A

You're listening to the rsa conference podcast,

B

where the world talks security.

A

Hello, listeners. Welcome to this edition of our RSAC podcast series. Thank you for tuning in. I'm Tatiana Sanchez.

C

And I am Casey Zerkis, and we

A

are your RSAC podcast hosts. Casey, what are we going to discuss today?

C

Well, Tatiana, I am sure that you know that the agenda for RSAC 2026 conference is fully baked and live. And we are excited to sit down today with some of the program community members Jennifer Minella, Chuck Kessler, and Lenny Seltzer to discuss how traditional network security has evolved. They together are the program committee that selected the sessions for the network and communication security track. So we're going to talk today about what challenges security teams face with the evolving landscape of network security, what sessions they are looking forward to, and what the audience should be excited about. Are you ready to dive in, Tatiana?

A

Yes, I am. But before we get started, we do want to remind our listeners that here at RSAC we host podcasts twice a month. And we encourage you to subscribe, rate and review us on your preferred podcast app so that you can be notified when new tracks are posted. And now we would like to ask our guests to formally introduce themselves before we dive in. Jennifer, let's start with you.

D

Sure.

B

Hey, everybody. Jennifer Manella or jj, Founder of Vision Security and part of the program committee.

A

Great, thank you. And Chuck.

E

Hi, everybody. I'm Chuck Kessler. I'm the Chief Information Security Officer for Pindo. I've been here for about seven years. Prior to Pindo, I was the CISO for Duke University Health System, also for about seven years. Um, and prior to that, I have some experience working with Symantec and their Advisor Services consulting practice. So overall, they have been around the industry for quite a while. About 30 years total, and about half of that in security and privacy.

A

Amazing. And last but not least, Lenny.

D

Hi, everybody. I'm a longtime security professional with expertise in running and building security programs and products. And in addition to being a working ciso, I'm also a faculty fellow at SANS Institute where I teach security courses.

A

Great. Thank you all for taking the time to join us today. So, Jennifer, how has traditional network security evolved over the last few years in response to new technologies in a rapidly expanding threat landscape?

B

Well, it's pretty funny, I think, and it's interesting that we have this group because I love working with Chuck and Lenny. We all bring a little bit different lens here. I came more from the infrastructure side where traditional on prem networking technologies. You know, Chuck is very heavy into the, the cloud and AI space, as is Lenny, kind of all encompassing, lots of different topics, but I think, you know, some of the trends that we're seeing that sort of transcend, you know, we're, we're in the network and communication track. Right. But some of the things that transcend any single type of network infrastructure are things like, you know, the move from these perimeter based controls to things that are more identity based, which is, you know, native for a lot of people, but it's new for a lot of us that came from infrastructure things like continuous verification and validation and then moving from horse segmentation to more granular controls. And I think, you know, I hate to put a marketing term on stuff, but a lot of that kind of wraps into the zero Trust, you know, strategy. But we're really just seeing that across the board and I think the submissions from this year really reflected that change.

A

Thank you. And Chuck and Lenny, do you guys have anything to add?

D

I really enjoy observing how the industry is moving beyond this old school idea that the network is the organization's IT environment. Now the network is so segmented into micro networks and on prem and off prem and cloud and serverless, it's been even challenging for us to decide what do we consider in scope for this track, what is the network nowadays and what does it mean that we have IT resources communicating with each other, even though some of those communications go through the networks that we don't control or don't manage in a traditional way. And yes, as JJ mentioned, this all began with our discussions of zero trust and now have evolved over the years. And that's going to be very exciting to see how our practitioners are adapting to this still relatively new way of thinking about network security.

E

Yeah, I totally agree with both JJ and Lenny and I've lived this transition myself, having previously worked in infrastructure and really where I started my career in systems administration, networking like it used to be. That was the core technology that we needed to understand. And I've seen it shift over the years as my career itself has shifted from working for organizations that did most everything on prem to now in a fully cloud native environment. And it's interesting to see how you have to think about the world slightly differently with that change.

