Keynote Analysis, Day 1

Clips
News
More from RSA Conference 2024

David Linthicum

Principal Analyst

theCUBE Research

Dave Vellante

Co-Founder & Co-CEO

SiliconANGLE Media, Inc.

Shelly Kramer

Tech Analyst

theCUBE Research

TheCUBE Research talks cybersecurity in the digital age at RSAC

Staying ahead of threats is not just a challenge, but a necessity when it comes to cybersecurity.Kicking off this week’s RSA conference, theCUBE Research analysts discussed the key trends and challenges shaping the industry, from the expanding role of artificial intelligence to the elusive quest for a zero trust cybersecurity approach.“We’ve got this machine that’s turning out this new generation of tech workers, but yet they don’t quite have the ability to slide in where they’re most needed,” said Shelly Kramer (pictured, left), managing director and principal analyst at theCUBE Research. “It’s an interesting industry challenge

play_circle_outline Skills gap in the cybersecurity industry

play_circle_outline Cost considerations in cybersecurity

Info

Keynote Analysis, Day 1

David Linthicum

Principal Analyst theCUBE Research

Dave Vellante

Co-Founder & Co-CEO SiliconANGLE Media, Inc.

HOST

Shelly Kramer

Tech Analyst theCUBE Research

HOST

>> Hi everybody. Welcome to San Francisco. This is theCUBE's coverage of RSA Conference 2024. Thanks for being with us. Shelly Kramer and David Linthicum, both of theCUBE Research. We're really excited, four days of wall-to-wall coverage. We start here. Monday evening, we've got a cocktail event that we're doing with the New York Stock Exchange. We have so many guests. This is an amazing show. pre-COVID, it was probably 45 000 and I think it's getting close to back-

David Linthicum

>> It's up there.

>> And yeah, it feels that way. We're here in Moscone. We're in Moscone West, so if you're around, stop by and see us. Look at, this market, guys. It's like the gift that keeps on giving. And I say that tongue-in-cheek because it really is an insidious situation where you have the adversaries are so highly capable and we're spending, let's call it 150 billion a year. The recent ETR survey data suggested a vast majority of enterprises are increasing their budgets by more than 5David, I'm seeing budgets increasing 10 on cybersecurity, whereas the overall budgets are increasing, maybe, let's call it mid-threes. So every year we spend more, but we feel less safe. As a former CTO, how do you feel about that?

David Linthicum

>> Yeah, it's going to be something we're going to contend with today. I was walking around the show and having a conversation with lots of CISOs, and one of the things they're concerned about is they're here to figure out how to justify the budget increases that they're going to need to protect the data. They have generative AI coming at them. They have multi-cloud building up. Things are getting more complex. They're leveraging on-premise systems. They understand that the cloud's not necessarily the destination for everything. It's going to be part of the infrastructure, so they can't really move anything there and then try to secure it there. So they need to figure out how to deal with this complexity. It's money, money, money, and it's going to be a lot more resources to get at this thing.

>> Yeah. So Shelly, we've seen just the dynamics over the It's this ping-ponging between the adversaries and the good guys. And it seems like no matter how much we spend, you look back, do you feel safer at the end of the year? Why do you think that is? First of all, are we closing the gap or is it just going to be a perpetual arms race?

Shelly Kramer

>> We're not closing the gap, and I don't think that we will close the gap. I think this is a continuous game of whack-a-mole. And as excited as we all are, there's not a conversation that any of us have, there's not an event we attend where AI and gen AI doesn't lead the conversation. And as excited as all of us and enterprises and every size organization on down are about how to leverage AI, so are threat actors, and they're very motivated because the better they get at this, the more money they stand to make. So I personally don't see there ever going to be a time where we're like, Oh, we got this.2022 at Palo Alto Ignite, Palo Alto Nir Zuk, Nikesh Aurora made a very strong case for how Palo Alto is the consolidator, that on average ... and you hear this at CrowdStrike conferences, you hear it all conferences, on average, there's between 75 tools installed at large enterprises, and there's a skills gap. And so the premise that Palo Alto put forth, and again, others do as well ... CrowdStrike and others, is that, We're going to be able to consolidate that down. Simplify.Last quarter, Palo Alto came out and said, Well, there seems to be spending fatigue. The consolidation, maybe the ROI is not there.CrowdStrike said, Well, we're not seeing.That Zscaler, Jay Chaudhry who's coming on here said, We're not seeing that.But then the ETR survey came out, 51of the enterprises in a survey of around 320 said they're increasing the number of vendors. Only said they're decreasing and only 6said they're decreasing as a function of consolidation. So is consolidation a myth, or is it only happening in pockets? Why is the vendor narrative so different than what's actually happening in the field?

