EP 22 – Security at the speed of innovation: Breaking down legacy barriers

David Puner: You are listening to the Security Matters podcast. I’m David Puner, senior editorial manager at CyberArk, the global leader in identity security.

Here’s a snapshot of a modern cybersecurity professional’s day. See if any of this sounds familiar.

It’s 8:47 a.m., and the security dashboard is already noisy. Nothing is on fire yet. Just alerts, logins, requests, systems spinning up and tearing themselves down again. Containers that exist for only minutes before disappearing. Identities that were never human to begin with.

By mid-morning, the business asks for speed. By lunch, it asks for AI. By the afternoon, it assumes both are already secure.

And somewhere in between, a defender is asked to make sense of it all.

This is the quiet tension shaping modern security. Not a single breach or exploit, but the steady realization that the rules defenders built their careers around are dissolving faster than they can be updated.

Attackers don’t need weeks anymore. They don’t need teams. They don’t even need creativity. They need scale, automation, and systems that learn faster than humans can react.

And yet defenders are still told they have to be perfect. One hundred percent right, every time.

That’s the mismatch.

Today on Security Matters, we’re talking with Rick McElroy, founder and CEO of Nexus, longtime security leader, and former CISO, about how cybersecurity reached this breaking point, how AI is accelerating both sides of the fight, and why identity, culture, and human decision making are now as critical as any tool in your stack.

Because attackers getting in is a given. The real question is whether defenders can interrupt the moment before everything moves too fast to stop.

Let’s get into it with Rick McElroy.

Rick McElroy, founder and CEO at Nexus, thanks so much for coming onto the podcast.

Rick McElroy: Hey, thanks so much for having me today.

David Puner: Great to have you on at the end of the year, our last episode of 2025. We’ll be looking back at 2025 and ahead to 2026, but before we get into the big shifts and challenges, let’s start with you. What are some of the key experiences and turning points that have shaped your career, from your early days in security in the Marines to building security programs across industries, leading cybersecurity strategy at VMware and Carbon Black, and now founding and serving as CEO of Nexus? What shaped your approach to security and leadership?

Rick McElroy: By and large, it’s been the people I’ve been lucky enough to work with throughout my career. Early bosses and managers, peers who pushed me. There have been a lot of folks who gave me amazing advice, great guidance, and kicked me when I needed to be kicked in the right direction.

There were a couple of key distinctions along the way. First, I started out heavily on the red team side of the house. It was very easy to get into companies, and that led to a realization early in my career that there weren’t enough defenders. That pushed me to focus on what it really means to defend systems, people, and data at scale.

From there, I began to see how human this work really is. I’ve spent a lot of time trying to understand people, processes, and culture inside organizations, and more broadly, how humans and society make decisions. When are we proactive? When are we reactive? All of that fuels the symptoms we see in cybersecurity.

Embracing the people component, getting good advice along the way, and finally, taking advantage of opportunities as they came up has shaped my path. I’m pretty famous for saying that when someone cracks the door open, kick it in. Get in the room, figure out where you fit, and try to add value.

That’s something I continue to do on behalf of our clients now that I’m on this journey as a brand new founder. CEO is still a title I’m figuring out, but we’re learning as we go.

David Puner: Earlier in your career, your background within the military was in physical security and counterterrorism. When did you make the shift to cyber, and did you know consciously at the time that you were making that shift?

Rick McElroy: I didn’t. I was a United States Marine, a heavy machine gunner, deployed frequently and focused on counterterrorism and physical security through security forces. That journey brought me to San Diego, where I met my wife, and I had to start thinking about what I wanted to do long term.

I got some really good advice from my stepdad, who had been in the Navy as a data specialist and later worked government contracts. He told me that computer networking and systems were understaffed and that I had a proclivity for it. He suggested I seriously consider it as a career.

The pay scales were enough to get my attention, and a lot of what I had learned in the Marine Corps translated well to school. Within about a year, it became very clear that cybersecurity needed to be taken seriously.

Once again, I got good advice from someone I was working with on a project. He told me to pick a specialty and be very good at it, and that the rest of your career would likely take care of itself. I took that to heart.

I had early opportunities to work with some very serious security professionals, and I focused my career around cybersecurity, what it means to lead a program, and how to build for organizations. There were also plenty of failures along the way.

