The 2025 RSA Conference is right around the corner, certain to be buzzing with marketing propaganda, intriguing innovations, and bold claims as always.
But this year’s gathering at Moscone Center in San Francisco will also provide an opportunity to glean insights into real-world concerns CISOs have about their strategies in an ever-evolving security and threat landscape — as well as about the industry at large.
Here are 10 key questions likely to dominate the cocktail party conversations, sidebars, and sidewalks of San Francisco, as security leaders process the presentations, hoopla, and in-your-face advertising across Howard and 3rd Street next week.
What does Google-Wiz portend for the security industry?
Alphabet’s recent $32 billion Wiz acquisition screams of M&A opportunities — and big questions about cloud security. With all that money being thrown around, the Sand Hill Road gang will be busy pitching new deals amid Screaming Eagle and Scarecrow cabernet sauvignon. Meanwhile, the security industry — and customers — will ponder the deal’s implications. With Microsoft and now Google offering homegrown cloud security capabilities, what will AWS do? Will Orca Security be scooped up next? Expect to hear lots of FUD (fear, uncertainty, and doubt) about Google’s ability to integrate Wiz, maintain the culture, and execute — with CISOs’ cloud security strategies hanging in the balance. Great industry soap opera stuff!
Is agentic AI more myth than reality?
Building on 2024’s AI enthusiasm, this year will be all about agentic AI, defined as “a type of AI that enables software systems to act autonomously, making decisions and taking actions based on goals, with minimal human intervention,” according to AI itself (source: Google Gemini). We’ll see lots of software demos and claims, but I’m only interested in hearing what my CISO friends think about the promise and reality of this emerging technology. After all, I remember well when Gartner declared intrusion detection systems (IDS) “dead,” certain to be replaced by intrusion prevention systems (IPS) in 2003. But this didn’t happen, as paranoid security pros were unwilling to cede decision-making to machines.
Skepticism is still a dominant force in cybersecurity culture, for good reason. But AI is progressing rapidly, and organizations need the automation and analytics help. In fact, many organizations are already developing their own AI agents across various departments, and security should be no exception. CISOs should consider AI agents a great equalizer, where they can customize software for their specific security needs without waiting around for vendors to catch up.
Agentic AI is big and getting bigger. CISOs and vendors will need a comprehensive, business-friendly strategy as soon as possible — not RSA ballyhoo.
Can platforms win the enterprise?
The argument for platform is extremely logical — native telemetry, improved integration, one “throat to choke,” and more. Heck, Microsoft even claims it’s all part of the same enterprise license. To paraphrase an adage, Microsoft asks: “Why buy different cybersecurity cows when you get the [E5 license] software milk for free?”
These benefits absolutely appeal to SMBs and resource-starved enterprises — those in the public sector and healthcare, for example. But large enterprises remain dubious. CISOs worry about vendor lock-in and substandard components, all while their large enterprise IT landscapes evolve faster than any security platform can keep up. Can platform players bridge this gap? I’m all ears at RSA.
Has the passwordless revolution finally arrived?
In December 2024, Microsoft declared “the password era is ending,” while further pushing 1 billion users to switch to passkeys instead. Everyone hates passwords, but it’s always been too cumbersome to switch everything to MFA. Not anymore.
While few took notice, FIDO2 infrastructure became ubiquitous — it’s on your phone, in your browser, and even on IoT/OT devices. And while Microsoft’s enterprise customers figure things out, large financial institutions are moving full speed ahead with FIDO authentication baked into applications servicing millions of customers. The passwordless/passkey transition is going to hit like a tsunami over the next few years. RSA 2025 may be a catalyst for this evolution.
Where will the zero trust journey go in 2025?
Okay, zero trust was probably an RSA highlight in 2022, and it seems like my old friend John Kindervag has been yakking about ZT since the end of Prohibition. Nevertheless, zero trust has made ample progress that’s worth some RSA chatter.
First, zero trust rides on top of the secure access service edge (SASE) impetus from vendors such as Cato Networks, Netskope, Palo Alto, and Zscaler. US federal government adoption (and the detailed DoD specification) is also driving momentum. Finally, zero trust will get a big boost when organizations adopt passwordless/FIDO2 as described above.
Another John, my old colleague John Grady, reminds us that zero trust is a journey, not a destination. I’m interested to see how this journey has progressed at RSA.
