Shauli Zacks
Published on: November 25, 2025
In this SafetyDetectives interview, we spoke with Trevor Horwitz, CEO and CISO at TrustNet, about the security challenges companies face as they scale, the dangers of treating compliance as a checkbox exercise, and how AI is reshaping both offensive and defensive cybersecurity. Trevor shared insights from his work helping organizations build real security maturity, navigate supply chain risks, and prepare for a future where continuous testing and AI-driven threats play a central role.
Can you introduce yourself and talk about your role at TrustNet?
My name is Trevor Horwitz. I’m the CEO of TrustNet and also serve as the Chief Information Security Officer. Along with steering the company, I work directly with clients, mostly on the pre-engineering side, helping determine their needs and right-sizing the solutions we build for them. That includes developing compliance programs and assurance services.
Can you tell our readers a little about TrustNet?
Our primary value proposition is built around security services and assurance services. On the security side, we help clients understand their security posture through cybersecurity risk assessments, then expand on that work to enhance their security. We conduct penetration testing and ethical hacking to identify vulnerabilities in their systems and help them build roadmaps to remediate those issues.
The other side of the business focuses on helping companies meet their compliance objectives, whether they’re regulatory, governmental, or industry-based. For example, with the PCI Data Security Standard (PCI DSS) for organizations that take payment cards, we assess their gaps, help them build remediation plans, and then audit them against the requirements. We issue assurance certificates so they can validate their compliance with partners, customers, and regulatory agencies.
What are some of the biggest security challenges companies overlook when working toward compliance?
Many companies treat compliance as a checkbox exercise, which is a dangerous mindset. They focus on “meeting the requirements,” but what we coach clients to understand is that compliance should be a byproduct of real security. If you implement best practices and strong controls, compliance naturally becomes the output of that process. A check-the-box approach doesn’t achieve meaningful security and often leaves gaps. It also goes against the spirit of why compliance requirements exist in the first place.
How do you help your clients move beyond that checkbox mentality toward true security maturity?
It starts with a mindset shift, and that needs to come from the top. We spend time coaching executive teams to understand security and compliance at a deeper level. If you look at most MBA programs in the last decade, very little attention has been paid to cybersecurity risk, even though it’s a core responsibility for today’s leaders. Many executives understand ROI, accounting concepts, or supply chain issues, but their depth of knowledge in security is limited. Education is key. Once leadership understands why these efforts matter, it becomes easier to adopt the idea that compliance should follow security investments, not be the goal in itself.
What recent threat trends worry you most, and how do you help clients manage them?
Supply chain attacks are top of mind. There’s often an over-reliance on vendors. I can’t tell you how often clients tell me, “We’re in the cloud, so we’re secure,” or, “My service provider handles this.” You cannot outsource all of your security responsibility. There’s always a level of accountability that stays with the organization.
Another major trend is AI-enabled hacking. Just this week, a significant attack was carried out by a China-based actor using Anthropic as the backend for a sophisticated AI-driven campaign. These attacks scale quickly, adapt intelligently, and have very low barriers to entry. Agentic AI models are accessible for pennies, which makes the threat landscape more volatile.
AI is a worrying trend, but is there a positive side in terms of preventing attacks?
Absolutely. Defenders have access to the same tools, and in many cases larger budgets. I always remind clients that defenders need to be right 100 percent of the time, while attackers only need to be right once. That makes our job more difficult, but AI gives us important advantages.
AI allows us to scale our defensive capabilities, ingest and analyze large volumes of data, and detect patterns quickly. We’ve also developed a tool that uses agentic AI for penetration testing. It accelerates the identification of vulnerabilities and helps clients remediate issues faster. Penetration testing is shifting from a point-in-time assessment to a more continuous, real-time model, which is a very healthy evolution for the industry.
What is your best advice for organizations struggling to balance security with agility?
You need a mature approach that starts with the C-suite. Companies can scale very quickly with technology, but strong security controls are what give you the steering wheel. If your business is the jet engine, security controls are what let you navigate changing conditions so you don’t crash.
Security can’t be an afterthought. You can’t build the engine and then decide to bolt on the steering wheel later. We encourage clients to incorporate security investments into their technology stack from the beginning rather than trying to retrofit controls.
The same applies to compliance. With so much attention on third-party risk, it’s crucial to build these controls in from the start. We’re even seeing early-stage startups come to us with nothing more than a blueprint, asking for help setting up security controls. We love that, because it becomes part of their DNA and lets them scale safely.
