Impressions from RSA, February 24-28, 2020, and Marcus Dahlén presenting at the residence of the Consul General of Switzerland in San Francisco

The cyber security world is complex. On the one hand, cyber-crime actors are increasing in numbers as well as skills. On the other hand, the IT landscape grows more complicated, partly because sensitive business information resides on multiple cloud providers and must be accessed from devices all over the world. Add to this billions of “smart”, but “hackable”, devices being connected to the Internet, such as toasters, and an increase in regulatory requirements to protect sensitive information. These are all very challenging tasks for corporate security teams worldwide. Over the last years, these teams have invested billions of dollars in security products to prevent, detect and respond to risks related to these challenges. The result is a complex landscape of security products that may not always play well together or provide the promised return on investment. Add the lack of cyber security experts in the global market and you have a good picture of where we stand in today’s cyber security world. Having a comprehensive view of these challenges and how to tackle them is crucial to all security startups.

Some observations from the RSA Conference

Some weeks ago, I visited the RSA conference (RSAC) in San Francisco with some of the most successful cyber security companies in the world. The conference had about 36 000 attendees, 700 speakers and 650 exhibitors on the expo floors. The week was filled with security startups trying, but quite often failing, to explain their unique selling points. Many startups are struggling to explain the problem that they solve for their customers. One reason for this might be the limited number of words which can be used to describe the value of a security product. Startups should consider using standard security frameworks (e.g. NIST) to explain to their customers where they provide added value. Or, even better, they should use the customer’s own security framework, as Microsoft’s CISO explained during a session at RSAC.

I also talked to major security vendors and multinational corporations providing a one-stop-shop for security needs in a certain area but often missing innovative approaches. This gives startups a “sweet spot” to introduce their product on the market.

Due to the Coronavirus, it was also a week filled with hand sanitizers, “elbow greetings” and keeping a constant eye on the development of the virus in San Francisco.

The RSAC startup pitch stage is always a highlight: This is where startups compete against each other to win the prize as the “most innovative startup” of the year., which gives you a global view of all personal data across your systems, won the title. Another of my favorites was Vulcan, which had a very interesting product for automation of vulnerability remediation. I enjoy looking at startups providing products supporting “cyber hygiene” (i.e. best practices such as correct configuration, patching vulnerabilities, etc.). Attacks exploiting these kinds of vulnerabilities are still prevalent, and this is an area where many companies are still struggling. Hence, I also did a deep-dive on mature and enterprise-grade startups like Cycognito, which helps you understand your company’s external attack surface, and XMCyber, which continuously analyzes your internal infrastructure for vulnerabilities and misconfigurations.

Further, the conference is filled with networking opportunities to discuss approaches to new concepts such as SASE. I also discussed the opportunity of doing Zero Trust workshops in Switzerland with John Kindervag, the “inventor” of the Zero Trust model.

Of course, I also talked to a lot of Israeli startups. It’s impossible to write about startups in the cyber security space without mentioning Israel. After all, Israel has, per capita, the most startups in the world and their ecosystem is somewhat unique when it comes to cyber security startups. One of the reasons for this is that the best people in the country are being hand-picked for the cyber security military force, where they receive the best possible technical training on the job. One example is Cycognito, mentioned above.

A Swiss presence would make sense

The ecosystem in Silicon Valley attracts Israeli startups and we see them opening offices all over the Bay Area, but usually they keep the product development in Israel. Of course, Israel also had their own pavilion on the RSA conference expo floor. Other countries such as Belgium, Germany and the Netherlands also had their own country pavilions, introducing their security startups to the 36 000 attendees but also profiting from social networking across the industry. With Switzerland being one of the most innovative countries in the world, the country should showcase their government organizations, startups and other companies on this cyber security stage.

During RSA, Swisscom, together with the Cyber Defense Campus and the Swiss Business Hub, hosted a networking event in the residence of the Consul General of Switzerland in San Francisco. This was a great opportunity to bring Swiss, US and Israeli security experts from large enterprises, venture capitalists and startups together. We are looking forward to organizing a similar event next year.

Please don’t hesitate to reach out if you have any questions about the topics above or if you want more information about the startups we are looking at.

Marcus Dahlén, VP Cyber Security @ Swisscom Outpost, Palo Alto, California, US (LinkedIn)