C

So as we think about these changes and consider the evolution of traditional network security, I'm wondering what the primary challenges are that organizations are currently facing, particularly with the integration of everything from cloud computing, remote work, and now AI.

D

Some of the challenges that I've observed is the broad diversity of technologies that we now need to incorporate to get visibility into and control over our network security. Just because so many different types of technologies are responsible for the communications that we need to secure and oversee, we might need to have lots of different tools, each one specializing in a particular aspect of network security. And how do you as an IT and security professional deal with such a sprawl of the tools that need to be in your toolkit? I think that's a big challenge that many of us are figuring out.

E

I think in addition to that, it's a fundamental shift from my perspective in what I'm actually going to try to instrument and look at. You know, I've moved from an organization that basically built and controlled the network to as most newer companies that get founded these days, you know, cloud native again, our offices might as well be coffee shops and we expect our workforce to be remote. And I think a lot of organizations made that shift during the pandemic anyway to more of a hybrid model where they had workers all over the place, some in physical offices for a portion of the time, but many people working from homes, from coffee shops, from hotels. Of course that's always been a bit of the reality that people do travel as part of their roles. But I'm seeing a shift away from more traditional VPN types of approaches where you try to put a choke point in the network and monitor all the traffic to as JJ was alluding to earlier, more identity based types of monitoring. And also from my perspective, the way I've tried to look at that in my current organization is instead of worrying so much about network visibility, worrying a lot more about Endpoint and that that's also place where I can get better visibility into what people are actually communicating with throughout their day. So yeah, more emphasis on identity and endpoint controls, less emphasis on worrying about the network itself. It's a bit more of a commodity for me these days. And yeah, you know, just from the perspective that all the traffic exiting the the endpoint device is encrypted anyway, I'm going to worry less about what network is actually traversing and more so making sure that the controls on either end of that connection are strong.

B

And I have a slightly probably different approach on this that I think Lenny and Chuck would probably agree with and that you know, a lot of this movement now again, you know, Chuck, coming from a newer organization that had the chance to build itself and design its architecture in the cloud natively was fantastic. But I think for a lot of organizations there's a lot of technical debt and related to the Technical debt is this knowledge debt that we get from just lack of communication, collaboration among teams, and then just the siloed structure that we had all been working in. And I, I don't think Covid helped this when we all started kind of working separately from each other. But I definitely think that one of the challenges we have to overcome is like, we've got to just start talking to our peers and other teams and groups and coming up with solutions that transcend any one of our core competencies and just sort of level up as a whole. And I think that's going to be a theme coming into the next couple years.

C

Jj, I also was thinking as I was listening to Lenny and then Chuck and I was thinking, oh, maybe this is a question for only Lenny and Chuck, but you, you raise a really good point that I think your perspective here is probably valuable. You know, where Lenny pointed out that there's now this demand for more tools, how does that then impact the overall security ecosystem for the organization and the need for increased budget for more tools? How do you then, you know, justify the ROI on these investments? And how does that sort of complicate or change the role of the CISO in developing that overall security strategy?

D

From my perspective, the world is always changing. We need to be attuned to those changes and find a way to thrive and support that environment. And what that means is that as we see a need for new types of tooling, we need to find a way to get rid of some of the old tools that perhaps we don't need. Or maybe we shouldn't count the tools, but rather look at the budget that we're spending and free it up so that we can relocate that budget to other technologies that are more relevant. It's been necessary throughout the years. I think that's not new right now. We need to recognize that if the organization uses a new set of technologies, be it getting rid of old school VPN solutions and use new, more modern approaches that Chuck alluded to, or be it the need for the organization to use, let's say, artificial intelligence based tooling and we want to oversee those communications, we need to find budget by deciding what we don't need anymore. Because we cannot just keep asking for more and more money. That is never a path to success.

