John Sapp, VP, Information Security & CISO of Texas Mutual Insurance Company, joins us for a captivating discussion at the RSAC 2025 Conference. In this enlightening session, Sapp shares their expertise on the role of artificial intelligence in cybersecurity, the challenges of secure adoption, and the drive for innovation within the industry. The session is hosted by Jackie McGuire, principal analyst from theCUBE Research, alongside Jon Oltsik, a former distinguished analyst.
In this in-depth conversation, Sapp brings their experience as a seasoned Chief Information Security Officer to uncover the truth behind the proliferation of AI technologies. The discussion delves into the expansion of AI across various industries, highlighting its integration into security protocols and potential in streamlining operations. The conversation, led by McGuire with insights from Oltsik, focuses on the significance of secure and responsible AI adoption.
Key takeaways from the session underscore the potential of AI in transforming the cybersecurity landscape. According to Sapp, AI's capabilities extend beyond efficiency, enabling the identification of threats and facilitating seamless security operations. Furthermore, the analysis highlights the evolving skillsets required for modern security professionals, emphasizing critical thinking and practical knowledge in leveraging AI technologies. This insightful dialogue explores actionable strategies for enhancing cybersecurity in an AI-driven world.
John Sapp, Texas Mutual Insurance & Company
Exploring the Role of AI in Modern Cybersecurity: Insights from RSAC 2025
VP, Information Security & CISO, Texas Mutual Insurance
John Sapp, vice president of information security and CISO at Texas Mutual Insurance Company, talks with theCUBE Research’s Jackie McGuire and Jon Oltsik at the RSAC 2025 Conference about the secure adoption of artificial intelligence in cybersecurity. Their discussion explores both the promise and the risks of integrating AI into modern security strategies.
Sapp shares how AI can streamline threat detection and enhance response efforts, but notes that responsible use is key to long-term success. He emphasizes the need for secure deployment practices...
>> Hello, CUBE community, and welcome to RSAC 2025. We are live. I'm Jackie McGuire, practice lead and principal analyst, joined by analyst in residence, Jon Oltsik. And I am very happy today to be joined by the CISO of Texas Mutual Insurance Company, John Sapp. Thank you for joining us, John.
>> Oh, my pleasure. Glad to be back.
Jackie McGuire
>> It's nice when we have a practitioner on the show. Jon was just saying, this is a practitioner, so we're actually going to get some truth and not just marketing.
>> I like to say, I'm going to give you the hype, the hope, and the harsh reality.
Jackie McGuire
>> Yeah. So what are you looking forward to at RSA this year?
>> I think everything is going to be branded AI of some sort, and that's probably the number one thing here, because it's a priority everywhere because there's an explosive use of AI everywhere you go, everything you do, no matter what part of life it is. So there's that part of it. But then it's looking at the things in the innovation sandbox and what's emerging in terms of technology from a security standpoint, and how are we collectively as a community going to come together to protect against the adversaries.
Jackie McGuire
>> I always feel like people don't spend enough time in the villages. I've spoken in the villages a few times. So if you go to DEFCON, if you weren't aware, RSA actually has the same villages at RSA that they have at DEFCON. There's the Dark Arts Village, the Blue Team Village, the Red Team Village. So I feel like people should check those out as well. Would you agree with the sentiment that shadow AI is the new shadow IT? That's what I heard a couple minutes ago.
>> Yeah. And I don't even know that it's shadow AI anymore. It's just AI everywhere. And it doesn't matter whether it is your coffee maker ... I've seen those in the offices, where AI, you literally can talk to it and tell it how to make your own Frappuccino iced latte, whatever it may be. But there's AI in everything we do. So now I think it's come out of the shadow and I guess they're applying kind of the concept of what we did with shadow IT a few years ago. But yeah, it is everywhere because we think about now there's the growth of agentic AI. And there's an agent of AI that's everywhere that does everything. And that's where I'd like to take this conversation, into talking about how do we enable the secure adoption and responsible use of AI.
Jon Oltsik
>> That's just what I was thinking, John. Because I look at healthcare as just a prime industry for AI, not only clinicians, but to get into some of the efficiencies. It's a very decentralized industry.
>> Right.
Jon Oltsik
>> It's 17% of GDP. So what are you seeing in your domain that's interesting or even scary for us-
>> Yeah, I actually had a podcast with some folks maybe about a month ago, and we were talking about this very thing. And it is, you think about AI being used in terms of making diagnosis and the things that go into that, how much more efficient or how many more things could be discovered sooner? Because AI does have the capacity to help with identifying or connecting the dots where maybe a surgeon or a doctor may not be able to. I think about years ago when I was working at McKesson here in San Francisco, we were working on this thing of the concept of a longitudinal patient health record. Imagine connecting all of your different doctor records together so you could literally identify any patterns. So imagine AI being used to look across your longitudinal patient health record to maybe identify something that a doctor missed, that maybe something from your dentist tied in with something your other doctors may not have seen. So I think there's that. There's the diagnosis part, there's the and processing claims.
