This interview at Chainguard Assemble 2026 examines securing the modern software supply chain and artificial intelligence-driven development. John Sapp of Texas Mutual Insurance Company appears on theCUBE Research with hosts Rebecca Knight and Paul Nashawaty. The conversation addresses the evolving role of the Chief Information Security Officer and approaches to modernizing the secure software development life cycle.
Sapp emphasizes that CISOs must enable secure, responsible AI adoption through governance, inventorying software components and embedding security by design. He recommends shifting security left, reducing developer remediation time and measuring return on investment for supply chain controls. Nashawaty highlights Chainguard as an emerging application security innovation that automates lifecycle visibility and helps organizations achieve near-zero Common Vulnerabilities and Exposures.
Topics covered include supply chain security, secure software development life cycle, AI-driven development, open source security, developer experience and strategies for measuring security ROI. The discussion provides practical guidance and strategic considerations for organizations balancing speed and security in modern software delivery.
John Sapp, Texas Mutual Insurance Company
VP Information Security & CISO, Texas Mutual Insurance
Paul Nashawaty
Practice Lead and Principal Analyst, theCUBE Research
HOST
Rebecca Knight
Host, SiliconANGLE Media
HOST
In this interview from Chainguard Assemble 2026 in New York City, John Sapp, vice president of information security and chief information security officer of Texas Mutual Insurance Co., joins theCUBE's Rebecca Knight and theCUBE Research's Paul Nashawaty to discuss how the CISO role is evolving to modernize the secure software development life cycle in the AI era. Sapp traces four generations of the CISO — from technical problem-solver to business enabler to risk manager to AI-era strategist — and explains why every employee is now effectively a developer cap...
How should the secure software development life cycle be modernized to address security challenges from AI-generated code and heavy use of open-source components, and what role do solutions like Chainguard play?
How has the role of the Chief Information Security Officer (CISO) evolved over the past 25–30 years, and what should CISOs focus on in the current AI-driven era?
How does Chainguard help identify and manage software supply-chain risk, support application/AI risk management, and justify its investment by reducing developer remediation effort?
Rebecca Knight
>> Hello everyone and welcome back to theCUBE's coverage of Chainguard Assemble here in New York City. I'm your host, Rebecca Knight, alongside Paul Nashawaty, Principal Analyst here at theCUBE. I would like to welcome John Sapp. He is the CISO of Texas Mutual Insurance Company. Thanks so much for coming on the show, John.
John Sapp
>> Thank you so much, Rebecca. Glad to be back.
Rebecca Knight
>> Yeah, no, it's always fun to have a repeat customer here on theCUBE. I want to start with a very broad question, and that is that we know that the pace of software development is accelerating. AI is moving at breakneck speed and of course, forcing a lot of organizations to adapt. It's created a lot of opportunities, but also so many challenges.
John Sapp
>> Sure.
Rebecca Knight
>> From your perspective as a CISO, can you talk us through the challenges that you're seeing, particularly here in the context of Chainguard Assemble?
John Sapp
>> Absolutely. One of the things is the way that software gets developed has evolved and it's been pretty continuous over the last couple of decades. There's always a new way to create more code, create code faster. And the open source community has been a great place to get those code snippets and different things that help you develop things faster. But what comes with that is the challenge of the security within that. And so the concept of what I'm calling the modern SDLC, how do we modernize the secure software development life cycle? Because AI is now the generator, the creator of the code. And so how do we point them to those solutions to the trusted source, if you will, of open source components? And that's really what Chainguard is all about in my estimation and in my opinion, because as a CISO, my job is to enable the responsible use and secure adoption of AI in the organization. And that is whether it is from a business innovation standpoint or from a technology standpoint in terms of the solutions that are used to create that feature function that we're trying to deliver to our end customers. Or things that, how are we trying to use it to detect threats? AI is everywhere and people are building agents to help them be able to do that. And so we want to make sure those things are secure by design and by default.
Paul Nashawaty
>> Yeah, I think you're spot on. One of the things that came up at another show that I was at was the role of the CISO is kind of changing, right? The role of the CISO is... And don't take offense to this, but the way they said it was the CISO was sitting up in an ivory tower, right? And is kind of waving their hands on how things are happening. But now the CISO's rolling up their sleeves and getting involved, especially with AI and how things are working. But I think, and you touched on this a little bit, I'd love to get your perspective of the CISO's perspective of today's software supply chain issues, specifically as it relates to open source, because that's really where there's a lot of the ecosystem matters, the open source community matters. But then the CISO, actually, I believe security should be viewed as slow down so you can go faster, if that makes sense.
John Sapp
>> It does make sense. And I actually wrote a piece a couple of months ago about the evolution of the CISO role, and it really kind of ties into your question here. And if you go back, and I put it into generations, if we think about the last 25, 30 years, going back to when Steve Katz was the first CISO, we were first technical and we were trying to solve a technical problem and then we evolved to being business aligned and business enablers. Then we evolved into being risk managers. And now we are in the AI era so it is all things AI is now our focus, this new digital era. And so when I think about it from the CISO perspective, we do have to be more connected to things that are in terms of how the business is creating value. And now, because everyone in the organization is a developer with the ability to be able to create an agent to do those mundane tasks, but to be able to do them consistently. But what we want them to do is we want them to be security aware, but not security worried. And so that's part of my messaging, is I want you to be aware of the challenges because I want to enable you to achieve that time to value that you're trying to utilize these AI solutions for, but do so in a secure manner so that we don't find ourselves... Because I always feel like compliance, whether it be with the EU AI Act, and in our case, maybe the Texas Responsible AI Governance Act down in Austin, it is more about how do we make sure that we are compliant as a byproduct of doing things the right way? Because we've considered the right governance things, we've considered the right things from a risk management standpoint that allow us to really be able to move fast without the fear of running into a sinkhole.
