#323 - Identity Security with Silverfort’s Hed Kovetz

The old perimeter is gone and people are walking from anywhere. And I think there's more understanding even at the even at the board level and the CEO level that identity is, is critical. They can actually understand it. I think more than themselves. Some other areas of security they, they, they get it like they think that's one of the advantages and also disadvantages of identity. It meets the end user more than

any other category of security. Like every, every employee, every, you know, the CEO logs in and has to do like multi factor authentication and all these things. Like they actually see them as opposed to some of the stuff that like other categories where it's much more behind the scenes. So they understand the importance and the way to put more budgets on it.

I, I hear from a lot of companies that identity is now like the number one priority or the number one budget item, which is, which is great because I do believe, and I'm, I'm, I'm biased, but I, I honestly do believe that it is the most important element of security these days. This is identity at the centre if it has anything to do with IAM. This is the go to podcast now your hosts Jim McDonald and Jeff Stedman. Welcome to the Identity of the Center podcast.

I'm Jeff, and that's Jim. Hey, Jim. Hey, Jeff, how are you? Not so bad yourself. Good. What do you think of the get up today? I'm waiting for the magic tricks to start. Like is there a a dove going to fly out of your? Why not? I don't have the magician jacket. I've got everything else. I don't have the hat either, but I've got a cowboy hat just right from Texas. Yeah, we're at the Gartner Gartner IM Summit here in Texas.

The other thing is you know other magician, maybe dealer at like a casino table with the other option it's. In like 1876 or something like that. That's right, you've seen the movie A Tombstone. You know you're sitting there and Whiter walks in and takes control of things. Yeah, yeah, no, actually I've been watching the series, Deadwood began, which I remember the first time I watched it, like thinking, Oh my God, that's so violent. And this was TV for 20 years ago

and now? Game of Thrones had not yet aired at that point. Yeah, yeah. No, we've been hardened. Well, you look like you belong in the Deadwood sort of environment, right? You got the beard, you got the long hair. I could see you absolutely with a cowboy hat. You pull that off for sure. All right. I'm going to wear one tomorrow, so we're going to set for that. That'll be our first episode of the year. This is going to be our last session.

So this is the year. Last episode of 2024 and it's been a ride. Another big year for us. I'm sure we're going to do a lot of things. We're going to talk about a bunch of different things today. But yeah, this is it for us. And we're going to take a couple weeks off and then, yeah, come back. I think first or second week of January I can't move up the schedule. Makes sense. One last conference, one last episode. So I think we should jump into it.

What do you think? Yeah. So I mentioned we're at the Gartner, I am Summit and definitely want to give a shout out to RSM, the ones that are helping make as possible. Also shout out to Silver Fort. We are in their suite right now. Sweet, sweet, sweet suite. And we're sitting here with Hed Kubetz. He's the CEO and Co founder of Silver for It. Welcome back to the show, Head. Thank you. Great to be here and will be an honor to be here for the last

episode of the week of the year. Just of the year, we're going to keep going until next year. It was so we actually met the first time at a Gartner a couple times ago. So it would have been Gartner. I think at the end of 2022. We did Episode 166, we talked with you, we learned more about any threat detection response at ATR.

We're definitely going to get into probably saw that and then more today, but definitely encourage people to go back and check out episode 166. We're not going to make you relive your, you know, tell us how you got that any story, people go back and listen out, but why don't we start with, hey, what's new? Like silver fork has been the news, you know, a couple times over the last year and a half or so, two years almost. What's new with silver fork? What's been going on in your room?

Yeah, there's been a lot going on. I mean we're lucky to to really see huge course in this time. So you know, and a lot of exciting things. So we just announced a couple of weeks ago that we acquired the company for the first time, which for me personally and for the company is you know, a big step. We acquired a company called Resonate that is focused on cloud identity security. Great company, great people. And now, you know, we're really kind of integrating the

platforms together. So that was some recent really exciting news. Earlier in the year we we announced a big funding zone. So we raised the CSD pound of $116 million. That's it. So yeah, that's, you know, we had to figure out now what do we do with all this money? Like we need to build a big company I guess. You need a podcast. Yeah, yeah. It's, it's, it's exciting. So a lot of things going on. And then just today we announced a new product that we that we released on privileged access

security. So really a new way to secure how, you know, privilege access kind of fit is protected across all the different environments. So there's the lot going. And sounds like it. And there's a lot of money pouring into the space. So I'm curious 'cause you were kind of talking before I get recorded, like do people really care about the entrepreneurial side of, of identity? I'm interested in it. So I'm going to ask questions

anyway. So whether or not people listening are interested, I want to get into it a little bit. You know, having founded and run this business and now you've made an acquisition to resonate, I guess what is it like to start something up like that? And 2nd follow up question is there's a lot of money being raised yourself one of them. What are VCs looking for when it comes to products in the space? Because it seems like identity is so hot, right? Now where it's become a lean house festive.

Yeah. So first of all, it wasn't always hot. I have to say, you know, I probably had a different experience than what entrepreneurs that start today probably see. And, you know, that was how do. But I guess I'm also thankful for what kind of how it helped us mature. When we started eight years ago, it was a pretty tough experience. I mean, we went to a lot of VCs to talk about what we want to do. We want to, you know, do something in identity security.

