CISO Q&A: Matthew Rosenquist On Why AI Has Tilted The Battlefield Toward Attackers

“AI lends itself to the attackers' capabilities. It makes them better, faster, and they can do it all before the defenders,” says Matthew Rosenquist, CISO and former Cybersecurity Strategist at Intel.

Last updated on Apr 27, 2026
Written by Mirren McDade

Matthew Rosenquist is a CISO, cybersecurity strategist, and industry veteran whose career has spanned over three decades at the intersection between technology, business, and emerging risk.

Rosenquist spent 24 years at Intel, where he built and led the company’s first SOC, as well as managing platform security for the i3, i5, and i7 chip lines.

He now advises governments and businesses as a virtual CISO, sits on 16 advisory boards for organizations navigating AI adoption and modern threat environments, and has been publishing annual cybersecurity predictions for over a decade.

We spoke to Rosenquist as part of our ongoing series interviewing cybersecurity professionals to bring you their unique insights into cybersecurity today, the challenges they are facing and the realities of what it takes to defend complex global environments.

To start, could you tell me a little bit about yourself and your background?

I’m Matthew Rosenquist, I’m a CISO and cybersecurity strategist, and I’ve been in the industry over 35 years. I spent 24 years at Intel where I justified, built, and managed Intel’s first 24/7 security operations center, and was the first incident commander, so I owned any time the company was attacked. I managed platform security for the IT systems, was the security strategist for the factories, developed a number of cybersecurity tools and deployed them, and I was also the cybersecurity strategist for Intel Security, the division Intel built around its multi-billion-dollar acquisitions of McAfee, Stonesoft, and others (at the time, the third largest security company in the world).

I also oversaw security for Intel’s core chips (the i3, i5, i7) working across the hardware, firmware, OS, application, and data layers. My last role there was essentially a BISO for their billion-dollar AI group, where I managed security across the stack and, at my request, took on a public role talking about cybersecurity and AI at a time when almost nobody in the industry was connecting the two.

Throughout my career I’ve been advising governments, businesses, and academia. I contribute to all sorts of different standards that are out there and talk with a lot of different governments, particularly about emerging risks and industry best practices. I started releasing cybersecurity predictions around 20 years ago, which I make public. I’ve got my 2026 predictions, and a whole bunch of them have already come through. It’s all around AI this year. I do advisement work, virtual CISO work (I’m on 16 advisory boards) and I do a lot of keynote speaking around the world at events.

What cybersecurity challenges do your teams deal with on a day-to-day basis?

For the operational teams, it’s really around prediction, prevention, detection, and response. From a prediction perspective, it’s risk assessment and risk management; really around emerging threats and performance against metrics. In the prevention phase, you’re talking about configuration and vulnerability, third-party risk management, new tech partnerships like AI, and any kind of mitigation optimization. From the detection side, it’s security operations, your SOC, vendor assessments, sometimes even code or patch assessment if you’re looking at product stuff. And then from a response perspective, it’s crisis management, digital forensics, incident response, follow-up for policy changes. And all those things circle back around and feed upon each other. They overlap and they reinforce continuously.

The last thing, from the leadership role, is managing senior leadership expectations. What are those risk goals? Do they need to change? Especially with AI, they do need to change a little bit. What kind of report-outs are you going to be doing? What kind of strategic metrics and recommendations do you have for where the organization wants to go? Those kinds of things.

How have the challenges you deal with evolved in the last few years?

It’s really about an increase of speed, complexity, ambiguity, and chaos, which is the norm in our world. If you sign up for cybersecurity, you get as much as you can consume of all of those things. But the increase in speed is not linear, it gets faster and faster. So, we have to deal with that.

We’ve got much more powerful threat agents, especially as we’ve seen nation states come onto the scene. These are threat agents that can literally throw billions of dollars into discovering new vulnerabilities, creating world-class exploits, attacking entire industries or multiple industries at the same time. Then you’ve got the technology adoption cycles. AI is the latest, and it’s a big one, but we’ve had cloud before that. There’s been lots of different technologies that have shaken the foundations and fundamentally changed the landscape of what we need to protect and how we need to protect it.

