RSAC, AI/ML

4 top-line takeaways from RSAC 2025

COMMENTARY: SAN FRANCISCO -- With RSAC 2025 wrapping up tomorrow, it’s clear that the cybersecurity community continues to evolve at a breakneck pace, driven by advances in artificial intelligence (AI), attacks by increasingly aggressive nation-state actors, and changes at the very heart of public-private collaboration—especially within the U.S. government.

This year, a recurring undercurrent at RSAC was uncertainty surrounding the future of the Cybersecurity and Infrastructure Security Agency (CISA), and what the private sector must do in response.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

CISA has long served as a unifying force for security across critical infrastructure, helping to elevate security maturity through programs such as “Secure by Design” and by fostering critical collaboration between industry, researchers, and government. It’s a model of service that reflects deep dedication to the security of not only federal systems, but also private organizations and individual citizens.

However, what we’ve seen over the past few months—and heard again at RSAC from Homeland Security Secretary Kristi Noem—is cause for concern. Leadership changes, budget pressures, and shifting political winds have introduced real instability into an agency the country relies on to organize and standardize its cyber readiness. As CISA’s resources stretch thinner, enterprises will need to adapt.

Here are my top-level takeaways from this year’s RSAC:

  • CISA’s shrinking role means enterprises must step up.

    The potential impact of ongoing turmoil within CISA is both technical and philosophical. On one hand, fewer resources and reduced staffing could delay critical initiatives, such as vulnerability disclosure coordination and the Secure by Design program. On the other, confidence in consistent, centralized guidance—such as the CVE system—has taken a hit. A just-in-time approach to vulnerability management is no longer sustainable, especially when the integrity of a single system can affect thousands.

    We’ve already seen some vendors and international agencies signaling a willingness to create or adopt alternative vulnerability tracking systems. But that fragmentation risks undermining the very premise of coordinated disclosure: a single, reliable reference point for every vulnerability. Without a strong and stable CISA to steward that process, industry needs to avoid creating a fractured system of “split standards” that ultimately slows response and increases risk.

  • AI’s role has shifted from buzzword to baseline.

    While AI has dominated the conversation, the discourse felt much more grounded this year. There was a noticeable pivot from speculative potential to operational urgency. The emergence of “Agentic AI”—autonomous decision-making systems capable of executing multi-step actions—was a hot topic. These systems, while powerful, raise serious concerns about unintended behaviors, model manipulation, and safe deployment.

    It’s clear what this means for CISOs and security professionals: we must build AI systems that are threat-modeled, tested, and monitored like any other software. But the challenge, and the opportunity, lies in the tooling. Just as the community has mobilized around AI safety, we must also ensure our testing and risk management frameworks evolve to reflect these new capabilities.

  • Attacks from nation-states are getting bolder—and harder to attribute.

    Another big theme this year was the growing boldness of nation-state threat actors. While attribution has always been a challenge, recent campaigns have leaned into stealth and persistence, often sitting undetected within critical systems for months. These operations aren’t just cyberattacks—they’re geopolitical chess moves, and they’re becoming more targeted and more sophisticated by the day.

    In a world where government response might be delayed or disrupted, the onus falls on enterprises to harden their environments and test their defenses continuously. The idea that red teaming, threat emulation, or exposure management are “nice to haves” is outdated. They are now core competencies of any mature security program.

  • The community still matters—more than ever.

    The private sector must actively support the mission CISA represents. That means doubling down on transparency, vulnerability research, crowdsourced insights, and proactive defense. Most importantly, it means preserving the sense of shared purpose that has long united the cybersecurity community.

    At RSAC this year, the message was clear: as public-sector resources face increasing pressure, it’s up to the broader community—and the companies within it—to lead with resilience, collaboration, and a continued commitment to cybersecurity for all.

Dave Gerry, chief executive officer, Bugcrowd