How are exposure management strategies evolving?
In 2018, as an analyst at ESG, I coined the term SOPV, for security observability, prioritization, and validation. The thought was that security risk management was unwieldy and we needed to improve our risk monitoring, prioritize risk mitigation affecting business critical assets, and validate that remediation actions were effective. The industry responded by pooh-poohing this acronym.
Sometime later, Gartner came up with a similar concept: continuous threat exposure management (CTEM). Naturally, it became industry gospel. Regardless of the acronym, there’s welcome activity and innovation in this space. Tool integration has improved through a combination of vendor cooperation and API connectivity. There’s a movement toward what MITRE calls a threat-informed defense, improving the intersection of vulnerability scanning and threat intelligence. Many tools are embracing AI, enhancing things like asset classification and risk scoring. Finally, there’s a lot of focus on various security posture management domains: cloud security posture management (CSPM), application security posture management (ASPM), even AI security posture management (AI-SPM).
Can any one vendor do it all, or is this a best-of-breed/integration play? I’ll look for answers at RSA.
What can enterprise CISOs glean from MSSP innovations?
The managed security services market is predicted to top $520 billion in 2032, up from $258 billion in 2023 (source: Research and Markets). That’s a phat market, but it’s not all champagne and caviar for service providers. In fact, many MSSPs face massive problems with scalability, automation, and staffing. Addressing these challenges will require innovative use of cloud-native applications, data fabrics, process automation, training, and, yes, AI. This really makes MSSPs a bellwether for future security development at large enterprises.
Leaders will win big, but given these challenges, there will be far more losers than winners. The RSA Conference will be a good place to assess progress and innovation trends from MSSP leaders such as Arctic Wolf, Expel, LevelBlue, Ontinue, Red Canary, ReliaQuest, and others.
Has anyone noticed network security’s big comeback?
While I don’t expect much hoopla over this one, network security has made a quiet comeback lately after endpoint detection and response (EDR) kind of stole the show in the early 2020s. Why? What was true 25 years ago is still true today — the network doesn’t lie.
Cyber adversaries can circumvent controls, turn off EDR agents, or alter log files, but they can’t do much to cloak packets moving laterally across the network. Oh, and the plethora of IP-based devices we’ve all installed over the past 10 years aren’t instrumented with EDR agents, so we still need to keep an eye on the wire. Today’s network security also aggregates cloud logs and can map network traffic to application behavior. It will be interesting to see whether RSA attendees pay attention to network security realities or zero in on shiny new objects only.
Have vendors clued into CISOs’ cyber-resilience reality?
The term cyber resilience can be meaningful (see Dr. Ron Ross, NIST 800-160) or amorphous marketing jargon. On the significant side, cyber resilience is all about sound cyber-risk management, continuous detection engineering, rapid/automated detection and response, tested recovery, and minimal business disruption. This covers a lot of ground, but it’s a focus area for lots of corporate boards and therefore CISOs.
Do vendors really understand the systemic requirements involved, or do they use cyber resilience as a marketing panacea? I’ll look for trends at RSA.
How are economic and political uncertainty playing out for everyone?
While the RSA Conference has always had an apolitical lean, this year may be different. Economic uncertainty is omnipresent on the other side of the Google-Wiz $32 billion windfall. For the most part, cybersecurity stocks are in the red in 2025, while US tariffs and reciprocal actions could impact cybersecurity vendors across the globe. The cybersecurity community is also on edge this year due to incidents such as the CVE funding fiasco, cuts at CISA and DHS, and an executive order targeting Chris Krebs and mentioning SentinelOne. We’ll see if RSA 2025 is politically active or an industry love fest.
A near miss on this list is vibe coding, a style of programming that uses AI to generate code based on natural language prompts, rather than traditional code. Like it or not, vibe coding will soon be everywhere. Security pros need a balanced strategy that promotes mission-supporting vibe coding with the appropriate security guardrails. RSA Conference: Can you help here?
This stream-of-consciousness list could easily be supplemented by dozens more key questions. This will be my 20th RSA Conference. Look for me in Moscone North and South, on broadcast alley, and somewhere between Howard and Mission Streets.
Original article: “10 key questions security leaders must ask at RSA 2025,” CSO Online.