The last thing I would say is the expectations of cybersecurity. Part of that is the scope: what do you own? It used to be the internal IT environment, and that was it. That’s not the case anymore. Now you own that, plus third-party vendors, your OT environment, your products, anything AI touches. Every year that expectation grows. That’s something that really has to be managed.

How do you set teams up for success dealing with these challenges?

I help and mentor a lot of CISOs in the industry, and it’s really about getting certain fundamentals in place.

First is the goal. You have to have really clear, reasonable goals, and we have to move away from the misconception that our goal is to prevent all bad things from happening. Because that’s just not realistic. If that’s the inherited goal, and that’s what the executive leadership believes should happen (either because it’s been stated or it just hasn’t been corrected) you’re going to fail. You have to set up good goals.

The other thing is around that continuous learning cycle I was talking about (the prediction, the prevention, the detection, the response) and continually getting better and better at all of those. New CISOs typically aren’t thinking in those terms. They’re just thinking, “I’m going to prevent things. I’m going to identify every vulnerability and fix it, and my job is done.” And then they realize that doesn’t work. Prevention is one piece of a very large puzzle, and putting one piece in place doesn’t help you manage risk responsibly over time.

The third thing is leadership. You have to have strong leadership, because this is a tough industry. There is a tremendous amount of ambiguity and chaos, and metrics are stacked against you. It’s very difficult to measure our successes, but it’s really easy to measure when we fail. That’s why you need really strong leadership; and that strong leadership flows downward to build strong teams. You’re growing them, you’re helping them, and you’re protecting them. That’s essential.

The last is a culture of inclusion. And inclusion isn’t just about people: it’s about business partners too, both internal teams and external partners like third-party vendors. You’ve got to start partnering with them and including them in things. Inclusion of technology is important, too. We’re seeing that with AI. We have to embrace that. There’s just no two ways around it. We can’t put the brakes on it or say no, don’t do that. Inclusion also applies to processes and a whole bunch of other things; we have to be more open and understand the needs, the drivers, the right balance, and how we achieve those overarching goals in a partnership kind of environment. And then we have to adapt constantly, because our world changes constantly because of the attackers and the technology.

With AI, we did have some initial CISOs go, “No, stop, it’s just too risky.” They were absolutely right, it is incredibly risky. But you can’t say “stop” to a technology that is seen as a business imperative, that we have to adopt to survive as a business. You can’t just say no, because then you’re an impediment to the business. And when executive leaders see cybersecurity as an impediment to the business, your support, your funding, everything that you need will then begin to wither. It begins a downward spiral.

So, we have to instead proactively partner, knowing we have to embrace this. Think, how do I get ahead, work with my business partners to say, yes, you need AI, let me help you make it happen? Of course we’re going to put some guardrails in, but I’m going to move just as fast as you, and we’re going to make this happen.

What impact do you see new technologies like AI having on your day-to-day? Do you see AI having a long-term impact?

Oh, absolutely. AI lends itself to the attackers’ capabilities. It makes them better, faster, and helps them to scale and do some amazing things, and they can do it all before the defenders.

Then we look at the battlefield shift as the industry adopts AI. Internally, with partners, suppliers, customers; everybody’s adopting it, and that brings more vulnerabilities. The faster we adopt new technology, the more vulnerabilities we know there are. The attackers can use AI to detect and exploit those.

The third area is around security itself. In order to keep pace and continually adapt, we also need to be using AI. But we can’t just use some random untested AI, like the attackers can. We can’t risk bringing an untested, unvetted tool into the environment, because if we bring down the environment, executive management goes, “Wait, you’re worse than the attackers! We’re paying you. You can’t do this.” So, we have to wait until the technology is mature and vetted. That gives a window of opportunity to the attackers, and that’s kind of the state that we’re in right now.

