Quarterly insights: Cybersecurity
Takeaways from RSA 2022

At the first in-person RSA show since February 2020, we identified several takeaways that reflect how cybersecurity has both changed and stayed the same over the past two years.
The complexity of the cybersecurity environment and cybersecurity threats have increased since the beginning of the pandemic.
The cybersecurity market grew through the pandemic, and growth probably accelerated. While the outlook is positive, the mood of the conference was that the sector is recession-proof. We think of the market as more recession-resistant and are concerned sentiment will be too bullish should the economy continue to weaken.
The shortage of cybersecurity talent continues, leading to weakened security and demand for cybersecurity solutions that enable companies to achieve adequate cybersecurity with fewer internal personnel.
The cybersecurity market has become more concentrated among a handful of large players.
Software bill of materials (SBOM) is an emerging, interesting area that helps organizations deal with the increasing interdependence of software products and systems.
TABLE OF CONTENTS
Includes discussion of CSCO, FTNT, MSFT and PANW
- Change and continuity
- Complexity of security environment increased; threats increasing
- Growth and the outlook: Recession-proof or recession-resistant?
- Cybersecurity talent shortage continues
- Increased market concentration
- Software bill of materials
- The more things change, the more they stay the same
- Cybersecurity index declines over past year, still ahead of Nasdaq
- Q2 cybersecurity M&A activity steady
- Q2 cybersecurity private placement pace in line with recent levels
Change and continuity
For us and many others, the resumption of the RSA conference as an in-person event earlier this month marked the end of the pandemic’s trade-show hiatus, and it was great to be back. When we attended the February 2020 RSA conference in San Francisco, little did we know the emerging coronavirus meant it would be the last conference of any type we’d attend in person for more than two years. While this year’s show did not feel nearly as crowded or chaotic as some of the RSA shows we’ve attended in the past, the exhibit floor and related surroundings were busy enough, and masks on attendees rare enough, that there was a relatively normal RSA-show vibe.
We did not find any single underlying theme or emerging technology that dominated the conference, but we did identify several takeaways that reflect how cybersecurity has both changed and stayed the same over the past two years. Some takeaways reflected a continuation of historical challenges. Some reflected how certain ongoing challenges became more acute during the pandemic. A few reflected new challenges that emerged during the pandemic.
Complexity of security environment increased; threats increasing
A topic that seemed to permeate most of our discussions is that a variety of factors combined over the past two years to cause the challenge of defending attack surfaces to grow in breadth and complexity.
COVID-19 and the related shift to working from home not only erased any remaining semblance of the contained corporate network, but it forced companies to either take responsibility for securing millions of personal devices such as home computers, printers, and routers, or somehow mitigate the risk presented by these devices’ typical lack of enterprise-grade cybersecurity protection. The pandemic also accelerated corporate IT’s already substantial migration to the cloud.
At the same time, governments added new cybersecurity regulations and continued to enforce existing ones. Amidst the extraordinary circumstances of the pandemic, sensitive data found its way onto unprotected or weakly protected personal devices due to organizations’ well-intentioned efforts to continue providing essential services and sustain the economy during lockdowns. But the worthwhile cause afforded companies little relief from fines or other enforcement actions under regulations such as the General Data Protection Regulation and the Health Insurance Portability and Accountability Act.
Finally, ransomware attacks appear to have continued to grow rapidly in terms of cost per attack, with several RSA briefings tracing the trend in typical ransom demands from a few hundred dollars in the early days of ransomware to millions of dollars today.
Growth and the outlook: Recession-proof or recession-resistant?
Given the already substantial and still increasing cybersecurity challenge society faces, it’s not surprising the industry continues to grow. Several RSA presentations indicated recent sector revenue growth continued at 10% or more and has accelerated over the past year. Our analysis of 2021 public company revenue supports this view of steady to slightly increasing revenue growth rates (see our April 2022 report Cybersecurity demand accelerates, notably stronger growth at larger firms). There also seemed to be near consensus that the secular nature of the demand drivers noted above means the sector is recession-proof. However, if a recession does occur imminently as many fear, we think that view will prove overly optimistic. We have always felt this area is more recession-resistant than recession-proof: We think it won’t be hit as hard as many IT sectors, but we think the pain in this sector will be worse than consensus expects. Despite increasing cybersecurity challenges, we think entities comprising the market for cybersecurity products and services will opt, explicitly or as a byproduct of other budgeting decisions, to accept greater cybersecurity risk by spending less on cybersecurity than they would otherwise in order to buttress profitability during weak economic conditions.
Cybersecurity talent shortage continues
The lack of qualified people to manage cybersecurity risk remains a critical issue for the industry and remained a hot topic at the show. In fact, discussions indicated the problem is getting worse as cybersecurity has become more challenging and as demand has increased. Our discussions pointed to three important implications of this shortage:
Poor security. Organizations are foregoing not only high-level cybersecurity tasks, but also basics including configuration and patching, due to a lack of personnel to do the work.
Drive for vendor consolidation and a single pane of glass. With cybersecurity professionals in short supply, it’s critical to enable fewer and sometimes less-skilled cybersecurity personnel to accomplish more in the same amount of time. Implementing multiple cybersecurity point solutions (perhaps in pursuit of best-of-breed performance) entails time- and resource-intensive processes for learning, configuring, monitoring, and managing each solution separately. By implementing cybersecurity solutions that require less training and specialization and that make it efficient to monitor and control diverse cybersecurity functions in a single user interface, companies can achieve adequate cybersecurity protection with fewer, less specialized cybersecurity professionals. This means cybersecurity consumers dealing with the shortage of cybersecurity talent will gravitate toward single-vendor solutions that combine adequate performance across multiple cybersecurity functions in a unified, easy-to-use package.
Strong demand for automation, artificial intelligence, and third-party support. Given the shortage of cybersecurity talent, organizations increasingly look beyond just dealing with fewer cybersecurity vendors and user interfaces to technologies and services that extend the capabilities of their internal cybersecurity staff. These include technologies that increase automation of routine cybersecurity tasks and that apply artificial intelligence to more efficiently achieve cybersecurity goals that previously required the time of skilled cybersecurity personnel. They also include managed cybersecurity services from dedicated third-party providers and expert-on-demand cybersecurity services that can augment or replace internal cybersecurity staff.
Increased market concentration
In our April report, we showed how stock market capitalization in the cybersecurity universe has become more concentrated. Our discussions at RSA indicated a similar increase in concentration has occurred in market share as very large players Microsoft (MSFT), Cisco Systems (CSCO), Palo Alto Networks (PANW) and Fortinet (FTNT) all gained share over the past few years. According to IDC’s Worldwide Semiannual Security Products Tracker, these four vendors now control over 22% of the cybersecurity market. This is in large part due to acquisitions, though we have pointed out that Palo Alto Networks and Fortinet, at least, are enjoying above-industry-average organic growth as well. Cybersecurity buyers’ drive to consolidate vendors, as discussed above, contributes to this trend, but we believe other factors are at play as well. We are unsure of the implications of this trend, but we expect they will be significant and, over an extended time horizon, may affect valuations and capital availability for smaller companies; for the moment, at least, it appears such companies continue to raise money aggressively and at high valuations.
Software bill of materials
One relatively new area we heard getting significantly more airtime than in the past is the software bill of materials, or SBOM. An SBOM is a formal inventory of the components that make up a piece of software, ideally recording each component’s version, a unique identifier for it, and the relationships among components. When you buy software from a vendor, the code usually includes the vendor’s proprietary code and many open-source components, and sometimes it includes proprietary code from another software vendor. While these are all integrated seamlessly in the vendor’s product, each component can carry its own vulnerabilities. The Log4j vulnerability disclosed in December 2021 highlighted this issue. When news of the vulnerability hit, companies scrambled to figure out which software they used incorporated Log4j, a widely used open-source logging library for Java applications. Those with up-to-date SBOMs that recorded version numbers for the underlying components, including components pulled in indirectly as dependencies of other components, were able to quickly identify their Log4j exposure. Those that did not, which was just about everyone, faced a challenging process of running scans, contacting and requesting information from vendors, and taking other measures to understand their Log4j risk.
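As an added example, not code from the report or from any vendor discussed in it, the following Python walks a CycloneDX-style SBOM in JSON, including components nested inside other components, and reports every log4j-core entry whose recorded version falls in an affected range. Entries that match by name but carry no version are reported separately, because an SBOM that omits versions cannot clear a component. The sample SBOM is constructed; the field names follow the public CycloneDX JSON layout; and the version range is hard-coded only for illustration (it is the commonly cited range for the original Log4Shell CVE, but a real check should take rules, including excluded backport releases, from an advisory feed rather than a literal in code).

```python
"""Check a CycloneDX-style SBOM (JSON) for components in an affected version range.

Added example: the SBOM below is constructed and the affected range is
hard-coded for illustration only; production checks take rules from an
advisory feed.
"""
import json
import re

# Pre-release qualifiers sort before the final release of the same number.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE_RANK = 3

# Illustrative rule: affected artifact plus an inclusive version range.
# The advisory, not this literal, is authoritative for the real range.
RULES = [
    {"id": "CVE-2021-44228", "ecosystem": "maven",
     "namespace": "org.apache.logging.log4j", "name": "log4j-core",
     "low": "2.0-beta9", "high": "2.14.1"},
]

# Minimal package-URL parser: pkg:<type>/<namespace>/<name>@<version>
_PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>.+)/)?(?P<name>[^/@]+)@(?P<version>[^?#]+)"
)

# Constructed sample SBOM (subset of CycloneDX fields). "vendor-appliance"
# nests its own components, as CycloneDX allows for bundled software.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        # Log4j 1.x is a different code base; this rule does not cover it.
        {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.17",
         "purl": "pkg:maven/log4j/log4j@1.2.17"},
        {"type": "application", "name": "vendor-appliance", "version": "3.1",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.0-beta9"},
             # Version missing: the SBOM cannot clear this component.
             {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core"},
         ]},
        {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
})


def version_key(version: str) -> tuple:
    """Sortable key for Maven-style versions: 2.0-beta9 < 2.0 < 2.14.1 < 2.15.0."""
    main, _, qualifier = version.partition("-")
    nums = [int(p) for p in main.split(".") if p.isdigit()]
    nums = tuple((nums + [0, 0, 0])[:3])
    if not qualifier:
        return (nums, (_RELEASE_RANK, 0))
    m = re.fullmatch(r"([A-Za-z]+)[.\-]?(\d*)", qualifier)
    if not m:  # unknown qualifier: treat like a release candidate
        return (nums, (_QUALIFIER_RANK["rc"], 0))
    rank = _QUALIFIER_RANK.get(m.group(1).lower(), _QUALIFIER_RANK["rc"])
    return (nums, (rank, int(m.group(2) or 0)))


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range test using version_key ordering."""
    return version_key(low) <= version_key(version) <= version_key(high)


def coordinates(comp: dict) -> tuple:
    """(ecosystem, namespace, name, version), preferring the purl when present."""
    m = _PURL_RE.match(comp.get("purl") or "")
    if m:
        return (m["type"], m["namespace"] or "", m["name"], m["version"])
    return ("", comp.get("group") or "", comp.get("name") or "", comp.get("version") or "")


def iter_components(node: dict, path: tuple = ()):
    """Yield (component, path) for every component, descending into nested ones."""
    for comp in node.get("components") or []:
        _, _, name, version = coordinates(comp)
        label = f"{name or '?'}@{version}" if version else (name or "?")
        here = path + (label,)
        yield comp, here
        yield from iter_components(comp, here)


def find_affected(sbom_json: str, rules=RULES) -> list:
    """One finding per component whose coordinates match a rule, with a status."""
    findings = []
    for comp, path in iter_components(json.loads(sbom_json)):
        eco, ns, name, version = coordinates(comp)
        for rule in rules:
            if name != rule["name"] or ns != rule["namespace"]:
                continue
            if eco and eco != rule["ecosystem"]:
                continue
            if not version:
                status = "unknown-version"
            elif in_range(version, rule["low"], rule["high"]):
                status = "affected"
            else:
                status = "not-affected"
            findings.append({"rule": rule["id"], "path": "/".join(path),
                             "version": version or None, "status": status})
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_SBOM):
        print(f"{f['status']:16} {f['rule']}  {f['path']}")
```

The "unknown-version" status is the practical point: a component list without versions is a lead for a scan or a vendor inquiry, not an answer, which is why the report stresses SBOMs that include version numbers.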
SBOMs can be important for many organizational functions, including third-party-risk management, procurement, governance, cybersecurity and general IT operations. Nonetheless, we were surprised at how frequently SBOMs were mentioned in our RSA conversations. While SBOMs have been around for a while, we think the combination of the high-profile SolarWinds attack first revealed in late 2020 and new regulations requiring certain government sectors and regulated industries to receive and review SBOMs has made this a hot topic and an emerging trend. Given the early stage of SBOMs’ increased prominence, SBOM solutions are evolving rapidly in terms of infrastructure, delivery, validation, storage and use. We view it as an interesting emerging area and one we expect to write more about in the future.
The more things change, the more they stay the same
In many respects, the world today seems dramatically changed from the one we knew at the last in-person RSA show in February 2020. Work-from-home, Russia’s invasion of Ukraine, and continued disruptions in China from the pandemic have transformed the global economy and helped exacerbate cybersecurity challenges. Ultimately, however, the phenomenon of instant and enormous information flows enabled by computer and network technology remains the underlying and now long-standing hallmark of this era and the existential basis for the cybersecurity sector. In that respect, the continued growth and changes in demand for ways to secure these flows are not surprising and will likely continue indefinitely.

The full report is available from First Analysis on request.
