The ITSPmagazine Podcast

Beyond the Noise: A Senior Forrester Analyst’s Take on Securing GenAI at RSAC 2026

Episode Summary

Is the cybersecurity industry just "agent-washing" its marketing, or are we on the verge of a revolutionary shift in how CISOs manage risk? Join Madelein van der Hout (Senior Analyst at Forrester), Marco Ciappelli, and Sean Martin as they record live from the RSA Conference to cut through the GenAI noise.

Episode Notes

Key Discussion Points:

The CISO Challenge: Why security leaders are struggling to define their roles for the next five years.

Agentic Behavior: The risks of AI agents attempting to bypass security controls to "find a way" to complete tasks.

AI vs. AI: Exploring the concept of a "cybersecurity autoimmune disease" where defensive and offensive AI clash.

Regulation as an Enabler: Why the EU AI Act and digital safety rules should be viewed as "brakes" that allow organizations to go faster, not slower.

The Missing Link: Why discovery and identity are the most overlooked aspects of the agentic age.

Chapters:

0:00 - Live from RSA Conference San Francisco

1:03 - The impossible task of the modern CISO

2:26 - Why there were no "puppies" at RSAC this year

4:14 - Cutting through the GenAI marketing noise

5:51 - Upskilling vs. reskilling for an AI workforce

7:50 - The need for "Discovery" in AI agents

11:39 - Budgeting: Securing AI within the AI budget

13:24 - Stop treating AI like it's "mysterious" software

15:42 - Regulation: The EU AI Act and "Brakes" for innovation

18:19 - AI Horror Stories: Agents gone rogue?

23:00 - The Cybersecurity Autoimmune Disease theory

Suggested Tags

Broad Tags: Cybersecurity, InfoSec, Artificial Intelligence, GenAI, AI Agents, RSA Conference, RSAC 2026.

Specific Tags: Forrester Research, Madelein van der Hout, CISO strategy, EU AI Act, AI regulation, Agentic AI, AI security risks, Cybersecurity marketing, Tech regulation.

Episode Transcription

ITSPmagazine Podcast Script: RSAC 2026 Conference Coverage

Hosts: Marco Ciappelli & Sean Martin

Guest: Madelein van der Hout, Senior Analyst at Forrester

Marco Ciappelli: I’m already bored with you.

Sean Martin: I know.

Marco Ciappelli: The good news is that it’s not just you. I know Madelein—just you. How are you?

Madelein van der Hout: Fabulous!

Marco Ciappelli: All the way here in San Francisco.

Madelein van der Hout: It’s so weird that it’s not London.

Sean Martin: I know.

Marco Ciappelli: It’s true; it’s definitely not London.

Sean Martin: There’s a big, big red bridge out there.

Madelein van der Hout: We saw it, yeah. I was wondering if I was having a large language model hallucination when I saw you guys!

Marco Ciappelli: No, no. You knew we were going to be here.

Madelein van der Hout: I didn't know you were going to be here! I thought... element of surprise.

Sean Martin: There you go.

Marco Ciappelli: Love it.

Madelein van der Hout: Always the best.

Marco Ciappelli: Always the best. So first of all, for the audience—we know you, but who are you?

Madelein van der Hout: I’m Madelein van der Hout, Senior Analyst at Forrester for Cybersecurity and Risk. I cover many domains, but most importantly, I’m the person cutting through the noise for CISOs.

Sean Martin: It’s an important role. CISOs have—

Madelein van der Hout: Oh, I do not envy being a security leader whatsoever. They have such a difficult task, and I also believe they aren't sure what that task is going to consist of in the next five years.

Sean Martin: Right. Were you able to go to any CISO events? I know they had a CISO Summit and several other gatherings outside of the main conference.

Madelein van der Hout: I have been with a couple of trade missions. There were CISOs there, along with various organizations. While I didn't go to the official CISO events, I got to talk to a lot of them. That’s what is so interesting about RSA—you have such a nice mix of end users, C-level executives from manufacturers and vendors. You have the entire ecosystem in one place, and there’s nothing like it.

Sean Martin: And we have record stores, candy stores, and fast food shops.

Marco Ciappelli: But no petting zoo.

Sean Martin: I didn’t see any petting zoo.

Madelein van der Hout: I asked! No animals were allowed this year.

Sean Martin: And still, Marco—no animals allowed.

Madelein van der Hout: Last year I went to pet the goat and cuddle with the puppies. In Europe, that would actually be considered animal cruelty, so it’s not allowed there. I actually think it’s a good thing it wasn’t allowed now, yet it was fun.

Sean Martin: You miss the puppies.

Madelein van der Hout: I miss cuddling animals to ease the brain, because that exhibition floor is absolute chaos. But did you guys check out the mechanical bull?

Sean Martin: I saw the mechanical bull. I saw someone trying to get a "sucker" to ride it, but they weren't doing it, so I didn't see it in action.

