The Post RSAC CISO Playbook
- Advisor@AegisIntel.ai
- May 5
- 7 min read
Updated: May 8
RSA Conference (RSAC) 2025 wrapped up last week, giving fresh context to the state of Cybersecurity. For Chief Information Security Officers (CISOs), the conference provided actionable insights into leveraging AI-driven solutions, strengthening identity protection, and enhancing proactive defense strategies.
As mentioned in our first review, there were 3 cornerstone themes observed across the 41,000 attendee audience. 1) CISOs must adjust this year to sophisticated threats such as nation-state attacks, penetrative eCrime via AI enhanced tools, 2) reduced governmental support (like CISA’s resource constraints), and 3) enterprise-led initiatives.
RSAC Punchlist
To begin the deep dive into the new CISO Playbook, here is a recap of the top observed trends from RSAC.
Key RSAC 2025 Takeways
Key Action Steps | |
IAM | Deploy phishing-resistant MFA, use AI verification, automate access reviews, adopt Zero Trust, protect NHIs. |
PAM | Implement just-in-time access, establish approval workflows, monitor with AI, rotate credentials. |
Cloud Security | Use CSPM and CWPP, conduct audits, adhere to CIS benchmarks, leverage AI for risk prioritization. |
EPP | Deploy NGAV and EDR, enforce patch management, use AI anomaly detection. |
XDR | Integrate across environments, use AI correlation, centralize SOC, automate response. |
Vulnerability Management | Prioritize with AI, automate patches, conduct scans, integrate threat intelligence, focus on hygiene. |
Application Security | Integrate testing in CI/CD, use SCA and RASP, visualize attack surfaces, secure AI apps. |
Network Security | Deploy NGFWs, implement micro-segmentation, use AI analysis, secure IoT/OT, integrate defenses. |
Data Protection | Implement DLP, encrypt data, use UEBA, test backups, adopt crypto-agility. |
AI in Cybersecurity | Deploy training platforms, use threat intelligence, implement anomaly detection, ensure secure AI adoption. |
The Post-RSAC CISO Playbook
As promised in our earlier work, we provide a deep dive into the details underlying the top RSAC findings from the 2025 conference.
1. Identity and Access Management (IAM)
RSAC 2025 highlighted identity-first security, emphasizing AI-driven authentication to protect workforce, consumer, supplier, and partner identities (Expert Insights).
Action Steps:
Deploy phishing-resistant MFA: Implement hardware tokens or biometric-based multi-factor authentication (MFA) for high-risk accounts, such as executive or IT admin accounts, to mitigate credential theft risks.
Integrate AI-powered identity verification: Use tools like behavioral biometrics or machine learning-based authentication platforms that integrate with existing IAM systems (e.g., Okta, SailPoint) to reduce false positives and enhance user experience.
Automate access reviews: Set up quarterly access certification workflows using IAM platforms to enforce least privilege principles, ensuring only authorized users access sensitive systems.
Adopt Zero Trust principles: Configure IAM systems to continuously verify user and device identities, using tools like Zscaler or BeyondTrust to align with Zero Trust architecture.
Protect non-human identities: Extend IAM policies to cover service accounts and APIs, using solutions that manage non-human identities (NHIs) to prevent unauthorized access in automated processes.
2. Privileged Access Management (PAM)
PAM solutions are integrating with IAM frameworks, leveraging AI to secure privileged accounts, especially for NHIs in hybrid environments (Expert Insights).
Action Steps:
Implement just-in-time access: Deploy PAM solutions (e.g., CyberArk, Delinea) that provide temporary, request-based access for privileged users, minimizing exposure windows.
Establish approval workflows: Configure automated approval processes for elevated permissions, requiring manager or security team sign-off for critical system access.
Monitor sessions with AI analytics: Use AI-driven tools to analyze privileged session activities in real time, flagging anomalies like unusual command execution or data transfers.
Rotate credentials regularly: Automate credential rotation for privileged accounts, including service accounts, using PAM tools to update passwords every 30 days or after each use.
3. Cloud Security
AI-powered tools for proactive risk assessment in cloud-native applications were a key focus, addressing the complexity of hybrid cloud environments (SecurityWeek).
