Summit

Best Practices & New Ideas:
Education, Networking, Mentorship

9 & 10 June 2025


A Private, Peer-Led Forum for Cybersecurity Leaders

The NYC Forum series brings together senior cybersecurity, risk, and compliance executives for a candid, highly interactive gathering that prioritizes education, mentorship, and networking. Hosted quarterly in the heart of Manhattan, each session offers a curated experience designed by and for C-level practitioners—no vendor pitches, no filler, no distractions.


This is not a traditional conference. It’s a community-led forum where every participant contributes, learns, and connects with purpose.

Executive Luncheon with Richard Stiennon, George Finney & Chase Cunningham

Agenda/Notes from the discussion

Context: The Gartner Security & Risk Management Summit (June 9–11, 2025, National Harbor, MD) remains the premier destination for senior cybersecurity executives. Known for high-caliber thought leadership and trend-setting analysis, the Summit nonetheless often lacks authentic community engagement and practical depth. In response, the CxO Security Forum hosted a series of adjacent executive gatherings designed to go beyond the theoretical and foster high-impact, peer-to-peer dialogue.

These included:

  • CxO Executive Luncheons (Monday and Tuesday @ 12 noon)
  • “Theory to Practice” Hands-On Innovation Test Lab (Monday @ 7pm)


Graciously Supported by Illumio

Please extend your courtesy to the Illumio Team, especially: Mark Thatcher & Jason Chaplin

 

Top Strategic & Actionable Takeaways

1. AI: Strategic Hype vs. Practical Value

AI was a central theme — but not all welcomed the noise. Participants contrasted the deafening AI-centric sales push at RSAC with the more subdued but still present AI focus at Gartner.

Highlights:

  • Agentic AI (like microservices for intelligence): modular, task-specific models are gaining traction
  • Practical AI applications: SOC automation, GRC workflow optimization, vulnerability triage
  • AI firewalls are emerging, akin to web or API firewalls.
  • AI must be treated like an Advanced Persistent Threat (APT) — not just as a tool, but as an actor.

Key Quote: “AI is a cocky teenager — occasionally brilliant, but usually unpredictable. You don’t let one teenager monitor another.”

Read: George Finney’s “Project Zero Trust” | Chase Cunningham’s “How NOT to Lead”

2. Transformation, Tech Debt & Identity Crisis

Multiple CISOs shared stories of major modernization projects — triggered by outdated infrastructure, departing institutional knowledge, and M&A-driven sprawl.

Initiatives underway:

  • Active Directory re-architecture
  • Multi-cloud policy consolidation
  • CMMC/NIST SP 800-171 preparation (esp. for the 32 CFR CMMC program rule and the 48 CFR DFARS acquisition rule)
  • Data classification, inventorying, and microsharding (term raised by multiple attendees)

Takeaway: Cleaning up legacy systems is a prerequisite for AI adoption, compliance, and platform integration.

3. Reporting Cyber Risk to the C-Suite

One of the most recurring concerns: how to communicate cybersecurity risk in ways that resonate with non-security leadership.

Common tactics discussed:

  • Tie risk metrics to financial KPIs
  • Use “speed rounds” to socialize key threats during executive briefings
  • Map controls to business outcomes, not compliance checkboxes


Emerging Frameworks:

Insight: A growing emphasis on “API identity” — how are we verifying the trustworthiness of system-to-system communication?

4. Ease of Use Trumps Feature Depth

Several participants expressed fatigue over the feature creep among cybersecurity vendors. Tools often focus on differentiating with niche capabilities, but usability and integration matter far more.

“Most tools today feel like features masquerading as platforms.”

Preferred evaluation criteria:

  • Seamless integration with the Microsoft stack
  • Low operational lift for lean teams
  • Value clarity in <10 minutes of demo

Tools noted: ComplianceCow, Wiz, Onxyia, Gombak.ai

5. Vendor Discovery 

Participants reinforced the value of the CxO Security Forum gatherings as a way to cut through expo noise and evaluate vendors through informal executive networking and peer insight. Several said they were “over” RSAC, which they felt has become too commercial and too focused on business development rather than education and community.

6. The Case for Human-in-the-Loop AI

Across sessions, CISOs emphasized the non-negotiable role of human context in AI-based systems.

Challenges surfaced:

  • LLM hallucinations under complex queries
  • AI bypassing controls due to poor prompt governance
  • Lack of consistent international AI policy standards


Consensus:

“The most important AI control is human in the loop.”

NOTE: Look for Director Analyst Kevin Schmidt’s session “Technical Insights: AI-Enhanced SOC: Bridging the Gap to Advanced Automation in 2025” in the Gartner Summit agenda for more on this subject (and look for a blog on this one soon) 

7. Leadership, Culture & the “Soft Skills Gap”

Chase Cunningham discussed leadership dysfunction in cybersecurity orgs, from founder hubris to poor people management. His call for stronger emotional intelligence and a healthy post-mortem culture resonated with participants.

NOTE: Considerable time was spent on this during Monday’s Summit Keynote, and it recurred as a general theme in several sessions throughout the conference.

Notable Phrase: “Self-licking ice cream cone of misery” — a reference to VC-led echo chambers and analyst pay-to-play dynamics.

Suggested Reading:

  • In Chase’s How Not to Lead, see the chapter “Microscope or Mirror?” (hint: it is usually the mirror), which challenges CISOs to self-reflect

8. Future Ideas & Community Recommendations

Participants expressed enthusiasm for:

  • More regional “CxO Forum” gatherings!
  • AI test labs for security stack experimentation
  • Bringing MSP partners up to speed on Microsoft E5 + Copilot
  • Continued “surround” strategy at major conferences


Quote: “April 1 should be Zero Trust Day — it’s the one day the world doesn’t trust anything.” (George Finney, of course!) 

Stay tuned, agenda forthcoming

About CXO Forum

CxO Security Forum began as a response to a common frustration among senior cybersecurity leaders: the way enterprise solutions are marketed, sold, and evaluated is fundamentally broken. What started as a call for change has grown into a trusted community that puts executive practitioners at the center of the conversation.


We bring together CISOs, CIOs, and senior decision-makers who are responsible for protecting their organizations, guiding strategic risk, and navigating the evolving role of AI in security. Every forum, gathering, and conversation is designed to foster education, mentoring, and authentic peer connection.


What makes us different is our focus on relationships. Our events are intentionally small, curated, and built for real dialogue. Sponsors are carefully selected, and there are no product pitches. Participants come for thoughtful, actionable conversations that support both professional development and practical decision-making.


At CxO Security Forum, the goal is simple. Give experienced leaders a space to learn from one another, to share insight, and to build meaningful connections that last beyond the event itself.

Location

Hampton Inn & Suites National Harbor

250 Waterfront St.

Oxon Hill, MD 20745

Registration

Registration is open only to qualified executives (excluding Sales, Marketing, and Business Development!)

© 2026 CxO Security Forum. All rights reserved