Lastly, the scope of growth and expectation changes. Now executive leaders say, “Yeah, oh by the way, in addition to everything else you’re doing, we also want you to make sure that all our AI adoption (that we’re not even telling you about) is all secure. And anything AI touches, which we’re not quite sure what that is, make sure all of that is secure. And any of the data going to our vendors, suppliers, or partners and the AI systems they’re using, yeah, go ahead and make sure all that’s secure too.” Okay, yeah, sure, let me just add that on, pile that on, add another log on the fire. It is a sea change for us in the intensity that we have to address all these issues.

You’ve published cybersecurity predictions for several years now. Looking back, which prediction surprised you most in how it played out, and is there one you got wrong that taught you something?

Take the AI evolution. I predicted AI would arrive, vulnerabilities would be discovered, and exploits would get faster. I got that piece right. But what I got wrong was really the velocity; the speed and direction and focus of vulnerability discovery, exploit creation, exploit chaining, and the overall orchestration of attacks. That has happened much faster than anyone ever expected.

Take Anthropic’s recent Mythos model. They’ve restricted it. They’re not giving it out to everybody simply because it’s so tremendously powerful. It was able to find several thousand vulnerabilities in every operating system and every web browser. One of the severe vulnerabilities it found had been in existence for over 27 years, and nobody ever detected it. And this was before the model was actually released to professional vulnerability researchers. This was just them testing it internally. They’ve restricted it, let the world slowly see what it’s doing, and people are concerned.

That rapid pace (the ability to jump forward) we knew it was coming, but we just underestimated the intensity, the speed, the continual learning acceleration of AI. It’s kind of like compounding interest. It’s not additive, it’s compounding, and it increases at such an incredible rate because these AI models are using AI models to move to the next model. It’s beyond what humans can do.

You built Intel’s first SOC and have watched the CISO role evolve over 35 years. What’s the biggest shift in what the role demands today compared to when you started?

When I started, there were a lot of dangerous misconceptions, and I’ll pick on two. Originally, back in the day, it wasn’t even called cybersecurity; it was called information security. And actually, before that, it was system security. I’ve been around way too long.

Back in the day, when I created the Security Operations Center for Intel, the predominant viewpoint of what that meant was that cybersecurity is a technical problem to be solved. That’s the engineering mindset; “There’s a problem, just go fix it. Go turn on whatever device you need, whatever firewall, just turn it on, and we’re done.” Piece of cake, security is solved, we move on.

But cybersecurity doesn’t work that way. I’ve had many conversations with executives to impress upon them the challenges. It took a while and unfortunately, in many companies, that mentality is still pervasive. They believe it’s purely a tech problem. If it’s a tech problem, it can be solved, then we should have zero incidents forever. So, zero incidents becomes the goal. But that’s not realistic. Until you understand cybersecurity is about managing continually changing risk, nothing works.

The other thing to consider is the people involved; not just internal users, but the attackers and adversaries on the outside. They’re smart too. In some cases, they’re smarter than you, they have more resources than you, and they may even know your environment better than you do. So, people and processes play huge roles in managing cyber risk. And yet a lot of newcomers to the industry think, “Oh, this is just a tech problem, and I’m going to fix it.” It’s that engineering mindset again that says “There’s a problem, I devise a fix, I implement it, I’m good.” But those dreams come crumbling down pretty quick. People’s own egos can sometimes stand in the way, along with their biases. If you’re just a technologist, everything you see is a technology problem.

You’ve built a significant thought leadership platform through your podcast, writing, and speaking. How important do you think it is for CISOs to have a public voice, and does the industry benefit when more security leaders share openly?

Having a public voice is optional. It really comes down to the preference of the person. However, communicating and engaging with the industry is absolutely critical; not just for the individual, but for our entire industry.

We must learn from each other to simply keep pace with the attackers, to keep pace with the technology, and to understand and evolve the best practices. If we’re not communicating and collaborating, we fail. We fail big. It is the only path for us to even be given a chance to keep pace with the attackers. So, cybersecurity is absolutely a team sport; not only within your organization and within your partner structure, but across the industry as well.

