Expert perspectives on the cybersecurity community, recent technology developments and their real-world implications.
May 8, 2023 | By Mike Mulligan and Danielle Gonzales
As some of the greatest experts in cybersecurity gathered in San Francisco for the RSA Conference 2023, we discussed the future of security and its role in digital transformation and business growth. After connecting with customers, collaborators and thought leaders, here’s what you should know.
1. Focus on Resilience
It’s not a matter of if but when something happens. That’s why conversations at this year’s RSA Conference centered not just on preventing an incident but surviving one. Even leaders who claim their organizations are 100% secure should assume technology will fail or something can go awry.
The name of the game here is cyber resilience.
- Reframe: start thinking of change controls as part of your security program. Build in guard rails and checks throughout your operations.
- Create business continuity and disaster recovery plans.
- Move from a reactive security posture to a proactive one by testing the strength of your protections, not just bracing for impact.
- Educate your employees to improve their cyber hygiene and tech habits, both in and out of the office.
2. You Can—and Should—Put a Price Tag on Security
Facing an uncertain economy, inflation, supply chain disruption and ongoing talent shortages, companies are scrutinizing spend, according to TEKsystems’ State of Digital Transformation Report:
- While 1 in 3 organizations were averaging $10M+ per initiative in 2022, only 1 in 5 organizations report nearly the same level of investments in 2023—with most projects coming in under $5M.
- Digital laggards, companies with tentative plans and limited digital transformation initiatives and investments in place, are two times more likely to cut tech spending in 2023.
Much like other organizations within the enterprise, security leaders are being tasked to assign monetary value to projects. “How much are these protections saving our company?” Said another way, “What’s the cost of not doing this work?”
Other organizations and even some C-suite leaders may view security as a cost center. But here’s the thing: security can seem like overkill, too expensive and not a priority—until you have a major incident. Then, suddenly, an incident occurs that could disrupt or fully stop operations. In come compliance fines, risk exposure to customers and a tarnished brand reputation that will take money and time to rebuild.
Calculating the financial impact of failing to meet compliance standards is straightforward, as many have associated fines. It’s a more complex calculation to consider an incident that halts operations, hurts customers or harms your brand. But those tougher calculations are worth computing.
So, how can you start to put dollar signs next to these big efforts to support top-level cost-benefit analysis? Start by bringing together the same people you’d enroll in your business continuity and disaster recovery plans. You can dig into the logistics and financials around these kinds of questions:
- “How would an incident affect business operations and projected revenue?”
- “How could this impact our customers, our reputation, our brand in the short term and long term?”
- “What does it take to survive an incident and get us back to a good place?”
3. There Are Other Impacts of the Security Talent Shortage
As cybersecurity evolves, the gap widens between needed and available expertise. This isn’t a new phenomenon; cybersecurity talent demand has outpaced supply for years. And TEKsystems’ annual survey respondents identified cybersecurity as the most critical skill to the enterprise.
We’ve outlined both human-focused and technology-focused tactics to bridge the talent gap in our RSA Conference 2022 Takeaways, even considering how to reduce strain on your current security teams to avoid burnout and turnover.
Building on ongoing talent shortage concerns, we’ve heard an additional challenge surface this year. Constant movement in the workforce has created blind spots. New managers bring their own security strategy. They may advocate for new security software or a new tool. As employees come and go, security leaders find half of their tools haven’t been implemented, adopted or kept up to date.
So how does a revolving door of talent affect your enterprise-wide security approach? Start today by working through these steps:
- Zoom out: Take a big-picture view of current people, process and technology to identify and address vulnerabilities.
- Change controls: Document what you say. Do what’s documented. Prove it. Keep current and future teams all on the same page.
- Security tool rationalization: Where are redundancies? Where are gaps? Are we using all the capabilities from our current tools? Can removing or replacing an existing tool optimize costs while aligning to our security strategy?
4. New Technology Means New Vulnerabilities
The world of technology moves fast—security must move faster. As companies look to new technology to meet digital transformation goals, they’re inviting new opportunities for incidents.
Generative AI, for example, a hot topic at the RSA Conference 2023, has security experts concerned. Already, some major companies have banned employee use of generative AI tools, like ChatGPT or Google Bard, on company devices and networks after engineers accidentally leaked intellectual property just last month, according to TechCrunch.
Does this mean security organizations must shut down all innovation? Of course not. Security and business leaders must work together to bring on game-changing technology to drive transformation and revenue while protecting customers and minimizing exposure to risk. Before you build or buy it, ask: “What are the implications? How does it align to standards across our enterprise?”
This is where a security-first approach can enable your business. Start a conversation around the people, process and technology elements of your digital transformation goals. This can inform a security strategy that drives business forward.
5. Rules before Tools
Facing an ever-expanding threat landscape, the search continues for a quick yet comprehensive fix for security. A single purchase or licensing fee to fully protect the enterprise. A “set it and forget it” solution. A silver bullet. The cybersecurity community is not there yet, despite the growing number of new security tools and software on the market.
Risk tolerance plays a factor here. Nascent and growing companies reach for software over security strategy because it may meet their current needs, bandwidth constraints and risk tolerance. Well-established brands with big reputations and brand equity have a much lower risk tolerance because they may believe they have more to lose. These companies should reach for process and standards first over an off-the-shelf security tool.
Both groups may benefit from considering a new tool, if they start with a simple phrase: Rules before tools.
Before jumping into the next big thing in technology—whether a newly hyped technology like generative AI or a piece of security software—start a dialogue to dig into the who, when and how around:
- Deployment
- Management
- Compliance
- Governance
- People adoption and activation
The Bottom Line
Cybersecurity will continue to get more attention since it’s constantly evolving and affects everyone. Here’s where to focus to survive and thrive in this next chapter:
- Companies will continue to aim to drive business growth and—in this moment—focus a great deal of effort around optimizing costs. Security leaders must help business leaders find that balance while keeping their operations, customers and brand safe.
- Even with new technology and changing terminology, it’s all about perspective. A security-first approach to business growth, powered by business and security leaders working in lockstep, is the most sustainable way forward.
- It can be tempting for company leaders to cut security spending or headcount, but it’s shortsighted. Avoid these pitfalls by ensuring CISOs not only have a seat at the table but also have a voice.
- The best first step you can take today is looking at the big picture. Take an enterprise view of your security posture to inform your security roadmap and activate a future-focused strategy.
Mike Mulligan
Executive Director, Risk and Security Services
Security executive Mike Mulligan has been in the tech industry for nearly 25 years and has vast experience overseeing market development and revenue growth strategies. In his current role, Mike oversees a growth-oriented segment focused on helping customers solve technology and business challenges within cybersecurity and risk areas. Prior to his current role, Mike worked in a variety of capacities at TEKsystems, starting as a technical recruiter, then growing into roles including senior account executive, where he was highly successful in solving customer problems for Fortune 100 customers in financial services, insurance and pharmaceutical verticals. Mike has held many sales leadership and product executive roles with a primary and maniacal focus on increasing revenues and expanding market share.
Danielle Gonzales
Director, Risk and Security Services
Danielle Gonzales brings a consultative approach and business insight to help customers to align their cybersecurity strategy to critical business goals and initiatives. With 13 years at TEKsystems, Danielle is a leader supporting cybersecurity teams and execution partners on risk, compliance and security initiatives with resource, outcome, and advisory services. Committed to inclusion, diversity and equity efforts in IT, Danielle is a member of the Hispanic Information Technology Executive Council (HITEC), a board member of TEKsystems Executive Inclusion Board and an executive sponsor for AdelanTEK, TEKsystems Latinx/Hispanic employee network.