David Puner: That idea of kicking the door down, that’s something you started early and have carried forward.

Rick McElroy: I think so. I mentor a lot of younger people coming into the industry, and one thing I notice is a lack of confidence. That’s natural early on. You think everyone else is smarter, more experienced, and you’re not sure where you fit.

But there’s almost always a place to fit. Some people think the opportunity is too big or that they’re not ready yet. I look at it differently. Opportunities show up when they show up. If you care about your career, your family, and building a future, you should take full advantage of them.

If you’re given a chance to lead a technical session for your team, treat that like it’s your next job. Take it seriously. Execute well. Over time, those skills compound. If you’re good at this, you’ll likely be managing people someday.

That’s what I mean by opportunities. Take them, do your best work, stay committed to outcomes the team and organization care about, and I’ve found the rest tends to take care of itself.

David Puner: Thank you for that. Let’s bring this back to the year we’re closing out. 2025 has been a year of massive shifts, from AI acceleration to identity sprawl to the continued industrialization of cybercrime. You’ve been on the front lines of these conversations. What’s been top of mind for you this year?

Rick McElroy: Early in the year, the impact of AI on defenders was top of mind. Whether inside a SOC, at the leadership level, or helping organizations navigate their AI journey, it’s been disruptive.

That said, I think about other major disruptions I’ve lived through. The move to cloud, when cloud wasn’t a thing. The rise of mobile devices, when suddenly we had to protect and respond to activity on phones as executives embraced them.

I’ve been through several big shifts, so I may be a little more thick skinned about this one. The promise of AI at the beginning of the year is roughly where we are now. We’re seeing faster, better, smarter workflows, especially in SOCs. GRC vendors are using AI to better understand organizational risk. Teams are rolling their own AI agents or turning to vendors to orchestrate and automate more with less.

The work itself hasn’t changed. There’s more of it. The volume is what’s changed. We were already underwater with alerts, and while we’ve used SOAR and automation for years, now we’re fueling those efforts with AI.

One disappointment for me has been the lack of true innovation around generative AI for cybersecurity on the defensive side. Many vendors are bolting language models onto existing tools or using them for better context, but I haven’t seen the next breakthrough in generative prevention, even at the malware level.

On the adversary side, AI is making life harder for defenders. Deepfakes are real, and most people interacting online understand that media can be manipulated. Organizations are seeing increased wire fraud, more scams, and even fake help desks spun up internally.

Losses are increasing, and adversaries will adopt AI faster than defenders. They don’t have change management or production controls. We’re already seeing malware that generates brand new binaries that have never existed in the wild.

The key question is how defenders keep up with the OODA loop and interrupt adversaries during the attack chain, whether that’s persistence, privilege escalation, or lateral movement.

Then there’s identity. We’ve made progress securing human identities, but now we’re adding machine identities, containers, systems, and soon generative identities. We need visibility into what these identities are doing in real time, even as they move and communicate at incredible speed.

We’re at a tipping point. Many legacy solutions were built for attacks of the past, relying on pattern matching and traditional analysis. That model is breaking down, and we’re going to need AI-native tooling to keep up.

David Puner: You talked about AI, of course, and that’s been a huge topic this year and last year. So much of what you mentioned has been covered across our canon of episodes. Looking back, what’s been real progress, and what’s been noise?

Rick McElroy: I mentioned some of the innovators who are really bringing generative capabilities to bear. Tools that were born generative and built using generative techniques. That’s been very cool for us to see. In our position, we get exposure to a lot of new market entrants.

Beyond that, I’m not sure I’d call most of what the rest of the vendors are doing truly innovative. Adding a copilot into the mix is helpful, yes, but is it innovative? No. We’re all going to use these tools in our workflows, whether we’re in finance, whether we’re CEOs creating lead generation agents, or whatever the case may be.

What does encourage me are a few solutions that are generative at their core and not beholden to frameworks like MITRE ATT&CK. They’re analyzing data at scale, building the ontology of attacks on their own, understanding relationships between processes, systems, and users, and baselining what normal looks like so they can detect anomalies.

That’s highly encouraging because it works at scale. There are a few vendors really embracing that approach. But honestly, I’m most interested in what’s happening quietly in the background, the things we don’t yet know about.