We had a couple of ideas and the reaction we got from almost every VC was that's just not an interesting category. Identity. What do you mean like authentication? And it's like, isn't that like 20 years ago? That was already done. Companies, you know, already have that and we were trying to explain that yeah, the the they did that, but then look at how many attacks of still using compromised identities. I mean, it's only glory. So something must be missing,

right? And we want to solve that. Luckily, we were able to find someone who who actually believed in that, but it wasn't easy. And you know, if you want to know a bit about the, the entrepreneurial experience, that's like a really tough part of it, like hearing no so many times and having people doubt what you do and is it even worth your time and obviously their money. It's tough.

And, and one of the biggest tasks I think is you have to get up after every time that someone tells you it's not a good idea, it's not the way to work. You need to somehow get yourself back to, to optimism, you know, because that's kind of the key to, to building a startup. You need to be optimistic and you need to get back on your feet every time.

And luckily we did. We, you know, got up enough times to the point for now, it's actually, it's happening and it's growing and it's, it's, it's doing really well. But I, I don't forget that beginning it was a much different time. Now it is getting very hard though. So I'm, you know, glad. I think it's, it's the right thing. I I think when you walk around the exhibitor hall at this conference, you just, I mean, I'm blown away by how many

start-ups there are. Yeah. Side by side with the big players in the space. What was your impression? Yeah, there are a lot of start-ups. I think it's a very good thing because the innovation will mostly come from the start-ups. I mean, you, you hear about some of the big vendors trying to do new things. It, it can happen to a degree, but I think that just like in any other category, the, the real disruptive things will come from start-ups.

They just have a better ability to take the risk. You know, I, I used to open a big up and I'm so many people know that, you know, even if you come up with new ideas, the ability of a large company to just throw away everything they've done and, and go for this whole new approach, it's hard. You know, they, they need to meet the quarterly goals and it's just harder to do when you start a company, you could take a huge risk.

And you know, I remember we, we thought, hey, you know, either this will work and we'll have something amazing, or it will not. And you know, let's fail fast, you know, and figure that it's not the right thing and go do another thing. That's a risk that you can only take as a, as a startup. So a lot of startups are now kind of paving the road in, in, in many areas of identity security, which is great. I mean, we are kind of lucky to

be in that sweet spot. I I feel between being still a start up that can move fast and innovate and build. But also we're big enough at this point that we can really, you know, execute when we have a big customer base and we're trying to enjoy both worlds for as long as we can before we become a, a big corporate. And I think at least, at least like now, it feels like it is in that sweet spot.

How do you defend against that position of, OK, that spirit of innovation and entrepreneurism versus, you know, big company and very slow to react and I got to imagine that would probably keep you up at night. Yeah, it's one of the things that's gonna be the most to to lose that innovation.

So we invest in it a lot. I think that especially this year, I think everything that is happening in the space, all these new start-ups that have these really cool new technologies, what kind of a wake up call for us. We need to be ahead of the market not only because we we are getting the, you know, all the traction in the, the big customers, but also in, in innovation. So this year we've actually innovative more than ever before, more than in the early years we've had.

And we built, I mean it across some organizational adjustments, right. So we built really good innovation team and we divided our R&D into smaller teams that each focus on a different port. So there's a team building ITDR, there's a team building, you know, privilege access security. It was a team building, not human identity, security, ISPMMFA, all these different things now have smaller teams that can operate more like a startup.

Because what happens in a big or even medium sized companies, you, you get this huge R&D organization at some point and every person does the tiny piece of it. So they use some of the motivation and, and definitely the innovation by dividing it and, and keeping small teams that act more like startups. And, and if you manage to build the platform as a tool platform, I mean kind of shared infrastructure that all these products can operate on, but they don't need to worry about it.

You know, like in all of the enterprise features, I mean, you need, you know, you need to be with security and compliance and scale all these things. If you if you manage to push them down to a certain platform and build all these products on top, you can still keep those as, as almost like small start-ups. And we've managed to to do it this year, which was a big organizational effort, but I think it was worth it. And now we're moving very fast.

And still, you know, I see start-ups that are doing really cool things and I think it's great. I mean, we all, I think we've been enough time in this market to know by now that it's not a bad thing. You know, I think that it was much worse being back then at the time when nobody thought it's even interesting, right.

So I actually prefer to have a lot of start-ups then pushing us to innovate, pushing us forward, pushing the industry forward over, you know, if you look five years ago that nobody thought it's even that interesting you. Mentioned identity security a few times and as I walked in vendor hall, it's like identity security, identity security. And it's like, yeah, under that company, they have been doing the same thing for five years, but now they're calling it identity security.

Is that just that's just what happens, Just like zero trust. I mean, everybody's now zero trust. And then that's not popular anymore. Now it's identity security. I mean, I think identity security has a real meaning, right? So yeah, in your mind, what is that real meaning?

