SecurityScorecard joined U.S. cybersecurity leaders and the cybersecurity community at the 2022 RSA Conference in San Francisco, California from June 5-9. The RSA Conference is one of the world’s leading cybersecurity events, and SecurityScorecard was proud to join our community in-person at San Francisco’s Moscone Center.
This year’s multi-day event included industry and government leaders sharing the latest technologies and policy perspectives, including ransomware, supply chain security, and third-party risk management.
U.S. Cyber Leaders Speak
In an op-ed published before delivering keynote speeches during RSA, U.S. government leaders Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), and Chris Inglis, the U.S. National Cyber Director, emphasized that the current cyber threat environment is dynamic and constant, requiring vigilance, and a normalization of the current “shields up” posture. To defend against cyber threat actors, continuous monitoring and “left-of-boom” cyber risk posture assessments are of incalculable value.
Rob Joyce and Morgan Adamski, senior leaders from the National Security Agency, told conference participants that building trust, decreasing cyber incident response times, and sharing open source threat information at speed will empower companies to defend against malicious cyber threat actors. This is particularly necessary, Joyce said in a conference panel, to combat malicious cyber actors leveraging ransomware attacks against critical infrastructure entities.
Themes and Insights
Aside from its booth on the expo floor, SecurityScorecard hosted a number of small-group roundtables, analyst meetings, and additional private interactions with thought leaders, CISOs, CIOs, government officials, and others to exchange ideas and collaborate. More than two dozen guests joined us over two days to discuss how to secure Federal, State, and Local cyber networks. Together with our distinguished attendees, we dived deeper into the current state and where swift improvements are needed.
The following themes emerged from these discussions:
Automation was a hot topic at RSA, both on the offensive and defensive side. Automated attacks are shrinking identification and response/mitigation times significantly, and as a result, companies are first establishing a zero-trust environment to limit the blast radius, and micro-segmenting their networks at scale (i.e., each device is its own network). Multiple government executives told us that too many of their processes remain manual and were actively looking for automated solutions.
Less is more – How do you make the tech stack talk to each other? While cyber tools continue to proliferate, CISOs are looking for fewer tools, and better tools. To the extent CISOs can accomplish this, they want to see consolidation in the market and, where possible, have more integrations so that their security investments are enhanced and enriched, instead of being replaced. Most CISOs have not yet experienced budget decreases, but there is an added layer of caution and analysis as they assess new tools.
Ransomware remained a focus area as it has been throughout the pandemic. One commentator aptly remarked to us that it was like a kid’s soccer game: everyone is swarming the ball. Interestingly, several thought that business email compromise (e.g., phishing) will soon overtake ransomware in terms of dollar losses. Several companies reported text message phishing of their employees as leadership attended RSA.
Visibility was frequently mentioned: you cannot protect or defend what you cannot see. Adding to the challenge of visibility is cyber risk quantification. How can CISOs visualize and quantify their cyber risks, and how can CISOs better present and communicate cyber risks to their Board of Directors and/or related stakeholders (e.g., state governors)?
Metrics measuring internal and cloud security received particular attention among both public and private sector executives. Security ratings traditionally measure the outside-in security posture, but what about the internal network, including the cloud? These additional measurements help organizations better quantify their cyber risk, particularly if there is integration with existing security tools to identify and prioritize issues behind the firewall that have the greatest impact on security. Contextual threat intelligence that supports the broader picture helps organizations understand the who, what, and why behind cyber-attacks that help better inform metrics.
The demand for operational technology (OT) is through the roof. OT asset owners are focused on tools that are reliable and increase safety. For example, building management systems seek OT-related capabilities that will ensure oxygen/air is flowing and elevators are working.
Education and awareness on key cybersecurity issues remains disparate, particularly among pockets of state governments. For example, which metrics are the “right” ones?
The talent war remains front-of-mind, particularly for the public sector which is having difficulty competing with the private sector for limited cybersecurity talent. Public sector leaders we spoke to said their primary selling points were emphasizing the mission and civil service, but so many agencies in both the state and federal sectors still have too many open positions they are having difficulty filling.
We’re here to help — to make smart, economically justified business decisions to buy down cybersecurity risk, measure it in a real-time, dynamic way, and communicate cyber and supply chain risk to stakeholders, as part of your current technology stack, in an easy-to-visualize way.
Working together, SecurityScorecard and our partners can elevate cybersecurity risk management and leverage continuous monitoring and critical public-private partnerships to meet today’s cyber threat environment.
Your organization’s security rating is 100% free and forever will be. To get started with your free score, (which CISA also identifies as a free tool) visit