firms may be more Malthusian, with parts of the ecosystem dying off.
Enterprises being defended face many technological challenges. The greatest ones can be summarized by the simple phrase: Complexity Kills! Every enterprise is different and the more complex they are the harder it is to leverage automation for patching, monitoring and securing the enterprise. The good news is that new technologies can improve enterprise architectures and reduce complexity while enhancing security. The bad news is that modernization costs money. The art form here is for enterprises to build smart modernization plans that provide so much functionality to the business that the investment is worth it, and build in security while modernizing.
One of the greatest waves of technology sweeping enterprise today is around making better use of all enterprise data. Initiatives over the last decade have been around accessing, indexing and analyzing data. Now most every enterprise is examining how to leverage new artificial intelligence capabilities to derive business and security value from that data. The security around these new activities is woefully lacking. This was one of the big take-aways from the RSA conference. We didn’t encounter any speakers, vendors, or business leaders in any of the meetings we were in raising this topic. We raised it, and received significant interest as we did, and expect this will be a hot topic for next year’s RSA conference. Why? Because security of AI solutions is much more challenging than traditional security. To date there is one framework for securing AI solutions, and that is the one we have been writing about at OODAloop.com (see: Securing AI: Four Areas To Focus On Right Now).
Security of AI Solutions is a different concept than AI in Security Solutions. Regarding the latter, many security technologies use some form of analytics over data, including, at times, machine learning algorithms. We review several of those in our accompanying guide to the most disruptive technologies we encountered at or around the event. But we noticed a change in marketing this year that may signal a bigger shift. Last year it seemed every other vendor was claiming they use AI to find and stop adversaries. This year very few led their marketing with that. Our sense is that this is a sign of customer fatigue over the overuse of AI as a marketing term.
An observation of the state of threat awareness at the conference: It seems like too many in the industry want to put their heads in the sand when it comes to the threat. Firms like FireEye, iDEFENSE, and Crowdstrike have always been good about seeking to identify who adversaries are, but other than that there was little mention of threat actors anywhere on the expo floor. It seems like most businesses did not want to say that they have capabilities against the real threats. Why would that be? Are they being politically correct? Some panels at the conference had U.S. government speakers who referenced threats from China and Russia, but those references seemed rare. One great thought leader in the space, Rob Joyce from NSA, found a good way to articulate the cyber threats from China and Russia. “We worry about Russia degrading others,” he said. “China projects its power to build themselves up.” He then went one better: “Russia is the hurricane, coming in fast and hard. China is climate change: long, slow, pervasive.” We are glad Rob Joyce mentioned the threats from China and Russia. We now call on any tech vendor who wishes to succeed in the community to bravely describe what they can do to mitigate threats from China and Russia. Those that can should be on the list to survive the big Malthusian extinction that is coming.
We also noticed a small and welcome shift towards a resurgence of companies focusing on people, not technology. This includes firms that do security awareness training in novel ways (including gamification), reinforcing training with testing and helping improve behavior in other ways. Since most major incidents today involve some human action (or inaction), training and user behavior are a big topic.
To conclude: The state of the cybersecurity community is strong, but we all have a great deal to do. Our intention at OODA Loop is to help you be more effective in leveraging the best of what the community has to offer, while helping the community prioritize the hard work in front of it.
To read about the 30+ companies we think are worth checking out, please see our special memo: