RSA Conference 2024 | AnalystANGLE, Day 1

Clips
News
More from RSA Conference 2024

David Linthicum

Principal Analyst

theCUBE Research

Shelly Kramer

Tech Analyst

theCUBE Research

RSA Conference 2024 goes beyond AI-powered security to securing AI itself

The past week’s RSA Conference 2024 was crowded, buzzy, vibrant and chaotic, underscoring the very nature of the cybersecurity industry.This market has a kind of self-propelling energy with a dynamic that blends tons of money, an ever-present and capable adversary, technical innovation, public policy, geopolitics and a smashing together of the digital and physical worlds. Despite a logical need to consolidate tooling and simplify, organizations find themselves constantly searching for answers to new problems that they face every day, week, month and year

Tackling the digital tsunami threat in cybersecurity: theCUBE’s RSAC day 1 insights

There’s a lot of enthusiasm at this week’s RSA Conference, but there’s a lot of concern too.That’s because there’s an expanding attack surface, leading some to suggest that there’s a “digital tsunami” being experienced.“We have got all of us on the good side of this, and we’re trying to figure out how to use AI, how to leverage gen AI, how to do all these amazing things that we know it’s possible to do,” said Shelly Kramer (pictured, left), managing director and principal analyst at theCUBE Research. “Then we’ve got threat actors on the opposite end of the equation, the bad guys, if you were, and they’re quickly learning how to use and leverage these tools

play_circle_outline The Struggle of CISOs: Adapting to New Technologies, Budget Constraints, and Securing Generative AI Systems

play_circle_outline Need for advanced planning and training to address security issues

play_circle_outline Importance of government intervention and industry collaboration

Info

AnalystANGLE, Day 1

David Linthicum

Principal Analyst theCUBE Research

Shelly Kramer

Tech Analyst theCUBE Research

HOST

search

>> Hello and welcome back to theCube. I'm Shelly Kramer. I'm here with fellow analyst David Linthicum. We are at RSA here in San Francisco, and this is the cybersecurity event of the year, and we are so thrilled to be here. David, it's great to see you.

>> It's great to be here. There's lots of excitement here. I think everybody's trying to figure this out. They're back. It feels like 10 years ago all over again when the internet starts to explode and cloud computing starts to explode, and now everybody's back here trying to figure out how to secure generative AI systems. They want answers now.

>> Everybody's excited. I've heard words like this is a digital tsunami that we're experiencing.It's funny, but it's true. We've got an expanding attack surface. We have got all of us on the good side of this and we're trying to figure out how to use AI, how to leverage gen AI, how to do all these amazing things that we know it's possible to do. And then we've got threat actors on the opposite end of the equation, the bad guys, if you were, and they're quickly learning how to use. And leverage these tools and they're very incentivized by an opportunity to wreak havoc and make money and all of that sort of thing. So I think there is very much a feeling of excitement in the air because we're all trying to figure it out.

>> I would call it fear, but, sure, excitement, we can use that word. the CISOs here are quite frankly trying to figure out how to make this stuff work within their enterprises. And they just figured out cloud computing and they just figured out multi-cloud, or trying to still figure it out. That's probably the best way to describe it. And now they have this other technology that the investors want them to invest in very quickly and make sure that they can't be breached and make sure we don't violate any laws and legal constraints, and do so within the same budget we've been giving you for the last 10 years. And so they're trying to figure that out. I think there's some desperation here around those questions.

>> Oh, yeah.

>> And I just feel for them. I think people have an impossible task in many instances as to providing the security, the same amount of resources, the same approaches that we had, and also not necessarily getting the innovative thinking I think we need in the cybersecurity space to make things better.

>> Well, I think there's every reason that the average tenure for a CISO is about 18 months. This is a job that comes with a lot of responsibility and a lot of stress, and I don't even know how they sleep at night. I was interviewing someone earlier today who has transitioned from CISO role into a role leading a vendor, actually a founder of a company, and he was talking about how for so long he slept with his phone right here. And one night his wife was saying, What's up? You're not sleeping with your phone.And he said, I just am so used to it. It's really been a change for me not to have that level of fear anymore.So I think you're right, I think it is exciting and scary.

>> It is exciting and scary. There's some opportunities here as well. I think there's opportunities to improve and do things better and more efficient. My advice to them, and I had conversations here one after the other, I said, You really need to revert to advanced planning. You need to look at where the ball's going to be kicked, where this generative AI stuff is going to end up. You're going to deal with more databases, more data integration, more heterogeneity and more systems that are at risk with different attack vectors that have to be applied.If you figure that out a couple of years ahead of time, you can put the planning in place to get the technology configuration you need to be successful in doing that. So how is that going? And they would always look at me like, It's not going. We haven't started that yet.And so they're really here to kick off the planning, which is a great place to be. You're amongst a bunch of experts and they're willing to help you and listen to different opinions and bring those back to your enterprise and see how you make that happen. But it'll be interesting next year when we're here, what has been accomplished? What have we learned? There'll probably be some very publicized breaches. What did we learn from those attacks? Were they able to defend against them and how to recover against them? And all these things that are really blank spaces right now that we need to fill in.

>> Yeah. We have a lot going on. Another thing that we've been talking a lot about are the talent gaps. And one of the conversations that we had earlier today was a gentleman who actually thought that what's happening now might actually widen the gap a little bit, which I think is interesting. And we've talked a lot about this talent gap before here too. So what are you seeing on that front when you talk to people?

>> It's the primary risk that we run. People don't want to hear that because it sounds like a boring answer to the risk question, but the reality is that we're making mistakes with mis-configurations, which can link back to poor talent and poor training. Just not having the right individuals in those roles, we were able to configure the security correctly. We've had security that works for a long period of time if it's used properly. We just don't have enough security architects. We don't have enough security engineers. We don't have enough high-grade talent that's going to keep us safe. And right now, the best I can tell that there's 10 open recs chasing one qualified candidate, if you look at it. And that's scary because that means they're not going to be able to find the talent that they need. They are aggressively training internally and turning out some of the security engineering that needs things like that. But we're going to have to ramp up the education systems, we're going to have to ramp up the individual training systems, we're going to have to ramp up the way in which we train people in an on-demand way to get the skills needed to make that happen. And I don't see that at a level of scale where it's looking to solve the problem anytime soon. I think this is going to be something we're going to be dealing with in the next five years.

>> And it reminds me, we talked about this earlier today, I was mentioning that I'm seeing lots of young people coming out of college having studied cyber security. When they started, it was definitely where they needed to be, and we had this skills gap and blah, blah, blah, and now they're getting out of school and they can't find jobs. And part of the challenge there is finding you don't have any experience. It is a huge challenge, and I have conversations, I've mentioned to you before, I have twin eighteen-year-olds who are getting ready to go to college, and so as much as I can, I'm trying to gently be not the annoying mom, which is very, very hard. I'm trying to suggest things like data and analytics and cyber security, and thinking about the things that I like. And so I'm trying to distance myself between the things that would like to do if I had a chance to do it all over again. But it is interesting the challenges that are happening there. And you mentioned before that we need to redo our whole education system, and I know you teach a university professor and do a lot of on-demand training with LinkedIn Learning and things like that. The reality is this, and I know people don't want to hear this, but people with just high school educations, if they're willing to take the training and able to get into the entry-level jobs and get a year of experience needed to be able to do that, they're going to be more valuable than people their same age who come out of the college and universities, which is not necessarily an indictment in college and universities, but it gets to the fact we need to have different ways in which we train and increment people. There needs to be more on-demand training, more training plans are in place, more mentoring aspects that go along. People need to be incentivized to make this happen. Right now, enterprises don't know where to invest. They'll give endowments to colleges, but they're not getting the value out of those endowments. And we're spending more and more and more for college educations and they're not getting the value out of it in their ability to get out and get to a job. And when I got out of college, it was an awakening for me. I didn't know anything based on when I got a job and started a day's work and started the analyst stuff and started to figure out what was really happening. We need to have those links between the real world and the and universities. I would think that we need to have a gray area between them before things are going to get better.

>> Yeah. I agree. And it's funny because so many, IBM and Amazon and Google, so many, Microsoft have committed to training and education. Some of it's in other countries, some of it's all different kinds of things, but we really need to level this up I think.

>> We need to figure this out. the primary problem that I see. And the thing is, a lot of the problems that we're talking about, the fear that talked about, a lot of that stuff goes away. The guy's not going to have to sleep with his phone in his ear if he has enough levels of talent where he can allocate that, and CISOs are going to live longer than 18 months.

>> Right.

>> And the ability to look at this as a long-term thing. We need to come together and figure out how that's going to happen. We have lots of things that are going against that right now. We have not a lot of people who are getting into universities now, less and less males are getting universities. Those are typically the people who are attracted to computer science degrees. So how are you going to train the number of people that we need to make it happen? And it is at a point right now where there needs to be some government intervention that's going to come along to figure out ways in which we can do that. Because I don't see the enterprises, I don't see the private sector moving in that direction as fast as they should.

>> We need to make cybersecurity training and certification I am only saying this because I a 14-year-old grandson who loves gaming and all that. You know what I'm saying? We need to figure out a way that we can take what especially males already love to do and pack in a training certification. That could be cool. Maybe I'm just a nerd though.

>> No, you got something. We need to make training more consumable. Right now, the stuff that I see in the universities, they're still doing written word training for the online stuff and reading lists and things like that. We need to have some sort of a thinking around the strategy and making this happen. And make it more consumable. People can learn at scale if they're given the ability to learn in ways they want to learn. And I think that's a core theme here. Some people are going to the event. Some people are listening to the thing. Some people are watching the videos. People learn at their own pace, different methods, different media things, and you got something there. I would love to play a game where I learn about cyber security.

>> Let's figure this out. We could have a new business here.

>> We could.

>> Well, I think that we are going to call this a wrap on day one coming to you from RSA here in San Francisco. My fellow analyst, David Linthicum, thank you for joining us. You keep it right here on theCUBE and we'll see you tomorrow.

AnalystANGLE, Day 1

search

>> Hello and welcome back to theCube. I'm Shelly Kramer. I'm here with fellow analyst David Linthicum. We are at RSA here in San Francisco, and this is the cybersecurity event of the year, and we are so thrilled to be here. David, it's great to see you.

>> It's great to be here. There's lots of excitement here. I think everybody's trying to figure this out. They're back. It feels like 10 years ago all over again when the internet starts to explode and cloud computing starts to explode, and now everybody's back here trying to figure out how to secure generative AI systems. They want answers now.

>> Everybody's excited. I've heard words like this is a digital tsunami that we're experiencing.It's funny, but it's true. We've got an expanding attack surface. We have got all of us on the good side of this and we're trying to figure out how to use AI, how to leverage gen AI, how to do all these amazing things that we know it's possible to do. And then we've got threat actors on the opposite end of the equation, the bad guys, if you were, and they're quickly learning how to use. And leverage these tools and they're very incentivized by an opportunity to wreak havoc and make money and all of that sort of thing. So I think there is very much a feeling of excitement in the air because we're all trying to figure it out.

>> I would call it fear, but, sure, excitement, we can use that word. the CISOs here are quite frankly trying to figure out how to make this stuff work within their enterprises. And they just figured out cloud computing and they just figured out multi-cloud, or trying to still figure it out. That's probably the best way to describe it. And now they have this other technology that the investors want them to invest in very quickly and make sure that they can't be breached and make sure we don't violate any laws and legal constraints, and do so within the same budget we've been giving you for the last 10 years. And so they're trying to figure that out. I think there's some desperation here around those questions.

>> Oh, yeah.

>> And I just feel for them. I think people have an impossible task in many instances as to providing the security, the same amount of resources, the same approaches that we had, and also not necessarily getting the innovative thinking I think we need in the cybersecurity space to make things better.

>> Well, I think there's every reason that the average tenure for a CISO is about 18 months. This is a job that comes with a lot of responsibility and a lot of stress, and I don't even know how they sleep at night. I was interviewing someone earlier today who has transitioned from CISO role into a role leading a vendor, actually a founder of a company, and he was talking about how for so long he slept with his phone right here. And one night his wife was saying, What's up? You're not sleeping with your phone.And he said, I just am so used to it. It's really been a change for me not to have that level of fear anymore.So I think you're right, I think it is exciting and scary.

>> It is exciting and scary. There's some opportunities here as well. I think there's opportunities to improve and do things better and more efficient. My advice to them, and I had conversations here one after the other, I said, You really need to revert to advanced planning. You need to look at where the ball's going to be kicked, where this generative AI stuff is going to end up. You're going to deal with more databases, more data integration, more heterogeneity and more systems that are at risk with different attack vectors that have to be applied.If you figure that out a couple of years ahead of time, you can put the planning in place to get the technology configuration you need to be successful in doing that. So how is that going? And they would always look at me like, It's not going. We haven't started that yet.And so they're really here to kick off the planning, which is a great place to be. You're amongst a bunch of experts and they're willing to help you and listen to different opinions and bring those back to your enterprise and see how you make that happen. But it'll be interesting next year when we're here, what has been accomplished? What have we learned? There'll probably be some very publicized breaches. What did we learn from those attacks? Were they able to defend against them and how to recover against them? And all these things that are really blank spaces right now that we need to fill in.

>> Yeah. We have a lot going on. Another thing that we've been talking a lot about are the talent gaps. And one of the conversations that we had earlier today was a gentleman who actually thought that what's happening now might actually widen the gap a little bit, which I think is interesting. And we've talked a lot about this talent gap before here too. So what are you seeing on that front when you talk to people?

