
The Cyber Risk Tides Are Turning: RSAC ‘25 And Beyond

by FeeOnlyNews.com
4 months ago
in Market Analysis


RSAC is the largest cybersecurity conference in the world. Leaders and practitioners across all sectors come together to tackle challenges, all under the maxim of “managing risk.” But what does “risk” actually mean at a security conference? Is it a mythical pursuit? Marketing buzzword? Or generic substitute for “the thing we need to detect/prevent/remediate”?

RSAC Chairman Dr. Hugh Thompson opened this year’s conference by asking: “How do we operate with purpose in a time of great uncertainty?” This simple question is at the core of risk management and marks a radical departure from the security status quo. Where security focuses on “operate,” risk focuses on “uncertainty.” The goal of risk is to make better decisions that maximize opportunity and minimize loss while operating under uncertain conditions. Security and risk intersect by leveraging security data about today’s operational environment to make risk-informed trade-offs.

Where Does Risk Fit In At A Security Conference? Even In Places You Don’t Expect.

Of RSAC’s 535-plus open conference sessions, more than one-third prioritized risk-centric topics. Regulatory compliance still occupies the most space in risk conversations, but there was nearly an even split between strategic/programmatic topics (regulatory, risk management process and governance, and strategic and business risk) and technical risk domains (application security, AI/ML risks, supply chain and third-party risks, threat and vulnerability intelligence, cloud and infrastructure security, and data privacy and security).

 

Key Trends Reshaping The Risk Narrative

As we noted in our RSAC themes blog, efficiency drove vendor messaging. AI agents (hoping to be fully agentic one day), platformization, automation, and intelligence dominated. These RSAC themes, current business trends, and thousands of end-user conversations we’ve held at the intersection of security and risk signal key industrywide shifts, such as:

  • Technology resilience must be connected to customer services and business value. Regulatory mandates have put operational resilience on the map for financial organizations worldwide, and it’s now influencing global IT practices. To better define and plan for resilient outcomes, risk leaders emphasize connecting technologies with the critical services those technologies enable — even when regulation isn’t forcing their hand. This approach isn’t new, but it’s accelerating, creating stronger partnerships between risk and IT teams and enabling risk teams to better articulate revenue impacts from failures in critical business and technology components. Professional services and business recovery firms highlighted this at RSAC, further underscoring the resilience imperative.
  • Newer GRC vendors innovate continuous controls monitoring (CCM). The enterprise governance, risk, and compliance (GRC) market has talked about CCM for years. But it required customers to have developer-level expertise to manage API specifications or perform DIY for integrations (spoiler alert: most risk teams don’t have this!). Smaller vendors have leapfrogged established ones by building out-of-the-box integrations that target cloud-native SaaS providers where more “greenfield” customers operate their tech stack. For now, these newer GRC offerings will struggle with enterprise customers who have legacy and on-premises tech footprints with plenty of technical debt to contend with, but they are paving a path to CCM that shows it isn’t just for “high maturity” organizations.
  • Legal and security teams form an unlikely but critical alliance. This year, RSAC featured many general counsels and heads of legal (30 by our count!) in its GRC and CISO sessions. Legal and security teams are working more closely together, driven by the legal and regulatory landscape. In his session “A Deep Dive Into The New SEC Cybersecurity Disclosure Requirements,” Forrester’s Jeff Pollard explored the legal implications that boards and CISOs must consider. General counsels and CISOs are establishing structured communication channels and regular cross-departmental check-ins to align priorities and share information effectively. This new power couple’s shared goal: Protect their organizations and mitigate risk to the business.
  • “Supply chain” has become a confusing catch-all in the market. Plastered on conference booths were dozens of references to supply chain risk. Vendors use it to describe a range of capabilities, including AI-driven third-party assessments, fourth- and nth-party discovery, and vulnerability identification in the software supply chain. This broad usage muddles the distinction between managing risks to and from entities versus the security risks posed by components and processes. The result? Buyers are often misled about the solutions.
  • Cyber risk quantification (CRQ) gains mass appeal among CISOs and vendors. Business-minded CISOs are increasingly seeking ways to articulate operational cyber risk in terms of its material impact on the business. Concurrently, security vendors across various market categories are beginning to integrate CRQ analysis into their products, including vulnerability, attack surface, security posture management, Zero Trust, risk ratings, third-party risk, and GRC technologies. These tools provide essential security telemetry that, when applied through a CRQ model, delivers objective risk insights. Industry efforts to champion open standards, automation, and integrated data models for cyber risk analysis have helped shake off legacy ideas that CRQ is too manual and difficult to accomplish. Now, CRQ is evolving into a core capability of a holistic cyber risk management program.
  • AI is GRC’s shiny object. GRC is overdue for innovation. AI holds tremendous potential to automate data collection, processing, and reporting, which has been a prolonged pain point for GRC users. While AI promises to drive efficiency and reduce overhead — a core business priority for GRC buyers — scaling AI and agentic AI requires resources to manage workflows and agents, and GRC teams are still struggling with the basics. They’d love to use AI to automatically conduct risk assessments when new assets are identified but are stuck building scalable control testing processes or maintaining accurate asset inventories. To help customers fully embrace AI, GRC vendors need to streamline the fundamentals so that customers have more time and resources to plan for AI-enabled workflows.

RSAC conference sessions, vendor messaging, and customer conversations reflect what we’ve known: Risk is not a compliance checkbox but a dynamic discipline to navigate uncertainty and enable business outcomes. Has it reached critical mass? Not yet. Risk practitioners must continue to drive the conversation by showing up to security conferences, challenging status-quo thinking, and pressuring vendors and presenters alike to think critically about how security exposures and events translate to material business impact. Build proficiency by seeking out technical conference tracks and listening to how security practitioners talk about risk, and showcase your own risk program enhancements at security conferences. As RSAC indicates, security leaders are eager for risk knowledge.



Copyright © 2022-2024 All Rights Reserved
See articles for original source and related links to external sites.
