Phillip Miller, CISO and founder of Qurple, shares how stepping outside the enterprise helped him reconnect with what security teams and startups really need—and why that perspective is critical for making better cybersecurity decisions. This episode explores how CISOs can better engage their teams, understand the business, and unlock the value of emerging tech without getting lost in feature sprawl.
In this episode of On Location at RSAC Conference 2025, Phillip Miller—Chief Information Security Officer and founder of Qurple—offers a candid and practical look at the current realities of cybersecurity leadership, innovation ecosystems, and the business-first mindset required to drive effective security outcomes.
With a unique background that blends enterprise cybersecurity leadership and hands-on work on his Virginia farm, Miller brings a grounded perspective to the CISO role. Over the past 18 months, he stepped away from a traditional enterprise seat to work directly with startups through his company, advising them on how to align their offerings with the real needs of security teams. His return to a full-time CISO position follows that immersive experience, giving him a renewed sense of what enterprise security leaders are missing when they close themselves off from emerging technology vendors.
Shifting the Buying Conversation
One of Miller’s strongest messages is that buying decisions should start with the security team—not just the CISO. Too often, tools are purchased at the top and handed down without enough input from those who will actually use them. Miller stresses that founders who are selling into the enterprise need to solve real problems with real people—and CISOs should invite that dialogue rather than block it.
He also encourages CISOs to think beyond the big names. While legacy providers are often the default, marketplace ecosystems (like AWS or GCP) and accelerator programs (such as those run by CrowdStrike) offer curated, credible entry points to newer solutions. These platforms can streamline the validation process while introducing fresh capabilities that legacy tools may lack.
Lead With the Business, Not the Tech
For Miller, the CISO’s most valuable contribution is helping business leaders understand their own risks—especially the ones they don’t associate with cybersecurity. By starting with “What are your biggest non-cyber risks?” Miller helps organizations connect the dots between core operations and digital exposure.
Whether working in manufacturing, retail, or financial services, his approach remains consistent: understand how the business creates value, then align security programs and tooling accordingly. The tech, he reminds us, comes second.
Catch the full conversation to hear more on third-party risk, building high-functioning teams, and why peer conversations at conferences like RSAC are essential to the health of the cybersecurity community.
___________
Guest:
Phillip Miller, CISO and founder of Qurple | https://www.linkedin.com/in/pemiller/
Hosts:
Sean Martin, Co-Founder at ITSPmagazine | Website: https://www.seanmartin.com
Marco Ciappelli, Co-Founder at ITSPmagazine | Website: https://www.marcociappelli.com
___________
Episode Sponsors
ThreatLocker: https://itspm.ag/threatlocker-r974
Akamai: https://itspm.ag/akamailbwc
BlackCloak: https://itspm.ag/itspbcweb
SandboxAQ: https://itspm.ag/sandboxaq-j2en
Archer: https://itspm.ag/rsaarchweb
Dropzone AI: https://itspm.ag/dropzoneai-641
ISACA: https://itspm.ag/isaca-96808
ObjectFirst: https://itspm.ag/object-first-2gjl
Edera: https://itspm.ag/edera-434868
___________
Resources
Learn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsa-conference-usa-2025-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverage
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
Want to tell your Brand Story Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf
Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us
___________
KEYWORDS
sean martin, phillip miller, rsac 2025, cybersecurity, ciso, startups, risk, marketplace, leadership, technology, event coverage, on location, conference
The Hidden Cost of Closing the Door on Innovation | An RSAC Conference 2025 Conversation with Phillip Miller | On Location Coverage with Sean Martin and Marco Ciappelli
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] Phillip Miller. Good to see you. Good to see you. Good to see you. Here we are in San Francisco. Beautiful city, right? So, sunny today. The sun was in your eyes a moment ago, but, uh, how'd you get here?
Phillip Miller: Did you fly in? I did. Flew in from, uh, farm in Southern Virginia and, uh, got here by way of Charlotte, North Carolina.
