At a brunch roundtable, one of many casual events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement about what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”).
The chatter around AI shouldn’t have been a surprise to anyone who attended RSAC in 2023. Generative AI as we know it today was only a few months old then. Everyone wanted to talk about it, but no one was quite sure of the impact it would have on cybersecurity.
A year later, there are still a lot of questions, but the profession has embraced AI into its tools and solutions. It was by far the most popular topic during the educational sessions and in demonstrations and displays throughout the Expo. But it wasn’t the only issue that cybersecurity professionals were thinking about. Here are some of the hottest topics that people at RSAC were talking about.
AI isn’t just generative AI
There were over 100 sessions that dealt with AI at the conference. Many conference attendees were most interested in the double-edged sword of generative AI: how to use it as a tool to detect and prevent cyberattacks and how cybercriminals use the technology to launch attacks. AI’s role in misinformation campaigns and developing deepfakes has many people worried about a significant shift in the way threat actors use social engineering. This worry only compounds with the concern that security awareness training won’t be able to keep up.
The term “shadow AI” was mentioned a number of times, often by CISOs who expressed concern that the risks faced through shadow IT and shadow cloud behaviors are beginning to repeat themselves in the use of unauthorized AI. Right now, much of shadow AI is related to employees who use tools like ChatGPT as research sources and trust the information they receive as absolute truth. But as employees become more sophisticated in using AI tools and as generative AI shows itself as a potential security risk, CISOs want to see steps taken to get AI policies and approved tools adopted into their organizations sooner rather than later.
However, one of the points that cybersecurity experts were quick to make is the need to separate generative AI from other types of AI. Because of the overwhelming presence of AI throughout the conference, the technology has a sense of newness to it, as if it were something introduced only in the past year. Many of the panel discussions covered machine learning and large language models and how to build on the predictive benefits these technologies bring to cybersecurity tools. AI isn’t new, one CISO said; it’s been around in some form for decades. The hope is that the AI hype of this year settles down by RSAC 2025 and that there will be more positive discussions around building better predictive models with AI or more defined uses of the tool.
Data governance and AI
One topic that seemed to come up almost as much as AI was data governance. Some of the conversations were around AI’s role in data governance, but cybersecurity professionals spoke of the need to know their data and build out policies that can meet ever-evolving compliance standards. Data governance was often mentioned together with the SEC cybersecurity disclosure rules and other government regulations put in place. As one cybersecurity executive pointed out, the struggle with data governance comes down to the biases from three different areas within a company: the engineers who create data; the C-suite team who use the data; and the CISO who controls the data and the security around it. There is no agreement on what determines metadata, and until there is governance that agrees with all biases’ points, true data governance will be difficult, if not impossible, to achieve, and that hurts overall security efforts.
The absence of zero trust
In 2023, zero trust was far and away the most discussed topic at RSAC. While everyone wanted to talk about generative AI last year, it was often centered around zero trust architecture and principles. This year, zero trust was pushed into the RSAC dustbin. Oh, it was still there: eight sessions had a focus on zero trust and it was highlighted in various company displays. But it has moved beyond its initial buzz, which one CISO suggested wasn’t that surprising.
Applying zero trust principles is time-consuming, and since it has been a few years since the White House released its cybersecurity executive order, many companies are already well into their zero trust journey. It could be because it’s no longer the “it” buzz term or it could be because there isn’t the demand for more information, but the glow around zero trust has officially dimmed.
Budgets, or lack thereof
At the brunch roundtable mentioned earlier, one of the CISOs said they expected to hear a lot about security budgets, or, more to the point, the lack of security budgets. Funding for security was a topic that came up frequently, as many security professionals weren’t afraid to say they were dealing with a delicate balance to manage budget cuts with rising costs around cyber incidents.
IT and security departments need to do a better job of learning the language of business executives and explaining how and why cybersecurity fits into the corporate model and overall business operations. But if cuts to security budgets continue, with layoffs of skilled security personnel and the inability to get the tools needed to keep up with the latest threats, especially around AI security models, companies will get hit with cyberattacks, and the costs will be greater than the budget cuts.
It’s clear from this year’s RSAC that we’re just at the tip of the iceberg when it comes to AI developments, and the hype around it doesn’t appear to be going anywhere anytime soon. But what security concern, emerging tech or new marketing buzzword will be top of mind for attendees at next year’s RSAC?