I, I think that identity security is, is one of the best things that can happen to this industry is that, that platformization, let's call it, because if you think about the, the history of identity security for many years, it was just a feature of the identity infrastructure. I mean, we talk about IAM, right, a lot IAM, which to me is the identity infrastructure, you know, it manages your identities and, and it's, it's not really a, a security offering.

I mean, to me it's more like, you know, it's related to productivity to, to IT security was always a feature in that. So if you had like Active Directory or Octa or Entrac, you might have some security features in there. I think that what's happening now is finally these security features are decoupling on the infrastructure to become the own stand alone layer that that can operate on top of all of these identity infrastructure solutions.

And that's really important because as long as there are features, they only see their own island. If you think about it, I can log in to Okta and I, I failed the authentication, right? It's not me, right? I failed the MFAI can still then go and log in to enter or to the onto MAD and nobody will stop it because those solutions don't even talk to each other. It's it's all islands that are are looking at security as a silo.

And I think that only by decoupling security from it and creating a layer that understands the whole picture, all these silos, all these islands, you can really do security effectively. If you think about it, it already happened in other categories of security. Think about the cloud security. In the early days, you were buying cloud security from AWS and Azure and Google. And after a while people understood it doesn't make sense, you need it to operate on all the clouds.

So then companies like Whiz came and created a cloud security platform. You don't buy it anymore from the cloud providers. Same for Android, like you don't buy Android security from Lenovo and Apple and Dell, you might form a company that can work on all the endpoints, all the types of endpoints. I think the same is finally now happening to identity. And that is to me identity security, it's a stand alone layer that can operate on top of all the islands of identity infrastructure.

And that's the only way that we can ever, I think make this effective and and really be ahead of the of the attackers. And it just took longer in identity, but I think it's finally happening, which is really exciting. Is Identity a platform in your mind, or is it a component of something else? Identity security or in general identity? Identity. I think it's absolutely a platform. I think that identity is one of the biggest elements of

security. And also ITI think that in many ways identity is becoming the most important element. If you think about it now that everybody's walking from anywhere and they use devices that are not necessarily the company's device. I mean, if I can log in from a cafe in Thailand using my device, and as long as I prove who I am, I'm part of your organization, your virtual network, it means that the identity is pretty much the the

only remaining line of defence. So I think that the identity is becoming, I mean at, at the centre right there's. A little bit of a leading question, yeah. Yeah. You did a webinar recently with Jim around that idea of identity being at the side of security. Oh, it's very true. I I think that is becoming the biggest piece really. And I think that people finally recognize it. So what is the difference between I AM and Identity security? So I am. To me is, is the infrastructure,

it's managing the identities. You know, like when you start in a company, they need to create an identity for you. And it's almost like an an IT of an agile feature. I mean, it doesn't mean necessarily security. There's a different question of how do you secure that identity? How do you prevent someone from stealing it? But the identity itself is not a security element.

It's just, you know, it's just like saying that your device or, or the data or the cloud, our our security, no, the, the pieces of the, the, you know, the infrastructure, the digital infrastructure that you have. And then there's a question of how do you secure it? So I think that the IAM the infrastructure is something that includes single sign on and it includes like on boarding and off boarding of employees. That includes what do people have permissions to access?

I think it also includes a password less authentication, which many people view as a security feature. I I don't think so. I think that, I mean, obviously password less involves authenticity with some second factor that's security, yes. But removing the first factor, that alone is not a security functionality, It's actually a user experience functionality. So I think a lot of these things are to me part of the identity infrastructure.

That's what companies like Octa and Bing and Microsoft are doing now. Security again was always mixed up with that. So it's almost hard to separate the Bitcoin. But I think that we can have a think, a discussion around what is what is not really part of that, what should be a security functionality that sits on top. Some things are obvious like ITDR, right? I think privilege access security is part of it and you know, non human identity security, which is now a very

hot category, stuff like that. But there's also questions around areas that might need to almost like kind of split IGA, for example. Is that an infrastructure feature? Because some of it is like like onboarding and offboarding users, things like that? Or is it a security feature because achieving least privileged for them, making sure people don't have too much access, that's a security goal. So I think.

Here's also the appliance aspect accessories, and that's really where the IGA field started was, you know, we got tired of sending spreadsheets around and so the idea was to, OK, well, how do we comply with our socks or HIPAA or other things like that too. But I think that the whole market will need to go to this evolution now, because the only way to do security effectively is if you if you separate it from the infrastructure, because the infrastructure people have a

few different solutions. They have active director of them, they have been Octa in the cloud. They have maybe some SAS applications that manage identities over the, you know, the cloud infrastructure. Some people have more than that because they acquire the company and that company is using Ping, So now they have that too. If all those islands will have their own local security, again, it will be as if we would have different endpoint security for

every type of laptop. Doesn't make any sense. So we have two separate security. And that is to me, identity security. It's that layer on top that does the security that requires the overall context, you know, like understanding all the the identities and all the access and then not only understanding it, but also enforcing security policies. I think that has to separate and that is identity security. I'm actually very glad that more people are using that too.