David Puner: How do you see AI reshaping the attacker defender dynamic in 2026? And how will it move the needle even further for both sides?

Rick McElroy: In 2026, I think we’ll see more of the same. We still have a long tail of legacy technologies out there. All the same challenges remain, including cultures that don’t support major new security spending.

For anyone leading security efforts, you’ll have to tie security directly to business objectives. If the business wants to transform through AI, security controls have to be attached to that. You’ll need to understand where the data is going, who’s using it, and whether it’s actually private.

The good news is many organizations have started with governance. They’re approaching AI the way they approached cloud adoption. But after 2026, I think it gets pretty bleak for the defensive community.

We’re in a legacy trough. Adversaries are moving faster and adopting AI more quickly than defenders. I expect both anticipated and unanticipated outcomes for defenders.

The real challenge will be volume. You won’t need a smart human to create a zero day. You’ll just need a system that can generate one in seconds and weaponize it against your environment.

On the defense side, you’ll start seeing agent swarms and MCP controllers operating inside environments. One area where I still want to see innovation is how we control these agents in a meaningful way. How do we send them out to patch systems or apply shims when a brand new zero day is discovered?

I’ve spoken with people who currently create zero days, and they won’t be in that business much longer. The value of zero days will collapse from hundreds of thousands of dollars to almost nothing because of how easily adversaries will be able to generate them.

That will upend the gray market around zero days. They won’t last as long, and they won’t be as valuable. As defenders, we have to rethink our approach. If we’re operating with swarms of agents running constantly, how do we control them? What’s the right layer to manage that?

I don’t have the answer yet, but as an industry, these are going to become pressing challenges.

David Puner: The people you’re talking to who are creating zero days, are they red teamers, or are you talking directly to attackers?

Rick McElroy: It gets pretty murky. I would say no, I’m personally not talking to cybercriminals. However, whether you’re on the DoD side, the government side, or elsewhere, there’s an entire ecosystem built to buy, sell, and distribute these capabilities.

Some folks might be considered gray hats, but most are white hats producing this work for companies. Even if you’re participating in bug bounties, I expect bug bounties to start paying out less over the next five years because adversaries are going to identify vulnerabilities faster.

Manually running through a bug bounty probably won’t exist in two years. You’re going to need an AI framework to do that.

David Puner: Possibly one you’ve written. So putting yourself in the CISO point of view, how do you see CISOs facing the challenges or dilemmas of AI implementation, even when the business case may not be fully established?

Rick McElroy: I don’t think the business case is fully established yet. We’ve seen a lot of projects in a prototyping phase, where organizations are asking, what can we do with this?

For some, it’s about embracing generative capabilities inside platforms like Salesforce. We see a lot of that. How can the business do more with less? How can it potentially reduce headcount over time?

Trying to keep things on the rails through governance is something CISOs are doing today. Who’s on the committee vetting these tools? What are the data sources? Are there third-party supplier evaluations? There’s a lot of programmatic work happening there, and vendors are popping up to support that.

You’ll also start to see threat intelligence flow into GRC platforms as a result. But fundamentally, organizations are trying to manage this the same way they handled the second wave of cloud adoption.

Not the early adopters, but the companies that waited and then said, we have a clear use case. We’re moving all of our email to Office 365. Great. What guidelines and standards do we need to make sure that data doesn’t end up in an adversary’s hands?

My advice to leaders is that this is our moment to be consultants. This is our moment to make sure we’re in the room, raising these risks. There isn’t a tool for every risk. You’ll need process. You’ll need assurance. And you’ll need a lot of education for your staff.

Right now, CISOs are focused heavily on those efforts. Technical controls are lagging a bit, but people are starting to think about 2027 and 2028 roadmaps and what tools might fit those future needs.

David Puner: Identity remains at the root of most breaches. Looking back on 2025, what’s still broken in how organizations approach identity?

Rick McElroy: I’ll share the last conversation I had about identity.

We were recommending removing local admin from all systems. The fleet wasn’t thousands of systems. It was hundreds. Very doable. And yet the level of resignation from the program leader was astonishing.

As leaders, we’re still saying it’s impossible to eliminate local admin across a fleet. I can assure you we’ve done this in large environments and small ones. It’s possible.

