

Vulnerability management is no longer a routine IT task. It’s a strategic imperative in the age of artificial intelligence-driven cyber threats.
As generative AI accelerates the sophistication of phishing campaigns and exposes gaps in traditional defenses, security leaders are reevaluating how they manage risk, protect sensitive data and maintain operational resilience. The conversation now includes brand reputation, breach response costs and the effectiveness of foundational practices such as patching, according to Mike Arrowsmith, chief trust officer at NinjaOne LLC.
“The feedback has been tremendous on just the impacts that AI has with phishing email,” he said. “We ourselves are seeing that grow day in and day out.”
Arrowsmith spoke with theCUBE’s Jackie McGuire at the RSAC 2025 Conference, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how AI is transforming cybersecurity by intensifying phishing threats, complicating vulnerability management and forcing organizations to prioritize trust, data visibility and smarter incident response strategies. (* Disclosure below.)
Vulnerability management remains one of the most overlooked yet foundational aspects of cybersecurity strategy. Despite its routine nature, the process of patching carries hidden complexities, especially in large, diverse environments where applying a faulty patch can trigger new problems. Understanding not just when to patch, but how and what to patch, is central to reducing long-term risk, according to Arrowsmith.
“When you have large dispersed environments, different types of systems, you need to have the confidence that as I apply these patches, I am not going to introduce more areas of failure,” he said.
To address this, NinjaOne has introduced a new capability called patch sentiment, designed to scan online forums, social media and technical channels to help organizations assess the real-world effects of newly released patches. This proactive approach enables teams to prioritize based on actual field experience rather than assumption, reducing guesswork and minimizing downtime, Arrowsmith explained.
“We scrape all social media, all forums to just try to get a sense and kind of an idea, is this a ticking time bomb? Is this something that’s going to be benign that you can apply and not think about?” he asked. “When we think about how organizations do patching, it really starts at the fundamentals. I think that’s an area where I think at Ninja we can help a lot of our existing customers, but also future customers.”
But patching is only one piece of a larger trust framework. The rising wave of AI-powered phishing attempts, often tailored and highly specific, has outpaced the capabilities of many current security programs, Arrowsmith pointed out. Leaders are now struggling to understand not only the scale of the threat but also how to respond effectively.
“Among my collectives of CISOs, CSOs, chief trust officers, we are all trying to gather enough data points to really understand how big of a threat is this in our organizations, what solutions are available,” Arrowsmith added. “Most importantly, how are other organizations protecting themselves against [this] rise in phishing attempts?”
The focus needs to shift toward visibility into sensitive data, effective breach response planning and more transparency with customers and regulators, Arrowsmith explained. While cyber insurance is often treated as a fallback, it doesn’t resolve the immediate and lasting damage a breach can cause to customer trust and brand reputation.
“When you’re in that breach situation, you finally are recovering and trying to contain, you’re notifying, the cost just is extraordinary right then and there,” Arrowsmith said. “You’re also under the gun. You have reporting requirements to various regulatory authorities, but also customers. We at Ninja take that very seriously.”
(* Disclosure: TheCUBE is a paid media partner for the RSAC 2025 Conference. The sponsors of theCUBE’s event coverage do not have editorial control over content on theCUBE or SiliconANGLE.)