We’re Speeding Into an Automated, AI Future — But Who’s at the Wheel?

I think the most talked-about thing at RSAC 2025 was the Waymos. The folks willing to wait an absurdly long time to get one marveled at how the steering wheel still moved even when the car was driving itself.

It was cool. It was also a little freaky.  

Now that I’ve had a week to reflect on it, I think that’s kind of where we are in cybersecurity right now. We’re racing into an autonomous, AI-infused future. But we’re still clinging to old controls and models that no longer make sense.  

If you’re going to have a self-driving car that still needs to have the steering wheel move, at least put a creepy robot in the front like they did in the original Blade Runner.

I left this year’s event excited about cyber’s future but thinking that we still have a lot of work to do as an industry. Here are a few things I noticed at RSAC that made me want to set the record straight.

Security is a trade, not a product.

Too many people treat cybersecurity like it’s a product you can buy off the shelf — or worse, like it’s an academic debate.  

But cybersecurity isn’t theoretical. It’s experiential. Unfortunately, we seem to have built an industry pipeline that prioritizes products rather than real, hands-on skills.

You wouldn’t hire someone to build your house if they’ve never used a saw. But in cybersecurity, we do that all the time.  

Products aren’t going to be the key to solving the cybersecurity challenges of the future. It’s going to be people.

Cybersecurity is a trade — something you learn by doing. Until we treat it that way, we’ll keep repeating the same mistakes.  

I hope to see the pendulum swing back to an industry filled with technical experts who are using products as tools rather than supplements for real knowledge and skill.  

CISOs are still the security scapegoat

Let’s also talk about the elephant in the boardroom: CISOs are being set up to fail.

At RSAC, I heard from multiple security leaders who said their primary role felt like taking the blame when things go wrong. One even joked they’d earned “two sets of tire tracks” from being thrown under the bus so many times.

That’s not leadership. That’s negligence.

Worse, some organizations are intentionally putting inexperienced people into the CISO role because they “can’t do much damage.” That’s like putting an intern in charge of structural engineering because they don’t know enough to break anything. It’s absurd — and dangerous.

Until we protect CISOs with the right incentives, legal protections, and authority, we’re just asking them to take the fall. This doesn’t move the industry forward and certainly doesn’t build secure organizations.

Resilience is a step to anti-fragility

Everywhere I turned at RSAC, someone was talking about resilience. That’s good. Finally, the conversation is shifting from breach prevention to breach containment and continuity. But I’d argue we’re not aiming high enough.

Resilience means you bounce back. Anti-fragility means you come back stronger.

The systems we build should not just survive stress — they should learn from it and adapt. That’s how we’ll win in cybersecurity. And to get there, we need observability that actually gives us actionable insights, not just more data and dashboards.

That’s why I’m so excited to be part of the launch of Illumio Insights at RSAC this year. We need tools like Insights that help us understand what’s really happening in our environment and give us the confidence to act.  

Compliance is not the end goal

I’ve said it before: compliance is the tax you pay for not doing the right thing in the first place.

Take PCI DSS. Back in the day, I heard people say, “I don’t care about credit card data — it’s not my data.” Well, that attitude is exactly why PCI became a mandate. If we don’t self-regulate, someone else will do it for us and probably not in a way that helps. Mission is always the failure of corporate governance.

Security should be the foundation of your business, not a checkbox. If you treat it like a burden, you’ll always be behind. But if you build it into your DNA, you can stay ahead of regulation and create something actually worth trusting.

Security doesn’t run on cruise control

All those Waymos I saw at RSAC last week are a good reminder for us in cyber. Despite the fact that we’re rushing toward an AI, automated future, the steering wheel still moves — the basics are still just as important as they’ve ever been.

Invest in your people. Celebrate the heroes. Reward the courage it takes to speak up and make big changes.  

Give your CISO a real seat at the table — and the protection to do their job without fear. Focus on building systems (and teams) that grow stronger under pressure.

Cybersecurity isn’t a destination you arrive at. It’s a mission you lead. And missions need drivers, not passengers.

John Kindervag

Chief Evangelist

Ready to learn more about Zero Trust Segmentation?