[Latio Pulse #10] RSA Takeaways
RSA Takeaways
Me and Jacob - Certified Sales Wiz at Opus
A coworker told me “RSA is a marketing conference” and they couldn’t be more correct. I spent most of the time running from coffee shop to coffee shop, because most of my favorite vendors didn’t think spending the hundreds of thousands of dollars on a show floor booth was worth the price (I think they were probably correct). Overall, it was a wonderful place to see some of my favorite vendor friends in person, but a terrible place to try and learn anything technical. Below are some of my major takeaways.
Word on the Street
Some recurring conversations I had with vendors and practitioners.
ASPM is Hard to Sell
Confusion around ASPM remains high across all fronts. From talking to practitioners and vendors, there seem to be two main problems:
First, vendors that don’t even really compete are clashing, because everyone markets as “application security.” The market is under-educated about ASPM from the perspective of what the 8 types of scanners are and why someone would want them. When it can be challenging to understand even one of these scanners at a time, it makes sense that the market needs to better know what scanners are out there and why they matter. I heard from multiple vendors of companies churning between products that do radically different things, as security teams are unclear about what they’re even looking for.
Second, many security teams have still not learned how applications work and are deployed in containerized environments. Many teams are still drowning in CSPM and vulnerability alerts, and haven’t even begun to dig into their applications for vulnerabilities from third-party libraries. Because of this, a lot of purchasing power remains in the hands of developers or SRE teams, who will pursue solutions out of their own desire for security even when they’re not being given requirements.
Runtime is Heating Up
I’ll have a full post on this soon.
While shift-left practices are critical for maintaining security, it’s abundantly clear that the marketing push into shift left as a cure-all has lost steam. More security teams are realizing that their patching velocity is not fast enough to keep them secure, and that they need better mitigations in place to protect their runtime assets.
Despite the need for runtime, there remains a lot of market education to do on the different approaches that are out there, and, to be frank, on why CrowdStrike is really outdated for modern application workloads. In general, “CNAPP” is coming across as a solved arena, and targets are shifting from Palo to CrowdStrike.
People are Discontent with Current Tools
For most of the startups, catching churn on point solutions from “platform vendors” is where the “right now” money is. People seem largely discontent with the first-to-market solutions, from SCA to SAST and everything in between, and are looking for rip-and-replace at a discount.
This is where it’s a tough market for visionary companies versus point solutions. The market has clear demand for “better SCA/SAST/DAST/Container” scanning as a single checkbox, but has been slow to realize the value of consolidating all of those things into one place.
Stay out of Wiz’s Way
Wiz remains on the forefront of every conversation - whether it’s discussing why they won the market, whether a security team should switch to them, or what they’re going to do with their billion dollars. Here are some good theories:
The market size for ASPM and code security more broadly is too small for a giant investment there, the real target is CrowdStrike and runtime.
It’s all vanity money because they want to be the largest tech IPO in history.
The Wiz runtime agent is actually really good, but perception remains that it’s something they don’t do.
Either way, almost every conversation with vendors revolves around whether they should complement Wiz or take them on directly. For most vendors, it’s being sure they could replace Wiz, but being happy to complement it. At the end of the day, in my opinion, Wiz’s strength is asset management and vulnerability scanning at runtime, so basically anything else can be seen as complementary depending on whether it’s an important enough problem.
The Latest Buzzwords
AI
That’s about 1/5 of the vendors having this in their description.
While the general sentiment that AI is overblown in marketing remains true, the real blame lies at the feet of product leaders. While everyone certainly slapped AI on their posters, there was little clarity on the show floor about how AI was being used to substantially improve security, or how vendors were helping to secure LLM usage.
Honestly, last year everyone’s CEO told their product team “make it AI,” and now marketing teams have nothing substantial to build campaigns around besides “look, it’s AI!” AI in general is certainly a hype-cycle fad; however, some vendors are continuing to work with it, both to secure it and to improve security.
Risk Reduction
Now that everyone wants to be an ambiguous platform with a terrible solution to every use case, there was a hefty dose of vague pitches from vendors. Looking at any booth, it was impossible to tell what the company did from the high-level pitch. Everyone was simply a way to “get visibility into and reduce your risks.”
Other Updates
No update to the List this week with travel. This is a little personal-bloggy, but my flight from Charlotte to Raleigh on Thursday night was cancelled, so I ended up Ubering back for 3 hours at 12am with 3 strangers, which was making the best of a weird situation!
Also, I know several people I’ve done calls or podcasts with are familiar with our little dog Amy. We unfortunately had to have her put down this weekend, which has been really hard for us. She was with us for 14 wonderful years and will be greatly missed.
Amy - 2010-2024