Trends from RSA Conference 2024 Highlight the Promise and Peril of a Dynamic Industry

From the CISO to the SOC analyst, security practitioners are experiencing unprecedented levels of stress, anxiety, and burnout. For evidence, look no further than the topics of the speaking sessions at RSA Conference (RSAC) 2024: CISOs Under Indictment: Case Studies, Lessons Learned, and What’s Next; Geopolitics and Cyber Risk in 2024 and Beyond; and My Resilient Career: How to Do More than Just Survive in Security.

With a record-breaking 2700 speaking session submissions from 130 countries, RSA Conference once again captured the pulse of the industry, addressing critical issues from governance, risk, and compliance to the burgeoning impact of AI and the persistent challenge of burnout among security professionals.

Hugh Thompson, Executive Chairman of RSA Conference, shared the top trends that emerged across the thousands of speaking session submissions.

Compliance and Governance Concerns

A number of sessions pertained to compliance and governance, driven by heightened anxiety surrounding the SEC cyber incident reporting rule issued in December 2023. The mandate to report cyber incidents to the SEC within four days of determining materiality, has created a significant amount of stress and uncertainty for security and legal teams. Speakers sought to quell uncertainty and clear up confusion through a variety of sessions on materiality, risk governance, and SEC disclosures.

Personal Liability, D&O Insurance, and Compensation

The specter of personal liability and criminal indictments related to data breaches has led to a surge in interest in Directors and Officers (D&O) insurance among security leaders. Multiple speaking sessions offered advice for securing coverage. Other sessions highlighted the growing gap between CISO compensation and compensation for other corporate executives who can also be held personally liable for control failures. CISOs noted that their salaries are not keeping pace with the personal liability they’re increasingly required to take on. As a result, longer-tenured security leaders are opting for early retirement.

Burnout and Mental Health

Burnout emerged as a pressing issue, exacerbated by the mounting pressures of compliance, liability, and relentless cyber threats. Security professionals face the need to balance swift incident response with prioritizing documentation for liability protection. Some leaders are focused on providing mental health and well-being resources to help teams better manage the pressure from common stressors like managing competing priorities and growing talent shortages.

AI Dominance and Risks

Not surprisingly, artificial Intelligence (AI) emerged as a dominant theme across speaking sessions and among startups competing in the Innovation Sandbox. Speaking sessions tended to focus on either large language models (LLMs) or risks emerging from the use of AI. Meanwhile, the top 10 startups participating in the Innovation Sandbox focused on model integrity or applying LLMs to SOC operations or data loss prevention.

Government Influence and International Cyber Strategy

This year saw numerous discussions on international cyber strategy, underscoring the growing regulatory landscape and the need for collaboration on a global scale. During his keynote, US Secretary of State Anthony Blinken hinted at increased cybersecurity regulation and executive orders, signaling a shift towards greater government oversight of cybersecurity matters.

Evolution of Risk Management

The topic of risk management underwent a notable evolution this year, with a heightened focus on supply chain security in the aftermath of incidents like SolarWinds. While initial discussions centered around the vulnerabilities exposed by such incidents, the conversation has shifted towards proactive supply chain security management. The discovery of a sophisticated implant in the popular open source tool XZ Utils shows, however, that much work remains to fortify the software supply chain.

Data from the ExtraHop 2024 Global Cyber Confidence Index reflects the trend towards proactive risk management across industries: 59% of respondents say their organization’s leadership teams are moderately or very involved in cyber risk governance, and 41% said their executive management team meets regularly to assess organizational ability to protect critical assets and infrastructure from targeted attacks.

RSAC 2024 provided a clear snapshot of the current state of cybersecurity, highlighting both the progress made and the challenges that lie ahead. As we look towards the second half of 2024, and the future of cybersecurity more generally, prioritizing collaboration and innovation and supporting mental health will be essential to successful initiatives and stronger security outcomes.