Former CISA Director Jen Easterly Calls for Calm on AI Security Risks at RSAC 2026

⚡ Quick Summary

  • Former CISA director Jen Easterly urges cybersecurity community not to panic about AI threats
  • Basic security fundamentals remain the most effective defences against both AI and traditional attacks
  • Federal government presence at RSAC 2026 notably reduced amid policy changes
  • Organisations should prioritise foundational security before investing in AI-specific tools

What Happened

Jen Easterly, the former director of the Cybersecurity and Infrastructure Security Agency (CISA), delivered a keynote address at RSAC 2026 in which she urged the cybersecurity community to avoid panic about AI's implications for security while advocating for measured, practical approaches to emerging threats. Easterly, who describes herself as a "relentless optimist," also expressed hope that federal government participation at RSAC would increase next year after a notably reduced presence at this year's conference.

Easterly's remarks come at a time of significant transition for US cybersecurity policy. CISA has undergone leadership changes and budget pressures under the current administration, and several senior cybersecurity officials have departed government service. The reduced federal presence at RSAC 2026 — one of the industry's largest annual gatherings — has been widely interpreted as a signal that government-industry collaboration on cybersecurity is weakening.

Despite the institutional challenges, Easterly emphasised that the fundamentals of cybersecurity remain unchanged regardless of AI's influence. Patching vulnerabilities, implementing multi-factor authentication, maintaining secure configurations, and training employees remain the most impactful defences — whether the threats are AI-powered or traditional.

Background and Context

Easterly served as CISA director from 2021 to 2025, during a period of unprecedented cybersecurity challenges including the SolarWinds aftermath, the Colonial Pipeline ransomware attack, and the Log4Shell vulnerability. Under her leadership, CISA expanded its role as the primary interface between the federal government and private sector on cybersecurity matters, launching initiatives like the Known Exploited Vulnerabilities catalogue and the Secure by Design pledge.

Her departure from CISA and the subsequent changes at the agency have created uncertainty in the cybersecurity community. CISA's budget has faced proposed cuts, and several programs that Easterly championed — including the Joint Cyber Defense Collaborative (JCDC) — have been scaled back. The private sector, which had grown accustomed to robust government partnership on threat intelligence sharing and incident response, is adapting to a more self-reliant posture.

The AI security debate has been dominated by two camps: alarmists who warn that AI will supercharge threat actors beyond defenders' ability to respond, and pragmatists who argue that AI is a tool that amplifies both offensive and defensive capabilities roughly equally. Easterly positions herself firmly in the pragmatist camp.

Why This Matters

Easterly's message is important precisely because it pushes back against the AI panic narrative. The cybersecurity industry has a tendency to amplify emerging threats — partly because genuine concern drives it, and partly because fear sells products and services. AI-powered attacks are real and growing, but the defensive fundamentals that stop most breaches remain the same: patch your systems, enable MFA, segment your networks, and train your people.

The reduced federal presence at RSAC signals a genuine risk to national cybersecurity. Government-industry collaboration on threat intelligence sharing, vulnerability disclosure, and incident response coordination has been a cornerstone of US cybersecurity strategy for over a decade. If that collaboration weakens, both government and private sector defenders will have less visibility into the threat landscape.

For businesses of all sizes, Easterly's pragmatic message is a useful corrective. Rather than chasing the latest AI security product, organisations should ensure they've implemented the basic defences that prevent the vast majority of breaches. Keeping systems updated with a genuine Windows 11 key and maintaining proper software licensing is part of this fundamental security hygiene.

Industry Impact

The cybersecurity vendor community is grappling with how to position AI in their products and messaging. Easterly's call for calm could influence enterprise buying decisions, encouraging security teams to prioritise foundational investments over AI-specific tools. This would be a healthy correction in a market where "AI-powered" has become a marketing buzzword applied to products of widely varying quality and utility.

The government-industry relationship will evolve regardless of RSAC attendance. Information Sharing and Analysis Centers (ISACs), sector-specific agencies, and international partnerships continue to function. But the symbolic importance of RSAC as a gathering point for government-industry dialogue should not be underestimated — relationships built in hallway conversations often prove more valuable than formal coordination mechanisms.

CISA's future direction under new leadership will have significant implications for organisations that rely on its advisories, vulnerability alerts, and incident response support. Businesses using enterprise productivity software and critical infrastructure should maintain awareness of CISA guidance regardless of the political environment, as the technical threat landscape is apolitical.

Expert Perspective

Easterly's optimism is earned rather than naive. Having led the national cybersecurity agency through some of the most significant incidents in recent history, her assessment that AI is a tool rather than an existential threat carries weight. The cybersecurity community has weathered previous paradigm shifts — cloud computing, mobile devices, IoT — and adapted each time. AI will be the same, though the adaptation timeline may be compressed.

That said, the pragmatic message shouldn't breed complacency. AI is genuinely accelerating the pace of vulnerability exploitation, phishing sophistication, and social engineering effectiveness. The correct response is to accelerate adoption of defensive fundamentals while selectively investing in AI-powered defensive tools where they address specific, validated use cases.

What This Means for Businesses

Use Easterly's framework as a guide for cybersecurity investment decisions. Before purchasing any AI-specific security tool, ensure your organisation has fully implemented the basics: multi-factor authentication on all accounts, automated patch management, network segmentation, endpoint detection and response, regular backups tested for recovery, and security awareness training for all employees.

For small and mid-size businesses without dedicated security teams, CISA's published guidance remains the most accessible and practical resource for cybersecurity planning. Their Cybersecurity Performance Goals provide a prioritised checklist that any organisation can follow. Pair this with properly licensed, updated software — from an affordable Microsoft Office licence to current operating systems — and you'll be ahead of the majority of organisations.

Looking Ahead

The cybersecurity industry will continue to navigate the tension between AI hype and practical defence. Easterly's voice, now from outside government, will remain influential as the community debates the appropriate level of concern and investment. The government-industry partnership gap will likely be partially filled by private-sector-led initiatives and international cooperation, but the loss of centralised government coordination will be felt in reduced threat intelligence sharing and slower coordinated responses to major incidents.

Frequently Asked Questions

What did Jen Easterly say about AI and cybersecurity?

Easterly urged the cybersecurity community to avoid panic about AI's security implications, arguing that basic defences like patching, MFA, and network segmentation remain the most effective protections regardless of whether threats are AI-powered.

Why was federal presence reduced at RSAC 2026?

CISA has undergone leadership changes and budget pressures, with several senior cybersecurity officials departing government service, resulting in reduced government-industry collaboration at the conference.

What should businesses prioritise for cybersecurity?

Implement fundamentals first: multi-factor authentication, automated patching, network segmentation, endpoint detection, regular tested backups, and security awareness training — before investing in AI-specific security tools.

OfficeandWin Tech Desk
Covering enterprise software, AI, cybersecurity, and productivity technology. Independent analysis for IT professionals and technology enthusiasts.