The Cybersecurity Podcast
Welcome to The Cybersecurity Podcast by EC-Council, where those shaping the future of cybersecurity take center stage.
Created to raise awareness & spark meaningful dialogue about cybersecurity, this podcast dives into the stories, behaviors, and first-hand experiences that shape our digital world.
Hosted by EC-Council Group President Jay Bavisi, each episode unpacks not just what's happening in cybersecurity, but why it matters to all of us.
From ethical hacking to social engineering, cyber policy to personal journeys, this podcast brings together leaders, practitioners, and individuals shaping the industry for conversations that are bold, insightful, & impossible to ignore.
Get fresh and exclusive perspectives, insights, and stories straight from the experts shaping cybersecurity today.
Whether you're a practitioner, a policymaker, or just cyber-curious, this is your front-row seat to real talk from those on the frontlines.
Jay Bavisi on AI, Cybersecurity, and the HUGE Talent Gap (RSA 2026)
Artificial intelligence is evolving at an unprecedented pace, but is cybersecurity keeping up?
In this exclusive interview from RSA 2026, Amber Pedroncelli sits down with Jay Bavisi (CEO of EC-Council) to break down the biggest challenges facing cybersecurity leaders today. From AI adoption to governance gaps, the conversation reveals why organizations may be moving faster than they can securely manage.
Key insights from this interview:
• Why AI is outpacing cybersecurity frameworks
• The shocking stat: only 18% of major companies have AI governance in place
• How CISOs are being "steamrolled" by rapid AI adoption
• The growing AI cybersecurity talent gap
• Why some jobs will disappear, but many new roles will be created
• The biggest risks: prompt injection, data poisoning, and AI attacks
• Introducing the ADG Framework: Adopt, Defend, Govern
As AI reshapes industries, cybersecurity professionals must adapt quickly, or risk falling behind. This discussion explores what organizations must do now to secure the future of AI.
About the Speaker
Jay Bavisi is the CEO of EC-Council and a global leader in cybersecurity education and workforce development.
SPEAKER_01: Welcome everybody. I am Amber Pedroncelli here from the Global CISO Forum at RSA 2026. And I'm here interviewing Jay Bavisi, CEO of EC-Council Group. Thanks so much for taking the time, Jay. I know this is a crazy week for you.
SPEAKER_00: It's been insane, but thank you for having me, Amber.
SPEAKER_01: Yeah, this is great. I mean, I've done a little bit on the floor. Have you been to all the booths yet?
SPEAKER_00: It's dizzy. Yeah. Right? The amount of booths that are here, we've always talked about cybersecurity, but if you look at the talk tracks, 40% of the talk tracks are all about artificial intelligence. So Right.
SPEAKER_01: Every booth, it seems like, is highlighting their AI that they have embedded in their product or the service. Tell me your thoughts on AI and security.
SPEAKER_00: Yeah, I mean, not only is every booth talking about AI, because you know, from a perception standpoint, if you don't have AI, you're kind of outdated. Right. There are many companies that are adding AI to their name. You know, and that's understandable. I think the challenge that we have is that last year at RSA, the entire theme was about companies rushing to use AI and implement them as quickly as they can. Right. But if you think of cybersecurity, well, cybersecurity has always been an afterthought as well for many, many years. So we as a community rushed in building applications, network systems, we wanted efficiency, and then we say, oops, we forgot cyber, and then came cyber, the era of cyber. We're repeating the same mistake with AI. We're rushing with the use of AI, but we're not thinking through the implications of AI and cybersecurity with artificial intelligence. So that's very concerning.
SPEAKER_01: Yeah, it seems like the same story every time there's new tech. But AI feels different. I mean, I know wireless took us one place, cloud was the next thing, mobile security, but AI does feel maybe it's just because we're living through it currently.
SPEAKER_00: No, I beg to differ. I'll tell you it may feel different. It is different. Let me give you a contextual point. It cost humans about three 250 billion dollars to send Neil Armstrong to the moon based in today's inflationary rate, right? I mean, 1960s to today, yeah, approximately 250 to 80 billion US dollars. This year alone, according to a McKinsey report, we're gonna spend between 2.5 to 4.5 trillion US dollars this year alone in artificial intelligence. So it should not just feel different, it is different. The amount of focus that we are putting on artificial intelligence, the way corporate companies are spending on artificial intelligence is absolutely dangerous. But not just that, if you take a look at some data out of Fortune 500 companies, 84% of Fortune 500 companies actually discuss AI in their 10-K filings, right? But do you know what's the percentage of these Fortune companies that actually have a full-fledged AI governance model that is implemented? Take a guess.