E

Yeah, totally agree with Lenny. I mean, I think one of the challenges that we have in our industry is that we have no shortage of tools and no shortage of companies starting up new startups, bringing us new tools, new ways to solve old problems, and new problems as well, and I think as Lenny alluded to, as a budget owner, I do not have access to an infinite amount of funds to go buy those tools. So typically if I am going to go buy a new tool, it means I need to probably turn off another tool, maybe multiple tools. And I think again, and I think Lenny was kind of alluding to this, we need to look at it not from the perspective of a tool specifically and what space that tool sits in, but more so what problem am I trying to solve? And is this thing that I'm going to purchase, is it actually going to move the needle for me in a way that, for example, doesn't create a lot of additional work for me? I've certainly seen a lot of tools that I've implemented over time that quite frankly just brought a lot of noise into the pipeline for my teams to look at. And finding signal to that noise was very difficult. So I don't know that those were necessarily wise investments. It's not always easy to tell up front what those good investments versus bad investments will be. I think JJ was kind of alluding to this earlier. Collaboration between our teams is hugely important between our peers, yes, certainly going to conferences like rsac, but I have a lot of other forums that I engage with my peers with throughout the year and being able to have those dialogues and exchanging ideas around, this is working. This is not working. It's invaluable to me.

C

Yeah.

B

And back on that, just kind of tying together, you know, budget teams, tools, collaboration, you know, for most organizations, and I don't, I hate to generalize, but I think we can agree that probably 90 some percent of the world's orgs still have this model where they've got IT operations under somebody, some structure, cio, cto, whatever, and then the security team, you know, in another structure with, you know, reporting to a CISO somewhere. And you know, of course the lines are sometimes dotted and squiggly when it comes to that, but a lot of times those are two different budgets, they're two different strategies, they're two different teams and they have two different objectives. And I think some of the challenges, whether it's any type of technology and any type of sort of digital transformation that we're moving forward with is you've got these two groups or buckets of money and groups of people, and maybe the security office understands that they need to modernize and do certain things and get past some of this technical debt. But the IT operations team doesn't have access to the same information. Right. They don't know necessarily the, the strategy of what the security team or the organization even as a whole is working towards. And you know, when you start to talk to some of these professionals, you understand they've, I don't know if they're not listening or they're not being told, but, but they're really in the dark when it comes to understanding what the business is trying to do. And they're very caught up in kind of what they're doing and the tools that they're used to using. And I think that's the other opportunity with the tooling and to bring these things together to get some harmony. And it's, it's bumpy. I mean, it's ugly and it's bumpy and I think people keep kicking the can down the road, but at some point, you know, we've got to just rip the band aid off, shift, you know, move into a system tools infrastructure that lets us continue moving forward instead of just, you know, duct taping everything together on the back end and crossing your fingers and hoping that your phone doesn't ring at 2 o' clock in the morning.

E

Yeah, we've only lightly alluded to AI so far, but I think that's the elephant in the room at the moment for a lot of organizations. And jj, a great point around how IT and security teams sometimes are part of the same work, sometimes they're not. But I think we're all faced with the reality that AI is fundamentally changing the way a lot of enterprises operate, changing the way our security teams operate as well, obviously. I mean, I think there's a lot of value that we potentially can get from AI enabled tools in the security world. But if we just sort of take a step back and think about the fundamental things that we care about in security and privacy, one of them is understanding data flows. And we really have in our past been able to count on things being fairly deterministic in that regard and now we're seeing lots of changes in that. Things that are very non deterministic in terms of data and how it flows. And that presents some huge challenges around both IT and security management. Again, just highlighting the need to make sure that we are all staying synced and working together to solve those problems.

A

And based on the challenges we talked about today with, you know, needing to have more technology to secure our network, but not crossing the line where we become, you know, debt into technology. What are you guys most looking forward to? For sessions this year at RSAC 2026 conference and for our audience who may want to know more about how to build a strong network security. What sessions should they attend at conference?

