Security in Uncertainty: Women CISOs Weigh In During RSA

30 Apr 2025

AI-enabled cyberthreats and volatile markets weighed on infosec leaders heading into the 2025 RSA Conference in San Francisco. In an unpredictable era for cybersecurity budgets, Synack joined co-sponsor NASDAQ to host a panel discussion unpacking how women security executives are shifting strategies to meet the moment.

“It’s fun in cyber to welcome everyone else to the world of uncertainty: That’s what we live day-to-day,” said Melissa Bishop, CISO, Corporate Services at Amazon. “You try to think about your own team’s planning processes for next year—and we have a pretty rigorous operational planning process at Amazon—it feels hard to predict where we should be investing.”

CISOs are used to surprises, but speakers at Synack’s Women in Cyber executive panel pointed out 2025 has been especially fraught. 

“You listen to the news… something happens, and then it doesn’t happen,” said Deneen DeFiore, vice president and CISO at United Airlines, when asked about the impact of on-again, off-again tariffs. “It’s really hard to make sure that you have a focus and can be strategic but also responding to the day-to-day of what’s happening in your business, identifying new risks.”

Nidhi Luthra, global CISO at medical equipment provider Baxter International, and Rebekah Wilke, business information security officer at fintech company Jack Henry, rounded out the panel discussion moderated by former New York Times reporter and bestselling author Nicole Perlroth. 

“We’re being expected to do a lot more with a lot less,” said Luthra of the economic uncertainty. “As soon as I get off the plane tomorrow, I’m spending a day in all things finance to figure out yet again what the rest of the year is going to look like… So we’re definitely feeling the impact.”

AI-enabled threats 

Now in its fourth year, Synack’s annual Women in Cyber breakfast event during RSA drew a packed crowd to Fogo de Chão Tuesday morning. 

The theme, How Leading CISOs Keep Their Organizations Secure Amid Market and AI Turbulence, was the jumping-off point for a wide-ranging discussion that covered everything from insider threats to fostering a stronger enterprise security culture. 

It didn’t take long for Perlroth to steer the discussion toward the seismic impact of GenAI on the cybersecurity industry. Whether it’s adversaries abusing AI technology to produce deepfakes or employees rushing to make the most of poorly-vetted AI tools, CISOs are struggling to balance the promise and peril of AI technology.  

“AI is moving so fast. How can we expect humans to catch up to it, understand it, and govern it?” said Wilke, whose organization moves nearly a third of all U.S. transactions in any given day through some 7,000 financial institutions. “That’s the elephant in the room with AI: I think the human race is too proud to say that we don’t know. And we’re uncertain of what it has the capacity to do.”

That’s not to say Wilke and the other panelists aren’t adopting AI or innovating with new technologies to minimize security risks. But keeping tabs on emerging AI attack paths is enough to keep CISOs busy without considering the litany of other daily threats they contend with. 

“When we talk about the threat of AI, we do move straight to the kind of zombie, you know, rogue agent scenario,” said Perlroth, author of This is How They Tell Me the World Ends. “But it does feel like the more imminent threat is a supply chain threat—that maybe the next SolarWinds will be in the AI.”

Five years ago, a Russia-linked breach of widely used SolarWinds software compromised over 100 companies and a dozen government agencies, shaking the cybersecurity industry to its core. Strong contract language, liability sharing and careful risk analysis can help mitigate the impact of third-party risk and supply chain vulnerabilities, but there’s no silver bullet.  

“If cyber security was purely a technical problem we could have solved it 20 years ago with firewalls and EDR, etcetera,” said Perlroth. “But we didn’t because it’s not purely a technology problem: It’s employee awareness, education, leadership budget allocation… I could go on.”

Panelists cited the power of emerging technologies to help with some of the more urgent challenges. AI tools could be a “holy grail” for automating risk away from end users, according to Bishop.

That’s important because even the best-planned training, awareness and security culture programs can’t prevent employees from making occasional mistakes. Bishop cited clicking spearphishing links as a common example. Phishing is an attack method that’s grown more effective and scalable as adversarial AI improves targeting and helps hackers use convincing language. 

“That is where more automation and AI is maybe going to give us that ability, where you clicked on a link: Based on all of our learning data on threat intel, network traffic, email traffic, threats we’ve seen like this before, we’re going to isolate you,” she said. “An [AI] agent can auto-isolate you and put you on a timeout until we’re able to validate what’s going on with your account or what’s going on with your identity. I think we’ll start to see that really soon.”

Hope for the future

Panelists found ample reason to hope for the future of cybersecurity, despite challenges in building a pipeline to fill the CISO role. Thorny legal issues play into that lack of interest in work at security’s top position—CISOs have been held personally liable for breaches in recent cases. Questions about work/life balance have also percolated given the stresses that come with the CISO job. 

“It’s very important if we’re going to attract and retain women in our field, we have to focus on the basics and what gives us some balance in our lives,” said Wilke, who cited her own focused efforts to follow through with good intentions for the day. “The screen is not the last thing I touch before I go to bed. That’s been a huge game changer for me; changing my internal thought process.”

When an audience member asked how she could jumpstart her cybersecurity career, Wilke recounted her own journey into cyber, which started in military intelligence before landing her in incident response at the Department of Homeland Security.

“It was understanding what to escalate, when to escalate, how to escalate, and learning that muscle memory of: When do you sound the horn? Is this really an issue?” she said. “That was extremely crucial in understanding the process and the kill chain and how everything works, so you can see that cyber is an ecosystem and the dependencies that it has throughout the life cycle management.”

DeFiore of United emphasized the importance of self-advocacy, calling on the next generation of women cyber leaders to step outside their comfort zones and take risks.  

“Yes, you’re gonna make mistakes. Yes, you’re not going to be perfect,” said DeFiore. “You might get some weird looks from other people in the room. But if you’re not going to put yourself out there, you’re just going to stay where you are.”

She also urged young women entering the field to learn how to shape their own narrative. 

First, “develop some deep expertise,” she said. “Whatever that domain is, lean into it early in your career and be that confident expert. Second is know how to tell your story. You can be the best expert in your technical subject domain, but if you don’t tell people what the value is and articulate how to get behind you, you’re not going to be able to move forward.”

Luthra rounded out the discussion by citing how everyone in the room shared a common goal: Making the world safer. Whether protecting critical aviation infrastructure and travel at United, securely helping local credit unions support small businesses at Jack Henry, safeguarding the personal information of tens of thousands of Amazon employees or delivering life-saving medical devices at Baxter, “I’m not alone in this,” Luthra said. “There is a higher sense of purpose and there’s so many of us trying to solve this together. So that gives me hope.”