David Linthicum

>> Well, that never happens, Dave.

>> Yeah, I know. big surprise.

David Linthicum

>> Ultimately, they can't consolidate the tools. It's just the risk of the fact of the matter is Shelly had it right. The threat actors are growing in power and spanning their power, and so therefore they have to get a number of tools to protect themselves. So they're not going to be able to do some consolidation for at least five years. So it is a myth. It's something you do. I would take it off the radar screen as far as planning purposes go. It's a false narrative right now.

>> Why do you think that customers can't consolidate the number of tools vendors?

Shelly Kramer

>> Well, I think that they could. I don't know that that's necessarily the best thing for them to do, because I think that, as we know and as anybody who's here today will see, this is a very crowded landscape with some amazing technology solutions out here. And so I think what customers are doing is that they are taking best of breed for endpoint and best of breed for this and plugging those in. And you know what? Every vendor on the planet would love for every customer to only use their platform. Is that really what's best for customers always? I don't think so.

>> Yeah, it's an age-old debate. I know Zeis and I have talked about this. We talked about it at the Palo Alto conference. Can you be a broad portfolio player and best of breed? Do you feel like this is one of those places ... George Kurtz has a saying is, Good enough, not good enough.Of course he says that because he's going right after Microsoft, which is his biggest competitor. But is good enough not good enough in cyber?

David Linthicum

>> Yeah, I think ultimately this is about specialization. You just hit the nail on the head. Your ability to provide best of breed to do something better than your competitors, and not trying to span too much and trying to get at different aspects of the market. This is going to be about integration of a very complex multiplicity of technologies that come together to really protect the enterprises moving forward. So it's going to be about vendors who are able to specialize and do something very well. So it's like the old Ross Perot thing. He used to tell General Motors, Let's do one thing well. Let's make the best brakes, the best tires.And that's exactly what the vendors need to do right now.

>> You have all these countervailing forces in the market, don't you, Shelly? Where you have cloud has become the first line of defense, yet there's still all kinds of stuff you have to do on-prem. It's a shared responsibility model. So the cloud vendors will only do so much. So you're putting more on developers. This term shift left. That means developers are going to have to secure the infrastructure, which is not their favorite thing in the world to do. Speaking of consolidation, you have a lot of MA going on. You look at companies like CrowdStrike, they're buying like crazy. Wiz just acquired Lacework after I think Lacework raised over a billion dollars. And then, yeah, pretty amazing. And then the other force you have is all this money being raised. Island just raised 175 million Corelite, which is network security, raised 150 million. The AppDynamics co-founder, he got investment from Citi's arm to start a company called Traceable. Oasis Security. There's a SIM startup, RunReveal just got a few million bucks. So there's all kinds of startups popping up to fill these holes, to your point, to be best of breed, whether it's API security, IOT security. So it just seems like we're not going to have less complexity, but at the same time, you've got a skills gap. Okay, big question. Does AI solve this?

Shelly Kramer

>> In some ways, it helps. It doesn't solve it completely. AI, the technology alone is never the answer. It's technology working alongside humans. And so I think that we're seeing ... when you talk about the responsibility on developers to secure the network and to secure the system, I think that AI can play a big role there. Can it do it all on its own? Probably not. But I think it will help with augmenting the skills gap.

>> But the bad guys have AI too.

