ITSPmagazine Podcasts

Security at a Crossroads: Innovation, Risk, and the Relationship Between the CISO and the Vendor Community | An RSAC Conference 2025 Conversation | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

This episode captures a candid reflection on how the cybersecurity community, particularly CISOs, is navigating risk, innovation, and decision-making in an environment saturated with noise and pressure. Sean Martin and Marco Ciappelli explore why true progress may require shifting who gets to evaluate new ideas and how we collectively think about security’s role in shaping the future.

Episode Notes

In this closing conversation from Day One at RSAC Conference 2025, ITSPmagazine co-founders Sean Martin and Marco Ciappelli reflect on what they’re hearing in the halls, on the show floor, and in conversations with attendees—and the picture they’re painting may surprise you.

Sean Martin raises a recurring theme that’s come up in multiple off-camera discussions: the increasing hesitancy among CISOs to engage with new vendors or consider new technologies unless they come from familiar sources. The concern isn’t about the technology itself—it’s about time, trust, and the overwhelming volume of noise. In many cases, CISOs prefer to rely on their peer network rather than explore unknown options, potentially limiting their exposure to different ways of thinking about risk and security.

But this isn’t just a “vendor fatigue” issue. It’s a structural one.

Martin points to a conversation with Philip Miller, who emphasized the need for vendors to connect with the security team—not just the CISO. That shift could unlock a healthier, more scalable way to evaluate solutions without overloading leadership. When security teams are empowered to explore, test, and validate, it changes the decision-making dynamic and may lead to more open-minded program development—especially as AI begins reshaping how data and security interact.

Meanwhile, Marco Ciappelli looks at this cultural tension from a societal perspective. He draws parallels between the speed of technological progress and the slower-moving nature of regulation, governance, and even human behavior. If security programs are stuck in reactive modes—bound by risk aversion, budget constraints, or outdated expectations—how can they support the innovation their businesses (and society) demand?

The two hosts conclude that change isn’t just needed—it’s already underway, albeit unevenly. The key may lie in empowering the broader security ecosystem, from frontline analysts to policy makers, to think and act with more agility.

For those wrestling with how security can lead rather than lag, this conversation offers a timely reflection—and a few provocations worth sitting with.

What does a future-ready security program really look like?

Learn more and catch more stories from RSAC Conference 2025 coverage: https://www.itspmagazine.com/rsac25

___________

Hosts:
Sean Martin, Co-Founder at ITSPmagazine | Website: https://www.seanmartin.com

Marco Ciappelli, Co-Founder at ITSPmagazine | Website: https://www.marcociappelli.com

___________

Episode Sponsors

ThreatLocker: https://itspm.ag/threatlocker-r974

Akamai: https://itspm.ag/akamailbwc

BlackCloak: https://itspm.ag/itspbcweb

SandboxAQ: https://itspm.ag/sandboxaq-j2en

Archer: https://itspm.ag/rsaarchweb

Dropzone AI: https://itspm.ag/dropzoneai-641

ISACA: https://itspm.ag/isaca-96808

ObjectFirst: https://itspm.ag/object-first-2gjl

Edera: https://itspm.ag/edera-434868

___________

Resources

Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage

Want to tell your Brand Story Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf

Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us

___________

KEYWORDS

sean martin, marco ciappelli, ciso, ai, cybersecurity, risk, decisionmaking, innovation, rsac 2025, technology, event coverage, on location, conference

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Marco Ciappelli: [00:00:00] Ready?  
 

Sean Martin: Take off. I'm ready to go.  
 

Marco Ciappelli: Ah. Alright. So look at that. This is, this is pretty sci-fi. I love it. It's kind of like being on a spaceship.  
 

Sean Martin: It is like being on a spaceship. It's a spaceship to the future. It's nice 'cause I can't see you.  
 

Marco Ciappelli: I can't even hear you, so it's great. I love this podcast already. 
 

That's perfect. In my, no, don't put your feet there. Come on.  
 

Sean Martin: Do  
 

Marco Ciappelli: I  
 

Sean Martin: have to?  
 

Marco Ciappelli: I always have to watch out.  
 

