At RSA Conference 2025, cybersecurity leaders gathered to discuss the latest trends and technologies shaping the industry. But according to Steve Winterfeld, Advisory CISO at Akamai, there were two pressing security concerns that didn’t get the attention they deserved: supply chain vulnerabilities and insider threats.

“It’s a great conference… but the ones I see year after year fade to the back are supply chain and insider threat,” said Winterfeld in his TFiR interview.

Two Threats That Fade Into the Background

Both threats have a history of surfacing in the aftermath of high-profile incidents—ransomware infections via third-party tools, or internal actors exposing sensitive data. Yet as Winterfeld notes, they consistently slip below the budget line when it comes time to allocate security spending. “We’ll have a huge supply chain issue hit… it gets big for a while, but it doesn’t seem to be something we really focus on.”

The Risk of Budget Amnesia

This tendency to deprioritize long-term threats in favor of immediate concerns is a challenge not just for CISOs but for the entire enterprise security posture. It raises a key question: Are we budgeting for headlines or for resilience?

Winterfeld’s insights offer a reminder that real security maturity comes from proactively addressing low-frequency, high-impact risks—not just chasing the news cycle.

For more coverage from RSA and cybersecurity insights from industry leaders, visit TFiR.