SPEAKER_01: I want to say all of them, but I'm guessing it's a lot lower than 100%. 18%.
SPEAKER_00: One in five companies on the Fortune 500 actually have a full-fledged. So I think this is an era where it's developing very rapidly, and this is something understandable considering the amount of money that we are pouring, but there's a tremendous amount of danger with the way we are governing AI.
SPEAKER_01: Or not governing.
SPEAKER_00: Or not governing AI as the data actually points out.
SPEAKER_01: Yeah. At the upcoming Global CISO Forum in October, it's gonna be a hot topic because we're talking to the security leaders about things that really impact their day-to-day. And, you know, they're all trying to play catch up. Sometimes they're the last to know their company's adopting AI. You know, I've heard from many of my executives on my committees that, you know, they're kind of being steamrolled by it. So we're gonna have a lot to discuss in October about how to implement frameworks, you know, trying to get ahead of it, but then also after the fact.
SPEAKER_00: Actually, that's a very valid point that you raise. I kind of feel sorry for CISOs, to be honest, because the chief information security officers have traditionally been dealing with infrastructure, cloud applications, the standard protocols and surfaces that we've been used to. And now comes a new era called AI. And it's almost thrown on to say that we, the, you know, the community within an organization responsible for implementation of AI, whoever they may be, they might be program managers, they might be the CIO's office, but then you, the CISO, are responsible for protecting it. But then comes the question: how many red teamers are actually prepared with, uh, testing AI models? How many red teamers are certified to actually test AI models? What kind of governance frameworks do we have within an organization for implementation and governing of AI? So these are all the questions that are actually thrown to CISOs and say you just go manage it, which is why you know I say it's an afterthought, and that's exactly the dangerous point that we are at right now. So I think CISOs have a lot of evolution to do in making sure that they adopt the entire practices on how to deal with the defense of artificial intelligence.
SPEAKER_01: Yeah, I mean, the details of AI are changing weekly, it seems like the capabilities are always one step ahead. Do you think there's gonna be an overarching framework or something that CISOs can kind of use to build their AI security programs?
SPEAKER_00: That's a very good question. So let's talk about it from numbers, right? I'm a numbers guy. EU has launched the EU AI framework, right? NIST has got the AMF framework. They've got ISO 40201. Apart from the European Union that is mandating these frameworks, the utilization of the EU AI framework, uh, otherwise you get fined, right? If you violate it, you get fined. Right. The ISO 40201 and the, uh, NIST frameworks are all recommended at this point in time. Right. 72 countries across the globe already have some AI framework in place, and by 2027, this will all get mandated. Right? So all of the organizations that are utilizing AI today think and you know, thinking that, hey, this is going to be great. You know, we live in a capitalist market, it's nice to have AI, and you know, you'll be selling your shiny objects even more, you get a lot of investor confidence, but the boards are going to be required to implement some form of a framework. The SEC is certainly going to implement a requirement to have an AI framework implemented as of the governance of organization. So we will have to rethink about how are we adopting, how are we defending, and how are we governing AI? So just think about the implementation of AI in an organization today, right? Organizations would get pressured, you know, either top-down, bot down, CEO down, to say we need to have AI implementation, we're gonna cut costs, we're gonna put in agentic AI agents because it's good for productivity. But who is thinking about, well, well, if the implementation is not done correctly, how do we back back, how do you take back steps, right? Yeah, how do we deal with cybersecurity? How do we deal with procurement? How do we deal with third-party risk mitigation? Because a lot of these are third-party tools that we have been using. How are we dealing with data protocols, right? At the same time, AI is getting, you know, attacked. There's prompt injection, there's LLM model takeovers, there's, uh, there's data poisoning.
SPEAKER_01: Agentic AI.
SPEAKER_00: Agentic AI, all of these things are happening. So I really think we gotta put some structure in place and governance is coming. It's just a matter of time. And organizations and I think the C-suite need to get ahead of themselves and say, we need to have a team that is able to be certified to actually deal with the governance of AI for the safety of the organization.
SPEAKER_01: Super important for CISOs. The training within their teams has always been paramount because it's a fast-moving industry. But now it's so much faster. And there's this huge new category that they need to get their whole teams trained on. And right now it feels a little fragmented on how to do that.