I do feel like I walked around the that so, so many people are saying it. The outcome is finally saying it, which they told me for years that they, they, they don't agree that there's such a thing. Now they're saying it. Some of the analysts told me. Yeah, we, we understand that the like this is happening. And I don't think, you know, today. I, I think that the people have spoken. Yeah.

So we just which is very good. And it took a while, but I think it it's very important, not just for us as a company. I honestly believe that it's important for the industry if we want to stay ahead of the of the threats.

It's, it's, it's not going to be possible to handle the the evolving threats and, and they are evolving fast and this is even before AI fully kicked in. We will not have a chance if we don't really start taking treating identity security as a as an overall thing and not as a local feature. Yeah. So you presented this morning at the summit. I think one of the main themes that you talked about was this idea of legacy IT and modern IT

coexisting. I mean, I have a friend who made the observation, you know this, the modern CIO has one foot in the past and one foot in the future. So they're thinking as like, OK, well, from an identity security standpoint, what do they need to secure the past of the future? Obviously they need to secure both. So given that context, you know, you've got to secure both. How do you do that from an identity standpoint? You think about the legacy platforms, they were built to

secure the on Prem networking. When I say legacy is not just mainframes, but it, it's, you know, could be modern applications or running an on Prem environment. Now you have applications that you're hosting in platform as a service or infrastructure as a service, as well as, you know, SAS applications. The deployment models are evolving, so you have all these things going on. How do you secure it all? How does the modern CSO or CIO look at this problem? Yeah, it's a big problem,

honestly. And, and it's getting even more complex when you think not just about applications, but think that companies have, you know, databases and, and servers and file systems and OT environments like those, all these other things that are not even web applications and use all kinds of protocols to, to authenticate to. I think that we have to solve both because attackers are looking at this as as one attack surface. I mean, we think, OK, we'll, we'll protect these applications

and not these. So we are half protected. No, you're, you're 0 protected because an attacker can choose where to, to log into. So, you know, we've seen a lot of attacks where an attacker will compromise the weakest link, which is often the legacy, the on Prem, you know, by just taking advantage of how vulnerable and Active Directory is and you know, getting user credentials over there with brute forcing there or Kerberos thing or all kinds of thing.

Now once you do that, because most organisations sync the password between AD to the cloud, you actually have the cloud password now because it's the same password. So we think about those as two different islands, but you know, if I compromise one of them, I compromise the other. And, and that's something that I think people understand more and

more. Now it's it's even more complex than that because even if you secured some of the ways to authenticate to the legacy systems, let's say that you deploy a multi factor authentication portal or your servers, right? And it protects the, the windows login screen, because that's what these agents often do.

You install don't want to name the vendors, right, But all the think about all the common MFA vendors and now everyone logging into that server is getting MFA on the on the login screen instead of just a password. But as an attacker, I can choose a different way to log in. I can log in with remote PowerShell, you know, I can log into a shared folder on that server. I can log in with so many other tools that it's it's, it's a joke.

You know, it's like you lock the front door but the window is open. And I think that people understand more and more now that if you don't secure identities everywhere and all of the access, it's meaningless because the attacker get to choose how they log into your system. And they're not going after the the shrimp tour. They're not, they prefer the

command line tools, right? Yeah. We, we spoke to a company that got breached and they were using one of the top like, you know, MFA and, and and, you know, and Pam solution and they deployed everywhere. You know, it was on all the servers and all the accounts. Then the attacker just went in and he was using one of these alternative interfaces, which attackers use anyway, and every ransomer is using anyway. I don't even think that's the

sad part. I don't even think the attacker knew that there was an MFA solution in place. It's not that they knew it and tried to avoid it, They just didn't even know because the way they log in, I mean, the way ransom was spread and that's the reason it was CLI. Exactly, Exactly. It's with command line tools anyway. So if we don't secure those things, which is probably the hardest, the fact that we have MFA on our web applications or RBP or VPN, it's almost

meaningless. And, and that's why we really believe that you need to cover all the, the darkest corners of the IAM infrastructure. And there is a way to do it again, we'll, maybe we'll talk, you know, in in the future. I don't want to go too deep into the technology, but there are ways to do it. It's just, it took actually investing a long time in, in understanding how do things even work. And you know, why do you do it? And it's, as I said before, it's not sexy.

So when we went to, to VCs to talk about that, you want to do what you want to protect the, the legacy. So now obviously we also protect the cloud. And with the resident acquisition, we, we do even more and more though, but when we started, we only focused on those dark corners. It's not will investors want to focus, but it is will companies have a problem. Yeah, it's interesting. You know, part of my thinking when I asked the question was thinking of that legacy

environment. It in other words, on Prem environment, organizations have been investing in identity solutions for that environment. Clouds like obviously overwhelming and it's been overwhelming for a long time for a lot of organizations. There are still organizations that are, you know, kind of beginning their journey. But my wonder is, OK, so as AC so or the CIO is my approach to this is the right approach to say, take those platforms and try to solve for my hybrid situation?

Or do I need different tool? So I, I think that until recently you'd needed different tours. I think that what's finally happening is, is consolidation. I mean, we are part of it. I think other companies are trying to achieve the same. Hopefully protecting the dead is end to end. I think that's how you have to do it. So on them and cloud, humans and machines, privileged and non privileged just end to end.