Sean Martin: I know  
 

Marco Ciappelli: Sean. I have no manners.  
 

Sean Martin: No manners whatsoever.  
 

Marco Ciappelli: We are at the end of day one, but you know what, is it really? Day long? Is there any days? I don't know. Day two, three. Just one  
 

Sean Martin: big, long day of many, many hours for me. 
 

Week. Yeah. But it's good. It is good. It is good. Didn't feel  
 

Marco Ciappelli: too stressful. No. People are nice.  
 

Sean Martin: All of them people are you, you, it's amazing how many, um, [00:01:00] people we've seen and met that we've only exchanged emails with.  
 

Marco Ciappelli: Right? Yeah. It's  
 

Sean Martin: uh, it's quite something. I mean, yeah, people walk up and they, Hey, we've been on online with You aren't. 
 

Marco Ciappelli: Yeah, you look younger on tv. You look skinnier on  
 

Sean Martin: tv. I look, I look skinnier and younger too.  
 

Marco Ciappelli: I know.  
 

Sean Martin: That's right. I look better at the radio. Oh, funnier on TV too.  
 

Marco Ciappelli: I look great in on radio. I'm like, fantastic.  
 

Sean Martin: A face radio. No, it's not  
 

Marco Ciappelli: really. I mean, let, let's be honest, I don't want to go on and on because we already had a lot of podcasts, a lot of webcast video walk around, but anything that really stuck in your mind and for RSA conference 2025 so far,  
 

Sean Martin: so. 
 

I think, I'm trying to think. There was one thing about, about the CISO role that here's, here's what I'll say. I had this conversation off camera many times actually in the last couple [00:02:00] days, that there's don't, there's a security conference. We tend to not talk about risk a lot. It is connected to some degree. 
 

Um. We had a chat with Tim Brown about the personal risk of the CSO role, and the reason I'm mentioning that is the, the conversations I've had and the things that I've heard are around CSOs not necessarily being open to taking undue risk. Meaning don't change things too much, meaning don't explore new technologies too much meaning. 
 

Yeah, don't take the calls from the new newer vendors. Basically just close out anything that's not already part of your organization and, and only what I'm hearing is that a lot of the CISOs only connect with each other to determine what [00:03:00] next for their programs, for their business, and may not open themselves up to learning new, new exposures. 
 

New ways of looking at risk, new ways of tackling the problems they have. And I'm not in any way saying, look at every vendor on the show floor. And I'm not in any way saying, open yourself up to more hours than you have available, making your life more uncomfortable. But what I'm hearing is from some CSOs that they, they're actually opening their mind to new ways of looking at the problem. 
 

Because, and I, I think especially with AI and some of the new technologies around AI and the amount of data that's available and the way to interact with that data, it's becoming less transactional perhaps. And you can have a different relationship with your security program, different relationship with your security team, [00:04:00] different relationship with your security infrastructure. 
 

Marco Ciappelli: But you're not saying they're close to new technology. They just want to get the new technology from the usual vendor. I mean,  
 

Sean Martin: so the, someone understand the, what I'm hearing is newer, new technology from an existing vendor, new, new technology from a new vendor. I think the, the general stance has been don't take calls from vendors. 
 

Which that's not good news for vendors, which also means don't, don't go outta your way to understand the problem that they see that perhaps you may have that perhaps you should be looking at. Not because you now need to add another tool and get more budget to do it, but, and this is some, I did have this conversation on record, on, on, on a podcast [00:05:00] where. 
 

If you actually think differently about how your program is running and use the tools that are available now, specifically AI, you might change your mindset and you might not need to do some of the things you're doing right now because you think of it differently. You approach it differently. Different technologies that you're not using might
 

Marco Ciappelli: so wait. 
 

Wait. Right? Might  
 

Sean Martin: help you achieve the the real goal. Versus the one year year from, why wouldn't you  
 

Marco Ciappelli: want to do that?  
 

Sean Martin: That's the question.  
 