Look at that.
Sean Martin: Did you fly over any farms here? There's plenty of farms, lots of, lots of cattle, a lot of sheep. I dunno if you got to see any from the plane. We came in
Phillip Miller: the dark, it was late last
Sean Martin: night. No glow in the dark cows. Hopefully no glow in the dark cows. Don't need any of those. No. But, um, I'm trying to think where we met.
Was it Black Hat or was it, I don't remember where we met. Yeah, I don't even either. It used to be so long and anyway, I, we've uh, we've kept in touch wherever we start and fall following each other. And, uh, I'm particularly a fan of yours because of the work you do on the farm, and obviously your role as a CISO.
Very different mindsets of things, but perhaps a lot of overlaps too. [00:01:00] Um, and you're actually gonna join us on a, on a webinar where we talk about kind of the, the future of farming and agriculture and food, food safety and all that fun stuff. And we're talking about cybersecurity as part of that important.
Absolutely. So, um, but you've taken the last 18 months to kind of, you'll tell me what you did, but I presume to kind of refresh and regenerate and you, you know, have a new role as a full-time CISO. So I wanna talk to you a little bit about what that transition back into full-time is like. But first, what? A quick intro for the, for the folks, uh, listening and watching here, um, what you've been up to prior to the 18 months of virtual CISO and then, um, 'cause you've had many roles and that's right in,
Phillip Miller: in, in and out of all kinds of different organizations from retail.
Yeah. A little
Sean Martin: history there.
Phillip Miller: Yeah. So, re retail, Payless ShoeSource or Collective Brands, Brooks Brothers. Then [00:02:00] I did consulting for a while with AWS, that was the pandemic years. Those were great years. Got to work with lots of very large enterprises on their, uh, journey to the cloud. And then, uh, with NetApp for a while as their CISO.
And then following that, uh, really wanted to strike out on my own, kind of do a little bit of what I did at AWS, uh, but under my own banner, a company called Qurple, which I've had for quite a long time. It's, uh, also the farm is connected to, to pork as well. And, uh, my wife and I participate together in that as a business mostly being, uh, 18 months of helping startup companies who are trying to feel their way around the cybersecurity or ag tech landscape and some AI landscape stuff. And you know, there's a, it's a crowded field of people trying to enter the market, but also a crowded field of choices in terms of ag tech or [00:03:00] all of cyber. Yeah, cyber, ag tech, AI, lots of people trying to get a slice of that pie.
And many of them don't know how to tell their story. And particularly they don't know how to tell that story to enterprise buyers. Right? And you see it on LinkedIn, right? Mm-hmm. The CISO saying, please don't email me. Please don't use my cell phone. Please don't send me a message on LinkedIn. Don't send a a, a letter to my home address.
Right? And, and I've always tried to be the opposite. Because I recognize that as an enterprise CISO, I'm only as good as the tech that I can bring to the organization, coupled with my experience, the business processes. But underpinning the, the whole industry is this great group of founders and, uh, businesses that say, we can solve a problem.
We think you have that problem. So if I close myself off to that community, then I'm not gonna be very effective as an enterprise [00:04:00] CISO. So I really wanted to spend 18 months deeply entrenched in that community. So I worked with all kinds of, of founders and, and you know, just some really great conversations.
Just like today, I was just with, uh, uh, Demi from Pan Race and, and, and Dean from Axons. Right. These are, these are long-term relationships that I've been able to foster over the last 18 months, which is very hard to do when you are in that enterprise seat. Right. 'cause everything's so transactional,
Sean Martin: right?
Yeah, very. I just connected with Demi funny enough before the conference, so hopefully I'll run into him at some point for the next few days. But, um, third party risk obviously is a, it sure is. It's a big, big topic. Um, so yeah, it's very interesting 'cause I. If one is in a role within an organization, it becomes about that organization.
