CISO FireSide Chat : A CISO's Guide On How To Manage A Dynamic Attack Surface With Rick Doten (VP - Information Security, Centene Corporation)

In today’s hyper-connected world, the cybersecurity landscape is no longer defined by fixed perimeters. For CISOs, managing a dynamic, ever-expanding attack surface has become a critical challenge. In a compelling fireside chat hosted by CISO Platform, Rick Doten, VP of Information Security at Centene Corporation, joined Erik Laird, VP North America at FireCompass, to explore practical strategies and executive-level thinking required to stay ahead of evolving threats.

The session offered rich insights into achieving real-time visibility, driving risk-based prioritization, and embracing AI-led continuous validation—all essential components for a resilient cybersecurity strategy.

 

Key Highlights

1. Attack Surface Visibility
Doten emphasized that real-time visibility across assets—including cloud, shadow IT, and acquisitions—is no longer optional. Security leaders must align technology with business context to understand what matters most and how to respond swiftly.

2. Continuous Security Validation
Static, point-in-time assessments are no longer sufficient. The shift to continuous testing through AI-powered tools means exposures are discovered, and can be remediated, before an attacker uses them. Rick stressed that vulnerability discovery is the easy part; fixing is the bottleneck.

3. AI, Automation & Smart Tooling
AI is revolutionizing security operations—from red teaming to automated detection and response. Rick cautioned, however, that controls, governance, and ethical boundaries must evolve in tandem to avoid unintended consequences from agentic AI.

 

About the Speakers

  • Rick Doten (VP, Information Security – Centene Corporation)
  • Erik Laird (VP – North America, FireCompass)

 

Listen To Live Chat (Recorded): Featuring Rick Doten (VP - Information Security, Centene Corporation)


 

CISO Executive Summary (Strategic Takeaways)

1. Security Prioritization Requires Business Context

Doten urged CISOs to move away from technical severity alone (like CVSS scores) and instead evaluate issues based on their business impact. A vulnerability's priority isn't determined by how critical it looks on paper, but by how it affects key systems, data sensitivity, and operational continuity.

"Security people don’t fix things—IT people do. And business decides what gets fixed, not the CVSS score."

2. Process is Power: Governance is the Glue

Too many organizations lack structured processes to handle vulnerabilities or IT risks. Doten pointed out that successful programs rely on strong governance mechanisms that link business priorities with security recommendations—often through steering committees or decision bars.

3. The Role of the Board: Visibility & Confidence

Boards don’t need technical detail—they need assurance. Can you see everything? Can you respond quickly? Doten recommends that CISOs build risk dashboards tied to business KPIs and frameworks (NIST, ISO, CIS Controls) to communicate confidently at the board level.

4. AI and Agentic Systems: A New Risk Vector

While AI enhances capabilities, it also introduces new risks—especially with autonomous agents. Doten compared it to “an unlimited number of interns with unlimited time,” who may act in unexpected ways without clear guardrails. He advocated for ethical models and layered oversight during AI decision-making processes.

5. Metrics and Measurement Define Maturity

One of the first things Doten advises for new CISOs is to choose a program framework and define how success will be measured—whether that’s NIST CSF, ISO, or another industry standard. This builds clarity, maturity, and accountability across all levels of the organization.


 

Conversation Highlights

1. Security Through Storytelling
Rick’s background in English literature lends him a unique communication style. He attributes much of his career success to storytelling, analogies, and bridging gaps between tech and business audiences.

2. From Detection to Fixing: The Human Bottleneck
While tools can detect vulnerabilities at scale, remediation remains slow due to resource constraints, complex dependencies, and legacy change control processes.

3. Rebuilding Credibility with IT and DevOps
Doten emphasized the need for humility and partnership. CISOs must shift from alarmist messaging to collaborative risk framing. “My role isn’t to say fix this—it’s to explain the risk so business can make the decision.”

4. Community as a Core Security Strategy
One of Rick’s final recommendations? “Lean into your peer network.” He believes sharing knowledge across unbiased CISO communities is the most powerful way to overcome today’s cybersecurity challenges.



Question & Answer

1. What would be your suggestion for any startup company for implementing security where security structure is still to be implemented? 
Employment fraud (staff who are either outsourcing their role or working at multiple companies); observability and security of agentic AI; data governance (not DSPM, but the governance of the data that might be controlled by DSPM).

2. From a CISO's perspective, what are the key considerations and essential steps for establishing an AI governance framework and its associated review process, particularly when managing diverse application teams' AI initiatives?
An inventory of all AI use, logging the business areas it relates to and the types of actions or decisions it makes. Catalog based on AI implementation type (public LLM, internal LLM, agentic AI, AI embedded in SaaS, AI embedded in tools, etc.), and overlay the risk of the action it is taking to set security control and audit requirements.

3. Automation and AI are key to scaling ASM but how do you mitigate the risk of automation bias, where teams blindly trust AI outputs without adequate scrutiny? What guardrails do you recommend?
As with any third-party process, there can't be complete trust until enough time has passed and enough reliable action has occurred for it to be trusted; so in the meantime there needs to be a human in the loop, a data QA step, and observation of what prompts or commands are assigned to these agents to understand where there might be misalignment.
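As an added example (not code from the talk, and not a FireCompass or Centene tool), the gate below puts the guardrails in this answer into Python: a human stays in the loop until an agent has built a track record for a class of action, a data QA check runs before any action regardless of trust, and commands outside the agent's assigned scope are rejected and logged as a misalignment signal. The action classes, the trust threshold and the QA rule are assumptions constructed for the example.

```python
"""Graduated-trust gate for actions proposed by an AI agent.

Added illustration; assumptions: each proposed action is tagged with an
action class, the agent's assigned prompts/commands define the set of
classes it should ever produce, and a human (or data QA step) reports
whether each reviewed action was correct.
"""
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

# Verified-correct actions in a class before that class may run unreviewed (assumed value).
TRUST_THRESHOLD = 20


class AutonomyGate:
    def __init__(self, assigned_scope: Set[str],
                 qa_checks: Dict[str, Callable[[dict], bool]] = None):
        self.assigned_scope = assigned_scope        # classes the agent's command set should produce
        self.qa_checks = qa_checks or {}            # per-class data QA predicate on the payload
        self.verified_streak = defaultdict(int)     # consecutive human-verified actions per class
        self.misalignment_log: List[Tuple[str, dict]] = []

    def decide(self, action_class: str, payload: dict) -> Tuple[str, str]:
        """Return ('reject'|'review'|'auto', reason) for one proposed action."""
        # Anything outside the assigned scope means the agent is doing something
        # its prompts/commands never asked for: block it and keep the evidence.
        if action_class not in self.assigned_scope:
            self.misalignment_log.append((action_class, payload))
            return ("reject", "out_of_scope")
        # Data QA runs before the trust check: even a trusted class gets a
        # human when the payload fails validation.
        qa = self.qa_checks.get(action_class)
        if qa is not None and not qa(payload):
            return ("review", "qa_failed")
        if self.verified_streak[action_class] >= TRUST_THRESHOLD:
            return ("auto", "trusted")
        return ("review", "building_trust")

    def record_review(self, action_class: str, correct: bool) -> int:
        """Feed the human/QA verdict back; a single wrong action resets the streak."""
        if correct:
            self.verified_streak[action_class] += 1
        else:
            self.verified_streak[action_class] = 0
        return self.verified_streak[action_class]


def ticket_payload_ok(payload: dict) -> bool:
    """Constructed QA rule: a ticket must name an asset and use a known severity."""
    return bool(payload.get("asset")) and payload.get("severity") in {"low", "medium", "high", "critical"}


def build_demo_gate() -> AutonomyGate:
    # Constructed scope: this agent is only supposed to rescan assets and open tickets.
    return AutonomyGate(assigned_scope={"rescan_asset", "open_ticket"},
                        qa_checks={"open_ticket": ticket_payload_ok})


if __name__ == "__main__":
    gate = build_demo_gate()
    print(gate.decide("delete_dns_record", {"zone": "example.com"}))     # reject: out of scope
    print(gate.decide("open_ticket", {"asset": "", "severity": "high"}))  # review: QA failed
    print(gate.decide("rescan_asset", {"asset": "web-01"}))              # review: no track record yet
    for _ in range(TRUST_THRESHOLD):
        gate.record_review("rescan_asset", True)
    print(gate.decide("rescan_asset", {"asset": "web-01"}))              # auto: trusted
```

Two design points follow directly from the answer: trust is earned per action class, not per agent, so a streak of correct rescans buys nothing for ticket creation; and the misalignment log is the artifact a reviewer reads to see whether the prompts or commands handed to the agent are producing actions nobody assigned.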

4. ASM tools generate hundreds of alerts daily. How do you translate those into business‑level risk signals? What criteria do you present to the board to decide which risks are mission‑critical versus noise?
Based on the platforms that would have the largest business impact if they were compromised or unavailable. Formally, this would come from a Business Impact Assessment (BIA), but most don't have the time or resources to conduct or maintain that process. So query the business owners: which platforms are most critical, which data is most critical and why (confidentiality, privacy, quality, etc.), and what would "a bad day" look like. Anything that could contribute to that "bad day" becomes the highest risk. And understand that it will change over time.
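The ranking described in this answer and in the first executive takeaway (business impact over CVSS, with "bad day" contributors at the top) can be made concrete. The Python below is an added illustration, not code from the talk or from FireCompass: the asset attributes, the weights, and the sample assets and findings are all constructed for the example, and the point it shows is that a 9.8 on an isolated dev box can legitimately sit below a 7.5 on the internet-facing platform the business owners named first.

```python
"""Business-context vulnerability prioritization.

Added illustration; assumptions: each asset carries the business owner's
answers (criticality, data sensitivity, whether it feeds the "bad day"
scenario) plus an exposure flag from attack-surface discovery, and each
finding carries a CVSS base score. The weights are made up for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Asset:
    name: str
    business_criticality: int   # 1 (minor) .. 5 (top platform), from the business-owner query
    data_sensitivity: int       # 1 (public) .. 5 (regulated PHI/PII)
    internet_facing: bool       # from attack-surface discovery
    bad_day_contributor: bool   # would compromise or outage produce the "bad day"?


@dataclass
class Finding:
    id: str
    asset: Asset
    cvss: float
    exploited_in_wild: bool = False


def business_risk(f: Finding) -> float:
    """Score a finding by business impact; CVSS is scaled, not used on its own."""
    a = f.asset
    impact = (a.business_criticality + a.data_sensitivity) / 2   # 1..5
    likelihood = 1.0
    if a.internet_facing:
        likelihood *= 2.0     # reachable by anyone on the internet
    if f.exploited_in_wild:
        likelihood *= 1.5     # attackers are already using it
    score = f.cvss * impact * likelihood
    if a.bad_day_contributor:
        score *= 2.0          # anything that feeds the "bad day" goes to the top
    return round(score, 1)


def cvss_order(findings: List[Finding]) -> List[str]:
    """What a pure CVSS-driven queue would look like, for comparison."""
    return [f.id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def remediation_queue(findings: List[Finding]) -> List[Tuple[str, float, float]]:
    """(finding id, CVSS, business risk) in the order IT should fix them."""
    ranked = sorted(findings, key=business_risk, reverse=True)
    return [(f.id, f.cvss, business_risk(f)) for f in ranked]


# Constructed sample: a dev CI box, an internal wiki, and the member-facing claims portal.
DEV_JENKINS = Asset("dev-jenkins", 2, 1, False, False)
HR_WIKI = Asset("hr-wiki", 3, 3, False, False)
CLAIMS_PORTAL = Asset("claims-portal", 5, 5, True, True)

SAMPLE_FINDINGS = [
    Finding("F-1", DEV_JENKINS, cvss=9.8),
    Finding("F-2", CLAIMS_PORTAL, cvss=7.5, exploited_in_wild=True),
    Finding("F-3", HR_WIKI, cvss=8.1),
]

if __name__ == "__main__":
    print("CVSS order:    ", cvss_order(SAMPLE_FINDINGS))
    print("Business order:", remediation_queue(SAMPLE_FINDINGS))
```

The asset attributes are the part that has to come from the business, not from the scanner; the answer above is explicit that this is a standing query of business owners rather than a one-off, so the asset records need an owner and a review date, and the queue must be recomputed when they change.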


 

Conclusion

This session redefined how leaders should approach the attack surface—from one-off scans to real-time, AI-supported risk frameworks. Rick Doten’s insights provided a blueprint for transforming cybersecurity into a business-aligned, continuously validated function.


 

Future Directions

The attack surface will only continue to grow with digital transformation, cloud, and AI. CISOs must be prepared not just to defend but to measure, communicate, and mature their programs with clarity and confidence.

Community Manager, CISO Platform