Marco Ciappelli: Sounds a little fucked up to me. I No,  
 

Sean Martin: no, because here's, because they only have so many hours in the day and they don't want to get a cell phone call at six o'clock at night when they're having dinner with their kids and, and spouse. 
 

Marco Ciappelli: Right. Well, makes sense. And  
 

Sean Martin: so I think that the general is, I'm not gonna do that. I'll turn to my CSO community for some of this information. I don't know the CSO community. What I'm hearing this week, I don't [00:06:00] know that you can get all of the information from a closed group. I think what some, some CSOs are saying, they need to different, especially if everybody doing the same  
 

Marco Ciappelli: thing to be closed to new thing. 
 

That is a big issue for the industry, but it's hard for me to believe and I'm, I'm just playing devil's advocate because,  
 

Sean Martin: and I'm only trying to communicate what I'm hearing. Yeah. And I'm, and I'm not in that role and I'm not, I don't wear those shoes. Well, the same times I'm  
 

Marco Ciappelli: here and. 42,000 people, maybe more RSAC conference. 
 

There is sandbox.  
 

Sean Martin: Yeah.  
 

Marco Ciappelli: There is the villages, there is, uh, the, the competition mm-hmm. For the startup. So, and I see a lot of, and I hear a lot of new things both from small Absolutely. Start top to the biggest one. So it's, it's, uh. If, if they crash into a mindset like this, there is a lot of innovation that is going to [00:07:00] be,  
 

Sean Martin: yeah. 
 

Marco Ciappelli: Stopped. But maybe, and I know I, you're the one that talked with the CSO, but are the CSO usually the one that make the decision on, on the vendors to, well, that was the other point, right?
 

Sean Martin: And, and this was on, I had the conversation with Philip Miller and that that recording's coming, that episode will be out. 
 

He said, I'm open to have these conversations. As a CISO, but I also really want the vendors to talk to my team.
 

Marco Ciappelli: Well then makes more sense. So I wanna be  
 

Sean Martin: open and I'm happy to take a call, happy to see a demo, but I really need you to connect with my team.  
 

Marco Ciappelli: Right. That makes sense. And  
 

Sean Martin: I guess that what the whole kind of bring it full circle is my ex, my expectation or understanding is the vendors are trying to reach the top through the CISO.
 

It's too much for them. The blanket response is, don't, don't bother me. What's missing is you really need to talk to my team. 'cause [00:08:00] they, and then the vendors actually do need to connect with the team and not just try to race to the top. I think that's kind of the gist of  
 

Marco Ciappelli: Okay, well that, that, that, that's different picture. 
 

Sean Martin: Yeah. It's actually, but because of filter the way, because of the way that's working information  
 

Marco Ciappelli: that goes to him.  
 

Sean Martin: I, I feel, and I think Philip also. Just said this, um, that because of the way that functions, the openness to new things gets shut down. Got it. Very easily.  
 

Marco Ciappelli: Okay. 'cause the system is not built. 
 

The system doesn't support, is not built for that.  
 

Sean Martin: Doesn't support  
 

Marco Ciappelli: that.  
 

Sean Martin: Well, that's great. So, so the conference is a place to do that exploration. Mm-hmm. Maybe wear a badge that doesn't say I'm a CISO. And then go look, go look at it. Or send the teams. And I think that's another thing is companies budgeting for their, the security teams to come to these events, not just, and to take the initiative, not to.
 

So in  
 

Marco Ciappelli: a way, it could be [00:09:00] a blessing in disguise, right? Because it opens the system to think differently with more people involved in the decision taking, pro, pro process. And that could be a good thing.  
 

Sean Martin: Yeah.  
 

Marco Ciappelli: There you go.  
 

Sean Martin: Now there you go.  
 

Marco Ciappelli: Lemme tell you something.  
 

Sean Martin: Tell me.  
 

Marco Ciappelli: So, you know, we went to the DARPA challenge yesterday morning. 
 

We had a nice, nice little tour on the little train. Yeah. We got the train right? With the,  
 

Sean Martin: yeah.  
 