Because if you don't look at it end to end, you're, you're missing the, you know, you're missing some of the, the critical areas. I mean, and then you know is again the attackers will find the the blind spot. Well, let's expand the question is so we talked about the one foot in the past, one foot in the future as kind of like this major divide and they just reference another major divide and it's as far as an identity topic could be right now, which

is non human identities. So we kind of we know how to manage human identities. We've been doing it for so long and we've been ignoring the non human identities. You know, I'm part of that. I'm guilty too. It's not that we didn't know it was important. It's that we didn't have the tools. Yeah. And like, I think it is that it is one of the biggest problems. So I think it it makes sense that a lot of companies are trying to focus in it out.

I agree that the main issues that people didn't think it's possible to protect them for a long time. Even if you think about the older types like service accounts in Active Directory, they've been around for decades, right? But people didn't think there was an effective way to secure them. I think most organisations will try to do that with Pam tools and with Pam tools, you, you have to change the password.

That's kind of how Pam works, which I think is a pretty old approach, but that's what we had for for the last decades. And when you change a password on a non human identity, it breaks things in in many cases it breaks applications because they have them, you know, they have hard coded somewhere in the script or somewhere in the application those those the password. So I think people got scared of

doing it like they tried. I spoke to CSO, tried to do it once with these type of tools and took down a whole data centre and then he stopped the you know. That's a very real fear. I mean, a lot of organizations struggle with that fear is what if? What if I changed that password? What if I shut down that account? They know it exists, and yet they still let it sit there. Yeah. And when we came out with our solution to protect service accounts, I think it was 3-4 years ago it was.

We thought it's just a small thing like we thought one customer suggested today, if you can do this for humans, why don't you do the same for non human? And we did. And we thought it was going to be a a feature. We didn't even we didn't even charge money for it in the beginning. And it became one of our best products because it it is a huge problem and it takes a different approach.

You can't just try to use the the tools that use for human identities on it. I think that the best approach with non even identities is obviously visibility is a big part of it. You need to discover them, see what they're doing, who owns them, where they're being used. That's a huge part of it. People don't even know. That the kind of the governance of it. Yeah, they don't even know. And they don't even know that some of them are being abused for completely different.

Like, you know, somebody created the service account once and now they're just using it for 10 different applications. That would never. Both people use their personal account to one application instead of asking for a service bar. It happens a lot. I think I, I, I told that story in the past.

I don't remember well. Well, we had a, a customer that we were, we were installing our product for and we need the service account just, you know, like regular, you know, domain use of service card in order to, to run our product. And, and he said, Hey, can you go create a service card for us? And he just said, no, no, just let's use my on account. It's like, that's what you invited us to fix, like.

And it's, it's so built into the way people work that he didn't even realise that he's offering this to the vendor that came here to fix this problem. Yeah. So people do it all the time. So visibility is a big part of it and finding all these these bad, you know, behaviours. But then the second part is how do you secure them? So all they think puzzles is, is sometimes the light.

And so usually it's not. So you need to figure out how do you basically prevent any use of this identity outside of what it needs to do. So if you built a non even identity that only needs to connect from A to B every two hours, let's somehow lock it down to only be able to do that. So if somebody will try to use it anywhere else, it should be unusable and it should trigger that.

Very narrowly defined scope. Yeah, that is all it can do, but it's difficult to do sometimes when, you know, I'm going to play the the advocate for the customer. And some on the security side is I've asked security vendors, you know, a lot of times they'll say, oh, we need a domain admin account and they just leave it at that. OK, well, you push back on that and you say, OK, well, what do

you really need? Yeah. And being able to have that conversation in a way to say, OK, we don't really do domain admin, which you need are these three permissions and a lot of security vendors take the easy way out and just to just just just give. Yes, I agree. And, and, and not only security vendors, the the things security vendors are actually more well within some other IT vendors that just ask for it no matter

what. I think that part of it is also look at all the identities you have today, look at what permissions they have and look at what are they actually doing.

And let's correlate that. Let's correlate that continuously to see that, you know, this account has the permission as to do X things, but it's only doing a small portion of that and all the time let's automatically recommend to reduce what they can do. So it's, you know, it's just in time access, but it's also just enough access that we need to achieve all of these things. I don't think on you to people like the fact that you should do it.

I think that they just didn't know that it's possible. And I think that vendors kind of stayed in the comfort zone for a very long time, kind of doing the same thing. And now finally, there's almost like a renaissance in eternity security. But think about it, for how long did we just have the same port, the same technologies, while other categories of security got to have such amazing innovation, you know? And I envied that.

Like, I looked at some other categories of security where there was so many new things going on. And in identity, it seemed like nobody wants to do anything differently than how they did it for the last decades. Now the finally is willingness to do it. And the technology is the, I mean, the technology is, is possible. I mean, if people are willing to, to consider doing things in a better way. The technology is the. I think it's evolving very fast

now. Yeah, you said something scary and I think this is part of the inertia, which was OK. The existing tools can can't do what we need something to do for non humans. Layer on top of that, they're probably more complex to matters than people. You mentioned governance, then you also have secrets management, authentication, monitoring. So layer all that on. You've got your IGA Pam single signed on. So you have all these features on top of the fact that it's not solved.

