Through the Looking Glass: A CISO's Take on RSAC 2025

Fresh off the show floor at RSAC 2025, I’m still processing the high level of energy—and urgency—of what felt like a pivotal moment in cybersecurity’s evolution. From the keynotes to the expo hall to off-the-cuff conversations, it was clear the industry is in the middle of a major shift. And AI is no longer just part of the conversation—it is the conversation.

Across panels, hallway debates, and impromptu lunches and dinners, CISOs made it clear they’re struggling with the tension between AI’s promise to meet business objectives and its threat to security and privacy. The tremendous excitement about AI’s potential for automation and efficiency is matched by growing anxiety about advanced phishing threats, impersonation, and bad actors using AI to optimize and launch business-crippling attacks, further impacting operational resilience.

Here are a few of my key takeaways from RSAC 2025.

Conversations about AI completely overshadowed other once-hot topics like quantum computing and vulnerability management. From attack simulation to autonomous response, the focus has shifted to how quickly we can operationalize AI because threat actors are already getting ahead of our defenses. In a private dinner setting, Magic Johnson emphasized the precision required of defenders guarding global systems, drawing a parallel between athletes and cybersecurity professionals who have to anticipate, adapt, and always guard the perimeter.

CISOs I spoke to consistently ranked identity as one of their top challenges. With generative AI making it easier to mimic internal communications, spoof trusted senders, and exploit supply chain relationships with man-in-the-middle attacks, verifying "who's really on the other end" is no longer just a compliance issue. It has become a board-level topic of conversation and a critical security imperative.

With AI now embedded in every layer of the enterprise, we need to balance progress with ethical intent and observable integrity. That means consistently trusting but verifying as we build and expand the use of AI in our systems. RSAC 2025 highlighted the critical need for cybersecurity professionals to deepen their AI knowledge and to use new systems responsibly and effectively. It’s no longer enough to be AI-aware—security teams need to be AI-literate, capable of asking hard questions about model behavior, risk boundaries, and real-world consequences.

In her keynote, Department of Homeland Security Secretary Kristi Noem emphasized efforts to strengthen cybersecurity as a national priority and the commitment to streamline operational support for critical infrastructures. The speech landed with particular resonance given ongoing concerns about the restructuring and downsizing of CISA and its impact on coordinated public-private partnerships to respond and share intelligence.

Curated by CISOs for CISOs, this forum stood out for its value, affording the participants a safe space to discuss the challenging topics that don’t always make it into public-facing panels. RSAC reminded me that some of the best insights don’t come from vendor pitches. They come from peers sharing what’s actually working or not working in their organizations.

RSAC made some impressive updates to the attendee experience this year, with a new mobile app that kept attendees connected to what was happening during the conference. But in true RSAC fashion, the app goes even further to keep you engaged after the event. It features a great section on daily curated news briefs, a library of resources like blog posts, and group chats you can join based on your level of interest. Brilliant!

For me, RSAC 2025 confirmed that we’re standing at a crossroads. The choices we make now—how we adopt AI, how we prioritize humans, and how we build resilient systems that protect workflows from nefarious AI attacks—will define the next decade of cyber defense.

I would be remiss if I didn’t give my own company credit for our biggest product announcement to date:

At RSAC 2025, we unveiled AI Phishing Coach, giving organizations a tailored agentic AI security trainer with superhuman knowledge of the specific attacks targeting their workflows. We also introduced AI Data Analyst and announced major free updates to Cloud Email Security—making it easier than ever to choose Abnormal for superior email protection.

The response from security practitioners—especially those who’ve lived through the grind of phishing investigations and BEC cleanups—was electric.

Want a closer look? Request a demo to see how Abnormal’s AI-native platform protects the world’s most targeted inboxes.