Here’s What 20 Top Cybersecurity CEOs And CTOs Were Saying At RSA Conference 2024
CRN spoke with the CEOs and CTOs of a number of cybersecurity companies, including Proofpoint, Palo Alto Networks, Rubrik and CrowdStrike, during RSA Conference 2024. Here’s what they had to say.
While the many implications of GenAI for security continued to be discussed and debated at last week’s RSA Conference, an array of other issues were front and center—including for many CEOs and CTOs at leading cybersecurity vendors.
During interviews the week before RSAC 2024 and mainly during the conference itself, top cybersecurity industry executives told CRN that dealing with data challenges in security, defending against intensifying attacks and the many other pressures on security teams have been among the major topics of discussion.
[Related: RSAC 2024: A ‘Mindset Shift’ In Cybersecurity Industry As Vendors Prioritize Integrations]
Ultimately, looking ahead to a world of increasingly AI-powered cyberattacks, Evan Reiser, co-founder and CEO of Abnormal Security, said, “I don't think as a civilization we’re on track to defend against those attacks.”
More customers, Reiser said, should be demanding this from the industry: “’Tell me how you get me on a path that ends up in a positive state.’”
Meanwhile, the CEOs of companies including Proofpoint, Rubrik, Mimecast, Trellix and Netskope, as well as the top technology and product leaders at companies including Palo Alto Networks, Check Point Software Technologies and Zscaler—plus a number of other executives—also spoke with CRN.
What follows are comments from CRN’s interviews with 20 top cybersecurity executives. (Comments have been edited and condensed.)
Sumit Dhawan, CEO, Proofpoint
Issue: The need for a coherent cybersecurity architecture
I think what’s interesting at this point is a dynamic that I see between security and IT. I do believe the solution to that dynamic, to make it healthy, would be formulating an architectural approach to cyber … identity and access, EDR, SASE, human-centric [security]—and then automation on top—those five boxes are your architecture. The rest are basically components that should either be consolidated into those five boxes, or should just become mere extensions of them … The underlying dynamic becomes unhealthy and non-trustworthy if you’ve got too many point products doing too many things versus managing the risk at the infrastructure and human side. An architectural approach—with holding the providers of the solutions in the architecture accountable for what they do and how they integrate—is the approach, in my opinion, where the handshake between CIOs and CISOs can be much stronger than what it is today. It’s a little shaky at this point in time.
Bipul Sinha, Co-Founder, CEO, Rubrik
Issue: Cyber resilience versus prevention
Cyber resiliency is about cyber posture, which is [getting an] understanding of the data and user activity on it, and then delivering remediation. Now it is dawning on [customers that] the cyber industry framed the whole discussion wrong. They said, ‘prevent, prevent, prevent.’ So everybody is focused on risk and threat. Now it is dawning on them that Change Healthcare is not an isolated event. Cyberattacks are inevitable. So how do you ensure that you can be a continuing operation even in the presence of successful attacks?
Dorit Dor, CTO, Check Point Software Technologies
Issue: Data challenges accentuated by AI growth
Data was always a problem that we never solved very well. … The usage of AI [is revealing] the problem of data in a much bigger way. We always had the problem of data, but we kind of ignored it. And we use the fact that it was segregated in different places and we give you access to someplace, and have access to another place, and kind of [tacked on] these controls. With AI, it becomes more difficult because we want all the data to speak to each other. We want people that implement AI systems to have access to all these elements and [enable] more data collection. It’s really becoming very hard to [control]. So the ability to keep some authorization and some control level on data becomes harder.
Marc van Zadelhoff, CEO, Mimecast
Issue: Platform consolidation
I’ve been in the cybersecurity space for 25 years. There has been the rise and fall of platforms in the cyber space. When I got into cybersecurity, McAfee and Symantec were the big platforms, and they sort of disintegrated. I was at IBM Security when we built that into a huge business. I think now you’re seeing some very interesting platforms on the infrastructure side. … I think with the pressures that customers are facing on budget right now, they’re looking for every one of their vendors in these different segments [to] ‘do more for me.’ … I think there’s a big move toward spending as much [as possible] with fewer vendors. That’s that platform play.
Lee Klarich, Chief Product Officer, Palo Alto Networks
Issue: Real-time security
If I were to look across cybersecurity, the biggest topic from my perspective is the need for cybersecurity to be real time. There are too many places where technology has not kept up with the pace of attackers. And we’ve shared data on this, from initial attack to breach being, even just a few years ago, 40-plus days. Last year, based on our data, it averaged about five days. But we’ve seen attacks that have been in hours. And so that time window is the amount of time that companies have to be able to detect and remediate in order to disrupt the attack before it completes. We believe that that will continue to narrow, requiring security to be as close to real time as possible.