SPEAKER_00: Yeah, and you're right. And this is why over the last year, EC-Council invested a tremendous amount of time and research dollars in bringing some of the largest thinkers in AI together as part of our AI advisory committee. So we have the AI mind behind large insurance companies, Prudential and Banks, JP Morgan and Microsoft and Salesforce, and they're all sitting on our advisory committee. And we've been debating about how we can make the community better and how do we actually train organizations and help organizations govern AI frameworks better. And I'm pleased to announce that you know, in a couple of weeks, EC-Council will be launching the ADG framework. The adopt, defend, and govern framework. It's free for the community. It has got some of the biggest minds behind it that have helped us write this. We are so grateful to the advisory committee members that work so hard in getting us a piece of framework that can be used as a blueprint in trying to drive cybersecurity and a governance model in an organization.
SPEAKER_01: Incredible. Do you mind if I pivot to the job market?
SPEAKER_00: Sure, please.
SPEAKER_01: Yeah, so the industry is struggling right now to find enough people who understand AI. Do you see a talent gap widening? I know we've been hearing about a talent gap in cybersecurity for years now. Do you think AI is helping that or hurting that?
SPEAKER_00: I think that's a brilliant question. You know, before even AI came into the mix, right, the cybersecurity market itself had a more than four million job market gap. Right. So we're already dealing with a talent shortage across the cybersecurity industry. Now the attack surface has just changed and exploded because now you have AI agents that are running around in the wild. I think AI will eat some jobs. For example, in the security operator center, the L1 jobs and now L2 are almost vanishing. Right. Because AI agents are able to do that job much better, efficiently, and a lower cost. However, I don't think that the job market is going to vanish. I think it's going to is actually going to explode. Okay. Because the number of cybersecurity professionals that we're going to require with AI is going to be much higher than without AI. The only difference will be that the cybersecurity professionals that we have to build will be those with a higher capability and higher demonstrable ability to be able to secure organizations. And this is where a lot of the work of EC-Council is actually coming in, in making sure that we build that kind of talent pipeline. So I think the job of help desk operators will probably go away because we have now chatbots and all that. Or shall I say reduce significantly?
SPEAKER_01: Yeah.
SPEAKER_00: But when we talk about digital forensics experts, we talk about ethical hackers, certified ethical hackers that are specialized in testing LLM cybersecurity. When we talk about governance professionals around responsible AI governance and ethics, we talk about AI program managers. We talk about offensive AI security professionals that are specialized as red teamers to attack AI agents for defensive measures. I think those jobs are all going to be created. So there's going to be a tremendous amount of opportunity coming our way. Okay.
SPEAKER_01: Yeah, I'm interested to see how it goes. You know, as some jobs are eaten, what jobs have to be kind of added to manage the AI? It's going to be really interesting to see how it shakes out.
SPEAKER_00: Yeah, I mean, look, humanity has always dealt with that change, right? Maybe 100 years ago we were all riding horses and then, you know, Ford and the engine. Yeah. And guess what? You know, uh, horse riding still exists, but it's for recreation. But now we've moved on and everyone's driving. Driving, we're going to driverless cars. Right. So I think each time this happens, I mean, that's a metaphor, but in cybersecurity, the same thing. We just have to retrain ourselves in dealing with the risk at that point in time. And what's happening right now with AI is just going to create a tremendous amount of employment opportunities for the right professionals who are able to demonstrate that they're able to help organizations.
SPEAKER_01: Amazing. So can you go a little deeper into your ADG framework? I hadn't. What exactly how does it help CISOs get their arms around this whole problem?
SPEAKER_00: Sure. So that's a great question. A lot of our enterprise customers have been coming to us and saying, look, you know, we are under tremendous pressure from the board that we need to have AI. Right. Now, some of them have gone on and added chatbots and they call it AI. Some of them have put on a ChatGPT plugin, they call it AI. I mean, that's a whole different conversation. But there are many that are AI native platforms. Now, when you implement AI in an organization and the race is on, if you think about the mid-sized markets, I mean, forget the large markets that are well regulated and you know they are well staffed, but take a look at the mid-size and the small businesses. They're all using AI. But who is questioning about changing the security awareness? The security awareness program that we've been doing for the last 20 years has been around.
SPEAKER_01: That's not gonna work anymore.
SPEAKER_00: It's not gonna work anymore. Because it's fundamental. We teach them what is phishing, what is vishing, what's a Wi-Fi, what's encryption, right?
SPEAKER_01: Right.
SPEAKER_00: But now we've got to think about all right, how am I gonna use AI securely? Right? What kind of data privacy factors are to think about? Right? What is, you know, what is prompt injection, right?
SPEAKER_01: These are the kind of principles end users are gonna have to know about prompt injection.