And to your point, I think you can kind of get insulated slash [00:05:00] isolated from stuff outside of that. Yes. 'cause MBOs are driven by, uh, annual, annual reviews and, and, uh, perhaps even bonuses are, are tied to how well the company does. And so, and of course, hopefully if you're doing your job as a CISO, you're, you're connecting that to the risk and protecting the revenue, which gives you a focal point, which is great, but to your point, can maybe keep you isolated from some of the stuff that might come in, perhaps, or you don't know what the exposures are.
Maybe you're not looking at things, say the right way, or perhaps in a more open way. So you talked a bit about the, the 18 months. Um, what are some of the things you, you saw and heard that maybe folks sitting in a we'll get to your own new CISO role mm-hmm. But folks sitting in a, in a seat, um, working with their executive leadership team and perhaps even the board, what, what did you see in the last 18 months that maybe some [00:06:00] of those folks in that seat might not, if, especially if they closed themselves off from tech vendors.
What are they, what are they might, might be missing?
Phillip Miller: Yeah. I think probably the first thing is that every founder has experienced the same pain at some place, either in an enterprise gig or, you know, a lot of our founders come out of the, the defense industry. Right, right. Uh, but, but they, they, they are actually practitioners.
And so they don't just sort of wake up one day and say, I wanna make, you know, a hundred million in ARR, they come at us. And I, I was experiencing, uh, a high volume of alerts coming from my SIEM, and I wanted to come up with a way to make it so that those low, low quality alerts could be solved with an agent AI solution.
Right. Or, um, I see way too many, uh, messages still getting through my spam filter. And so I want to bring new technology that helps the end user [00:07:00] better bring their human intelligence to that problem. And so I think that when you are sitting in that enterprise seat and you have all of those, um, OKRs, your to-do lists.
You have the volume of alerts that are telling you, Hey, I've got all these excess vulnerabilities, or I've got legacy tech. You. You start to think that the only way I can solve this problem is to go to my existing major, what provider? Microsoft, Google, Amazon. And you forget that these companies have marketplaces, right?
And if you, um, explore the marketplaces or if you can come to a conference like this and, and engage directly with, with the startup community, you can really find that sweet spot of, of somebody who will be an extension of your team to solve the problem, but know that you're also not like harming your underlying [00:08:00] ecosystem.
Right. Because that's the unique thing about, that's a big investment. Yeah. And being part of a big enterprise, you've got lots more responsibilities for protecting your data, your customer privacy. You can't just go buy any random thing off the shelf and incorporate it in your enterprise. So I, so marketplace is key.
Marketplace is key. Um. Then look for vendors that are being sponsored, uh, through, uh, like the AWS CrowdStrike Accelerator, um, the RSA Innovation Sandbox. Right? Right. These are, uh, ways in which you can sort of short circuit some of that validation. Also look at who their logos are. And I know that there's, there's always controversy around that, but there are enterprises that do so much, but behind, behind your logos, hopefully
Sean Martin: there's a CISO and due diligence.
Phillip Miller: Right, right. And you know, I, I know that if Bank of America has, uh, started [00:09:00] using a product, it's gone through so much validation and certification that chances are I'm not gonna find anything they've missed. Right.
Sean Martin: Correct me if I'm wrong though. Your, your perspective on this. Just because Bank of America may have recognized the problem and recognized they could solve that problem with a certain set of technology, doesn't mean any organization can, right?
No. Um, 'cause teams are different. Obviously the companies are different, teams are different. The rest of the tech stack is different perhaps. Um, how does. How does a CISO kind of, well probably a conversation, but how, how does a CISO really get their head wrapped around their environment, their needs related to perhaps others and tap into the community for
Phillip Miller: Well, you know, you, you hit on a key word there, team.