Bryan Palma, CEO, Trellix
Issue: Disparity between CISO accountability and resources
One of the things we’re seeing, obviously, is the accountability has gone up significantly. CISOs are held accountable for potential breaches that might cost the organization somewhere in the hundreds of millions of dollars. So there’s a huge responsibility there. Also, CISOs are often presenting, and are on the agenda, for the board of directors to talk about the potential risks that face an organization. Yet at the same time, we still see them not with a full seat at the executive table often. And we also see they have limited resources, and they don’t have the budgets of some of their C-suite peers. So there’s a little bit of a dichotomy there—with a really high amount of accountability and not necessarily a really high amount of resources to be able to take action in the correct manner.
Sanjay Beri, Co-Founder, CEO, Netskope
Issue: CIOs focusing more on understanding security
Some of the larger organizations here are bringing not just CISOs. I’ve had more meetings with CIOs, more so than in the past. I think CIOs have realized that they have to understand [cybersecurity]. And that’s a great thing. The CIOs run network, they run infrastructure, they run the apps … But they’re all colliding [with security]. They’re all converging. … The CIO is realizing, ‘Wait, the world is changing.’ The network is in the cloud. Security, which maybe they weren’t as versed in before, is a top board topic. And end users? They’re working remote. It’s all changed. And so I think a CIO has to have a better sense of how they handle that properly.
Nayaki Nayyar, CEO, Securonix
Issue: Cybersecurity innovation versus AI-powered attacks
If we thought the world of attacks was bad the last few years, it’s really going to get worse. We see [the growth of] attacks powered by AI now. AI has democratized cyberattacks. Maybe before it used to be a highly experienced or very technical person who was able to launch those. But now, you don’t need any technical depth. You don’t need any technical skills. You can literally launch an attack with very little skills. So that’s a scary thought. On the defender side, I know we feel very good about the pace at which we are moving. … If you can imagine fast-forwarding a year or two, the pace of innovation, the amount of innovation that will come into the market—the entire ecosystem of security practitioners and security vendors are coming together to fight this war, this cyber war.
Elia Zaitsev, CTO, CrowdStrike
Issue: GenAI impact on human security analysts
I think there’s a lot of misunderstanding of the technology and how it’s going to evolve. I speak to individuals who are asking me if all the human analysts are going to be retired, and it’s all going to be fully automated AI technology. I don’t think that’s going to be the case. I don’t see humans going away. I see humans getting much faster, much more powerful, because they’re being assisted by AI. It makes a lot of sense if you think about what the threat landscape looks like on the flip side. You’re not having adversaries replacing themselves with AI. They’re using AI to get faster, to get smarter.
Shlomo Kramer, Co-Founder, CEO, Cato Networks
Issue: Pressure on security teams
For everybody, the percentage of IT security out of IT spend is growing. The price of cyber insurance is growing. [But] security is not improving. The businesspeople are constantly on [the security team] for delaying their project. And they are in the middle with their limited budgets and their limited head count, and they’re looking to somehow make it work. And things are going to become much more complicated by the introduction of AI for the attacker, which means more sophisticated attacks at a larger scale, more capable deepfakes and financial fraud. The attacker continues to innovate. So that crunch that people feel today is going to only get worse.
Peter McKay, CEO, Snyk
Issue: GenAI putting more pressure on AppSec teams
There’s always been this disparity between [security and] the pace of the developer and software development. The sheer number of developers to security people is just exponentially higher. And now it’s like developers are on steroids—now they’re producing code 40 percent more productively than they were before [with GenAI]. It’s like the haves and have-nots—the companies who have leaned in more aggressively in application security had more of that automated. They’d already been building it into that software development life cycle. They’re at least close to being ready for GenAI. Whereas for other companies who hadn’t shifted left, there is getting to be even more of a disparity between the developers—and the pace of software—and security teams just trying to keep up.
Wendy Thomas, President, CEO, Secureworks
Issue: Prioritizing protection against vulnerabilities
A third of breaches are still coming from the scan and exploit of vulnerabilities. The importance of connecting assets and threat intelligence for optimal detection, investigation and response— it’s really fundamental. And it’s been an uncracked challenge for the industry, really for its existence. And so the ability to prioritize and contextualize and focus the work of patching to where there is actually risk, and the risk is highest, and there are no compensating controls—it just gets that flywheel of focusing resources on where things need to be protected.