It comes down to not giving up. You have to eat the elephant one bite at a time. Maybe you start with five systems in a month, then ten the next. Not every organization has unlimited resources, so you have to be thoughtful about your approach.

But I’m still shocked that we live in a world where Microsoft hands out local admin by default. Microsoft does have a big role to play here, and to be fair, they’ve made progress. I’ve been complimentary where that’s deserved.

That said, the fact that NTLM still exists, the fact that pass-the-hash attacks still work, and the fact that local admin is still widely granted all work against security.

We need to continue pushing operating system vendors to improve, and we need partners to help fill the gaps. It’s also wild how many identities exist per person. Some employees have three or four identities depending on their role.

The complexity has gotten out of control. I do have hope that in a generative world, machines that can learn these environments may help us design better identity architectures.

Doing that analysis manually is a long, human-intensive effort. Handing it to a generative system that can identify issues and make recommendations like better grouping of users or reducing tickets is something organizations are open to.

But the administrative overhead of identity has exploded, and we have to solve that together.

David Puner: When you talk about the sheer number of identities, that also brings machine identities and agentic AI identities into the equation. How do you see those evolving, and what’s the risk if organizations don’t get it right?

Rick McElroy: In the short term, it’ll look like everything else. An assessment, a finding, and some budget earmarked to address it someday. Frankly, if you’re still struggling with human identity, you’re probably not ready for machine or agentic identity yet.

That said, now is the time to think about it as these capabilities enter the environment. Machine identity sprawl is already wild in some places. You have systems that live for less than five minutes before they’re torn down and rebuilt.

How do you flush that cache from your environment and make sure you understand what’s actually an asset? It’s a problem at scale.

I don’t ever call a project done, but if I can get 80% of my human identities into the right state, that’s a win. Once I hit that, I’m ready to take on machine identity. Agentic identity can be addressed as it’s introduced, especially in cloud environments, by setting good standards and guidelines early.

A lot of endpoint detection and response tooling isn’t built to see machine or agentic identities. EDR vendors will need to open up telemetry, along with network defense tooling.

The vendor community will have to respond to a world where agents or containers may exist for less than a minute. That’s not how we’ve historically thought about assets.

We’re used to servers with multi-year lifespans. You buy it, it runs for three years, finance declares it end of life, and you replace it. That model breaks down completely.

Asset management itself becomes problematic, and organizations will need more dynamic approaches as part of their strategy.

David Puner: I saw that a few months ago you delivered something called an anti-keynote at a conference. It’s an interesting concept, and while I didn’t get to see it live, one line from it really landed with me. You said, “We broke cybersecurity.” It felt like a mic drop. What did you mean by that, and looking back, what do you see as the biggest missteps that led the industry to this point?

Rick McElroy: A few things come to mind. I’ve been in this industry for close to 30 years now, and I remember what cybersecurity looked like in 1998. There was no PCI DSS. There were no real frameworks. We had ISO 27001, and that was about it.

We built a lot from scratch. Public-private information sharing through ISACs and InfraGard didn’t exist back then. So I do want to credit the incredible work that’s been done to modernize and mature cybersecurity. Twenty-five years ago, if you said you worked in information assurance, people didn’t even know what that meant. CEOs didn’t understand what their security teams did. We’ve moved past that.

But along the way, we’ve made some choices that don’t serve us well. I’ll give you a few examples without recreating the whole keynote.

First, intelligence agencies globally are not helping defenders, full stop. If zero days are being hoarded and not disclosed to vendors or the defensive community, and then something like WannaCry happens, causing roughly $60 billion in damage in a matter of days, how is that a CISO’s fault? How is that a defender’s fault?

This gray market for zero days, used to gain national strategic advantage, works against every organization that’s supposed to be protected. I understand the importance of intelligence gathering and national security. I truly do. But it’s creating a massive problem for defenders, and it needs to be addressed.

Second, analyst firms and pay-to-play models introduce bias into buying decisions. If I’m a buyer, I want the least biased information possible. I have a problem, I need a tool, which one should I buy? That should be clearer than it is.

The fact that CISOs often have to sit down with consulting firms just to figure out what tool to buy is wild to me. Why can’t we get new tools into organizations faster? Why are vendor sales teams complaining that sales cycles are longer than ever? A big reason is that buyers don’t trust us. They trust their peers.