So now it's a more complex population and I think you said in your in your talk, another thing that I agreed to it, which is that the non human identities need to be tied off to people. So great. That's part of that, that solution. So now you can't use your your tools, your, your existing tools can't do the job and you need to solve multiple tiers of functionality in order to really get your arms around this population. It's not an overnight solution. It's not going to be solved by,

you know, waving a magic wand. It's very hard there, I have to say, like as someone who's, you know, I feel like we're innovating in this space and we have like a lot of things that we're doing, I think in a better way than before. It's complex like the the whole mission of security identities, I think one of the most complex in, in cybersecurity in general. Like I have obviously a lot of friends that run companies in other areas of cybersecurity. I think that identity is one of

the most complex. I think that the fact that there's so many solutions already doesn't help because the fact that you already have 20 different solutions, I mean, it makes it even more difficult because we're not just coming in with this amazing new platform and you have nothing today and we just come and install it for you and you're you're done. You also have like 20 different things that you already have in place that we need to deal with and integrate with and work

with. It makes it a little more complex, but I think that that's part of the mission. Like how do we work with the existing stack while it's gradually being replaced? Because it will be like a lot of these old pieces. They'll do for now all the time. There will be next Gen. solutions for all of them. I mean, a lot of start-ups are already doing amazing things and I think the technology is there. Companies need to be open to looking at new ways of doing things, better ways of doing

things. And I think that they finally out, at least that's what I'm feeling from talking to a lot of even the largest companies. And we all already work with like a lot of the Fortune 50 Even so even the largest companies that were always like a little slow are opening up to the idea that, hey, we OK, we can't do this with the old tools. So what's new?

What's what's I'll do? I think we can see that in the conference a lot like even the the companies that that two years ago, three years ago, I remember talking to them and said, so we were like, it may be a better way, but we're kind of stuck with how we do things. Now they're coming back and saying OK, like we understand this is evolving and we need to catch up. What do you attribute that to?

Because I think there's this real, you know, fatigue that comes with, I need another tool to do this thing, right? Why can't Axe do this thing that I already have in place? What do you think has changed over the last year or so where those companies have started to make those investments because these things cost money? I think that one thing is that the the new generation of technologies matured a little.

I mean when we started, I mean even last time we spoke a couple of years ago when we were still growing, we had some big enterprise customers which was kind of early. A lot of the customers that started working with us in the early days took a bet on us. I think that now that it's much more established and you got we, we have like 1000 enterprise customers using this. So it's a little less of a of a risk for them and and they don't like risk, right, at least many

of them. So I think that's one thing. Second thing is the fact that the threats are evolving. I think people understand that they're going to get breached a lot if they don't figure out what to do. So I think that's partly part of it. And again, there's the overall priority that identity is getting over other categories of security because the old perimeter is gone and people are walking from anywhere.

And I think there's more understanding even at the, even at the board level and the CEO level that identity is, is critical. They can actually understand it. I think more than themselves, some others of security, they, they, they get it like they think that's one of the advantages and also disadvantages of identity. It meets the end user more than any other category of security.

Like every, every employee, every, you know, the CEO logs in and has to do like multi factor authentication and all these things. Like they actually see them as opposed to some of the stuff that like other categories where it's much more behind the scenes.

So they understand the importance and the way to put more budgets on it. I, I hear from a lot of companies that identity is now like the number one priority or the number one budget item, which is, which is great because I do believe, and I'm, I'm, I'm biased, but I, I honestly do believe that it is the most important element of security

these days. So this idea of identity being the new perimeter, I struggle with that because it's not going to different, but around for 15 years at this point. You know, there's there's this idea. Yeah, just doesn't make sense to me. I want to do a little bit of the lightning round here because you've been very jazzed. You're trying to want to get you back out onto the conference. Let's do a quick round. Let's start with shared signals and shared signals framework.

I think it's an area that's showing a lot of promise, but I'm obvious to hear what your thoughts are as someone who's on the vendor side of this, and this is an idea this, you know, the idea here is that products being able to talk to each other, which sounds good on paper, but probably more complex behind the scenes. What are your thoughts on that?

No, I completely agree. I I think that this is, we have to start working better as an industry between all the products because customers are not going to have one product. You know, some of the big vendors like to believe that they can just be the only cybersecurity product that the company has. I think the 99% of the company is just not going to work. They don't want to put all the eggs in one basket. They want some the cartridges that are are good for each space.

We all have to understand how to work together. So I think it's a great initiative, you know, very compelling to us. And I think that it's one of the things that as as our company grows, we understand more and more that are are super important to our customers because early on we only thought about what, what will make our product the best and what best features we can build.

The more we meet more real customers and deploy little environments, we understand that integrating with all the other tools they have is top priority because otherwise it's just another tool that you need to go to and log into. And then there's a cool UI. It's like, cool, but I'm not going to log into it because I have 100 other tools. So we have to figure out how to work together, I think. Yeah, I'm really glad that these initiatives are getting action.