E

So I'll just. Because I was just mentioning AI, I will say one thing. When we were doing our reviews of proposals, certainly the MCP related ones model context protocol that for those that are not necessarily very active in the AI space right now, essentially it's a little bit of a misnomer to put it this way, but the easiest way to think about it is an API gateway for AI. I think it fundamentally changes some of the ways that we think about AI security. So I'm definitely interested. I think we have two talks in our track around mcp, so that definitely is very interesting to me and I hope to be at both of those talks.

D

The presentation that I'm really looking forward to is one that is labeled Beyond Zero Trust. And the reason for this is because I have become accustomed to partially ignoring the term zero trust because it became such a buzzword over the years, although it is tied to. To very meaningful and useful design patterns. In this case, I was excited to see the presenters explaining what they have done in their organization once they have put Zero Trust in place. Because of course, we need to continue evolving and maturing our security controls. So in this case they'll be talking about how they've been able to implement continuous validation. And to me, that's very exciting and I'm planning to attend that session for sure.

A

Awesome.

B

And what about you, jj? Oh, God. You know, this is my. This is my hardship every year with RSA is there's so much stuff on the agenda and I end up like putting little hearts or stars next to everything in my little planner, you know, from our track. So many great stuff ranging from the MCP and AI stuff that Chuck was talking about. We have a few good Zero Trust now. I think everybody's kind of zero trusted out. So, you know, if you see Zero Trust on a RSA agenda, there's a reason for it. I'm with Lenny and that the Beyond Zero Trust, which is actually by a couple folks, I think from LinkedIn and then we also have another one from Helen Patton and Wolf on Zero Trust. But then we also like getting a little bit geekier because that's my background. We have mobile security, there's cellular IoT breach pathways, there's some interesting stuff from Ericsson. And then the Learning labs. Oh, and Shameless Plug. I also have a session on network security, but the Learning labs, I think are absolutely phenomenal. And if you're going RSA and you've Never taken advantage of the learning labs. Check those out. You do need to register, you know, for them and reserve your spot and show up for that. But I have had so much fantastic experience at the learning lab and it's everything from super hands on stuff. There's some like OT red team and purple team activities all the way up into like leadership and CISO strategies. So, you know, no matter what your role is or where you are in your career, there's going to be something in there for you. And I really love just getting, getting to get in there and you know, meet new people, work with peers and then also just learn to apply something versus just watching it.

E

Yeah. One more thing I would like to add. I think we had a lot more submissions this year around quantum computing. I think that's interesting to see an uptick in that area. I'm curious if that's going to be another inflection point that we see in the industry a couple of years down the road, similar to the inflection point we've seen in AI over the last couple of years. One thing I will note, it seems like our focus still currently tends to be around the encryption side of quantum computing and the threat that it poses. From that perspective, I'm also curious again how it could fundamentally change how we do it and what effects that could have on security as well in the future in a similar way that AI has. So yeah, that's one thing I'm hoping to learn a lot about at the conference this year as well.

D

You know, I'm used to hearing about quantum security. We've, we've heard about it over the recent years and we have seen proposals related to it at RSA see as well. And it felt like a thing that's like, in the future, do I really need to pay attention to it now? And to me it's starting to feel like, yes, now is the time. It is very much current and we've got some really interesting talks that are looking at quantum cryptography or talking about post quantum world in a way that's very practical and pragmatic.

C

Lots of awesome stuff to look forward to. And I'll share a little anecdote. At dinner last night, my seventh grader who is on a cheerleading team, her team voted for captains and she was disappointed to learn that she did not win the vote of captain. And I said, well, did you vote for yourself? And she said, no, you can't do that. So no shameless plug. Jj, I was going to make the plug for you if you didn't make it for yourself because it is an excellent session that was selected by your peers, not by you. So I think, you know, everyone should look forward to that as well. So thank you so much Lenny, Chuck and JJ for being here with us today. Listeners, thank you for tuning in. Please keep the conversation going in our RSAC membership platform by visiting onersac.commembership and be sure to check onersac.com for new content posted year round. You can now register and view our agenda@rsaconference.com USA and we look forward to seeing you live In San Francisco March 23rd to the 26th. Until next time.