So how do we build stronger peer communities? How do we devalue some of the biased intelligence in the buying process?

Lastly, we haven’t done enough inside organizations around culture. I put some of this responsibility squarely on CISOs who’ve spent too much time focusing on automating and orchestrating controls, only to realize their business doesn’t understand what they do.

They don’t market internally. They don’t communicate value. And when a breach happens, the first person blamed is that leader.

We’ve made progress societally. Breaches used to never make the news. Now they’re on the nightly news. Business leaders are more aware. But internally, we still have cultural work to do.

So while we’ve done some truly amazing things as an industry, there are parts of our ecosystem that actively work against CISOs. The next generation of leaders needs to start pushing back.

I need a tool to do a job. I shouldn’t have to spend nine months figuring out which tool that is. Almost no other industry works this way. CIOs’ lives have gotten easier over the last 25 years. Ours have gotten harder.

David Puner: Mm-hmm.

Rick McElroy: The question is, how do we get to a place where CIOs can go home, sleep at night, and still meet business objectives, and CISOs can do the same?

David Puner: Whether it’s that specifically or more broadly, what’s the one thing the industry needs to do differently in 2026?

Rick McElroy: First, we need to address intelligence gathering that uses corporations as fodder. Second, I need governments around the globe to draw some clear red lines.

If an adversary is hitting a school or a hospital, that’s a red line. Human safety is impacted. If someone is attacking 911 systems, that’s unacceptable.

We don’t have a digital Geneva Convention. It doesn’t exist, and it doesn’t seem like any country is particularly interested in creating one. We need to revisit that conversation and set rules, because civilian infrastructure is now part of asymmetric warfare.

We’ve seen this in Ukraine, in Russia, and across modern warfare playbooks. As someone focused on defending civilian systems, it’s unacceptable to tell organizations they’re now part of national security, but offer no help, no funding, and minimal support.

That has to change. We need to push legislators and representatives to truly understand what this means and change behavior, because defenders can’t solve this alone.

David Puner: Going back to the CISO, because there’s so much happening and we want them to get some sleep, you’ve described the role as a Chief Persuasion Officer. How has the CISO role evolved in 2025, especially after high-profile supply chain breaches and ransomware attacks?

Rick McElroy: Early in my career, security leaders were seen as guards. You hired someone to watch things. Almost like a mall cop.

That evolved. We realized we were at the end of the delivery chain and needed to move upstream. We became more consultative and business-focused. We added skills, took classes, learned to speak the business language.

Then businesses demanded more. Security had to become an enabler. Build guardrails so the business can move fast.

More recently, CISOs are finally being recognized as true business leaders. Political capital and influence are starting to approach parity with other C-suite roles, though we’re not fully there yet. In many organizations, CMOs still have larger budgets and more strategic sway than CISOs.

To our credit, we’ve adapted. We’ve learned business fluency. Now organizations are asking us to lead, especially through AI adoption.

What’s encouraging is that CISOs are now in the room during ideation. At the moment generative AI and language models are first discussed. That never happened before.

It gives us an opportunity to consult, to guide risk decisions, and to change the dynamic. These skills will matter even more as businesses move faster than ever.

David Puner: The CISO role is clearly multifaceted and increasingly complex. What advice do you have for emerging security leaders navigating today’s threat landscape?

Rick McElroy: This is a long career. It’s an ultramarathon, not a sprint. You have to take a long view.

I see CISOs get stuck staring at three urgent problems and lose sight of progress. Ask yourself, did you make even one percent progress? Did your team move forward?

This is a great time of year to reflect. You’re not where you were in January unless you’ve done nothing, which isn’t the case. Look back three, four, five years and recognize what didn’t exist then that exists now.

There will always be another project. That’s cybersecurity. But how you relate to that matters. If leaders see you as calm and steady, that confidence spreads.

Yes, it’s a lot of work. You signed up for that. It’s never done. We all feel that. But breaking big initiatives into smaller chunks matters. Progress is still progress.

Be confident in telling your story. You invested $5 million. Here’s the risk reduced. Here’s what changed. Be optimistic. Breaches will happen. Compromises will happen.