Our industry, originally, in the very beginning, we didn’t share anything. I mean, nothing. And that slowly got eaten away. There have been some great people in the industry that have really prompted different sectors to start sharing more, to communicate more. There are government agencies that help with that now. It’s absolutely a necessity for us to communicate.

With your experience advising organizations of very different sizes and maturity levels, what’s the most common mistake you see companies make when building out their security programs? 

I would say the underestimation of the challenge to actually manage risk, specifically the importance of leadership, setting up reasonable goals, and the culture shift necessary to make cybersecurity interwoven into the business aspects of the organization. Companies have to understand that and move forward. It’s not about fixing what broke yesterday, because tomorrow holds a different challenge.

And actually, in my industry right now, CISOs are going through a phase of transformation. They’re moving from becoming technical experts around cybersecurity to business cyber risk executives, helping the business navigate this as part of competitive advantage, and even adding more value beyond simply managing the risk of bad things happening. Because now, with consumers, partners, and regulators all paying attention, cybersecurity can add real value to the company; and in some cases, even generate new organic revenue, improve margins, and lift sales.

What’s a widely held belief in the cybersecurity industry that you disagree with, or think needs to be challenged?

Oh my gosh — okay, so there’s a list.

  1. The fact that many still believe it’s a solvable tech problem. No, it’s not.
  2. That there’s no need to partner with other business groups; set the policy and just say no. That just doesn’t work.
  3. The false belief and bias around cybersecurity metrics. We have a huge problem with metrics, because it’s nearly impossible to measure the benefit, whereas you can absolutely measure the impacts.
  4. The fact that some still believe any leader can be moved into a CISO role and be easily successful. I’ve seen this in really big companies. People brought in from HR, IT, engineering, architecture, even finance, and told, “Okay, now you’re going to lead cybersecurity.” A lot of those skills just don’t translate. And people think, “Oh, cybersecurity’s easy. Learn a couple skills, take a class, you’re good to go.” Yeah, okay.
  5. Another one: reliance on simply managing vulnerabilities. “Hey, all we’re going to do is scan for vulnerabilities and close them and we’ll be good.” No, you won’t.
  6. The last thing is the fact that a lot of organizations still don’t believe that the people and the process matter. Organizations may have incredibly sophisticated technical controls in place, and yet there’s Bob in the corner clicking on things, bypassing all of it. They wonder, “We’ve invested so much in these technical controls, and yet we’re still failing. Why is that? Well, we need more technical controls, obviously.” They’re not taking the people and process aspects into account, and that’s why they can’t be consistent and comprehensive over time. I get called in a lot to answer exactly that question: “Why do we keep failing? We’re spending so much.” Well, yeah…

What advice would you give to fellow CISOs and industry practitioners?

Our world is rapidly changing and becoming more complex. Nobody has a complete picture, especially when it comes to cybersecurity. So, we have to communicate and collaborate with others. It’s not negotiable. We have to share and learn to avoid the pitfalls that other people have experienced, that you don’t have to if you learn from them and realize those evolving industry best practices.

And don’t just react to what happened yesterday. The breaches you’re seeing in the news today actually started months ago. We have to look ahead instead, anticipate what’s coming, and proactively build best practices to account for it. We are all in this together, so we have to leverage the diversity of knowledge and industry expertise that is out there. Participate, reach out. There are advisors, experts, analysts, your fellow peers in your industry and across other industries. Everybody collectively brings in a wealth of knowledge that you should also be contributing to, but take advantage of it and contribute to it. We’re all here, and it will help us, the entire industry, get more robust and adapt faster.

Mirren McDade, Senior Journalist & Content Writer

Mirren McDade is a senior writer and journalist at Expert Insights, spending each day researching, writing, editing and publishing content, covering a variety of topics and solutions, and interviewing industry experts.

She is an experienced copywriter with a background in a range of industries, including cloud business technologies, cloud security, information security and cyber security, and has conducted interviews with several industry experts.

Mirren holds a First Class Honors degree in English from Edinburgh Napier University.