David Linthicum

>> They sure do. They're able to use it as a weapon. You have to use it as a defense mechanism. I think it's going to be spy versus spy. It's 50kind of assembly. We can weaponize it as well as they can. So who can do it the best as the race is on you think we should think about gen AI specifically in the context of cybersecurity? Last year at CrowdStrike, they showed Charlotte, which was their natural language interface. Show me where my exposures are, write me a patch, deploy the patch, et cetera.So that was kind of cool. Should we think of this as a core technology to solve for cyber, or is it more, do you an orchestrator across a complex cyber estate?

David Linthicum

>> You just hit the nail on the head. We need to use it to mediate the complexity of these various systems that are out there. All these AI systems can't be siloed into themselves if they're going to have value. They need to be communicating one to another, have a coordinated defense platform, even though multiple vendors are part of it. So we have to figure out how to orchestrate these generative AI systems to turn them into a defense mechanism that's going to be effective.

>> Shelly, I want to get your take on this. Frank Slootman once said to me, and I think he wrote this in his book, Amp It Up, If you've got 10 priorities, you have none.So I'm loving this survey from ETR where they said, What's your priority? What are the areas that are highest priority?

Shelly Kramer

>> Everything.

>> And it's like single sign-on, MFA, vulnerability management and patching, endpoint, EDR, XDR, SIM, AV antivirus, network security, zero trust. All these have very, very high priorities. Web application firewalls, SASE, cloud security, posture management. There's like 15 priorities.

Shelly Kramer

>> That's why they need more budget.

>> Yeah, but we've seen that ... Well, there is a correlation. I presume if you spend more, you're going to have better tooling, better infrastructure, better people. But just seems like that gap never closes.

Shelly Kramer

>> No. It's interesting too, on the skills gap standpoint, as you know, I think your kids are a little bit older than mine, but my kids are just getting ready to start college, and tons of young people are majoring and graduating in computer science, cybersecurity-focused degrees, and they're having a heck of a time getting jobs. And so what's really interesting about that ... I see your brow furl. That doesn't make sense. Well, it does make sense because even though you have this pool of new workers, they don't have any experience. We've got this machine that's turning out this new generation of tech workers, but yet they don't quite have the ability to slide in where they're most needed. So it's an interesting industry challenge.

David Linthicum

>> Yeah, and we need to think differently in terms of how we train people. The colleges and universities probably need to do a better job in how we're doing it, it should be on-demand, continuous training, continuous learning that comes from ... and you have to change the dimension of that. Right now, education's too expensive. We're not getting the outcome and the value out of it, and we need to start producing people that are more applicable for the job market, to your point.

Shelly Kramer

>> Yeah, absolutely.

>> So the other thing is, 50of the respondents in this survey are attending RSA. So it was a great sample of representative of who's here. And they asked them, What are the things that you're most interested in learning at RSA?And of course, AI was number one, AI security zero trust network. I want to ask about zero trust. David, explain from your perspective, how should we think about zero trust? You don't buy it. It's a set of practices, set of standards. So you build it, it's cultural. What are you seeing in the community in terms of how organizations are adopting zero trust?

David Linthicum

>> It's the standard. It's baked into everything. So it doesn't really resonate with anybody anymore. You're talk about zero trust, they hear dolphins squeaks. They've heard it before. At the end of the day, we need to build this technology in there in certain ways. And certainly these approaches and best practices are fundamental to build technology. Zero trust is going to be fundamental to that. We just need to figure out how to apply it to single sign-on, into AI, into everything that we're discussing, all the different silos of technology that are being put in there. So how do we do this thing in an orchestrated way where these things are coming together, where we're going to have a holistic value that comes out of our security system with zero trust capabilities built into the system. That's the harder problem to solve.

>> Yeah, and 11of the respondents in the survey said they've achieved ... Our organization is fully deployed on a zero trust model.That's hard to believe.

Shelly Kramer

>> It really is.

>> It's kind of never-ending, first of all. Now, maybe there's some small organizations who have gotten there. There's a two-person startup, everything's zero trust. But when you talk to CISOs, they seem to be leaning into the concept, maybe because it's such a buzzword. But is a journey. It's going to take a long time to get there. And essentially you never get there.