Marco Ciappelli: But now I understand why they don't, didn't want me to bring my coffee on it because they would've spilled it all over. Yeah,  
 

Sean Martin: leave your coffee out all over the places. But,  
 

Marco Ciappelli: so then we recorded that there is a pigeon flying here and it's not gonna go well. 
 

Uh, so then. We published that, which I invite people to see 'cause we had an amazing, yeah, that's really cool. Tour. We, we were in for half an hour I guess. I think so. Something like that. And, and then of course you wrote your piece, right? Looking at things from your [00:10:00] cybersecurity security perspective. And I looked at it from my societal perspective and it, I'm connecting with what you said.
 

Sean Martin: Yeah.  
 

Marco Ciappelli: Which is. I just published it, so go read it. Using on society and technology where I'm wondering if half of our brain is moving forward with technology, maybe took the time machine, but left the other half of the brain in the past or in the present because  
 

Sean Martin: Yeah, a lot in that it, it's a lot  
 

Marco Ciappelli: like technology moves so fast. 
 

Bureaucracy doesn't. Mm-hmm. Regulation, unfortunately doesn't. Great conversation with the European community. Yeah. Uh, yesterday and Professor Luigi Martino from the University of Florence. And, and I think we all there, we, we, we need some regulation. We need the guardrails, but we need to leave freedom. 
 

Yeah. But again, [00:11:00] the technology brain goes really, really fast. Our society is not adopting that fast. Some people miss the train, talking about the train and, um, yeah,  
 

Sean Martin: gas appearance bay's.  
 

Marco Ciappelli: Okay, yeah's. Very good. You're all good. That's all right. And, uh, and so it, I'm connecting to the fact that sometimes you need to get to kind of an asse on how things work to kind of rethink it and maybe have a more agile. 
 

Government, a more agile regulation, A more agile CSO Yeah. Team in the decision making so that we can keep up Yeah. And take the best of our innovation and put it outta service for our society instead of having this tug of war between, we're going too fast. The horse was, uh, John South. Oh, that's right.
 

John South. You know the horse already left really fast. We don't even know where it is. [00:12:00] Yeah. And now you want to regulate it. Talking about AI, that was a pretty clear message. So, yeah. And
 

Sean Martin: what did I say? Your horse can't win if it's disqualified. 'cause it has no judgment. Yeah. It's like you run the race, you're the fastest, but it doesn't matter. 
 

Marco Ciappelli: So again, it's, it's a very important people, that moment for our society where we need to learn how to live with a technology that years ago it would take 20 years for a new piece of technology to really make. Advances and now it's just like, whoa, wait a minute.  
 

Sean Martin: Here's, here's what I'm hearing. And, and as we talk about this, there's so many things, your view of it through your article, looking at the future in the past and wanting to move forward, but being stuck. 
 

I think in the DARPA thing, they talked about all these legacy technologies Yeah. That are now online, that are now exposed and vulnerable and can be compromised and they know. Yeah,  
 

Marco Ciappelli: but they can't change it fast enough. [00:13:00] I  
 

Sean Martin: know.  
 

Marco Ciappelli: Because they don't have the budget. Exactly. The government, the agencies. So there is  
 

Sean Martin: a desire. 
 

Yeah. But they're stuck. And that, that was my point. Yeah. And then I'm thinking in the CSO role, um, you don't wanna make a decision that puts you in front of the SEC, right? I  
 

Marco Ciappelli: guess not.  
 

Sean Martin: And so therefore you want to, we we're risk. Driven. Even though I said we don't talk about risk much, we certainly are a risk driven profession, we think with risk in mind. 
 

And the security team is often called the department of No. And this the epiphany I'm having, talking, having this conversation that we're telling ourselves. No, exactly. And, and I think we've had this conversation too, of, of the security program. Well, I've had it on my show anyway, that. It's time for security to have innovation and not just support the innovation of the business. 
 

The concepts [00:14:00] so transform the way we think about security, the culture transform the way we deploy, transform the way we measure it, transform the way it, it supports the business. And we just had chat with Richard Serious so that, so that goes for the  
 

Marco Ciappelli: company security, but also for the city security, for the federal security government security organization. 
 

