Rate My Rizz

RSA is always a good opportunity to reconnect with industry friends—2025 was no exception. Beneath the marketing avalanche of “AI-enabled everything,” one theme stuck out in conversations with CISOs and defensive leaders: the mounting time and energy spent on cyber audits, reporting, and remediation.

These Enterprise Risk Management (ERM) and Governance, Risk, and Compliance (GRC) efforts are especially demanding in regulated industries. But with mandates like NIS2 and DORA taking effect in Europe—and domestic frameworks like SOX, SOC2, and CMMC still in play—security leaders are spending more time with audit committees than ever before.

Compliance Theater: Starring the Risk Register

In enterprises, defensive resource allocations are often adjudicated by committees and measured by audit progress and the almighty risk register. This means most of the attention (and budget) aligns with avoiding one specific risk: legal or compliance failure (LCF). It’s no surprise that CISOs are often left with a single 15-minute slot each year to brief the board on the other four cyber risk impacts. That’s a missed opportunity.

Board presentation produced by ChatGPT 4o.

Boards need to better understand cyber risk beyond compliance. The “state of rizz” (resilience) depends on more than audit checklists. Point-in-time audits work well for demonstrating regulatory due diligence. If something goes wrong, but the virtual paperwork shows that policies were followed and corrections made, enforcement actions can often be minimized or avoided.

That’s not true for the other risk impacts—operational disruption, financial fraud, brand impairment, and competitive disadvantage. Even after clean audits, the residual risk across these domains remains. Boards need to grasp this difference. And CISOs must continue translating technical risk into business language that supports resilience conversations.

Measuring Rizz: Easier Said Than Sustained

Communicating rizz is momentary. Measuring it is constant. Organizations spend heavily to prevent all five impacts, but security investments tied to the non-compliance impacts often receive less return-on-security-investment (ROSI) scrutiny. That’s where control validation comes in.

Sankey diagram depicting threat categories leading to multiple possible risk impacts. Code produced with ChatGPT o3 and Claude-3.7-sonnet.

Looking ahead (meaning, likely six months from now), AI agents will monitor and challenge other AI agents in continuous loops of control testing and remediation, especially as adversary TTPs evolve daily.

The Automation Angle: Purple Teams and Silver Bullets

Until then, automation in purple teaming, breach and attack simulation (BAS), and exposure validation is the best way to scale defenses without burning out staff.

A growing number of vendors (like Picus) offer automated testing platforms with user-friendly workflows. These platforms aren’t silver bullets, but they help CISOs tell a better executive story.

A silver bullet produced by ChatGPT 4o.

Consider Business Email Compromise (BEC). GRC will enforce controls like phishing simulations and financial separation of duties to satisfy legal or compliance failure (LCF) requirements. But if the CISO is also emulating attacks and testing the actual tech stack—email gateways, MFA, IAM policies—the story becomes richer. It shows intentional, tested resilience against financial fraud risk, not just paper compliance. It’s far more compelling than: “We have an EDR as prescribed in our compliance framework.”
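One way to make the “paper compliance versus tested resilience” distinction concrete is to track, per control, whether it is merely documented for the audit file or has actually been exercised by an emulation or BAS run, and then roll that up by risk impact. The script below is an added example, not code from the original post or from any vendor; the controls, impact mappings, dates and pass/fail results are constructed sample data, and the helper names (`validation_state`, `coverage_by_impact`, `unvalidated_impacts`) are assumptions.

```python
"""Control-validation summary: paper compliance versus tested resilience.

Added example (not from the original post). Every control, impact mapping
and test result below is constructed sample data; the helper names are
assumptions, not any product's API.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# The five cyber risk impacts the post lists.
IMPACTS = (
    "legal or compliance failure",
    "operational disruption",
    "financial fraud",
    "brand impairment",
    "competitive disadvantage",
)


@dataclass
class Control:
    name: str
    impacts: Tuple[str, ...]          # risk impacts this control is meant to reduce
    documented: bool                  # policy/evidence exists for the audit file
    last_test: Optional[date] = None  # most recent emulation/BAS run, if any
    test_passed: bool = False


def validation_state(ctrl: Control, today: date, max_age_days: int = 90) -> str:
    """Classify a control as validated, stale, failed, paper-only or absent."""
    if ctrl.last_test is None:
        return "paper-only" if ctrl.documented else "absent"
    if not ctrl.test_passed:
        return "failed"
    if (today - ctrl.last_test).days > max_age_days:
        return "stale"  # passed once, but older than the validation window
    return "validated"


def coverage_by_impact(controls, today: date, max_age_days: int = 90):
    """Return {impact: {state: count}} so the board story can separate impacts
    backed by recently tested controls from those backed only by paperwork."""
    summary = {impact: {} for impact in IMPACTS}
    for ctrl in controls:
        state = validation_state(ctrl, today, max_age_days)
        for impact in ctrl.impacts:
            summary[impact][state] = summary[impact].get(state, 0) + 1
    return summary


def unvalidated_impacts(controls, today: date, max_age_days: int = 90):
    """Impacts with no currently validated control: the residual risk that a
    clean point-in-time audit does not show."""
    cov = coverage_by_impact(controls, today, max_age_days)
    return [imp for imp, states in cov.items() if "validated" not in states]


# Constructed BEC-style control set (sample data, not real test results).
SAMPLE_DAY = date(2025, 5, 14)
SAMPLE_CONTROLS = [
    Control("phishing simulation", ("legal or compliance failure", "financial fraud"),
            documented=True, last_test=SAMPLE_DAY - timedelta(days=30), test_passed=True),
    Control("financial separation of duties", ("legal or compliance failure", "financial fraud"),
            documented=True),  # audited on paper, never emulated
    Control("email gateway", ("financial fraud", "brand impairment"),
            documented=True, last_test=SAMPLE_DAY - timedelta(days=120), test_passed=True),
    Control("MFA", ("financial fraud", "operational disruption"),
            documented=True, last_test=SAMPLE_DAY - timedelta(days=7), test_passed=False),
    Control("IAM policy review", ("operational disruption", "competitive disadvantage"),
            documented=True, last_test=SAMPLE_DAY - timedelta(days=14), test_passed=True),
]

if __name__ == "__main__":
    for impact, states in coverage_by_impact(SAMPLE_CONTROLS, SAMPLE_DAY).items():
        print(f"{impact:28s} {states}")
    print("no validated control:", unvalidated_impacts(SAMPLE_CONTROLS, SAMPLE_DAY))
```

With the sample data, financial fraud looks well covered on paper (four mapped controls) but only one is both recent and passing, while brand impairment is backed solely by a stale email-gateway test. That per-impact view, rather than a checkmark per control, is the narrative the post argues a CISO should bring to the board.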

Real Rizz Moves: How Live Threat Emulation Beats Paper Promises

To make this real, draw from live TTPs observed in the wild. For example, within the past 90 days (as of May 14, 2025), Recorded Future’s AI Insights flagged dozens of events that could be used as fuel for BAS automation.

Risk Registers Win Audits. Rizz Wins Crises.

If the board only sees traffic light audit checkmarks, they’re missing the real color of cyber risk. That’s why rizz narratives must move beyond compliance and into control validation and business risk translation—before the next threat does it for you.

The rizz game show produced by ChatGPT 4o.