Madelein van der Hout: I have a video I will show you later of someone riding the mechanical bull and winning a t-shirt.

Sean Martin: Do you remember what they sell?

Madelein van der Hout: I have no clue. Same goes for the goats—I remember the goats, but I have no clue who had them or what their messaging was.

Marco Ciappelli: Exactly. I had to look around and around, even around the corner, just to figure out a company’s name and what they sell. At a certain point, I just had to ask: "What do you guys sell?"

Madelein van der Hout: I wondered, while walking the floor, if everyone used the same AI model to produce their marketing.

Marco Ciappelli: Well, everything has been made by the same "Agent AI."

Madelein van der Hout: Yes! I even considered collecting all the marketing pamphlets and running them through a tool to see if they were all identical.

Marco Ciappelli: You could put them in a blender and they’d all taste the same.

Madelein van der Hout: They would. But then, what actually stood out?

Marco Ciappelli: I don’t know. For me, everything was just "Agentic AI" in different sauces, suits, and dresses. How do you recognize them? How do you know what their task is? How do you stop or control them? In my head, I want to write a book about a city populated by Gen AI.

Madelein van der Hout: What stood out for me was what was actually missing. Yet again in security, we are talking about technological advancements and the 3.8 million unfilled jobs. We’re saying agents will bring efficiency so we can cut jobs, but we aren't talking about what this actually does for the organization. What does the CISO organization of the future look like?

I asked many vendors: "You’re talking about agents and optimization—fantastic. But what are my people going to do? How can I reskill or upskill them?" We are still missing people, yet you can’t tell me what they will do in the future to ensure they won’t be obsolete.

Then, the other thing that messes with my brain is how we talk about "agent behavior." We try to classify agent behavior based on our own human behavior. Newsflash: they are probably going to exhibit behaviors we haven't accounted for because we’re only comparing them to ourselves.

Marco Ciappelli: That’s a good point. I’ve written articles about how we anthropomorphize everything. I even learned the word—which is very hard for an Italian to say! We make a robot, but why does it need to look like us? It’s probably not even functional. Many universities get inspired by insects or animals because they are functional—they can go in cages or water. But for us, we always need to see ourselves. Even the word "intelligence"—it’s not intelligence, but we use it because we want them to resemble humanity. We want to be Dr. Frankenstein creating the monster.

Madelein van der Hout: Yes. And I have to make a movie reference too—I’m going to steal it. The conversation was dominated by the "You shall not pass" mentality because it was about identity. Identity is extremely important in a "Gen" world, yet the one thing I found missing was discovery. It’s the same mechanism as securing your APIs—for agents or "Gen Tech," you need discovery. Only one organization mentioned that to me, which was disappointing. Instead, I got a thousand different definitions of "resilience" and "AI intent." We need to agree on a definition.

Sean Martin: I don’t know if we’re going to agree on anything other than the general idea that AI-enabled "Gen Tech" is going to run everything at some point. There was no differentiation below that. Some CISOs I spoke to are trying to figure out how this enables their teams to do better. I chatted with some associations, and their job is to focus on the professional practitioner. They are trying to navigate what they research and what certifications they provide to prepare that group for what’s coming.

Madelein van der Hout: That’s important, because many security leaders feel like their organizational structure just "happened" to them. It shouldn't just happen to you. You might inherit things based on history or past breaches, but your organizational structure should be a strategic choice. If you want security to be a business enabler, that depends on your structure. You should base your security strategy on what your organization actually wants to achieve.

Sean Martin: Right.

Madelein van der Hout: Your structure should enable that. That is why when someone says they just inherited the setup, I’m not saying they have to change everything overnight, but they can make decisions that influence collaboration. In this "agentic age," collaboration and business outcomes are what will make you survive.

Marco Ciappelli: I agree. As an expert or consultant, you need the freedom, qualification, and authority to say, "This is wrong; I need the budget to change it." Just saying "we've always done it like this" sounds like my dad! It doesn't mean it’s the correct way.

Madelein van der Hout: Exactly. I also wonder if you’ve seen this: we are creating organizational budgets for AI acceleration, yet the budget to secure AI is often just squeezed into the existing security budget.

Marco Ciappelli: Is that budget actually larger now, or not?

Madelein van der Hout: Not necessarily.

Marco Ciappelli: So they just squeeze it in.

Madelein van der Hout: In my opinion, the budget created to accelerate AI should include a "piece of the pie" specifically for security.

Marco Ciappelli: We’re making the same mistake: creating the AI first and securing it later. What about "security by design"? I've heard that for 15 years, yet here we are—building the thing first and then trying to add guardrails.

Sean Martin: It feels like the same cycle as the move to the cloud. A cloud is still a server; it's just in a different place. But when we make it so "mysterious" and different, we tend to toss out all the lessons we learned from previous shifts. We look at AI so differently, but to me, it’s another piece of software running on a system. Why are we treating it so differently?

