The RSA Conference was its usual self – above everything else, it was an annual cybersecurity extravaganza stamped with excess: marketing budgets, parties & events, and multiple themes that vie for your attention with many losing focus on why this serious cybersecurity industry exists in the first place. As expected, artificial intelligence (AI) reigned – it was everywhere you looked. Virtually every vendor had an AI story to tell; it was hard to cut through the hype to see what companies were actually applying it in a meaningful way. AI integrations should be purposeful, not simply to say you’re doing it. In this case, I think many companies were afraid of being left behind rather than having a genuine story about how AI helps with cybersecurity.

Let’s look beyond the AI hype and parties and discuss what else happened at the RSA Conference. Here are three important observations that I took from the show after walking through both conference halls and visiting countless vendors in the North, South and Innovation Halls.

1. A Growing Presence of Risk Awareness

It used to be that you rarely saw any governance, risk and compliance (GRC) vendors at the RSA Conference, but this year there were several GRC companies present. Traditionally, GRC is a different organization than cybersecurity in an enterprise, with its own budgets and tools. However, now GRC and cybersecurity have been moving much closer together because cybersecurity has become such a point of risk. Rising regulations around the world impacts compliance, with very real financial consequences. In the coming years, I think it is inevitable that there will be a convergence of GRC and cybersecurity use cases. Undoubtedly, this will include acquisition activity, so it will be interesting to see this unfold and how these two categories coalesce.

2. Identity is King

About a third of all the vendors I encountered were talking about identity. The identity conversation is complicated, as the space is saturated with tools from IDPs to CBAs to proofing to ITDR and so on. Much of what Gartner’s Ant Allan said in his identity fabric research is spot on. There’s a diaspora of identity tools today, and there’s a need to converge the various use cases much like the rest of cybersecurity has with XDR and SSE. When you cut things to the core, there are two things you need to ultimately secure: identity and data. The data side is well-understood, but we’re just starting to get a handle on securing identities. Every XDR vendor was offering identity threat, or ITDR, capabilities. In the end, there is no doubt that securing identities is the next major focus of cybersecurity.

3. The Fallacy of Platforms

The average company has multiple identity and access management (IAM) platforms in place. This makes things complicated because each platform has specific capabilities it does well, yet there is no way to consolidate them without sacrificing the strengths of a platform you’d be decommissioning. This doesn’t include the cost of the migration either. This problem is true of all security platforms. The idea is supposed to be to provide a one-stop-shop for security needs, but the different platform vendors have no interest in working with each other to integrate well together. This is especially damaging in identity management because an IAM platform may say a person is a risk, but because of a lack of integration, it can’t tell the other IAM platforms. Walking around RSA, there was a lot of talk and messaging about the benefits of security platforms, but the irony is that they inflame complexity rather than simplify things. This is one of the chief mistakes that traditional security vendors made that hopefully identity vendors can avoid – remain a best-of-breed solution and avoid platforming by acquiring substandard tools, which causes you to become a jack of all trades, master of none. The answer is to provide a layer on top that uses the best tools from platforms and integrates best of breed tools – what’s known as a “fabric”. It’s the best of both worlds – the promised consolidation of a platform, with the quality of best-of-breed tools.

The RSA conference is now 33 years old, and it has become the premier event in cybersecurity. It can be overwhelming if you let it, but if you stay focused on what you’re interested in, you can leave with some powerful key takeaways like I did that can help shape your perspective and approach with the industry.