The RSA Conference is one of our favorite yearly events: it’s an opportunity to exchange knowledge, get a pulse on the cybersecurity landscape and connect with new technology developments. Chris Olson, the CEO at The Media Trust, provides an insightful post-event round-up of key discussion points that deserve more time and debate.
After going virtual in 2021 due to the COVID pandemic, RSAC 2022 returned to the Moscone Center in San Francisco on June 6th, and it couldn’t have come at a better time.
This year, ransomware events have increased by 13%, which is more growth than we’ve seen over the last five years combined; the average data breach costs organizations $4.2 million, and geopolitical tensions have made impending cyberwarfare a real danger. In short, cybersecurity expertise is more important than ever, and RSAC is the perfect place to share it.
Unfortunately – while the events at RSAC 2022 included timely sessions on supply chain security, emerging data privacy legislation and zero trust architecture – other important topics demanded closer analysis. This blog post will outline four major oversights and their implications.
1. The Consumer Perspective
The mentality of “business over consumers” is nothing new and is a perennial problem for cyber professionals. While the topic of consumer safety came up a few times at RSAC 2022 – particularly in sessions focused on data privacy legislation – it was always on the periphery and never at the forefront.
This is an oversight for two reasons: first, consumers are the ones who shoulder the highest cost for data breaches and poor digital safety. According to IBM, 44% of data breaches include personally identifiable information (PII) such as names, social security numbers and financial details like credit card numbers.
Second, putting consumers first is the most reliable way to protect revenue in the long term. Money and data aren’t the only things an organization loses in cyberattacks: they also lose priceless brand equity and consumer trust, which results in a long-term hit to revenue. 90% of consumers will buy more from a brand they trust – building that trust is hard, but losing it is easy.
2. No Focus on Our Digital Borders
Digital attack surfaces always seem to get left behind at cybersecurity conferences, so we were glad to see a few sessions at RSAC 2022 that focused on the Web. In its presentation for AppSec teams, for instance, Nucleus Security highlighted that 56% of the most significant security incidents in the last five years could be traced to Web application security issues.
But given the scale of this problem, it is still woefully underrepresented on the RSA Conference agenda. Up to 80% of websites across the Internet – including high-ranking news, entertainment, and sports sites – contain at least one vulnerability related to third-party code. Meanwhile, mobile apps are regularly implicated in data-stealing schemes, mass credential theft, and worse.
With no laws surrounding third-party code in Web or mobile applications, America’s “digital borders” are open, leaving organizations and consumers vulnerable to foreign actors, election manipulation, identity theft and worse. Meanwhile, few organizations are aware of the problem, and even fewer are trying to solve it.
3. Reactive Over Proactive Measures
RSA Conferences are always chock-full of security researchers eager to share their latest tools and methods for threat identification. Unfortunately, this means sessions tend to focus on reactive cybersecurity measures rather than proactive ones. But proactive security is more important than ever: by the time a ransomware attack is in progress, for instance, cyber defenders have less than an hour to stop it.
This year, we saw talks with some focus on prevention, from threat intelligence to human risk and ransomware risk factors – but these were the exception rather than the rule. As cyber actors move faster, proactive controls are the best way to prevent cyber incidents, especially in the digital ecosystem.
If there’s one trend we’d like to see more of, it’s zero-trust security, which follows the philosophy of “never trust, always verify.” This stance can protect organizations from software supply chain attacks, insider threats, privilege escalation and more. Thanks to an executive order issued last year, government agencies are moving towards zero trust architecture, a trend reflected in more than a few talks at this year’s RSAC.
4. Limited Discussions on Web3
Over the past year, we’ve seen an explosion in Web3-related technologies like non-fungible tokens (NFTs), cryptocurrency adoption and smart contracts. At the same time, we’ve seen weaponized NFTs that drain crypto wallets, hacks on NFT marketplaces and sophisticated scams that lure users into parting with their money.
Given that these technologies have a strong chance of mediating business and consumer relationships in the future, it was disappointing to see only one relevant talk on this year’s RSAC agenda (Protecting Traditional and Blockchain Virtual Economies). Today’s businesses have a unique opportunity: to shape the future of the Web in light of its past.
Because Web 2.0 was not built with digital safety or trust in mind, it left mobile apps and websites overrun by unregulated digital vendors who often prey on users. Early adopters of Web3 have the chance – and the responsibility – to agree on minimal standards of digital safety to prevent it from being overrun with misleading links, harmful destinations, and contracts that protect companies rather than consumers.
Dialogues to be Continued
The best presentations at any cybersecurity conference are forward thinking – not only devoted to solving the threats we face today but also preparing for the ones we will face tomorrow. Given how closely the digital ecosystem has become entwined with our personal and professional lives today, thinking about the future is not just a matter of curiosity – it’s a matter of survival.
Despite its oversights, RSAC 2022 was well worth the cost of admission. But at RSAC 2023, we hope to see a greater focus on the consumer perspective, a proactive mindset, and non-traditional channels for cyberattacks – while this includes Web and mobile devices, it also includes developing platforms like NFT marketplaces, the “Metaverse,” and more.
Do you think the four points mentioned above warrant deeper debate? Share with us on LinkedIn, Twitter, or Facebook. We’d love to know!