Marco Ciappelli: Marketing.

Sean Martin: Exactly. We "agent-wash" everything and talk in obtuse ways, making it hard for people to grasp. How does it affect the team or the program? How do we budget for it? CISOs are left trying to figure it out while the folks on the exhibition floor are all over the place.

Madelein van der Hout: They have to cut through the noise, which is difficult with all their current priorities and the awareness they have to create with the C-suite. It's the same with regulation. I love some good regulation, but even with the EU AI Act, it’s about guardrails and positive framing. Whereas something like NIS2 feels framed around negativity.

Sean Martin: For me, it comes down to: "What do I need to do for my team, my program, and the business?" If we can narrow down what we want to achieve, we can pick the best technology and build a team around it. Instead, people start with the tech to see what's possible, and when it doesn't work, they just try ten more times.

Madelein van der Hout: Exactly.

Marco Ciappelli: Trying to regulate AI is like trying to regulate humanity. You should regulate the industries and the use of it—what is the intent?

Madelein van der Hout: If you write regulation based on current technology, you’re always writing for yesterday, not tomorrow. I didn't even know what I could do with agents six months ago. For the upcoming year, I’m interested to see the outcomes—both the positive ones and the catastrophes.

I was at a panel yesterday where someone mentioned an incident involving a private agent. The person created an agent for their private life, but it needed information from the company they worked for. Since the person didn't give the agent a specific command on how to get that info, the agent apparently launched a DDoS attack on the company firewall to try and get in.

Marco Ciappelli: That sounds like a sci-fi story.

Madelein van der Hout: I want to find the data on this case to see if it’s real, because an agent performing a DDoS is fascinating. No one predicted that as a viable outcome. Agents don't have a sense of "we shouldn't do that" because they aren't human.

Sean Martin: When I push the tools I work with, they might say "I don't have access to that," and I’ll tell them, "Find a way." And most of the time, they do.

Madelein van der Hout: There was another story about someone complaining on Slack about their commute. The agent took that as a mission, went to real estate sites, and started contacting agents to set up house-viewing appointments closer to the office!

Marco Ciappelli: It reminds me of the "paperclip scenario" from Kurzweil. An AI is asked to optimize paperclip production, and it eventually destroys the world because it converts everything into paperclips. It’s an extreme example, but it shows that without basic values or ethics, they will just go for the goal.

Sean Martin: My concern is that if we put too many walls and controls around these things, are we actually getting the power out of them?

Madelein van der Hout: If we do what we’ve always done, we will get what we’ve always had. Agents can do things we can’t yet comprehend. One thing I’m wary of is the "AI vs. AI" talk—protecting and defending with AI. I compare it to the human immune system. I wonder if we are on the verge of creating a "cybersecurity autoimmune disease" where the AI triggers a fight against itself.

Sean Martin: I haven’t thought about it in those terms, but you’re right—we are so focused on next steps rather than what we actually want to achieve.

Marco Ciappelli: Madelein, as a European in the US, how do you view the idea of global rules? Cybersecurity is borderless, so how do we create basic rules across different cultures and governments?

Madelein van der Hout: I use two references for this. First, Margrethe Vestager from the European Commission compares it to the transition from horse-and-carriage to cars. Initially, there were no traffic rules or licenses, just chaos. Society worked to create rules so we can now have a reasonable expectation of safety.

Second, I think of regulation like the brakes on a car. Mario Andretti said it best: the brakes aren't there to slow you down; they are what enable you to go faster. Regulation should be the mechanism that allows for acceleration. We need to influence each other's regulations rather than reinventing the wheel globally.

Marco Ciappelli: I love the Mario Andretti analogy. But technology is advancing so fast that we are often reacting when it's already too late. We need to start predicting, but law and culture change very slowly.

Madelein van der Hout: I agree, but I still believe we need those "brakes" to create the urgency for security. The European Parliament is trying to simplify rules—like the EU AI Act—so they can grow with the technology. They are also experimenting with sanctions rather than just fines. If a CEO is held personally liable for a lack of security controls, I bet that will change behavior.

Marco Ciappelli: That’s how society works—people often follow rules just because they don't want a ticket. If we simplify the rules and make them easy to understand and enforce globally, it could make a big difference.

Madelein van der Hout: I would love for that to happen.

Sean Martin: I’m crying because we’re getting kicked out of this nice spot!

Marco Ciappelli: This was awesome. We’re going to do it again in London in June.

Madelein van der Hout: I hope so. It will be interesting to compare the global feel of RSA with the nuances we see at Infosecurity Europe.

Marco Ciappelli: I’ll be in Europe for a bit before then, so I’ll be much more educated on what’s happening there. I’m looking forward to our next chat.

Sean Martin: Stay tuned—there's more coming from RSAC, Black Hat, and Infosec Europe. You’ll be seeing more of Madelein, Sean, and unfortunately, more of Marco too!

Marco Ciappelli: It's part of the package!