Evan Reiser, Co-Founder, CEO, Abnormal Security
Issue: Responding to worsening attacks
I see a lot of customers struggling. And they’re very frustrated, [feeling] like, ‘I’ve never spent so much money on security stuff, and we’ve never had more cyberattacks.’ People feel like they’re treading water. And so I think when you get really overwhelmed, people have less of an ability to really plan long term. I’ve been trying to just ask people, ‘Let’s just imagine it’s five years from now. And you have every petty criminal on the internet using ChatGPT 7. And they’re all writing the most sophisticated social engineering attacks we’ve ever seen. And they’re not just going through email, but through every communication channel. … I don’t think as a civilization we’re on track to defend against those attacks. And I do think AI must play a role in helping us survive in that future world. I want to try to recruit more customers to demand from the industry, ‘Hey, tell me how you get me on a path that ends up in a positive state. Because we’re not in a good state right now.’
Syam Nair, CTO, Zscaler
Issue: Secure usage of GenAI
Usage of AI is continuing to grow. How do you safely use AI? For everybody, that is top of mind. ‘I need zero trust not just for users and workloads—I need zero trust for AI.’ … In most cases, they are not able to figure out how to do it. And the answers are either, ‘Let’s block everything.’ Or, ‘Let’s open it up and see what happens.’ Everybody talks about AI, everybody wants AI [because it’s] going to enable productivity. But the risk factor of it is not well-understood.
Bob VanKirk, CEO, SonicWall
Issue: Vendors’ focus on partners
I’m not going to mention names. But over the course of the last two days, it’s interesting [to hear partners talk about vendors and say], ‘You know what, they’re not focused on our concerns anymore.' Or, ‘They’re choosing to go around us. They’re not giving us that same loyalty.’ And it makes a difference.
Merav Bahat, Co-Founder, CEO, Dazz
Issue: The many aspects of AI
AI has a lot of layers. There’s AI for security, AI as a security risk, AI as a platform, AI as an application. And there’s a lot of innovation. … The way to think about AI is it’s not just a security problem. It’s a legal problem, it’s a lot of other problems. But AI could also be used amazingly for security. Security remediation is a data problem [and] you can apply AI for prioritization, for remediation, for automation.
Anand Kashyap, Co-Founder, CEO, Fortanix
Issue: Potential threats from quantum computing
It’s like the Y2K moment with the difference being that with Y2K, everybody knew the date and time when the problem would come. Here, nobody knows that yet. But the threat of quantum computers being able to break traditional cryptography is real. To address that, people have to now upgrade their encryption keys and their algorithms and their applications, all three of them, to start using quantum-safe mechanisms. And post-quantum cryptography is this class of algorithms, which are developed to be resistant to quantum computers. At this time, what we are seeing is a lot of organizations, large enterprises, governments—they are starting to get ready, educating themselves, trying to get an inventory of everything that they have as it relates to cryptographic assets in their environment. And when they’re ready, they need a plan on how they will be able to upgrade from traditional cryptography to post-quantum cryptography. So I think right now the world is still in that assessment period, trying to take stock of what’s out there, and getting ready for that imminent threat.
Sumedh Thakar, President, CEO, Qualys
Issue: Communicating cyber risk to the business side
There is a bigger question about how to tie cybersecurity efforts and spend to the business. A few years ago, CISOs really wanted to have a seat at the table at the board, to present to the board about cybersecurity. And a lot of them got it. [Now] a lot of them wish they had not because the CISOs were speaking a language that the board absolutely did not understand. … More and more, what we are seeing now is a lot of CISOs are really focusing on, ‘How do I take an overall risk-based approach to my cyber efforts? How do I quantify my risk in terms of business impact? And how do I communicate that risk to the board, to the CFO, to the IT team?’
Rohit Ghai, CEO, RSA Security
Issue: Security for passkeys
There is a misnomer or a misperception that passkeys cannot be stolen, like passwords could be. But what is a passkey? A passkey is basically a digital certificate or a cryptographic key that you store on your device. And Google, Amazon, Apple all basically supported the FIDO standard and said, ‘Hey, you can store passkeys on your device and, by the way, we’ll sync it to the cloud.’ And that’s fine for the consumer use case. [But since] your passkey is now getting synced to somewhere in the cloud, it is possible to be stolen. Just because it’s not a password doesn’t mean it cannot be stolen. So to make sure that passkeys are appropriate and secure enough for the enterprise, you have to make sure you don’t do cloud-sync passkeys, and you [need to] have policies that govern the flow [of passkeys] and where the passkeys are actually stored, and how, and who can access it.
Clint Sharp, Co-Founder, CEO, Cribl
Issue: The data growth challenge
Literally every prospect or customer I’m talking to has exactly the same problem, which is, ‘Whatever place I’m sending data to, it’s full. I’m spending as much as I can possibly spend on it.’ What got you to 2024 is not going to get you to 2034. The same strategy that you built over the last decade [where] all the data goes into the SIEM, it’s just not viable. And so they’re all looking for, ‘What do I do now? Because I can’t keep spending 30 percent more every year.’