Jackie McGuire
>> I was just going to mention that, the ability to go vertically as well. So my first adult job was actually at the mental health and substance abuse subcontractor for Blue Cross Blue Shield. So I did a lot of claims processing. And our first attempt at automating claims processing went really wrong, right? There were a lot of very chronically ill people who were denied care and had to appeal. So for me, AI would enable kind of a more personalized automation of claims. So if you can go vertically within the person and make those decisions that are actually long-term more profitable for the insurance company to keep people healthy rather than just being for the average person this service isn't needed. Because that's something, as someone who suffers from a chronic illness myself, it would be really nice not to have to justify everything I need that normal people don't need.
>> Right. Yeah, and you make a great point there. But now we also have to think about the other side of it, because always where there is some good, there's some bad that can come out of it. There are risks associated with it. For years, WebMD became kind of the go-to thing for people to self-diagnose, right? And so now maybe you start applying AI into WebMD and now you start to provide recommendations to the patient or the individual that's doing the searching. And now the question becomes, is there liability associated with that? So that's why I talk about the secure adoption and responsible use. Because we can't make any of this foolproof. There does have to be a bit of common sense applied to it. You can't just say, "Well, AI produced it," because we know there are hallucinations. So we have to be cognizant of that. But I think the good outweighs the bad. It's just hopefully the litigious society that we live in doesn't ruin it for us.
Jon Oltsik
>> And what about regulations? Because healthcare's a very heavily regulated industry. How do you manage that? Because on the one hand, you want to unleash this new technology for benefit for the patient and for efficiency, but on the other hand, you've got security and regs to deal with.
>> Yeah. So there are a handful of states who have already come up with AI bills.
Jon Oltsik
>> Yeah, Colorado, I think.
>> Yeah. And I know Texas is exploring those right now. Nothing has been finalized, but we know it's coming. There are things from the federal government. And then you think about more broadly the EU, their AI bills and all those things. So that's why I talk about the secure adoption. Because AI is just another application. And so there are traditional security measures that have to go into play there that will ... To me, compliance with regulatory requirements becomes a byproduct of doing security right from the beginning.
Jon Oltsik
>> From your mouth to God's ears, John.
Jackie McGuire
>> Yeah, I know. If only it wasn't check the box.
Jon Oltsik
>> Yeah.
>> Compliance is important, but it's a byproduct of doing the right things from a security standpoint. So if we go through this thinking about what are ... There are traditional security measures, but then there are guardrails that you got to have in place because this is an emerging technology. It's still growing and it continues to explode in terms of its growth. So you have to continue to evolve the security measures that you put in place to protect the user of the AI so that there is responsible use. You got to be able to detect bias and ensure safety. And just one quick note on that. When we talk about safety, people automatically think physical safety. As in the way my car's going around, and there's a bad decision and the AI going to get somebody into an accident, right? Yeah, that's part of it. But then there are other measures of safety, mental or psychological safety, harm in terms of ... Let's say the AI makes a decision that denies me access to care. There's currently a case with the FTC right now being reviewed about a consultancy that built an application that makes decisions on eligibility for Medicaid benefits. Well, when the decision is made, benefits are denied. Harm has just been brought about to the person to whom benefits were denied.
Jackie McGuire
>> And with healthcare, you deal with some of the most sensitive things in a person's life.
Jackie McGuire
>> Absolutely.
Jackie McGuire
>> I did customer service for mental health and substance abuse for Blue Cross Blue Shield, and we would ask people every time we talked to them, "Do you think you're going to harm yourself or someone else?" And so when you put that question in the hands of AI and expect it to respond appropriately, that's a lot of risk to take on with regard ...
>> Yes.
Jackie McGuire
>> Or if someone's having a heart attack and they're chatting with your chat bot, and you've got to be able to very quickly tell them, "Actually, no, you need to get to the emergency room as soon as possible." I mean, I think that sometimes we lose touch of the fact that hallucinations might mean a bad answer from ChatGPT for you, but when we're talking about people's lives and it literally has life or death consequences. So I don't know that your position is enviable.
Jon Oltsik
>> Liabilities with that too.
>> It is definitely not an enviable position, but it's one that I embrace because I see myself as a protector, whether it's with my family or within the organization that I'm employed by. My goal and responsibility is to protect our stakeholders internally, externally, and those people who depend on the service that we provide. So that's why I absolutely love this job. I don't know that I'd want any other job. So yeah.