Mm. And this is where a lot of my advice into the founder community has been, is stop selling to the CISO, sell to the team. Mm-hmm. Because the team is the one who [00:10:00] has to actually fix the problem. And the engineers and architects that are designing and uh, engineering around the problem are the ones who need to be deeply involved in what the next solution to that problem is.
And so, yes, as CISOs we can inject a level of, this is a program that I want you to go and, uh, find new entrants to try to solve. Here's some that I've seen. Please go do your own due diligence. And so when we have, uh, a CISO led buyer, uh, cycle, it often leads to poor outcomes. And I've seen this, whether I was on the consulting side, uh, interim CISO work or stepping into, um, any enterprise role.
There's always tech that has been purchased and not fully leveraged software. Yeah. But, but it, it's kind of different now, right? [00:11:00] 'cause you're paying for it. Just set it and forget it, where you're paying a, a SaaS fee every month for it. And, and it may be giving you marginal value and this is the hardest conversation that you have as a CISO with a, a supplier, is I don't want to leverage you anymore and I don't want to leverage you because your team didn't give my team value.
Because inevitably when you have that conversation, they say to you, but your team didn't ask us. And I'm like, but you are the supplier. You want us to leverage your technology, so please don't just sell and walk away. Right. And expect that automatic renewal three years down the road because we we're no longer in a world where there's only one player.
Right? Or two players like antivirus used to be two players, right? Yeah. Exactly. Now there's 8 or 9 highly competent EDR players,
Sean Martin: so [00:12:00] we're talking a bit about tech, even if the, even if the CISO says, we have this problem team, go do some due diligence. Here's a, you said here's a few tech options to consider. Go, go explore.
Do you find that we start with the tech in most cases? Mm-hmm. And is that the right way? Or, or do we or, or do we have smart people on our teams that perhaps my, my personal view of security is: if we actually build business properly, we can reduce exposure and really reduce the reliance on technology and other solutions to mitigate the risk that we've introduced in the first place.
So I'm wondering if, if turning to the team to say, here's our exposure, here's, here's our risk, how would you solve it? Versus we've been told, or I've seen [00:13:00] other, and I've heard from others that there's this. Issue that we might come across, and we've heard that there's technology to solve it. To me it's two different things.
I don't know, your thoughts on that in terms of can we change the business or do we, or do we just turn to the tech immediately? So
Phillip Miller: we, we've got dual problems here, right? We have a, uh, an engine of business that exists to deliver stakeholder value, could be shareholders, customers, et cetera. Then you have this group of individuals that want to destroy that relationship.
Uh, threat actors and the, the individuals in business that are trying to drive revenue are often very unfamiliar with how a threat actor can disrupt it. We all understand ransomware and we understand spam and those things, right? But the, the murial world. Is often very inaccessible to a [00:14:00] business leader.
So the, the, the most important job a CISO has is to help the business leaders understand for their line of business, their P&L accountability, where are the, the choke points that they're most susceptible to, to give them not just that information, but then ask them, you know, how much is it worth in a sense to mitigate that risk?
Then when you have that answer, then you can inform your teams and enable them to have, you know, the tools, the technology, the business processes, because you, you, as the accountable CISO for risk and the accountable P&L owner are having executive level conversations, hopefully supported by a board.
That are in place to, uh, make the enterprise safer for customers to transact. So it, it, it is a team and a business problem [00:15:00] first, tech second for me. Okay. Um, but that's not common in the industry, and you can see that by just how many, uh, new, uh, tech companies emerge. And the feature function sprawl, right.
Uh, amongst existing tech is, uh, vendors say, well, I, I see somebody's going after this market. I don't want to lose out. Right. Uh, in fact, I think cybersecurity vendors have fear of missing out more than any other part of the tech, uh, ecosystem that I've ever seen. Yeah. It's like ERP all over again. Right.
Exactly.
