Conference Highlights: Secure World Seattle 2025
The Overwhelming Tide of Vulnerabilities, AI Power, and Cyber Culture
We attended Secure World Seattle to hear from leading cyber experts. Here's what educators and students need to know.
On Nov 5 and 6, we attended Secure World Seattle to learn from Washington's leading cybersecurity experts. We discussed cyber workforce development with CISOs from Nordstrom, HP, PACCAR, and many others. The message was clear: the landscape is evolving at a breathtaking pace, and the education of our next-generation workforce must evolve quickly.
One dominant theme was the double-edged sword of Artificial Intelligence. Defensive techniques must leverage AI-powered tools for detection and response to counter the sophisticated, automated, and rapid assaults launched by AI-empowered attackers. The vendor hall underscored this trend, filled with solutions promising AI-driven defense. The challenge for today's educators and students is learning to swim in a sea of alerts that no human can navigate without automation.
Here are the major takeaways that should be shaping what we teach in Washington’s technical and community college classrooms today.
1. The Vulnerability Tsunami: A Core Challenge for Modern Defenders
The most sobering presentation came from keynote speaker Tim Rains, CISO of ADT and a former security leader at AWS and Microsoft. He presented a stark data-driven reality: we are losing the numbers game.
An Overwhelming Flood: In 1999, the National Vulnerability Database (NVD) saw about 4 vulnerabilities per day. In 2024, that number exploded to 110 new vulnerabilities per day.
Why the Spike? The surge is due to more vendors reporting their own vulnerabilities and, critically, the use of AI to automatically find and report flaws, some of which are genuine, while some are just cluttering the system. This volume is impossible for traditional, under-resourced teams to manage. So, they end up triaging and patching only the critical and high-impact vulnerabilities, of which there has been a 400 percent increase since 2016.
The Zero-Day Reality: According to Google, 2024 saw 75 zero-day vulnerabilities (flaws with no available patch) actively exploited in the wild. More than a third of those targeted enterprise-focused technologies, such as security and networking products. This forces security teams to drop everything to address immediate threats. Some of these have domino effects across multiple industries.
Basic Security Hygiene: The good news, according to a 2023 Microsoft report, is that 99% of attacks can be prevented through basic security fundamentals. These tactics are essential to learn: multi-factor authentication (MFA), Zero Trust, extended detection and response (XDR), staying patched, and protecting data through encryption and backups.
The Classroom Takeaway: While the fundamentals are still essential, we must move beyond teaching manual patching. Students need to master intelligent triage powered by AI and automation. The future defender must be the human at the helm of sophisticated tools, not a manual laborer drowning in alerts. This means our curricula should include hands-on experience with creating and directing cybersecurity AI agents. Students must learn what data to feed these agents, how to task them to look for patterns and correlations across thousands of vulnerabilities, and, most importantly, how to critically interpret and act on their findings. It’s about leveraging automation to do the heavy lifting while applying human judgment to make the strategic decisions. Furthermore, students must understand architectural strategies like immutable, short-lived infrastructure to fundamentally reduce the attack surface and patching burden.
2. AI in Security: From Hype to Practical Application
The AI discussions moved beyond theory into practical challenges and tools.
The AI-Powered Vendor Hall: The expo floor was a live demonstration of AI in action. One of the most impressive tools was EchoMark, which tackles the insider threat. Their AI subtly watermarks internal documents and communications, creating a unique version for each employee. If information is leaked, EchoMark can forensically analyze the leak and pinpoint the source with high accuracy by identifying the specific watermark.
The "Human in the Loop": A central theme from the "Taming AI" panel was that autonomy has limits. Timothy Youngblood, CISO and university professor, stressed that AI agents need guardrails and human oversight. The consensus was that for the foreseeable future, AI will be an assistant for research and reporting, not an autonomous actor making critical security decisions.
What if an AI agent can perform a privacy impact assessment, but you have to give that agent your domain identity in order to proceed? That agent might do something unexpected. Even if you weren't the one pushing the buttons, you gave autonomous permission to the AI agent. Are you comfortable with that? You can't predict for certain what it will do. What if it falls for a prompt injection scheme? - Timothy Youngblood.
The New Attack Vector: "Shadow AI": Panelist Joe Veroneau highlighted the challenge of unsanctioned AI use by employees. The advice for organizations—and a lesson for colleges—is not to block everything, but to "sanction something." Provide approved, secure AI tools to prevent employees from seeking out risky alternatives.
Brian Hileman, Director of Sales Engineering at Cyberhaven, advises scheduling “human in the loop” interventions. Stage automated AI processes that pause for reviews. Don't allow the AI to proceed unchecked. It must stop for an audit, and the human at the helm must decide upon the actions to take.
The Classroom Takeaway: Students need a foundational understanding of how AI and Machine Learning are applied in security tools. Courses should cover topics like behavioral analytics, AI-powered threat hunting, and the ethical implications of AI. Furthermore, they must learn security policies for managing "Shadow AI" in an enterprise.
3. The Unseen Foundation: Building a Culture of Security
Technology is only half the battle. Multiple CISOs, including Alex Di Guicuoni (Sound Transit) and Evan McHenty (Robinhood), emphasized that a strong security posture is built on culture and influence.
Be an Ambassador, Not a Cop: The role of a security professional is to educate and build partnerships across the company. The goal is to move from a "transactional" relationship with other departments (like Audit) to an "educational" one, where they see the security team as helpful advisors.
Influence Over Authority: Security leaders must "influence executives to prioritize security" and stick around long enough to see that cultural shift take hold. Don't just write policy; embed security thinking into every business process.
Know Your People: Bryon Ward (ColorTokens Inc.) pointed out that leaders must know their teams, identify dissatisfied employees, and foster loyalty. The "insider threat" is often accidental, not malicious. Investing in training and making employees feel empowered is a high-return security activity.
Some of your people have the keys to the kingdom. Do you have their loyalty? - Bryon Ward.
The Classroom Takeaway: Our curriculum must include soft skills. Students need courses or modules on communication, influencing without authority, and organizational change management. Modern cybersecurity specialists must be influencers, not just technicians.
4. The Expanding Battlefield: Supply Chain & Proactive Defense
The attack surface has grown far beyond your own network.
Supply Chain is the New Front Line: Brian Denman (SecurityScorecard) noted that 59% of companies have experienced a data breach due to a vendor. Incidents like the CrowdStrike and Snowflake outages demonstrate how a single provider's problem can cause a global domino effect.
We need to look beyond the reactive stance. Define your supply chain. Know your vendors. Why do you trust them? Continually assess them. - Brian Denman.
Defense in Depth is Back (And It’s Deeper): Proactive defense was a key topic. Tom Ertl (Seceon Inc.) and others stressed the need for telemetry and behavioral modeling to detect anomalies. Simple micro-segmentation isn't enough; you need detection capabilities to see when someone moves between segments. He cited an example where an internal server holding all customer information was breached. This server had no access to the external network, but someone on the “inside” ran a port scan. Had the defenders been watching for port scans on internal servers, this would have triggered an alarm.
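An added example, not from the talk or the original article: one way to watch for the internal port scan described above, by counting distinct destination ports per internal source and destination pair in a sliding window. The segment ranges, thresholds and flow-record format are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumptions (hypothetical, not from the talk): segment ranges and thresholds.
SEGMENTS = {"workstations": ip_network("10.10.0.0/16"),
            "customer-db": ip_network("10.50.0.0/24")}
WINDOW_SECONDS = 60    # sliding window length
PORT_THRESHOLD = 10    # distinct ports on one host that count as a scan

def segment_of(ip):
    """Return the name of the internal segment containing ip, or None."""
    addr = ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def detect_internal_scans(flows):
    """flows: time-ordered (epoch_seconds, src_ip, dst_ip, dst_port) tuples.
    Returns one alert per (src, dst) pair, raised when the threshold is first met."""
    recent = defaultdict(deque)   # (src, dst) -> (ts, port) entries inside the window
    alerted, alerts = set(), []
    for ts, src, dst, port in flows:
        src_seg, dst_seg = segment_of(src), segment_of(dst)
        if src_seg is None or dst_seg is None:
            continue              # this detector only covers internal-to-internal traffic
        key = (src, dst)
        window = recent[key]
        window.append((ts, port))
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()      # expire entries older than the window
        ports = {p for _, p in window}
        if len(ports) >= PORT_THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({"time": ts, "src": src, "dst": dst,
                           "src_segment": src_seg, "dst_segment": dst_seg,
                           "distinct_ports": len(ports),
                           "crosses_segments": src_seg != dst_seg})
    return alerts

def sample_flows():
    """Constructed sample data: a normal database client, a burst of probes,
    and a source that touches many ports but spread over a long period."""
    app = [(1000 + i * 30, "10.10.4.20", "10.50.0.5", 5432) for i in range(20)]
    scan = [(1200 + i, "10.10.7.99", "10.50.0.5", 20 + i) for i in range(25)]
    slow = [(1000 + i * 120, "10.10.8.1", "10.50.0.5", 8000 + i) for i in range(12)]
    return sorted(app + scan + slow)

if __name__ == "__main__":
    for alert in detect_internal_scans(sample_flows()):
        print(alert)
```

Only the burst from 10.10.7.99 raises an alert. The third constructed source stays under a fixed 60-second window, which is the gap that the longer per-host baselines of behavioral modeling are meant to cover.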
The Classroom Takeaway: Students must be taught to think systemically. Courses on third-party risk management, cloud security, and defense-in-depth strategies are critical. They should graduate understanding that security isn’t just about protecting your perimeter, but understanding and managing the security of every link in your supply chain.
Educating the Next Generation: A Call to Action
The conversations at Secure World Seattle paint a clear picture for cyber educators in Washington. We are training students for a fight that is increasingly automated, pervasive, and human-centric.
Our programs must blend deep technical skills in AI and cloud security with the critical human skills of influence and communication. We must teach them to manage an overwhelming flood of vulnerabilities, scrutinize an extended supply chain, and build the cultural resilience that is the true foundation of any secure organization.
The future of Washington’s cyber workforce depends on the foundation we build today. Let's ensure it's rock solid.
For more information on integrating these concepts into your curriculum, contact the Cybersecurity Center of Excellence.
