Today’s security landscape is ever evolving. AI is changing the game when it comes to risk, but it also offers an opportunity for cybersecurity professionals and their organizations. At RSAC 2025, SmartBrief sat down with Rich Marcus, chief information security officer of AuditBoard, a platform provider for connected risk, transforming audit, risk and compliance. In this interview, Marcus shares his insights on the latest trends in risk management, compliance and AI, and on how CISOs can navigate today’s dynamic threat landscape.

What’s got you excited here at RSAC?
There’s a lot to be excited about in the area of risk. It seems like every team, in every organization, is racing right now to try to figure out how to use AI in their workflows to get more productive. We’re also doing that at AuditBoard. We were really excited last year to announce a whole suite of AI functionality in our products to enable audit, risk and compliance professionals to do what they do more efficiently and more productively. We heard that a lot of folks are struggling with AI governance. So we introduced a new AI governance solution this year that enables customers to adopt best practices from frameworks like the National Institute of Standards and Technology’s AI Risk Management Framework. The platform aims to mitigate cyber, reputational and financial risks linked to noncompliance. You don’t want security or compliance to be seen as a bottleneck or friction point for adopting new and innovative technologies that are really going to drive the business forward. The AuditBoard solution encourages organizations to identify and inventory all of their AI use cases across the business.
AuditBoard recently introduced RegComply. Will you explain the solution and how it differentiates itself from other compliance tools?
One of the biggest challenges for risk professionals that we hear is the idea of the risk resiliency gap. Things are changing so fast, and they don’t have the resources necessary to keep up with the rate of change. New frameworks are coming out all the time. New versions of existing frameworks are coming out. So if you’ve invested all this time to build a regulatory compliance program around one of these frameworks, when the regulations change, it’s kind of like trying to turn a battleship at sea. It takes a lot of effort to do that, and so we’re trying to take some of the manual effort out of that process with our RegComply product. We want to make it easier for teams to stay on top of emerging regulatory changes and then make those transitions easier. So if you’re pivoting from one framework to multiple frameworks, or from one framework to another, from one version to another, you can use technology to lighten the load – define requirements, understand what the gaps and deltas are, and get yourself ready for new regulatory rule changes and frameworks faster.
I think it is a product that is desperately needed, as we know that the rate of regulatory change is just speeding up. AuditBoard is a global risk platform, so it’s not just the US regulatory environment that we’re concerned about. There are also a lot of interesting things coming out of the EU, whether they’re data privacy related, AI related, cybersecurity or resiliency related. People here at this conference know [these new frameworks are] going to have big business consequences for them. Businesses have to ask: How do I implement this in my organization in a way that’s not going to grind the business to a halt? And that’s where having a really collaborative, workflow-driven approach can take some of the sting out of that and help customers socialize those new requirements in their business, get stakeholder engagement, start to track progress towards those goals, really make it measurable, and try to make folks accountable and drive towards the outcome that they want on the regulatory side.

How do you see AI transforming compliance and risk management?
When it comes to AI risk, I do see a lot of parallels to the cloud transformation, the SaaS revolution – all of these were really powerful, innovative emerging technologies that businesses were racing to adopt. But it’s the time-tested principles of data governance, access control, logging and monitoring that matter.
But there are certainly new AI risks on the technical front. Security operations teams are on the lookout for new types of attacks, new threats. There are new ways to evaluate for AI vulnerabilities, but for most GRC [governance, risk and compliance] people who are looking to evaluate their organization’s use of AI, I think those time-tested principles are certainly helpful. We’re seeing [AI deliver] some really good benefits and time savings for GRC teams around things like framework reconciliation. Let’s say, for instance, I have 10 frameworks I need to follow, but I only want to implement once, test once. With AI, you summarize all of these frameworks, distill them down into a common set of controls that I can go and implement, test and show the mappings back to all those frameworks. That’s a huge time saver. Back when I was an analyst, that job might have taken me a month to do, just going line by line, comparing the frameworks and matching them up. AI can do that in a matter of minutes or hours.
I think we could always do more to educate people about the limitations of AI and the risks of AI, and what secure use [of AI] looks like in your organization, but the solution that we built at AuditBoard allows you to pinpoint which teams, which processes really need that care.
How do you ensure that AI-driven decisions remain transparent and aligned with evolving compliance standards?
In audit and in compliance, the idea of independence is really crucial. So if you’ve made an audit conclusion, being able to show your work and walk through that process is really important. I don’t think we’re ever going to get to a point where we’re going to allow AI to come up with its own material findings for companies. There’s always going to be a need for a human to be in the loop. But the idea is really to make that process more efficient and make that auditor more proficient at what they do – really empower them to spend more time doing the things that really provide strategic value to the business.
How do you see the role of CISOs evolving, and what strategies are needed to meet the challenges ahead?
I think a lot of aspiring security leaders come up through very technical tracks, so they’re very focused on the art of security, and they forget that businesses are in business for their customers, to deliver value for their customers, deliver great products. There’s a broader mission that you really need to understand well in order to help secure those organizations. So I think it’s, you know, developing that business acumen, understanding how you can help deliver value for your customers and for the business, while providing security as a service. You have to be able to do both to gain the trust and alignment with your leadership to be effective as a CISO.
I think more and more the CISO is being called upon to be a business leader – sit at the table with the executive team, with the board, and be brought in on the broader strategy, so they can help guide the business on how to get to that destination securely and safely.
As a leader in the cybersecurity community, what advice would you offer emerging CISOs?
There’s definitely a lot of competition for the best and brightest in that field, and one of the biggest pitches I can make for adding AI, or just technology in general, to your GRC function is that it’s going to keep that talented group interested and retained on your team. If you take somebody really hungry and bright out of college, and you show them how to audit something, they might do it once. They might do it twice. They may not really be interested in doing the same old thing over and over again. So you’re going to lose them to a competing team or competing organization. But if you can give them good tools and AI-enabled workflows where they can automate some of those repetitive tasks, they can focus on having a strategic impact for the organization, something that AI really can’t do.
What are your key takeaways?
The key takeaway that I’ve just been talking to a lot of security folks about is this concept of connectedness – security breaking out of the back office. To be effective at what we do, we need to connect people and data. There’s a lot more data than ever. There’s a lot more surface area than ever, and security really needs to be an ambassador within organizations, establish partnerships and relationships across teams, and then really share data and work together to solve the risk problem. You can’t really do it in a silo, one team at a time. You’ve got to find your risk champions across the business and really link arms and work together, because otherwise you’re not going to know what’s coming.