Sean Martin: Um. So I love that. I love that viewpoint. And it, it makes me wonder, so the team clearly, well, a good team hopefully understands the business and, and the operations and, and vulnerabilities and, and exposure, talking security teams here. Yes. That [00:16:00] then can help achieve, help the organization achieve what they're trying to achieve safely.
Um. I hear very often that that CISOs are closely connected to their team and closely connected to the technology and have, find it difficult, I'll say, to have a conversation with their executive leadership peers and perhaps even the board at that business level. So how, what, what do you see, um, not just from you and your CISO role and virtual CISO role, but from a company's perspective, as you engage with them, either as a virtual or even in your new role, how do they, what do the, what is the business team looking for?
Phillip Miller: Mm-hmm.
Sean Martin: From a, from a CISO, given the other stuff we just talked about.
Phillip Miller: Yeah. Let, let me pull something from earlier in my career as a, as a way to describe this.
I, I joined [00:17:00] a paper manufacturing company in, uh, late 1999. I was with 'em for about 10 years. I knew absolutely nothing about large, uh, process manufacturing. Okay. I knew very, these are like the big spools of paper. Big spools of paper. Yeah. I knew very little about safety in, um, a forest where we cut down trees to Oh yeah.
Make the pulp. I knew nothing about the chemicals, right? Mm-hmm. And here I was coming in as a person who. Had varying different responsibilities, but my, my final responsibility was for securing the enterprise. And I needed to understand not just the task orientation of my job, but also how the business is glued together, and any CISO that steps in should make that their first priority.
First 30 days, try to deeply understand the business. Get out there, whether it's on the [00:18:00] manufacturing floor, on the shop floor, I did retail, or in my current role. Get into the offices where people are engaging with the customers and understand how does the business work. Then understand how the business leaders, your colleagues are.
Making changes to improve or retain customers, profit and loss. Uh, learn the language of, of the business and the board so that when you want to have a conversation about impacting that from an information security, data protection, privacy, cybersecurity basis point, you've got a frame of reference that is from their lens, not just yours.
And then they in turn also have an accountability, right, right. To understand, uh, enough about the world that the CISO is operating. That's common to them, right? They understand that, uh, [00:19:00] even if you are the product person, you have to understand marketing, right? You don't do the marketing, you rely on the marketing team, but you know that they're valued.
You know, I also know what to
Sean Martin: give them so that they can do the
Phillip Miller: marketing, right? Hopefully a good product. Right? So,
Sean Martin: I don't know how to ask this question if it's what's the first question or if there's an important question or a common question. And I'm hoping you can gimme an example that one from the manufacturing paper company.
One from technology, NetApp and, and AWS maybe one from, uh, financial services. In your current role, what, what do you ask? The what business team? The leadership team as you're getting started in each of those three scenarios. I'm gonna guess they're gonna be slightly different maybe. Mm-hmm. Um, to give you what you need to establish that relationship and the connection to then further the, the understanding of the business.[00:20:00]
Phillip Miller: I mean, I think the first thing, and this is sort of common to all of them, is where does the business see its biggest, uh, non-cyber security risks? Right? 'cause, 'cause most companies are gonna have information security, cyber, somewhere on their, their risk, but. What are they seeing as other risks? Because that will inform you as to how they're thinking about that.
Then I think, let, let's pick on manufacturing, okay. Is, um, under understanding how does the product get created? Because when you understand how the product's created, you can start saying, okay, we are gonna have technology in each of these different places in the product creation cycle. And every time there's technology, there's data, and then there's information risk.
So if you can understand and like model that out, uh, from a business, uh, uh, process manufacturing perspective, it really helps you from a, from a [00:21:00] cyber perspective, retail though, where most retail is merchandising and and selling, right? So their focus is customer. How do we engage and what do we promise that customer?
I think that's probably my first question. What are we promising the customer? Um, are we promising them that we're going to gather their information and only ever use it in a sales transaction, or are we doing marketing off of it? Are we selling some of this to other people because the customer trust relationship is, is critical.