Yeah, In the real world, that ends up being let's take the logs and just stick them in our sin. Yeah, Yeah. And then it's to die, right? And it just sits around. We started this conversation two years ago. We started it with identity threat detection or response. So here we are two years later, and it was kind of a newish term back then. Is ITDR and is in identity security? Is identity security an evolution of ITTR?

Was it always identity security? We're just finding better ways to talk about it. Where do you see that intersection between ITDR and this concept? Maybe of identity security? No, I think, I think ITDR is one element for identity security in our platform. It's one of seven different products. I think it's a very important element. But at the end of the day, ITDR is only about detecting attacks

that are happening right now. It's not about preventing future attacks, not about solving vulnerabilities. It's not about protecting different types of fidelities. It's only about telling you that you're under attack right now. So it's one element, I think that IDL did do something important. I think it what it was one of the first sub categories of identity security that got everybody to agree that there's need to be identity security category. Do you see it as like the killer

app for identity security? Is it the thing that put it on the map? I think that this together with maybe NHI security now non human identities, I think were both both played a very important role. Although there are two very specific elements of identity

security. I think what was good about them is I think people agreed that those should be kind of decoupled from the infrastructure because think about ITDR, does it make sense to do ITDR only within one IAM solution without understanding what behaviours are happening in the other? Obviously not. And I think it was so obvious that it got people to generally accept the idea that they didn't. Security has to be a layer on top.

So even though ITDRONHI are not the only pieces, I think the fact that they got action the last couple of fields did a lot of good service to the to this market. ITDLI think is gradually becoming a feature in, in bigger identity security platform. And that's what I think what what I think it should be. So it's served a very important role. It still serves as a very important functionality. We deal an identity security platform, but I don't see it as a standalone category.

I don't think many companies would buy an ITDR product these days. I think they'll they will look for a platform that also has ITDL in it. It's kind of like how I think UEBA evolved in the past. You know, we thought about it as a product and then it kind of got merged into other products and it became almost like a master feature in other products. I think ITDL is that same thing in identity, but still a very

important functionality. So when this episode airs, going to be two weeks from 2025, which blows my mind. So a little bit of let's think about the future. What's the future for identity security? No pressure. Yeah. No, I think about it a lot. It's, it's a very good question. I think that a few things that I think will happen in 2025 and beyond. One is I think that consolidation will continue. We have too many products in

this market. The fact that people need 20 different products to do identity security is a problem. Most companies can't afford it and can't manage it. So consolidation will continue to acquisitions to companies building more and more products. I think there are a lot of companies that you used to think about as a Pam company or an MFA company or ITR company. Now you go to the website and you see identity security. It's a bigger story now.

I think it's a good thing. 2nd is I think that AI will start to have much bigger impact in, in a few different ways. I think 1 is obviously attackers will start using it more. We, we already hear about more attacks. Well, somebody's using like deepfake to take someone into thinking that they're the boss or someone from IT and get them to give them the credentials or pull the MFA. It's very concerning. There's also opportunity to use

AI to our benefit. But I think even more interestingly, there's a question of how do we secure the identities of AI agents? Because AI agents are and you type of, let's call it non human identity. That is very different from what we used to call it non human identity. So this category of NHI was barely even born and how it has to reinvent itself.

It's funny, but I think that will be a big task that, you know, as a as a as an industry, I think is actually pretty exciting because we get to play a big role in what will the future of AI look like in order to to make it secure, which I think is part of a bigger thing. I mean, the last couple of years we've all been excited about Gen. AI. Think now as it matures, there's a whole ecosystem that develops around like the infrastructure for Gen. AI.

How do you secure it? How do you do compliance for it? How do you, you know, like companies that are building the actual AI, but they're building all the ways that organisations will be able to use it, you know, safely and, and, and

effectively. So I think that the identity industry actually have a huge opportunity to be part of it, you know, to to create something that will enable organisations to use AI better by securing the identity and the access that AI agents are doing within the environment. That's a pretty exciting. Thing I think about like is it more risky to use AI or is it more risky to not use AI? In my opinion, it's always good to not use AI these days.

I mean, that's my view as ACEO, not even as a as a security vendor. I mean, I have part of my job is as a, as a, you know, someone who leads the security company to think about obviously the, you know, how do we help secure AI And there's a lot of risk, a lot of questions, though on the other end, there's ACEO of, of, of any company, I think that you cannot afford to not adopt AI fully. I'm not just saying like try and test it. I think that any CEO was not jumping in to adopt AI as much

as they can. I don't think we'll be able to exist in a few years because the effect that this has on productivity is so big. I don't even know if all companies understand it. I think some companies obviously do and you see what they're doing. We're adopting it a lot internally like so many things that we are now starting to do with AI and we are only sketching the the surface. So I think that it will be almost not competitive to not adopt AI to its full potential.