But compared to 25 years ago, we’ve come a long way. We’re no longer just antivirus and firewalls. We’re doing real work. Hold your head up.

David Puner: As we look toward 2026, what mindset shift do defenders need to make, especially as adversaries operate more like corporations?

Rick McElroy: The big question is how we interrupt the OODA loop. I don’t have the answer yet, but it’s the right question.

We have tools under contract, sometimes for years. We’ve built competencies and automation around them. We have processes layered on top.

So how do we use what we have today to interrupt an OODA loop that now happens in minutes or hours instead of weeks or months? How do we account for massive growth on the cybercriminal side, including affiliate programs?

After all, deepfake-as-a-service already exists.

David Puner: Mm.

Rick McElroy: Right. If I know that, I don’t need to be an advanced adversary. I just need crypto and to know where to go to place an order. The entire way offensive teams operate is changing. The way cybercriminals run their businesses is changing.

They’re making heavy investments in backend infrastructure, and that means our defensive strategies have to change too. That won’t happen overnight. You’ll bring in some new tooling, but you really need a three- to five-year view of your strategy.

You have to ask whether a product is just here for the next six months or a year, or whether it actually meets future needs. That perspective should shape how your team invests time and how the company prioritizes projects.

David Puner: What’s one security myth we should collectively leave behind in 2025?

Rick McElroy: That defenders have to be right one hundred percent of the time.

I rant about this in most of my public talks. Defenders do not have to be perfect. If you think in terms of layered defenses, detections, and response, you get multiple chances to stop an adversary.

Attackers are going to get in. They’ll escalate privileges and move laterally. That’s reality. But you have network controls, endpoint controls, and other layers sitting on top of that.

The goal is to create multiple detections so you get multiple at-bats. Make the adversary be right every time they move through your environment.

If someone breaks into your house at 3:00 a.m., the first thing you do is turn on the lights. Then you assess where they are and decide how to respond. You want early warning at the perimeter, visibility inside, and options for response.

So yes, we should stop saying defenders must be perfect. That mindset doesn’t help anyone.

David Puner: What’s one trend you hope we double down on in 2026?

Rick McElroy: Leaning into people.

We’re entering a period of incredible new technology, and there will be no shortage of shiny new tools. Your team will bring you ideas constantly. That’s exciting.

But this is still a very human endeavor. We don’t spend enough time talking with other leaders about what we’re doing or bringing them along on the journey. Too often, we frame security as a mandate driven by compliance instead of understanding their world.

I’d love to see CISOs spend more time helping other leaders solve their challenges in safer ways. Start with something practical, like how your help desk operates. We already know deepfakes are coming. That’s a great place to influence behavior, improve controls, and reduce risk.

Often, the answer isn’t buying new technology. It’s a process change. Spending time with people and understanding how they use AI will pay off.

David Puner: What’s the one question security leaders should be asking themselves as they prepare for 2026?

Rick McElroy: Are my current skills still valuable in the future?

We tend to think in quarters or years because that’s how projects are scoped. But leaders need to look three to five years ahead. What skills are you missing? I guarantee there are some.

There are classes you can take today. When you find something valuable, share it with other leaders. It shows you’re on the same team and understand what they’re facing.

If you take an AI or business-focused course, share it. You don’t have to force anyone to attend, but it builds trust. It shows you understand what executives are thinking and how fast they want to move.

That would be my advice. It’s time to level up skills if you’re not already doing so.

David Puner: And it sounds like collaboration is at the heart of that.

Rick McElroy: It is. And it’ll be interesting to see how collaboration evolves as agents operate across departments in the future.

David Puner: There’s a lot to think about. I wish we had more time, but thank you for sharing so much with us. I hope we can connect again soon.

Rick McElroy, thanks so much for joining the podcast.

Rick McElroy: Thanks, everyone. Hang in there. It’s going to get bumpy, but we’ll get through it.

David Puner: And there you have it. Thanks for listening to Security Matters. If you liked this episode, please follow us wherever you get your podcasts so you can catch new episodes as they drop.

And if you’re inclined, please leave us a review. We’d appreciate it, and so will the algorithms.

Drop us a line with questions or comments. And if you’re a cybersecurity professional with an idea for an episode, email us at [email protected]
.
We hope to see you next time.