Shelly Kramer

>> Well, that's what I was thinking. I was thinking about digital transformation is the same thing. You're never done with your digital transformation journey. It's a journey. And as technology evolves, you evolve and adapt, and that's really the world that we're living in. I don't see how zero trust can be any different. We're going to continue to see an evolution tech, of tools, of capabilities. You're not going to be done.

>> So what are you guys looking for at RSA this year? It's early. You poked around a little bit. What are your initial impressions and what are you hoping to see?

David Linthicum

>> Big thing is how are we solving the AI problem? That's the fundamental question that's here today. I know it's obvious, but everybody out there has that question, and they're asking me that question and people are here to find the answers of it. And what are the experts saying that the answers are, and it consistent from one expert to the other? And what are the vendors doing to adjust to finding certain solutions with the technology? Also, looking at and the complexity of the existing enterprises, how do we secure that? The ability to deal with heterogeneity in such a way where we can secure it in a way that's going to be scalable and it's going to provide growth around the enterprise. And at the same time, how are we going to do this to minimize the amount of cost that's going to be associated with it? Because the CISOs are concerned because they're asking for more money, they're not getting more money. And so how are they going to protect the data, these new AI assets, things like that, using the existing budgets with very slow growth, with the rate of IT spending that's going on right now? So they need to weaponize and need to buy different technologies. They're concerned about which technologies to buy, how they're going to pay for it, how they're going to the skills to make it happen, and they're here to find that out. I want to find that out too.

>> That cost piece is really important. The business case on cyber is a reduction in an expected loss. It's a reduced risk. So that doesn't directly throw off cash from the CFO's standpoint. So it's hard to make cyber self-funding, isn't it?is, and I can always define the value of what security is, but it doesn't have value. It's a soft value. You can't define it as something that you can put in the bank, and that becomes the difficulty there. But it's the same thing with agility and all these other things that IT really develops as a value that's very hard to define. But we have to learn how to put a value around security, go to the boards of directors and saying, We can deliver this much value with this much money. And this is the metrics we're going to use to measure our success moving forward. Give us this much money. We'll deliver that value.That deal needs to be made.

>> Shelly, what are you looking for?

Shelly Kramer

>> Well, the same thing. I think that ETR data showed that only ... well, 47of their survey respondents said they utilize AI from one to 10of their security tools. That's a tiny, tiny amount. So I think that, like David, all of us here, that's what we're really looking for. How are you really using AI? What vendor solutions are out there that make the most sense, and who's really checking the bottom line as it relates to AI security? Because I think that that's the world that we are immersed in all day, every day.I always fascinated by the creativity of the hackers. The new ways in which they're coming up with ways to penetrate organizations, whether it's new phishing scams about what they do with that. We saw the supply chain hacks a couple of years ago that were exceedingly novel. They go all the way back to Stuxnet and got the whole thing going. And guys, thanks so much for helping us kick off RSA And thank you for watching. You're watching theCUBE's ongoing coverage of RSA Conf at Moscone. We're at Moscone West. Keep it right there for more action. This is day one from the Cube.

Keynote Analysis, Day 1

David Linthicum

>> It's up there.

David Linthicum

Shelly Kramer

David Linthicum

>> Well, that never happens, Dave.

>> Yeah, I know. big surprise.

David Linthicum

>> Why do you think that customers can't consolidate the number of tools vendors?

Shelly Kramer

David Linthicum

Shelly Kramer

>> But the bad guys have AI too.

David Linthicum

Shelly Kramer

>> Everything.

Shelly Kramer

>> That's why they need more budget.

Shelly Kramer

David Linthicum

Shelly Kramer

>> Yeah, absolutely.

David Linthicum

>> Yeah, and 11of the respondents in the survey said they've achieved ... Our organization is fully deployed on a zero trust model.That's hard to believe.

Shelly Kramer

>> It really is.

Shelly Kramer

>> So what are you guys looking for at RSA this year? It's early. You poked around a little bit. What are your initial impressions and what are you hoping to see?

David Linthicum

>> Shelly, what are you looking for?

Shelly Kramer