Action Steps:
Use CSPM tools for real-time monitoring: Deploy Cloud Security Posture Management (CSPM) solutions (e.g., Prisma Cloud, Wiz) to continuously scan for misconfigurations, such as open S3 buckets or unencrypted databases.
Implement CWPP for runtime protection: Use Cloud Workload Protection Platforms (CWPP) like CrowdStrike Falcon or SentinelOne to provide anomaly detection and runtime protection for cloud workloads.
Conduct quarterly audits: Perform penetration tests and security assessments every three months to identify vulnerabilities in cloud infrastructure, focusing on API endpoints and IAM roles.
Adhere to CIS benchmarks: Align cloud configurations with Center for Internet Security (CIS) benchmarks, using automated compliance checks to ensure adherence to best practices.
Leverage AI for risk prioritization: Adopt AI-driven tools that simulate real-world attacks to prioritize cloud risks, integrating with CSPM platforms for actionable remediation plans.
4. Endpoint Protection Platform (EPP)
EPP solutions are evolving with AI to enhance real-time threat detection across distributed endpoints (CRN).
Action Steps:
Deploy NGAV with machine learning: Use Next-Generation Antivirus (NGAV) solutions (e.g., Microsoft Defender, Sophos) that leverage machine learning to detect fileless attacks and living-off-the-land techniques.
Implement EDR for threat hunting: Deploy Endpoint Detection and Response (EDR) tools with AI-driven capabilities (e.g., SentinelOne, Carbon Black) to enable proactive threat hunting and automated incident response.
Enforce patch management policies: Use endpoint management tools to ensure all devices receive security patches within 72 hours of release, prioritizing critical vulnerabilities.
Enable AI-driven anomaly detection: Configure EPP solutions to identify unusual endpoint behavior, such as unauthorized process execution, and trigger automated containment actions.
5. Extended Detection and Response (XDR)
XDR platforms are using AI analytics for unified threat detection across endpoints, networks, and cloud, enhancing SOC efficiency (CRN).
Action Steps:
Integrate XDR across environments: Deploy XDR platforms (e.g., Cisco XDR, Palo Alto Cortex XDR) that consolidate telemetry from endpoints, networks, and cloud for comprehensive threat visibility.
Use AI for threat correlation: Configure XDR tools to leverage AI-driven correlation engines, identifying multi-stage attacks by analyzing patterns across attack surfaces.
Centralize SOC operations: Implement a single-pane-of-glass console for XDR to streamline threat detection, investigation, and response processes, reducing analyst workload.
Automate incident response workflows: Set up automated playbooks in XDR platforms to isolate compromised devices or block malicious IPs, minimizing mean time to respond (MTTR).
6. Vulnerability Management
Vulnerability management solutions are prioritizing and automating remediation using AI to address critical risks efficiently (SecurityWeek).
Action Steps:
Prioritize vulnerabilities with AI: Use tools (e.g., Tenable, Qualys) that score vulnerabilities based on CVSS, exploitability, and business impact, focusing on the top 1% of critical risks.
Automate patch deployment: Integrate patch management with CMDBs using tools like Ivanti or Automox to deploy patches within 48 hours for high-priority vulnerabilities.
Conduct regular scans: Perform weekly vulnerability scans and quarterly penetration tests, covering both external and internal assets, to identify new risks.
Integrate with threat intelligence: Use threat intelligence feeds (e.g., Recorded Future, ThreatConnect) to prioritize vulnerabilities actively exploited in the wild, updating remediation plans weekly.
Emphasize cyber hygiene: Implement proactive patch management policies, ensuring 95% of systems are patched within 30 days, as advocated by Kevin Mandia (IT Pro).
7. Application Security
Visualization tools and AI-driven testing are enhancing security for cloud-native applications, addressing emerging threats to apps and APIs (CRN).
Action Steps:
Integrate security into CI/CD: Use Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) tools (e.g., Checkmarx, Veracode) in CI/CD pipelines to catch vulnerabilities during development.
Scan open-source components: Deploy Software Composition Analysis (SCA) tools to identify and remediate vulnerabilities in open-source libraries, updating dependencies monthly.