Rebecca Knight
>> Well, I really like the way you're describing this in that having workers, particularly those who are not necessarily coders by design, aware of security risks, but not fearful or anxious about them, not freaked out.
John Sapp
>> Right.
Rebecca Knight
>> So how do you, as the leader at the top, empower people to have that approach to developing and coding? And what have you learned that maybe other organizations can learn, some best practices that have emerged?
John Sapp
>> Sure. I think it all starts with a strategic approach and the organization having an AI strategy. And our organization has one of those whereby... And it doesn't have to be this complicated thing, it's supporting the development of that strategy. And so it's pretty simple for us. It is, how do we improve our overall customer experience or how do we improve our operational efficiency? When you think about things like that as a simple strategy, okay, so now let me align with that. Going back to one of those things that we had to become 20 years ago, being more business aligned, but being able to communicate a message that, "Hey, I'm here to not get in your way, but to enable you to achieve whatever it is you're trying to achieve."
So if you're trying to better summarize your content so that you can revise your meeting based on feedback that you get from the customers, sure, you want them to use AI to do that, but you want to make sure that we provide them with the ability to utilize these things, but not have to worry about it because we in the background, are doing security the way that we always do. When you open up your laptop, you don't worry about whether or not there's endpoint protection on there, right? You know that there is. Somewhere, somehow, somebody has made sure it got there before that device got to you. That's the same thing we're trying to do. And that to me, is the best practice, is from a governance standpoint, capture an inventory of what's being used by the organization, not for the purpose of trying to, if you will, slap them on the wrist, but to identify what they're using it for and help them understand, "Hey, you know what? I want to help you become even better and more proficient at that while also being secure in how you do that." And now you come across as a partner and an ally versus, "Here comes the guard that's here to haul me away."
Rebecca Knight
>> Right.
Paul Nashawaty
>> Yeah, I think it's interesting. I mean, I think what you're touching on is some of the things that came out of the keynote today. Software, the traditional scan and patch kind of model is really not working the way it was. It was working fine back then, but it's not working now. And moving at shifting left, it's really shifting anywhere is really what's happening, right?
John Sapp
>> Sure.
Paul Nashawaty
>> It's like it's not just working, focusing, but developing secure code at the point of build and release versus finding vulnerabilities after the fact, that's kind of where you're going with this.
John Sapp
>> Yeah, that's absolutely it. I think back to a session that I delivered at RSA 2011, it was called Innovations in Application Security. Fast-forward 15 years and we're doing it again, and I think that's where Chainguard comes into play, is they are now the new innovation in AppSec.
Paul Nashawaty
>> Yeah.
John Sapp
>> Back then, we were talking about application security risk management, and that was a concept hard for people to wrap their mind around because they couldn't figure out how to quantify it. But I think what we're able to do with something like Chainguard and being able to identify the software supply chain risk, because this is a risk management exercise. Because as I mentioned, prior to the digital AI era, we were now being asked to be risk managers. And this is one of those risk components where we were doing application risk management, now we're doing AI risk management because it's a different type of application that is in the hands of everyone on all types of devices, right? As you think about that, it is identifying what is the value of the risk that you're trying to mitigate. So to your point about the remediation, if you look at it and say, "Okay, our average cost of remediation," if we looked at all the flaws that our developers remediated over the last, just take the last quarter and we put a dollar value to that, the cost per developer hour spent on that, now we come up with a number and I balance that against the spend that I put on something like a Chainguard, now the return on that investment is very visible. So now that becomes part of the story that I'm telling internally that helps both my leadership understand why we're going down this path, but then all of the innovations and the things that they are doing, think about the things this morning, now it really makes it seem like that was a genius move. But to that point of shift left, shifting even further left and being able to understand where now developers aren't spending time trying to remediate vulnerabilities, they're getting near zero or absolute zero CVEs in that code. So now that time that they spent on remediation is spent on delivering value. And that's what we're all challenged with today, is deliver more value and achieve those outcomes.
Rebecca Knight
>> Finally, we talked a little bit at the beginning of this conversation about what Chainguard represents from your perspective as a CISO. I'm curious about your reactions to some of the new products and announcements and features that came out of the keynote today.
John Sapp
>> Oh, this was one of the best keynotes that I've attended and I've been to a number of them. Just the fact that they clearly have heard the pain points that some of their customers have expressed or things that have come out of conversations that they've had with prospects. And I'll say that the number one thing is the ability to identify all of the different components in that entirety of the life cycle and the automation that goes with it. I will tell you that the gardener was the one thing that absolutely stood out because I'd like to think of it as the landscaper, because landscapers are a little more strategic. Gardeners kind of focus on one thing, so I think about it a little bit broader. But the concept was spot on, that automation. And I was talking to one of our developers here, we've got a pretty good size team from Texas Mutual here, and they are super excited about the fact. We've got someone from development, somebody from our cloud engineering, somebody from security. So we've got all of the different stakeholders, if you will, in this process here, and just that, those announcements answered so many of the challenges and the concerns that we had going in, but it shows that Chainguard could be trusted with the feedback that we gave them.
Rebecca Knight
>> Excellent. Well, great note to end on. Thank you so much for coming on the show, John.
John Sapp
>> Thank you so much. Glad to be back and greatly appreciate it.
Rebecca Knight
>> I'm Rebecca Knight for Paul Nashawaty. Stay tuned for more of theCUBE's coverage of Chainguard Assemble. You're watching theCUBE, the leader in enterprise tech news and analysis.