At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”).
The chatter around AI shouldn’t have been a surprise to anyone who attended RSAC in 2023. Generative AI as we know it today was only a few months old then. Everyone wanted to talk about it, but no one was quite sure of the impact it would have on cybersecurity.
A year later, there are still a lot of questions, but the profession has embraced AI into its tools and solutions. It was by far the most popular topic across the educational sessions and in demonstrations and presentations across the Expo. But it wasn’t the only issue that cybersecurity professionals were contemplating. Here are some of the most popular topics that people at RSAC were talking about.
AI isn’t just generative AI
There were over 100 sessions that dealt with AI at the conference. Many conference attendees were most interested in the double-edged sword of generative AI: how to use it as a tool to detect and prevent cyberattacks and how cybercriminals use the technology to launch attacks. AI’s role in misinformation campaigns and developing deepfakes has many people worried about a significant shift in the way threat actors use social engineering. This worry only compounds with the concern that security awareness training won’t be able to keep up.
The term “shadow AI” was mentioned a number of times, often by CISOs who expressed concern that the risks faced through shadow IT and shadow cloud behaviors are beginning to repeat themselves in the use of unauthorized AI. Right now, much of shadow AI is related to employees who use tools like ChatGTP for research resources and trusting the information they receive as absolute truths. But as employees become more sophisticated in using AI tools and as generative AI shows itself as a potential security risk, CISOs want to see steps taken to get AI policies and approved tools adopted into the organizations sooner rather than later.
However, one of the issues that cybersecurity experts were quick to point out is the need to separate generative AI from other types of AI. Because of the overwhelming presence of AI throughout the conference, the technology has this feeling of newness to it, that it is something that was just introduced in the past year. Many of the panel discussions covered machine learning and large language models and how to build on the predictive benefits these technologies bring to cybersecurity tools. AI isn’t new, one CISO said; it’s been around in some form for decades. The hope is that the AI hype of this year settles down by RSAC 2025 and that there will be more positive discussions around building better predictive models with AI or more defined uses of the tool.
Data governance and AI
One topic that seemed to come up almost as much as AI was data governance. Some of the conversations were around AI’s role in data governance, but cybersecurity professionals spoke of the need to know their data and build out policies that will meet ever-evolving compliance standards. Data governance was commonly mentioned along with the SEC cybersecurity disclosure rules and other government regulations put in place. As one cybersecurity executive pointed out, the struggle with data governance comes down to the biases from three different areas within a company: the engineers who create data; the C-suite team who use the data; and the CISO who controls the data and the security around it. There is no agreement on what determines metadata, and until there is governance that agrees with all biases’ points, true data governance will be difficult, if not impossible, to achieve—and that hurts overall security efforts.
The absence of zero trust
In 2023, zero trust was far and away the most discussed topic at RSAC. While everyone wanted to talk about generative AI last year, it was often centered around zero trust architecture and principles. This year, zero trust was pushed into the RSAC dustbin. Oh, it was still there: eight sessions had a focus on zero trust and it was highlighted in more than a few company displays. But it has moved beyond its initial buzz, which one CISO suggested wasn’t that surprising.
Applying zero trust principles is time-consuming and because it has been a couple of years since the White House released its cybersecurity executive order, many companies are already well into their zero trust journey. It may be because it is no longer the “it” buzz term or it may be because there isn’t the demand for more information, but the glow around zero trust has officially dimmed.
Budgets, or lack thereof
At the brunch roundtable mentioned earlier, one of the CISOs said they expected to hear a lot about security budgets, or, more to the point, the lack of security budgets. Funding for security was a topic that came up frequently, as many security professionals weren’t afraid to say they were dealing with a delicate balance to manage budget cuts with rising costs around cyber incidents.
IT and security departments need to do a better job of learning the language of business executives and explaining how and why cybersecurity fits into the corporate model and overall business operations. But if cuts to the security budgets continue, with layoffs of experienced security personnel and the inability to get the tools needed to keep up with the latest threats—especially around AI security models—companies will get hit with cyberattacks, and the costs will be greater than the budget cuts.
It’s clear from this year’s RSAC that we’re just at the tip of the iceberg when it comes to AI advancements—and the hype around it doesn’t appear to be going anywhere anytime soon. But what security concern, emerging tech or new marketing buzzword will be top of mind for attendees at next year’s RSAC?