>> It's the primary risk that we run. People don't want to hear that because it sounds like a boring answer to the risk question, but the reality is that we're making mistakes with mis-configurations, which can link back to poor talent and poor training. Just not having the right individuals in those roles, we were able to configure the security correctly. We've had security that works for a long period of time if it's used properly. We just don't have enough security architects. We don't have enough security engineers. We don't have enough high-grade talent that's going to keep us safe. And right now, the best I can tell that there's 10 open recs chasing one qualified candidate, if you look at it. And that's scary because that means they're not going to be able to find the talent that they need. They are aggressively training internally and turning out some of the security engineering that needs things like that. But we're going to have to ramp up the education systems, we're going to have to ramp up the individual training systems, we're going to have to ramp up the way in which we train people in an on-demand way to get the skills needed to make that happen. And I don't see that at a level of scale where it's looking to solve the problem anytime soon. I think this is going to be something we're going to be dealing with in the next five years.

>> And it reminds me, we talked about this earlier today, I was mentioning that I'm seeing lots of young people coming out of college having studied cyber security. When they started, it was definitely where they needed to be, and we had this skills gap and blah, blah, blah, and now they're getting out of school and they can't find jobs. And part of the challenge there is finding you don't have any experience. It is a huge challenge, and I have conversations, I've mentioned to you before, I have twin eighteen-year-olds who are getting ready to go to college, and so as much as I can, I'm trying to gently be not the annoying mom, which is very, very hard. I'm trying to suggest things like data and analytics and cyber security, and thinking about the things that I like. And so I'm trying to distance myself between the things that would like to do if I had a chance to do it all over again. But it is interesting the challenges that are happening there. And you mentioned before that we need to redo our whole education system, and I know you teach a university professor and do a lot of on-demand training with LinkedIn Learning and things like that. The reality is this, and I know people don't want to hear this, but people with just high school educations, if they're willing to take the training and able to get into the entry-level jobs and get a year of experience needed to be able to do that, they're going to be more valuable than people their same age who come out of the college and universities, which is not necessarily an indictment in college and universities, but it gets to the fact we need to have different ways in which we train and increment people. There needs to be more on-demand training, more training plans are in place, more mentoring aspects that go along. People need to be incentivized to make this happen. Right now, enterprises don't know where to invest. They'll give endowments to colleges, but they're not getting the value out of those endowments. And we're spending more and more and more for college educations and they're not getting the value out of it in their ability to get out and get to a job. And when I got out of college, it was an awakening for me. I didn't know anything based on when I got a job and started a day's work and started the analyst stuff and started to figure out what was really happening. We need to have those links between the real world and the and universities. I would think that we need to have a gray area between them before things are going to get better.

>> Yeah. I agree. And it's funny because so many, IBM and Amazon and Google, so many, Microsoft have committed to training and education. Some of it's in other countries, some of it's all different kinds of things, but we really need to level this up I think.

>> We need to figure this out. the primary problem that I see. And the thing is, a lot of the problems that we're talking about, the fear that talked about, a lot of that stuff goes away. The guy's not going to have to sleep with his phone in his ear if he has enough levels of talent where he can allocate that, and CISOs are going to live longer than 18 months.

>> Right.

>> And the ability to look at this as a long-term thing. We need to come together and figure out how that's going to happen. We have lots of things that are going against that right now. We have not a lot of people who are getting into universities now, less and less males are getting universities. Those are typically the people who are attracted to computer science degrees. So how are you going to train the number of people that we need to make it happen? And it is at a point right now where there needs to be some government intervention that's going to come along to figure out ways in which we can do that. Because I don't see the enterprises, I don't see the private sector moving in that direction as fast as they should.

>> We need to make cybersecurity training and certification I am only saying this because I a 14-year-old grandson who loves gaming and all that. You know what I'm saying? We need to figure out a way that we can take what especially males already love to do and pack in a training certification. That could be cool. Maybe I'm just a nerd though.

>> No, you got something. We need to make training more consumable. Right now, the stuff that I see in the universities, they're still doing written word training for the online stuff and reading lists and things like that. We need to have some sort of a thinking around the strategy and making this happen. And make it more consumable. People can learn at scale if they're given the ability to learn in ways they want to learn. And I think that's a core theme here. Some people are going to the event. Some people are listening to the thing. Some people are watching the videos. People learn at their own pace, different methods, different media things, and you got something there. I would love to play a game where I learn about cyber security.

>> Let's figure this out. We could have a new business here.

>> We could.

>> Well, I think that we are going to call this a wrap on day one coming to you from RSA here in San Francisco. My fellow analyst, David Linthicum, thank you for joining us. You keep it right here on theCUBE and we'll see you tomorrow.