CISO IT – RSA 2025: Identity Is the New Threat Vector, E19

**Jason Kikta (00:00)**
Hello and welcome everyone to the CISO IT podcast from Automox. My name's Jason Kikta. I'll be your host today.

I was really excited—I was going to record the episode right after RSA. Instead, RSA got me pretty good. I was sick for about a week and a half and totally lost my voice. Nobody wanted to hear me in that state, and I don't think I could have made it through the full podcast.

So, coming to you a bit late, but we have a lot of great things to talk about. I still want to share some observations I had at RSA this year.

It was very interesting and felt like a change from what I’ve seen in previous years. A bit of a shift from the last two. That’s exciting for me as a security professional—and hopefully for you as well.

Without further ado, let's jump into it.

I’d say the trend I saw at RSA over the past two years has been very heavy on detection and very light on fixing. That general trend wasn’t exactly resolved this year. Cybersecurity still feels much more focused on finding than fixing—especially compared to IT.

But one really interesting thing stood out: this year, I saw a lot more focus on identity. That’s really encouraging—and frankly, long overdue. Probably five years overdue.

When I look at cloud environments and what really matters in preventing, detecting, or responding to an attack, it tends to be identity. Identity is one of the most cutting-edge aspects of cloud defense today.

If you’re on the malicious side, identity has largely replaced malware as the centerpiece of your focus—both in tooling and technique.

It used to be that high-end threat actors had the best malware and post-exploitation tooling. We still see good post-exploitation tooling, but now it's supplemented by initial access, lateral movement, and privilege escalation—all revolving around identity.

What used to be phishing campaigns or droppers followed by beacons and RATs has been replaced by identity games in modern cloud contexts.

That could mean taking over user identities, accessing IDPs, or exploiting credentials to take over service accounts and orchestrate services for privilege escalation and attack execution.

It was nice to see that focus gaining traction.

Another change: I saw more sophisticated approaches to understanding and managing risk. It’s still a mixed bag. Some vendors, driven by customer demand, are refining traditional risk scoring methods for small performance gains—2%, 5%, etc.

But younger vendors are taking a more threat-informed approach. Instead of cataloging everything that could possibly go wrong, they’re asking: what are the few key things that would really matter if exploited?

That shift—from broad cataloging to critical prioritization—is promising. It's about focusing on risks that could do real damage to your business, customers, and reputation.

I’m curious how this trend will play out at Black Hat. Last year, Black Hat's vendor floor felt like a repeat of RSA. I wasn’t the only one saying that.

Vendors face show fatigue. There are only so many new things you can demo throughout the year. Not everything can align to a specific show roadmap.

But I’ll be watching to see whether vendors differentiate more at Black Hat or whether RSA and Black Hat continue to blur together.

You don’t see this homogenization at other conferences. DEF CON, AWS events, Gartner, and others each have very distinct vibes.

If every show becomes the same, each one becomes less valuable. I hope we start seeing more differentiated content and messaging per event.

Same booth every time? Same priorities? Or will vendors tailor things to slightly different audiences?

That would make the events more meaningful and less repetitive.

Anyway, that was a bit of a tangent—but I always like to reflect on these big events, especially when I attend.

Hopefully it’s useful for you to hear what stood out. I went in with low expectations this year and was pleasantly surprised.

Here’s to more surprises throughout the year—and maybe a more positive trajectory for our industry and profession.

Until next time, stay safe out there. Thanks for listening, and I’ll talk to you in June.

Creators and Guests

Jason Kikta
Host
Jason Kikta is a fortress of knowledge in cybersecurity, bringing over two decades of frontline experience to the CISO IT podcast. His tenure at US Cyber Command isn't just a credential — it's a cornerstone of his expertise, providing a unique lens through which he views security threats and applies the best ways to prevent or remediate them. At Automox, Jason bridges the gap between good IT and robust security, sharing cutting-edge trends, tips, and expert advice based on the credo good security comes from good IT. His episodes are essential listening for IT professionals aiming to fortify their defenses and stay ahead in the ever-evolving cybersecurity battlefield.