Why the Cybersecurity Industry Needs to Be Agile
RSA Program Committee Chairman Hugh Thompson on 2023 Top Security Trends
The cybersecurity industry needs to be increasingly agile, said Hugh Thompson, program committee chairman of RSA Conference and managing partner at Crosspoint Capital Partners. Attackers are constantly changing tactics. Security leaders also need to change and keep up with the technologies accessible to a large group of people, he advised.
Generative AI language models, their potential to revolutionize the industry and their unintended consequences are on practitioners' minds in 2023. Thompson also highlighted the growing focus on software supply chain security and government oversight.
"We're seeing a very dynamic environment. Think about ChatGPT and the impact it's had, but also its ability to write a compelling-looking phishing email. We're also seeing changes in regulation and legislation," he said. "It's not just the U.S. All over the world, new legislation is either in the hopper or about to get enacted around a variety of topics that touch security. And I think that's a big open question to people."
In this video interview with Information Security Media Group at RSA Conference 2023, Thompson also discusses:
- The hottest cybersecurity topics in 2023;
- Solidarity and community in the cybersecurity industry, as demonstrated by RSA 2023;
- The evolution of security regulations.
Thompson is one of the world's leading experts on cybersecurity and privacy. Before joining Crosspoint Capital Partners, he was chief technology officer at Symantec. Prior to joining Symantec, he was chief technology officer and chief marketing officer at Blue Coat Systems Inc., which was acquired by Symantec in 2016.
Mathew Schwartz: Hi, I'm Mathew Schwartz with Information Security Media Group. And it's my pleasure to welcome to the ISMG studio, Hugh Thompson, a familiar face to many, often on stage at RSA by virtue of your being program chair of RSA, but also a managing partner of Crosspoint Capital Partners. Welcome!
Hugh Thompson: Thanks so much for having me, Matt. It's great to get to talk to you.
Schwartz: Thank you. It's my pleasure. Thank you so much. So many things I want to talk about today. I am going to start predictably with RSA.
Thompson: Good topic, I like that topic.
Schwartz: I know, I'm playing to the home crowd here. So Crosspoint Capital Partners, I mentioned that in part because you're not only the program director, but you liked RSA so much that you now own a piece of it. Tell me a little more.
Thompson: We just think that RSA Conference is an amazing institution. It's a place where the community comes together. It's the place where people talk security. And for us, the question was, could you take RSA Conference, preserve everything that's great about it, and extend it and expose it to other people at scale? That's what we're thinking about and trying to do, but couldn't be more thrilled.
Schwartz: Excellent. So community is a wonderful word that you just brought up there. Because having been at the conference, walking around, I just get this sense that people are relieved to be back.
Thompson: I think it was good. And it's a good characterization.
Schwartz: Tell me more. I was just saying like, last year was maybe a little more shocked, coming out, how's this going to go? Tentative baby steps, if you will. But I just feel like things were back in force this year.
Thompson: I completely agree with you. I think last year, there was joy in seeing those people that you hadn't seen in two or, in some cases, three years. But there was still this kind of hesitant nature around. That was the state of the world. And people were just kind of emerging from COVID. I think this year, you're seeing folks being very open, incredibly excited to see people that they haven't seen in a long time, and get to bathe in the community. And why I keep coming back to that word is that software and security, in particular, is one of the spaces where inside of a company, you're often the person that has to say no to some initiative, or if something goes bad, you're the person that people go to. That can get very difficult for you as a cybersecurity professional. You need to be around others that have shared experiences, folks that have tackled challenges that maybe you're about to tackle or you've been tasked to tackle. And this is one of the best places where you can do that, where you can meet those people and learn from them and grow and also share your own experiences.
Schwartz: As is typical, every year, there seem to be some hot topics. And I guess you get to cook the books a little bit because you're deciding what you think is hot and programming for it. So little man behind the curtain stuff, perhaps. But with that caveat, yeah, what is hot? What's the buzz? What are you hearing that has some legs to it, not just marketing buzz? But, topically, conceptually, what is interesting for you or has been interesting for you with the RSA Conference that we saw this year?
Thompson: Yeah, definitely would love to hit some of the hot topics. But I'll dispel the man-behind-the-curtain type of a thing. It's the community behind the curtain. If you think about how the content is programmed, we have an open call-for-speakers process. The community submits these very detailed abstracts about what they want to talk about, what experiences they want to share. And then we have a program committee that's comprised of the community that adjudicates all of those things and gets us to that program at the end. So that's one of the things I've loved about RSA Conference - I've been the program chair now for 15 years - it is this community aspect. It's community-generated content, community-adjudicated, and then we get these tracks. But on themes, generative AI, large language models ...
Schwartz: I've heard of it.
Thompson: Heard about it on the fringe.
Schwartz: Probably got a few submissions on that part.
Thompson: A couple, and you're also seeing even sessions that weren't on it that are now including it. So I think that's definitely an interesting topic - in many ways. On the good side, how can we leverage it to get better at what we do? How can we defend better using it? So that's one side of it. And then the other side is the unintended consequences that happen with any advancement in science or technology. How are the bad guys using it? How can they use it against us? How do we defend against it? So that's definitely a big topic that's on the table this year.
Schwartz: What else are you seeing?
Thompson: You're also seeing this realization that we bring so much software into the enterprise. A lot of it, we don't know what's in it. You buy it from a vendor, they're a good vendor and a reputable company. They're giant. But what are the constituent pieces that they've used to build that software? That's a big question that's going on in the space. And you've seen it for the last two years with SBOMs and people wanting to enumerate the bill of materials that's inside of software. Now, I think folks are going to the next step and saying, I have this list of stuff. But what do I do with it? How do I prioritize that? What about things that are packaged inside of binaries and not just open source? So that's a big topic. How do I know what I'm buying, and what's the risk of the thing that I'm buying? And how do I mitigate it?
Schwartz: Are all SBOMs equal? What does that begin to look like? If it's a federal requirement now, how does that begin to play out? There are huge amounts of discussion around that these days. Supply chain security ...
Thompson: Supply chain security, a huge topic ...
Schwartz: We can pick so many of the other things you're talking about here to get to so many other things as well. The Biden National Cybersecurity Strategy. Exactly. Also, talking more about this very dynamic environment we're seeing.
Thompson: Very dynamic. And I think that's a topic unto itself. I think what we've learned in cybersecurity is we need to be increasingly agile. It's not just the attackers that are changing. It's the underlying technology that's being accessible to a whole bunch of people. Think about ChatGPT, for example, and just the impact it's had and the ability, again, to do great things, but also the ability to write a very compelling-looking phishing email, for example. You're also seeing changes in regulation and legislation. And it's not just the U.S.; all over the world, new legislation is either in the hopper or about to get enacted or about to get enforced around a variety of topics that touch security. And I think that's a big open question to people. How should I prioritize this? How do I implement it when some of those standards are relatively vague? What does it mean for us? And how will it get enforced? So we live in a space that is just incredibly dynamic.
Schwartz: Extremely dynamic. I'm looking forward to seeing how all these laws that we now find on the books shake out. I'm sure that's one of the big other themes we're hearing this year, as you were saying with the regulations and how all of that is evolving. No end of the fascinating topics. Thank you so much for all of the wonderful programming you have done and continue to do with RSA and for being in our studio today. Thank you.
Thompson: Thank you. Thanks for taking the time. Really enjoyed it.
Schwartz: My pleasure. See you at the next RSA Conference.
Thompson: Absolutely. Looking forward to it.
Schwartz: Thank you. I'm Mathew Schwartz with Information Security Media Group. Thanks for joining us.