* YTD quotes from May 8 midday of the regular trading session.
After three COVID muted years, 2023 brought the buzz back to the security industry’s long running RSA Conference in San Francisco (April 24-27). For the first time in years, attendees were excited not just to reunite with friends but to walk the 600+ vendor booths on the show floor. There, practical giveaways like t-shirts with cheeky sayings and books paired with crowd-drawing mascots, card tricks, and an escape artist fueled badge scans that will serve as leads for business development teams.
From six-figured price tags for the highest end expo space to tastefully curated meals and happy hours, the show provided a week-long physical nexus for discussing the perennial topics of threat evolution, security innovations, and governance frameworks – only this year with tech layoffs and generative AI adding macro twists to the conversation. Through it all, a few trends shined as potential investment opportunities.
Big Tech and Pure Play Security Bets. A decade of security acquisitions and in-house innovation has deepened big tech’s domain expertise in what was once a specialist play. In 2021 alone, Alphabet, Amazon, Apple, Meta, and Microsoft spent $2.4 billion on funding or acquiring 23 cybersecurity companies. Notably, Microsoft’s security business crossed $15 billion in revenue last April, an earnings feat that few pure play security companies matched then or now. Shares* of Alphabet (GOOGL +17.83%), Amazon (AMZN +19.45%), Apple (AAPL +48.48%), Meta (META +107.54%), and Microsoft (MSFT +67.22%) all trended up year-to-date as compared to a mixed bag from pure play security vendors including Akamai (AKAM -6.19%), CrowdStrike (CRWD +27.51%), F5 (FFIV -10.73%), Palo Alto Networks (PANW +51.95%), and Check Point (CHKP -5.34%). Investors are rewarding security stocks for the most part, but the top performers are mega caps with other businesses that can co-share massive install bases.
Newcomers Extend Security. Phishing is still the kingpin threat vector but there was a critical mass of vendors on the show floor who were going beyond emails and endpoints to secure at the hardware and code level. The age-old analogy of locking the doors and windows to secure the house are table stakes. Some of the most exciting innovations at RSA are young, privately held companies inspecting the construction materials, plumbing, and electrical circuits.
DevSecOps unicorn Harness unites siloed developer and security teams to fix broken code at the heart of all vulnerabilities, “making it easy to do the right thing and hard to do the wrong thing,” as Field CTO Nick Durkin explained. Another born in the cloud vendor, Aqua Security, stops cloud native attacks that followed code development into the cloud, an issue legacy security vendors weren’t originally designed to solve. Yet another vendor, Eclypsium, addresses supply chain insecurities to find the vulnerabilities lurking beneath the operating system layer where most other security solutions typically sit.
AI for Security. With the World Economic Forum finding that generative AI is poised to eliminate 14 million jobs in 5 years, the technology presents a huge attack surface for bad actors, which creates an imperative to secure it. While AI can accelerate deep fakes and misinformation, it can also improve security. One example is this year’s winner of RSA’s Innovation Sandbox competition. HiddenLayer monitors a customer’s machine learning algorithms for signs of adversarial tampering. This protects systems from machine learning poisoning and algorithm drift, attacks meant to misguide teams relying on that data to make bad decisions. “The consequences can be severe,” noted Alex Doll, Founding Partner of TenEleven Ventures. Poisoned data might cause a regional bank, many of which are losing deposits, to approve mortgages and loans to unqualified applicants, which increases its solvency risks. “If the data inputs are corrupted or compromised, the outputs will be as well.”
RSA 2023 delivered a new sense of excitement and energy from booth staff and attendees. Each new security entrant diversifying security beyond the OS is giving customers a solution to adapt to the evolving threat landscape.