And even the home security, our own home, like, you know, it's the same thing we're talking today with a good friend Chris Pearson from, you know, thank you for sponsor, great friend. But the point is, you know, bringing, empowering a system that you can feel safe at home as well, not just in the place where you work. 
 

And so, again, see, it's, it's an all culture, the need to change. And it's not easy because our brains still think like we're. Yeah. And the prehistoric, something is happening. We need to, goes back talking about prehistoric and store, store food 'cause it freaking, freaking out. Fear. What did we say last year by [00:15:00] fear? 
 

Sean Martin: It was here last year. What did we say last year? The Monster Frankenstein. It created itself. Created itself.  
 

Marco Ciappelli: It is. That is instead. Ab B. What was that, Abbi? Maybe that's that brain I'm talking about ab. Yeah. No, but it is the Frankenstein. It's still here, man.  
 

Sean Martin: It is still there.  
 

Marco Ciappelli: It's still here.  
 

Sean Martin: It has extra arms this year. 
 

A couple extra space. It's because  
 

Marco Ciappelli: AI has put like an extra finger. Well, there's that statue. The statue. Remember what the  
 

Sean Martin: multiple arms? Yeah, it's kind of weird. Alright, here, here's the thing. I probably said a bunch of stuff. CISOs are going, what are you on about? You don't know what you're talking about.
 

I don't. I'm not a CISO. I know what I've heard a bit. I'm trying to analyze it. I'm trying to communicate what I think I heard. I would really love to hear more. Thoughts on this? Yeah. So if you have thoughts, share in the comments. Yeah.
 

Marco Ciappelli: Well, I'm pretty confident you wanna have conversation. I'm  
 

Sean Martin: open to that as well. 
 

I'm  
 

Marco Ciappelli: confident in what I say because I'm a human.  
 

Sean Martin: You are human.  
 

Marco Ciappelli: Therefore, I, I [00:16:00] think like I see what the humanity and the way I feel about,  
 

Sean Martin: I'm trying to relate what I'm hearing anecdotally from others. I, I  
 

Marco Ciappelli: know you have it a little harder than me. 'cause you're dealing with, you know what's really at the core of the conversations here. 
 

I can go in there and be like. Philosophical, sociological, whatever you want. But the point is we're thinking there's a point we're thinking, and I'm not going against what you say  
 

Sean Martin: about this, I think about this stuff,  
 

Marco Ciappelli: but we, we kind of bring a different perspective to the table and I think we make ourself better as a society because of that. 
 

Sean Martin: Yeah.  
 

Marco Ciappelli: Maybe we'll sit down again tomorrow and have. Yeah, another people maybe have a different, different perspective inspired by what we talk about tomorrow. I'm  
 

Sean Martin: seeing a bunch of, uh, CISO friends tonight, so maybe I'll get some direct input if they want to share with me on, on record, but, um, sounds good. 
 

Marco Ciappelli: We'll, sounds good, man. We'll see. You know what, I'm gonna see if I see one of those cars that drive itself  
 

Sean Martin: are  
 

Marco Ciappelli: Yeah.  
 

Sean Martin: And then what?  
 

Marco Ciappelli: And [00:17:00] then, and then I'm gonna show it on camera. All right. And then I'm gonna take it and then, um, and then I'm gonna have dinner. Oh, really? Okay, you guys.  
 

Sean Martin: I don't, I don't see a Waymo. 
 

Marco Ciappelli: People all stay tuned with us. Stay tuned. I hope you tuned. Enjoy with the content. We great. Silliness.  
 

Sean Martin: Thoughtfulness. Um, yeah, I think about this stuff. I, I'd love to hear what you think. 'cause we're, we don't wanna be you. What's that?  
 

Marco Ciappelli: I wouldn't want to be you thinking about that stuff. Stuff.  
 

Sean Martin: I know, I know. 
 

Exactly. I mean, there other thing, I think about music too. I love music.  
 

Marco Ciappelli: All right. Stay tuned. What is it? Sean? RSA SB magazine dot  
 

Sean Martin: ComCom slash r a2 five. Stay tuned. 
 

Marco Ciappelli: 70 minutes.