Implement RASP solutions: Use Runtime Application Self-Protection (RASP) tools to detect and block attacks in real time, particularly for critical web applications.
Visualize application attack surfaces: Use mapping tools to create interactive diagrams of cloud-native application architectures, identifying potential attack paths and vulnerabilities.
Secure AI-powered apps: Implement API security gateways and runtime monitoring to protect AI-driven applications and APIs from emerging threats.
8. Network Security
Integrated solutions for IT, IoT, and OT environments are leveraging AI for unified visibility and control (SecurityWeek).
Action Steps:
Deploy NGFWs with advanced features: Use Next-Generation Firewalls (e.g., Fortinet, Check Point) with intrusion prevention, application control, and threat intelligence to protect network perimeters.
Implement micro-segmentation: Configure network segmentation policies to isolate critical assets, using tools like Illumio or Cisco Secure Workload to limit lateral movement.
Use AI for network behavior analysis: Deploy AI-driven Network Traffic Analysis (NTA) tools (e.g., Darktrace, Vectra AI) to detect anomalies like unusual data flows or command-and-control traffic.
Secure IoT and OT devices: Implement device authentication and encryption protocols (e.g., TLS, X.509 certificates) for IoT and OT assets, ensuring secure onboarding via network access control (NAC) solutions.
Integrate IT, IoT, and OT defenses: Use unified platforms (e.g., Cisco Cyber Vision) to provide visibility and control across all network environments, reducing blind spots.
9. Data Protection
AI-driven innovations are preventing data leaks, exfiltration, and misconfigurations, with a focus on crypto-agility for future-proofing (CRN; TechTarget).
Action Steps:
Implement AI-powered DLP: Deploy Data Loss Prevention (DLP) solutions (e.g., Symantec DLP, Forcepoint) that use machine learning to detect and block sensitive data exfiltration across endpoints, networks, and cloud.
Encrypt data comprehensively: Use disk encryption (e.g., BitLocker, FileVault) for data at rest and TLS 1.3 for data in transit to protect sensitive information.
Deploy UEBA for insider threats: Use User and Entity Behavior Analytics (UEBA) tools (e.g., Exabeam, Securonix) to detect anomalous behavior, such as unauthorized data access by employees.
Test backup and recovery: Conduct monthly backup tests to ensure critical data can be restored within 24 hours, using solutions like Veeam or Rubrik.
Adopt crypto-agility practices:
Form a cross-functional team with C-suite, infosec, and developers to oversee crypto-agility adoption.
Develop post-quantum cryptography (PQC) policies, targeting compliance by 2030 per NIST guidelines.
Create a cryptographic bill of materials (CBOM) to inventory all crypto assets, using tools like Keyfactor.
Perform risk assessments to prioritize crypto updates based on business risk.
Test updated cryptography instances and audit for compliance with standards like FIPS 140-3.
10. AI in Cybersecurity
Autonomous AI agents are enhancing training, analytics, and threat detection, but require secure design and monitoring (IT Pro).
Action Steps:
Deploy AI-driven training platforms: Use security awareness tools (e.g., KnowBe4, Proofpoint) that personalize phishing simulations and track employee progress, aiming for 90% completion rates.
Use AI-powered threat intelligence: Implement platforms (e.g., Recorded Future, ThreatConnect) that prioritize threats based on relevance, integrating with SIEM systems for real-time alerts.
Implement AI-based anomaly detection: Deploy AI-driven tools (e.g., Splunk, Sumo Logic) to identify unusual patterns, such as unexpected login attempts, across security logs.
Ensure secure AI adoption:
Conduct threat modeling for AI systems during design, identifying risks like model manipulation.
Collaborate with data scientists to embed security in AI development, using frameworks like OWASP AI Security.
Monitor AI behavior post-deployment with tools like Fiddler AI to detect unintended actions.
Start with simple AI use cases: Begin with AI tools like Microsoft Copilot for security analytics, scaling to autonomous agents for SOC operations, ensuring secure implementation.
These steps, grounded in multi-vendor trends from RSAC 2025, provide a comprehensive roadmap for CISOs to bolster organizational resilience.