Balancing Security and Innovation through the Right Means: Insights from ProArch’s CISO–CTO at RSAC 2025
- The Cybersecurity Podcast
At the heart of every digital business today lies an unceasing question: How do you drive technological innovation without compromising security?
The question took center stage at RSAC 2025, where EC-Council Group CEO Jay Bavisi interviewed Ben Wilcox, ProArch’s dual CISO–CTO. Their candid exchange lays out a roadmap for balancing organizational security with the relentless pace of technological change. The conversation covers the “dual hat” approach, the critical role of identity as a security foundation, and how AI serves both as a threat and a safeguard in today’s cybersecurity landscape.
While navigating the dual roles of CISO and CTO, Wilcox gained perspective on the tension between enabling businesses through technology and protecting them from risk. As he puts it, “On one hand, you’re the enabler; on the other, the CISO is often seen as the disabler.” While he favors a business-first approach, he also says that security must be the foundation for everything we do in a business.
Wilcox started his career by providing web hosting services, which evolved into running his own internet-focused business and gradually shifted toward delivering services with a focus on infrastructure, firewalls, and networking. This experience led him into consulting. Ultimately, he joined ProArch and has now been with the company for 18 years, helping shape its security and technology strategy.
Aligning security and business growth
Holding both titles of CISO and CTO places Wilcox at the juncture of innovation and security, two domains that are often at odds.
As CTO, he drives technological advancement and delivers innovative solutions. As CISO, he must ensure that security remains of utmost importance, especially given ProArch’s role as a managed security service provider handling sensitive customer information.
Wilcox acknowledges the inherent conflict between these roles, especially with constant pressure to accelerate product development and enhance functionality. To navigate it, he adopts a business-first approach, drawing on lessons from his time in consulting. He emphasizes a consultative approach that balances what’s best for the business without compromising on standards for cybersecurity, especially identity services and data integrity.
What keeps a CISO awake at night: Protecting data in a 24/7 threat environment
True data protection requires a multi-layered approach, starting with robust data governance tools that manage both structured and unstructured data.
ProArch operates 24/7, relying on multiple threat intelligence vendors and early warning systems to stay ahead of potential breaches and catch their first signs. A critical part of this strategy is what Ben calls “hypercritical vulnerability management,” in which a cybersecurity team prioritizes and remediates the most urgent vulnerabilities, those being actively targeted by threat actors. This allows the IT and security teams to prioritize patching and reduce risk in real time.
Artificial intelligence: An opportunity as well as a risk to cybersecurity
Wilcox believes AI should be seen as both an opportunity and a challenge for an organization. As ProArch develops AI-based applications, it also encounters new risks, such as AI-driven attacks and prompt injection threats. To address these, the team uses advanced cloud detection and attack surface reduction tools to identify the threats and stop malicious activity before it escalates.
As AI-related risks emerge, security operations centers (SOCs) must modernize and adapt to new business strategies to protect sensitive business data within AI-powered applications, ensuring that security keeps pace with technological advancement.
Rethinking penetration testing in the age of automation
AI has been changing the face of penetration testing. Traditionally, organizations had annual or quarterly pen testing schedules. That cadence becomes a problem as AI advances, because an AI attack is usually continuous and relentless. Rather than viewing this as a crisis, Wilcox sees it as an opportunity for innovation in the cybersecurity industry.
Leaders are encouraged to consider this an opportunity to rethink security strategies, adopt dynamic approaches, and put in place continuous testing methods. For CISOs today, meeting the challenge means moving beyond compliance checkboxes to embrace a proactive, always-on approach to security validation.
The need for certification and continuous learning
“Managing a global security team of 50 professionals is not an easy job, especially in an industry that is constantly evolving,” says Wilcox. ProArch looks for candidates who have an inherent urge to learn, particularly those who have pursued certifications such as EC-Council’s Certified Ethical Hacker (CEH) or relevant Microsoft credentials. These certifications are strong indicators of foundational knowledge and a proactive, self-driven attitude.
Practicing the “dogfooding” philosophy
ProArch doesn’t just deliver solutions to customers; it uses them internally, embodying the “dogfooding” mindset. For example, when it develops an AI protection tool, it deploys it internally first to ensure that the technology is battle-tested and effective.
Senior engineers build secure foundations using infrastructure as code (IaC). These foundations are rigorously tested and improved through security assessments and penetration testing, allowing the team to identify and remediate weaknesses in no time. Once that is done, micro-skills gaps are addressed by establishing a secure base and promoting targeted skill development across the team.
Securing investments and bridging the cybersecurity knowledge gap
Sometimes the board or management team members fail to understand the importance and criticality of cybersecurity and the cyber risks associated with their services or products. This creates hurdles for CISOs or the cybersecurity team when trying to secure funds and budget for important security initiatives for an organization.
Wilcox shares that over the past few years he has delivered several presentations to boards on AI-associated risks, building foundational awareness and highlighting both the risks AI could bring to the business, including worst-case financial scenarios, and its potential business benefits. Striking this balance is essential. This knowledge gap between the board and CISOs can make it difficult to justify budgets and explain the importance of the proposed security measures, perhaps until a breach occurs. After an incident of cybercrime, urgency and budget are no longer constraints, but by then the damage is already done.
There are no real quick fixes
Listen in to Jay Bavisi and Ben Wilcox’s CISO & CTO on the Frontline: AI, Identity & The Invisible Cyber War podcast to hear some insightful takeaways, such as the joy of embracing new challenges without fear, learning from not only our mistakes but also our successes, and the fact that there are no real quick fixes in the real world.
For more conversations shaping the future of cybersecurity, subscribe to the Cybersecurity Podcast by EC-Council.




