Dear Reader,
This newsletter was going to be about what we learned at RSAC Conference this year, and then Anthropic threw it out the window with the announcement of Project Glasswing. We are digging into the news as you read this and, as usual, we are not setting our hair on fire and running around over it. In fact, we are very circumspect over the news. There are sectors of the cybersecurity industry that will be affected by this, mostly involved in application development, but the real issue facing the cyber world is the preponderance of non-human identities, which are not affected by Anthropic’s news. We are preparing coverage soon. Now, back to our regular programming.
The RSAC Conference of 2026 has come and gone and, as usual, it was a mixed bag of emotions and insights for us.
On the surface there is nothing new. Dr. Chase Cunningham, an advisor at Cyberbridge Partners, said, “Most vendors are just saying the same thing, dressed up differently. Little real innovation is happening; it’s often just repackaged features, not solutions. It’s hype, not a breakthrough.”
We got much the same take. We know that there are differentiators between the companies, but we aren’t sure the vendors know what makes them different from everyone else. But that’s what journalism is for, right?
Dueling for budgets
Almost everyone was pitching some sort of defense against Agentic AI, or providing agentic AI to defend against attacks. And within those two groups, vendors were promoting either what Andesite called “humans at the helm” or, like Bonfy.ai, taking “humans out of the loop.” So for the rest of the year, that duality will be a focus of coverage.
There are also competing messages between companies promoting preventative measures, like Noma Security, and companies that wanted to close the barn door after attackers get in. In truth, that comprises most of the companies. The reality is preventative tools and methodologies are no more successful than detection and response. There is room for both. The question remains: where should the emphasis go?
The middle child
The budget issue brings up who gets the tools and services. Clearly eight of 10 vendors are targeting large enterprises while ignoring 80 percent of the available market in the form of small to medium enterprises. It’s clear why most vendors prefer to target the big customers: they will buy at least one license just out of FOMO, and that one sale will fund a startup cyber company for the foreseeable future.
But the supply chain is made up mostly of small to medium suppliers where criminals like to lurk for the moment a small company gets acquired by a bigger one. So what to do about the mid-size customer with the much smaller budgets? We found a few companies that expand their targets to include medium enterprises and a few that provide free tools for small customers. So we will be reviving an idea we called Security for $500 a Month. These articles will feature companies with free to low-cost prevention, detection and response services and tools.
To market to market to find a fat pig
As Dr. Cunningham stated, there is a lot of duplication in marketing messages for the cyber industry. Adoption of AI for communications is part of that problem. We have seen an alarming number of news releases, studies, reports and contributed articles in the past year produced using AI. That means they draw from the same training data, homogenize it so it sounds like everyone else, and then wonder why it isn’t getting picked up. And it’s not just your friendly neighborhood journalist seeing it. The customers are seeing it, too.
On the last day of the show we hung out in the lounge area of Moscone North and asked a dozen attendees — who were not from cybersecurity companies and who were promised anonymity — about what they were finding compelling at the conference. Universally, it was a big yawn.
“Everything is about Agentic AI,” said one. “Even the sessions are hammering on it. In one session, the speaker asked the audience about how many were from companies that were implementing AI into the security workflows. About four raised their hands. And that was in an audience of about 500.”
It seems that the companies most interested in implementing AI into security workflows are the companies selling tools and services designed to implement AI into security workflows. But they are having a hard time convincing the potential customers we talked to, who represented pharmaceuticals, automotive, finance, and government.
It’s not to say that they don’t want to adopt the new technologies; they just aren’t being convinced by the vendors that their tools will solve their particular problems.
Failure to communicate
On the positive side, the vendors are starting to recognize this discrepancy. The old ways of doing marketing (social media, direct mail, trade shows) aren’t getting through to the customer. We met with company after company that said as much. They need to do something else.
Going back to Dr. Cunningham, “As AI spins faster and faster, we should remember that the human element, the real discussions, and the true innovation lie in simplicity and trust.” A bold statement from a guy that calls himself “Dr. Zero Trust.”
He’s right, though. Trust comes from listening to your audience first, and that’s something that can only be done if you stop trying to scare them first. The cybersecurity market is already scared, but not about what the industry is telling them to be scared of.
Take the issue of encryption. We met with a couple of companies in the quantum-safe area, and we will be talking to a couple more in the next few weeks. One, Datakrypto (which we have covered before), isn’t concerned about the dreaded Q-day (when quantum computers can break current encryption). Another, Cy4Data Labs, is absolutely certain the day is already here. Both companies have almost identical marketing messages with remarkably different views of their importance. Neither company has done the market research to know the other exists. Neither believes that the other can do what they say they can do. We can hardly wait to talk to the third company to see what they say. But for companies that play in the exact same space to have such divergent and isolated positions is interesting, to say the least. We will be looking into that as well.
And then to add to the pile we will also be looking into:
• Palm print readers
• GASA whitewashing
• Phishing blocks
• AI washing
• Device to device attacks
It’s going to be a busy year.
Enjoy Reading
Lou, Joe and Patrick