It was attended by companies, practitioners, and investors focused on cybersecurity, including members of the Cervin team.
Stark contrasts marked the conference - on the one hand, sheer optimism and on the other - market and industry uncertainty. In terms of the former, the conference was bigger and better attended than last year, signaling a return to pre-COVID form. Moreover, most vendors we talked to stated that their expectations were met or exceeded in terms of the number of meetings, quality of conversations, and interest from potential buyers. On the other hand, there are the challenges the industry is experiencing and the potential tough times ahead. Many of the conversations and sessions at the conference centered around the instability in the market, the potential of a prolonged downturn, and how those impact security budgets. Concerns were also raised about the continued industry fragmentation and growth in security sub-segments against potential security budget consolidation. Finally, many conversations centered around the increase in attack sophistication, with the emergence of Generative AI-assisted hacking, and the step-up in attack-surface related to protecting the fast-growing Generative AI toolchain with the proliferation of vendors and environments.
Here are some of the reflections, insights, and takeaways our team captured.
The importance of security is as strong as ever
Security continues to be top of mind in board conversations, and as such, CISOs have protected and even slightly increased their budgets, even as the market conditions deteriorate. However, boards and management teams are asking CISOs to consolidate vendors and to sharpen their thinking as to what their priorities are versus nice-to-haves.
The enforcement versus discovery axiom
With the expansion of the shared-responsibility model, where overall security responsibility and programs are directed by the Security teams under the CISO while patching, fixes, and resolutions shift to developers or sometimes DevOps teams, it's evident that CISOs are looking to solutions that will address their needs, but also, will be easy to digest and use by other parts of the organization. Moreover, security is now of interest to multiple other and much less security-savvy functions in the organization (Finance, Marketing). With that in mind, Security vendors are expected to shift from being passive tools of visibility and discovery into tools of action (enforcement, such as detection and response).
Unfortunately, for most companies, the quality of discovery in actuality is less robust than desired, and hence, while that increased attention on enforcement is long-overdue, some organizations find out that they still haven't fully cracked the discovery problem and may not be able to move forward to enforcement.
Who stole my AI?
Unless you've been living under a rock, the explosion in Generative AI (GenAI) and foundational models (LLMs) as a new area of interest (or perhaps a returning one) was part of many conversations and discussions. Entrepreneurs, vendors, buyers, and investors are racing to understand how to better counter adversaries using GenAI (I.e. AI-assisted security), what are the new surfaces of attack (such as enhanced, more sophisticated phishing; using Gen-AI towards brute-force pen-testing for vulnerabilities, applying AI to create new malware much faster). Additionally, practitioners are thinking about how you counter them (I.e. securing against GenAI based attacks), as well as how do you secure LLMs/GenAI environments (for example, against drifts/data leakage, privacy-issues, as well as the reputational and monetary risk associated with such issues). Just to help paint the risk picture, one should realize, over 1000 GenAI tools have been created in the last three months alone, some of them have become the fastest adapted technologies in history (such as ChatGPT or AutoGPT hitting 117,000(!) gitstars in 40 days).
One such example was evident in the Sandbox competition, where ML protection startup HiddenLayer took the grand prize, after beating out early favorites such as Pangea and Endor Labs, in what seems to be a declarative announcement for the industry.
As always, there was massive buzz and varying opinions about the companies and winners - Congratulations to all the participants!
You’re stepping on my supply-chain security
One area that has experienced immense growth in mindshare and hype this past year is supply-chain security, from pre-deployment (i.e., code attestation, CI/CD, IDE-based CVE/OSS-vulnerability code scanning, vulnerability operations/life-cycle management) to post-deployment (runtime-protection, code-reachability, prioritization, blocking). This is a category where all vendors are bleeding into each other's solutions, with what seems to be an over-investment from funds. So it will be interesting to see who will emerge as a new gorilla in the category. Clearly moats can be built around the database and auto-remediation, but with massive amounts of dollars still being poured into the space, it’s becoming increasingly harder to figure out the winners.
Security has not been immune to the changes in the markets. Our partner, Daniel Karp, participated in a panel discussion during the annual AGC West-Coast Security Conference, which took place on the first day of RSA and provided the early-stage lens to a panel on Capital Markets. There's an abundance of evidence that there are fewer and further-between late-stage mega-rounds and that investors increasingly scrutinize metrics so that unless efficiency metrics (rule of 40, NRR, CAC/LTV, sales efficiency, ACV, repeatability) are perfect, companies find it extremely hard to raise. Moreover, as the IPO windows have almost disappeared, companies had to find ways to fund their activity as private companies in more creative and sometimes less favorable ways (debt, down rounds, warrant-based financing, investor-friendly terms such as liquidity preference). Some expect market consolidation as a result, but even for early-stage entrepreneurs, who are contemplating forming new companies, this environment can give pause, as product playbooks of years past may not be easily replicable. For example, platform-based approaches or best-of-breed point solutions may be more challenging to execute than before.
At Cervin, we firmly believe that material companies will be founded during these downtimes, especially for relentless entrepreneurs who focus on problems that ride strong tailwinds and are top priorities for CISOs. As a result, we remain bullish about areas such as the Cloud and Identity (top CISO priorities), which remain unresolved. In addition, we are excited about how security will react to new threats emerging in popular tool-chains in areas such as GenAI.