Jon Oltsik
>> That's great.
Jackie McGuire
>> That's probably why you're so good at it too.
Jon Oltsik
>> Yeah.
Jackie McGuire
>> Oh, thank you.
Jon Oltsik
>> Hey, John, let me turn this around because we are at RSA. As a CISO, how much are you looking at AI for security roles, security automation? I mean, I've lived in the security operations world for a long time and we're talking about, well, AI could substitute or at least enhance a level one analyst. So what does that look like in the real world, in your world?
Jackie McGuire
>> I'll tell you, I think it's a fantastic thing. I think AI can certainly help us operate more efficiently, more effectively. And we currently utilize it in our SIEM/SOC environment, because what it does is, now we don't have to worry about alert fatigue. We don't have to worry about an analyst being on the 11th hour of a 12 hour shift and they missed a signal that would've indicated there was an indicator of a compromise that they missed. So now AI can take and leverage threat intelligence to actually find that needle in the haystack a lot sooner than maybe an individual human would be. Or be able to actually where something might be considered a false positive by the human eye, all of a sudden AI can say, "No, no, this is a true positive and here's why." And identify all of those components, connect the dots that we as humans aren't able to. We're utilizing it to be able to identify leaked, compromised credentials on the dark web. And we know those show up every hour on the hour almost, right? And it shows up on the dark web as a credential that's compromised in one of these databases, now all of a sudden that's identified as something, a credential from my organization. Now, AI takes that threat intel, feeds it into an identity threat detection and response capability, and now it's able to take and trigger Active Directory or your identity provider to disable that account, force a password reset, and then the most beautiful part of it all, ensure that reuse never happens again in the lifetime of that identity.
Jackie McGuire
>> Yeah, yeah. I think the statistic I read last year was that the average security analyst needs to know six query languages to do an investigation.
Jon Oltsik
>> Oh, boy.
Jackie McGuire
>> And understanding the difference between ... Just all of the different query languages. Even just that, I mean, I do worry that it'll erode our ability to do those things on our own. But I think there's always room to automate a lot of the crappy parts of our jobs.
Jackie McGuire
>> You nailed something there when you said erode the ability for us to do things on our own. I think one of the challenges that AI is presenting to the next generation of cyber professionals is critical thinking.
Jackie McGuire
>> Yeah. We've already seen it.
Jon Oltsik
>> Yes.
Jackie McGuire
>> And I see it in myself, like in my car. My car does lane keeping for me. I'm probably not as alert driving my vehicle as I used to be. Especially the stretch between Tucson and Phoenix, it's a hundred percent straight. And yeah, I don't know that I'm as alert as I was when I had to drive my own car.
Jon Oltsik
>> See, I'm watching videos at that point.
Jackie McGuire
>> I shouldn't admit that, right? I shouldn't admit that.
Jon Oltsik
>> I've got the video screen there and let the car go.
Jackie McGuire
>> Oh gosh. Speaking of insurance premiums.
Jon Oltsik
>> So John, but that brings up a good question. You're constantly hiring, we've all talked about, and I've done research on the skill shortage. Are there new skills you're looking for in security professionals that maybe two years ago you didn't think about?
Jackie McGuire
>> Well, yeah, there are. And to me, one of those is the critical thinking skill. Yes, the candidate can prove that they're logical in their thinking, they're analytical in their thinking, but critical thinking is one of the most key components of being a security practitioner. Being able to connect a dot that might otherwise not be ... If you aren't thinking about it, if you're just thinking logically and not ... My uncle was the police chief in the city of Tampa years ago, and one thing he taught me was to catch a criminal, you got to think like a criminal. Well, their critical thinking ability to think, okay, so if I were a criminal, how would I go about trying to attack this environment based on what I know? Because we all know environments get scanned all day every day by the adversaries, right? So they're doing reconnaissance. So as they're picking up what they see are gaps in your security or a way in, they exploit it. So if my security practitioner on my staff is not able to do that and apply critical thinking to think like an attacker, well then that's the challenge. But we are now starting to expect that these new practitioners are going to have an understanding of how to utilize AI, and how AI could be utilized in an attack.
Jackie McGuire
>> So it's almost on the employer to be doing CTFs and red team and blue team exercises for fun one day a month, two days a month with your team.
>> Absolutely.
Jackie McGuire
>> Keep them on their toes, keep them functioning in an adversarial and defender way so that they really keep those skills sharp.
>> Couldn't agree with you more.
Jackie McGuire
>> Yeah. All right, John, Jon, thank you so much. This has been a great conversation. This is Jackie McGuire for theCUBE. We are live from RSAC 2025. And we will be back shortly with more insights and information for you. Thank you.