And then financial services, FinTech, all of that stuff. Regulatory and legal, I think, uh, to a certain extent are the leading still, yeah. Still king and queen because, um, you obviously, all the customer stuff still matters, but you can't get the right to transact with those customers if you don't follow the rules [00:22:00] and, uh, there are external rules that you have to follow.
Right.
Sean Martin: So we're here, I think, let's see what we doing on time. Yep. We have a couple minutes left. Um, let's take part of the theme from RSA conference here, which is about the community, many voices. Um, obviously you're here Yeah. In person, I presume to partake in, in what it offers in that sense. Um, what do you look for here?
When you're on site connecting with people, what sessions do you go to? What conversations do you have maybe rooted in what we've just been talking about, or is there something else that's even bigger top of mind?
Phillip Miller: Yeah, so first priority is efficiency. I want to meet with all of the key vendors mm-hmm.
That we have in our enterprise. Okay. And do it over a three-day period so that I can, uh, not be trying to do that when I'm in the office. So that, that's my big rock. That's what I fill my agenda up with first. Okay. [00:23:00] Second priority is peer group conversations. Okay? And those don't happen in the meeting rooms, right?
They happen in the hotel lobbies late into the evening. That's where, um, we can have conversations that are, you know, pure Chatham House rules off the record and start thinking about, uh, how can we help other people in this community? And from there, this is where, you know, mentoring programs, uh, emerge. Um, you know.
Finding ways to, uh, bridge company, uh, gaps, uh, come from there. And then third is the, is the founder community. And so I'm here, here, the emerging tech
Sean Martin: stuff. Yeah.
Phillip Miller: Yeah. Look, AWS and CrowdStrike have an accelerator. Um, I helped three of the companies that are in the, that accelerator, uh, in their preparation journey.
So I'm gonna go and cheer on a little bit, right? Yeah. Uh, yeah, that's, that's the fun part. Uh, I, I don't go to the [00:24:00] parties. I don't really have much time for that. I'd rather have the individual conversations and, uh, yeah. Presentations can be really good if it's a practitioner, which unfortunately it's getting a little harder to find here.
Right. I'd like to see more practitioner led, uh, conversation so that my, my team would want to come and not just be a, a CISO, uh, hangout.
Sean Martin: Yeah, exactly. Well, great, great points there. Uh, Phillip, of course, and, um. I have to thank you for taking the time. You're very busy. I saw your calendar. Your calendar is kind of crazy.
I was like, I don't know where you're gonna fit in my friend. We have, you have so much going on, but I'm so grateful that you, you found this time to do your, what you described in your second bullet, which is to find ways to help the rest of the community. I hope that this conversation does just that. I hope so too, that, uh, aren't able to come.
Onsite in San Francisco and, and don't have a chance to [00:25:00] connect with you at some point. So hopefully this, this conversation and story helps. Yeah. Us many
Phillip Miller: and I'm always happy to connect on LinkedIn if people want to have further conversations. Yep.
Sean Martin: You're a good guy. I appreciate you and uh, I love getting inside your brain and understanding how you look at this world and the CISO role.
Um. It's a role that's had a lot of scrutiny. It does. It comes with a lot of weight on the shoulders. And, um, yeah. I appreciate you, you putting on that cape and, and taking on that role, especially for the organization that you're, you're working for at the moment. So important thing. Well, thank you very
Phillip Miller: much and I appreciate you setting time aside for having conversation.
Gotta invest in our friendships. Those are important.
Sean Martin: Absolutely. Yeah. Most importantly. So Phillip, thank you so much. Thanks everybody for, uh, listening and watching this episode here, uh, on location with Sean and then Marco. Stay tuned. ITSPmagazine.com/rsac25 for all of our coverage. [00:26:00] Connect with Phillip and uh, we'll see you on the show floor here in, uh, one of the Moscone locations.
Thanks. Thanks everyone. Awesome.