Cyber Risk and Compliance Events

Detroit’s Cybersecurity Leaders Got Real About What’s Actually Breaking

As AI accelerates, regulation tightens, and threats evolve, cybersecurity leaders collaborate inside a candid, practitioner-led regional gathering

Inside the Detroit Cybersecurity & Fraud Forum, executives confronted AI risk, cyber fatigue, regulatory pressure, and the widening gap between what organizations think is secure—and what actually is.

Earlier this month, more than 100 cybersecurity, fraud, risk, and compliance leaders gathered at Eastern Michigan University for a different kind of industry event—one intentionally designed to avoid the usual conference formula of sales pitches, crowded expo halls, and polished marketing decks.

The CxO Security Forum's Detroit Cybersecurity & Fraud Forum instead focused on something increasingly rare in cybersecurity: candid, practitioner-led dialogue among people actively dealing with operational reality inside enterprises, government agencies, and critical infrastructure organizations.

What emerged throughout the day was not panic—but a growing recognition that many long-standing assumptions in cybersecurity are beginning to fracture under the weight of AI acceleration, regulatory expansion, vendor overload, and increasingly complex attack surfaces.

Again and again, discussion leaders returned to the same underlying theme: the industry is moving faster than many organizations are structurally prepared to handle.

Core Themes from the Discussion

Richard Stiennon

The day opened with a market-level view from Richard Stiennon, author of Guardians of the Machine Age, who challenged attendees to rethink how they evaluate cybersecurity products, particularly those now branded with AI messaging. With more than 4,500 cybersecurity vendors now competing for attention—and hundreds positioning themselves as AI-native—Stiennon argued that leaders must become far more disciplined in separating meaningful innovation from hype.

His message resonated because it reflected a growing frustration many CISOs quietly acknowledge: the cybersecurity industry itself has become extraordinarily noisy. As boards pressure security leaders for “AI strategies,” vendors continue flooding the market with overlapping promises, while many organizations are still struggling to operationalize the fundamentals consistently.

John Felker

That tension between complexity and clarity carried into the session led by John Felker, former Assistant Director for Integrated Operations at the Cybersecurity and Infrastructure Security Agency (CISA). Felker focused less on theory and more on operational coordination during real-world incidents.

Drawing on decades of experience across government and critical infrastructure, Felker demystified how organizations should actually engage agencies such as CISA, the Federal Bureau of Investigation, the United States Secret Service, Information Sharing and Analysis Centers (ISACs), and fusion centers during a crisis. While many organizations still perceive government coordination as bureaucratic or fragmented, Felker emphasized that successful outcomes typically depend on pre-existing trust relationships established long before an incident occurs.

His point was practical and direct: organizations that wait until an active breach to build external relationships are already behind.

Kurtis Minder

If Felker focused on coordination and preparedness, Kurtis Minder brought attendees directly into the operational realities of ransomware and cyber extortion. Drawing from his book Cyber Recon, Minder described how ransomware has evolved well beyond encrypted files and ransom notes.

Modern attacks, he explained, are increasingly built around leverage, psychology, and speed. Threat actors now operate as mature business ecosystems with affiliates, service providers, negotiation specialists, and increasingly automated workflows. In many cases, the true pressure point is no longer downtime—it is reputational damage, regulatory exposure, or the threat of public disclosure.

For many executives in attendance, Minder’s comments reinforced a growing reality: resilience is no longer just about prevention. It is about operational survivability.

Tim Rohrbaugh

That operational strain extended into one of the day’s most technically provocative discussions, led by Tim Rohrbaugh, who challenged the scalability of the modern vulnerability management ecosystem itself.

Rohrbaugh argued that the current CVE system—along with the downstream scoring models and workflows built around it—is increasingly overwhelmed by sheer volume and inconsistency. Security teams today are flooded with alerts, prioritization challenges, duplicate findings, and delayed intelligence updates that often create more operational noise than actionable clarity.

Rather than suggesting more human effort alone could solve the problem, Rohrbaugh outlined how domain-specific AI agents may soon become essential for continuously analyzing, contextualizing, and prioritizing vulnerabilities in real time. For many attendees, it represented a notable shift in thinking: AI not simply as another risk factor, but as one of the few plausible tools capable of helping organizations manage the scale of modern cyber operations.
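To make the prioritization problem Rohrbaugh described concrete, here is an added example (not code from the forum, from Rohrbaugh, or from any product discussed) that shows the deterministic baseline an analyst or an agent must at least match: duplicate findings for the same CVE on the same asset are merged, and each finding is then scored against asset context (internet exposure, business criticality) and an exploited-in-the-wild flag rather than by raw CVSS alone. The CVE identifiers, asset names, the "known exploited" set and the multiplier weights are all constructed placeholders for illustration, not real data or an industry-standard formula.

```python
from typing import Dict, List

# Constructed sample findings (placeholder CVE IDs, not real vulnerabilities).
# The first two rows are the same CVE on the same host reported by two
# different scanners, i.e. the "duplicate findings" noise described above.
FINDINGS = [
    {"cve": "CVE-9999-0001", "asset": "web-01", "cvss": 9.8, "source": "scanner-a"},
    {"cve": "CVE-9999-0001", "asset": "web-01", "cvss": 9.8, "source": "scanner-b"},
    {"cve": "CVE-9999-0002", "asset": "db-01", "cvss": 7.5, "source": "scanner-a"},
    {"cve": "CVE-9999-0003", "asset": "dev-laptop-07", "cvss": 9.9, "source": "scanner-a"},
]

# Constructed asset inventory: exposure and criticality (1 = low, 3 = high).
ASSET_CONTEXT = {
    "web-01": {"internet_facing": True, "criticality": 3},
    "db-01": {"internet_facing": False, "criticality": 3},
    "dev-laptop-07": {"internet_facing": False, "criticality": 1},
}

# Constructed stand-in for an exploited-in-the-wild feed (e.g. a KEV-style list).
KNOWN_EXPLOITED = {"CVE-9999-0001"}

# Assumed weights; a real program would tune these to its own risk appetite.
KEV_MULTIPLIER = 2.0
INTERNET_FACING_MULTIPLIER = 1.5
CRITICALITY_MULTIPLIER = {1: 0.5, 2: 1.0, 3: 1.5}


def deduplicate(findings: List[dict]) -> List[dict]:
    """Merge findings that refer to the same (CVE, asset) pair.

    Keeps the highest CVSS reported and records every scanner that saw it,
    so one host with one bug becomes one work item instead of several.
    """
    merged: Dict[tuple, dict] = {}
    for f in findings:
        key = (f["cve"], f["asset"])
        entry = merged.setdefault(
            key, {"cve": f["cve"], "asset": f["asset"], "cvss": 0.0, "sources": []}
        )
        entry["cvss"] = max(entry["cvss"], f["cvss"])
        entry["sources"].append(f["source"])
    return list(merged.values())


def contextual_score(cvss: float, ctx: dict, in_kev: bool) -> float:
    """Scale the base CVSS by exploitation evidence and asset context."""
    score = cvss
    if in_kev:
        score *= KEV_MULTIPLIER
    if ctx["internet_facing"]:
        score *= INTERNET_FACING_MULTIPLIER
    score *= CRITICALITY_MULTIPLIER[ctx["criticality"]]
    return round(score, 2)


def prioritize(findings: List[dict], asset_context: dict, known_exploited: set) -> List[dict]:
    """Deduplicate, enrich with context, and return findings highest-risk first."""
    ranked = []
    for f in deduplicate(findings):
        # Unknown assets get a neutral, non-exposed default rather than being dropped.
        ctx = asset_context.get(f["asset"], {"internet_facing": False, "criticality": 2})
        item = dict(f, in_kev=f["cve"] in known_exploited)
        item["score"] = contextual_score(item["cvss"], ctx, item["in_kev"])
        ranked.append(item)
    ranked.sort(key=lambda item: item["score"], reverse=True)
    return ranked


def cvss_only_order(findings: List[dict]) -> List[str]:
    """The naive ordering many queues still use: raw CVSS, highest first."""
    return [f["cve"] for f in sorted(deduplicate(findings), key=lambda f: f["cvss"], reverse=True)]


if __name__ == "__main__":
    print("CVSS-only order:     ", cvss_only_order(FINDINGS))
    print("Contextual order:    ", [f["cve"] for f in prioritize(FINDINGS, ASSET_CONTEXT, KNOWN_EXPLOITED)])
    for item in prioritize(FINDINGS, ASSET_CONTEXT, KNOWN_EXPLOITED):
        print(f'{item["cve"]} on {item["asset"]}: score={item["score"]} '
              f'cvss={item["cvss"]} kev={item["in_kev"]} sources={item["sources"]}')
```

With the constructed data, a CVSS-only queue puts the 9.9 on a low-value developer laptop first; the contextual ranking puts the exploited, internet-facing 9.8 on the production web host first and pushes the laptop to the bottom. That reordering, kept current as inventory and exploitation intelligence change, is the work the paragraph above suggests agents would have to do at scale.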

Carlo Nastasi

The conversation then pivoted sharply toward fraud, compliance, and financial crime through a session led by Carlo Nastasi, who walked attendees through the Bank Secrecy Act case against TD Bank, one of the largest of its kind in U.S. history.

Importantly, the discussion was not framed solely as a banking failure. Nastasi instead highlighted how weak identity verification, inadequate monitoring, poor escalation processes, and fragmented controls created systemic exposure over time.

For cybersecurity executives in the room, the implications extended far beyond financial services. As regulatory scrutiny increases around data governance, digital assets, and operational accountability, organizations are beginning to recognize that cybersecurity failures may increasingly evolve into legal, regulatory, and even criminal liability issues—not just technical incidents.

Josh Woodruff

Agentic AI + Zero Trust

The intersection of AI and governance was explored further by Josh Woodruff, author of Agentic AI + Zero Trust. Woodruff focused on one of the most important emerging issues in enterprise security: the rapid rise of non-human identities and autonomous AI agents operating inside enterprise environments.

Woodruff described agentic AI systems as “digital coworkers” capable of making decisions, taking actions, and interacting across systems at machine speed. But without proper governance boundaries, identity controls, monitoring, and Zero Trust architectures, those same systems may amplify organizational weaknesses rather than solve them.

His conclusion reflected a broader shift now occurring across the industry: Zero Trust is no longer just about users and devices. Increasingly, it must evolve to govern autonomous systems, machine identities, and AI-driven workflows that traditional security models were never designed to handle.

Panel Discussion: What Cyber Grads Can (& Can’t) Do For You

Not all discussions focused purely on technology. One of the day’s most grounded conversations centered on workforce development and the disconnect between cybersecurity education and hiring realities.

Academic leaders and enterprise practitioners openly discussed the growing frustration surrounding “entry-level” cybersecurity hiring. Despite persistent narratives about massive talent shortages, many organizations continue struggling to find candidates capable of contributing immediately in operational environments.

Participants suggested the problem is becoming less about raw talent supply and more about alignment. Employers increasingly value curiosity, adaptability, communication skills, and demonstrated initiative alongside technical knowledge. Meanwhile, universities and training programs continue working to close the gap through more hands-on labs, real-world exercises, and practitioner engagement.

The day concluded with a broader discussion about the future of cybersecurity itself—and whether current security models are overly optimized for yesterday’s threats.

Participants explored how many programs remain heavily focused on known attack patterns such as ransomware, phishing, and endpoint compromise, while emerging risks increasingly involve less visible areas like AI orchestration layers, non-human identities, software supply chain complexity, and interconnected third-party ecosystems.

The concern raised repeatedly throughout the room was subtle but significant: organizations may be missing entire categories of emerging risk simply because existing security models were never designed to observe them.

Detailed Takeaways: What the room seemed to agree on

Taken together, the conversations in Detroit painted a picture of an industry at an inflection point.

The fundamentals of cybersecurity still matter deeply—identity management, resilience, governance, visibility, and operational discipline remain foundational. But the environment surrounding those fundamentals is changing rapidly. AI is accelerating both capability and risk. Regulatory expectations are expanding. Vendor ecosystems continue growing more fragmented and difficult to manage. And many organizations are beginning to realize that traditional approaches may not scale effectively into the next era of cyber operations.

Perhaps most notably, the format of the Forum itself reinforced why community-driven executive dialogue continues gaining momentum.

Without slide decks, sales pitches, or vendor-controlled narratives, conversations stayed grounded in operational reality. Executives challenged each other directly, shared lessons candidly, and explored problems without the performative constraints often present at larger commercial conferences.

For many attendees, that may have been the most valuable takeaway of all.

Because in today’s cybersecurity environment, the most important insights rarely emerge from prepared presentations. They emerge from honest conversations among practitioners actively confronting the same problems in real time.

And if Detroit demonstrated anything clearly, it is that those conversations are becoming more necessary than ever.