SPEAKER_00: They have to understand that this is a possibility so that they are always keeping it at the back of their mind. They need to understand that LLMs can be poisoned, they need to understand, right, that these models are not necessarily always secure. So they need to appreciate that they are one of the stakes in this entire ecosystem. So that's one. Then when you implement an AI protocol or an AI program, how are you thinking about governance? How are you thinking about in application? We're taking a CI/CD pipeline. How are we thinking about an implementation of AI in an organization? Right? Who is responsible? Do we know what's the escalation matrix? Are we taking a RACI matrix in implementation program? What about program management? Right? Who owns the AI? Is it a CIO? Is it a CISO? Is it a CEO? Is it a program manager? These are questions. What kind of policies that, uh, that a company has in place for this AI? If you're using third-party vendor management, who is doing third-party risk management? Right. This entire area requires deep training. And for that, EC-Council has launched a certified AI program manager to help professionals think through the implementation of AI. And then when you implement AI, who is regularly testing and red teaming the AI models for all of those things that I've talked to you about? And for that, we've launched certified offensive AI security professionals. The idea is to uplift the cybersecurity professionals, the certified ethical hackers, and the pen testers that we have into LLM cybersecurity. And finally, to all of the governance professionals that we have. We've been thinking of ISO 2701. Well, guess what? 72 countries have already implemented AI frameworks. It's coming. Right. So the governance professionals will now have to be retrained into AI, responsible AI governance and ethics area. And for that, we have launched the certified responsible AI governance and ethics certification to help risk management professionals understand how to de-risk an AI organization.
SPEAKER_01: Right. Now, how do you feel about companies that have AI that are actually involved in risk and compliance? So if you're using AI.
SPEAKER_00: Well, yeah. Yeah. And in fact, I've walked the floor and I've seen companies that say that we can actually help. The first question I'll have to ask these companies is that who are your professionals that are behind this? Which framework should I map to? Yeah. And remember the AI is changing every, at least is doubling every three months. AI escape is doubling every three months. It's changing every day. I mean, by the time I started this interview session, by the time I've ended, something new has already happened. So it's the word I can pick is dizzying. It's so dizzying to be able to see it move so rapidly. So, sure, I mean, all ideas and thoughts are definitely welcome. But the bottom line is the same thing. You cannot outsource the security, the risk will always remain with you. So, same thing with governance. You can use any platforms out there, and that's great. The risk belongs to the organization. So it comes to the pivotal question: who in your organization is certified with responsible AI, governance, and ethics? Right. Right? Where is that department and what's the reporting structure? And how intelligently can you speak to your board and report to your board and your regulators and your stakeholders? I think that's the era that we're heading right now.
SPEAKER_01: Yeah, that really means the danger would be over-AI-ifying too many things. And AI can't be held accountable, so it shouldn't be responsible.
SPEAKER_00: I like the way you say over-AI-ifying, right?
SPEAKER_01: That's a brand new hot off the press.
SPEAKER_00: You should have a trademark on the word. Yeah, but that's great.
SPEAKER_01: I mean, you have to have a human that's ultimately responsible for the actions of the AI. And somebody who understands what it's set up for.
SPEAKER_00: And we live in a world, Amber, where AI now have their own social networks, right?
SPEAKER_01: They can social engineer us now.
SPEAKER_00: They can social engineer us. AI, I would just think about it for a while, right? AI is their own social network. AI is now able to blackmail human beings, right? Right? Because of the way you interacted with them and that they did not like. Yeah. And on the other end, we are building robots. So when robot engineering matches AI, you're going to have humanoids. That's the direction that we as a humanity with this direction.
SPEAKER_01: Not even far-fetched. It doesn't feel that far away.
SPEAKER_00: Star Wars is not as far as we thought it was.
unknown: Yeah.
SPEAKER_01: Wow, it's an incredible thing to try to visualize how the industry is moving. But I think the more we talk, the more I'm coming to the conclusion that being in security is kind of AI proofing your career.
SPEAKER_00: Absolutely. I think this is a phenomenal time to be in cybersecurity. Yeah. And of course, not for everybody, to those that are willing to invest in themselves, to those that are willing to uplift themselves and make sure that they're able to help organizations because organizations need a tremendous amount of help. And professionals that are qualified with AI credentials are actually paid 56% more. That was actually a report I was waiting. So they're paying significantly more because this talent is rare. And so, yeah, I think it's a good time for cyber professionals to uplift themselves and to actually be able to help organizations deal through this new maze called artificial intelligence.
SPEAKER_01: Thank you so much, Jay.
SPEAKER_00: Thank you for having me, Amber.
SPEAKER_01: I'm afraid I'm gonna have to send you back out on the vendor floor.
SPEAKER_00: Thank you very much, Amber. Thank you.
SPEAKER_01: Thanks for being here. Thanks back.
SPEAKER_00: All right.