And now as security vendors, we have a job. How do we help organisations do IT security. But I think that we have to run very fast because nobody's going to wait for us. Like the impact on on the business is so big if you adopt AI well that people are going to do it whether it's secure or not. So we just need to make sure that we help them do it

securely. I don't think they'll be able to afford to to not do it. Yeah, I think that if data is your crown jewel and you have competitors, if you use AI, there's a real scope. They have to open it up to our data, to our crown rules, they get stolen. That could ruin our business. But if we don't use AI to get the most out of that data and our competitors do, and there's not a breach, we're going to smoke us. Yeah, we'll, we'll be very secure losers. It's very secure. Losers, right?

It sounds very much like the cloud conversation for 20. Yeah, well, you know what I'm doing because someone else is going to have it now. Yeah, although I think that this is much bigger than the cloud revolution. You know, I think this is going to be huge and I, I don't need to, like, I'm sure enough words have been said about this, but I, I'm really, I, I believe in it.

You know, I've seen already and also like talking to other CE OS of other companies, not even in cybersecurity, just in general. I'm already seeing the impact and, and we are only starting, like this is only the beginning. So it's, it's hard to even understand how much this is going to change everything. And I think that we have a chance as a security industry, as I think especially as, as identity and the identity security industry to have a play a role in how can we make it

secure. I think it is possible. I think there is a way to make AI secure. And that's something that I'm, I'm, you know, very passionate about and I'm talking to other vendors and customers about. And I think there's, there's so much we can innovate and do in this space. So that's one thing that I think I don't think we're fully get to its full potential in 2025, but it will definitely make a big step, yeah. So here's my prediction for next year, 2025.

I don't know if I'll go to RSA, probably not, but I'm going to guess I'm going to walk through the vendor halls and see a whole new cottage crop of AI security units, right? It's, you know, it's out there, it's going to happen and it's going to be, you know, but that'll be the RSA, the conference trend for last year and maybe the year after that, right? Just like we saw with Zero Trust and AI, right? Half of them would be called

something AI, right? Yeah. Because you don't want to miss the the fact that the AI companies. So it's important to put it in the name. Yeah, I think, I mean, if you look at how investors now choose where to invest, I think that it's very hard for an investor these days to even even justify investment in a company. It is not about AI even to their investors, you know, to their LP's because it's it's such a game changer. Everybody want to be part of it.

They don't know even like where where to put the money split every. But yeah. So that's that's the strategy. Like let's just put it everywhere. But I think that it is becoming more difficult. If you were startup, early stage startup, not in AIII kind of I'm happy that we started backward. Not being an AI company was was OK.

And now because our business is, is, is big, we get to, I mean, raise money based on our performance and not just based on an idea, because I think these days raising money for an idea that is not related to AI, it's actually pretty hard. The investors are very embarrassing. I, I, I don't think it's just another trend that will be replaced in a year. I think it's going to be with us for the next, you know, long time. Oh, so AI is not going away? OK, interesting.

No, it's a full state. I don't mean. I mean that the, the fact that investors, yeah, almost solely you want to invest in it, I think is, is going to change the way it's, I mean for, for for a long time, the way that start-ups even come up with what idea they're going to go after, which is which is pretty crazy. So yeah, I, I think it's going to be an interesting year in general for I mean all technology, but but also an identity.

There's so much going on. And I think that with the momentum that is now kind of coming to identity security, I think it's, it's really the most exciting time that that I mean that we have since we started at least eight years ago to be in this market. It's it's what we've been waiting for for years, honestly. It's exciting spot. I am very bullish on AI. We've choked about turning this

into the AI the center podcast. I want to get you back out there, but we always enter the lighter note and we're hidden night. And for your course, hey, you know, what kind of hobbies do you have? He said, well, I used to have hobbies. And you mentioned things like being an artist and being a bartender. And I was, I used to be a bartender as well. We started talking about that. Tell me about give me your craziest or wildest bar story because I feel like we all have something like that.

Oh yeah, those, no, those too many. Yeah, it's, you know, it's been the, for me, not even before I joined the, the security industry, it was kind of in the middle because I was in 8200. It's like a technology unit for enough like doing cyber offence. And then when I left the military, that's where I I did this. So I was, I was doing it almost as a break. You know, I didn't want to jump right straight into to

technology again. And I, I just walked as a bartender and yeah, it was, it was pretty insane. I, I, I had, you know, a couple of years Will, Will, you know, I, I only worked there and it was honestly amazing. Like, I used to meet so many, you know, amazing people and have like, crazy stories and then wake up at noon and, you know, it was a very different life. I feel like you're dodging the question a little bit. Yeah, yeah. Give me a story.

Yeah, yeah. No, it's, I mean, there, there was some obviously some crazy nights, like I think we'll, we'll leave it at that. And and, you know, once that they don't even remember sometimes I have to admit, but it was it was awesome. I I'm I'm glad that I've I've done it. And I think that I learned so much about like how to treat people and work with people even more than I learned in the tech industry that I took with me to, you know, managing a company and, and, and the sales, right?

And managing people. I feel like it was such a good lesson on, on just how to communicate with people of all kinds and, and, and create friendships very quickly, right? Because that's what you do as a bartender. You need to talk to someone and almost immediately become the friend, right? And I think that's such a great skill that sometimes technology founders are missing because they, they, they care so much about the technology and they're so focused on it, so passionate about it.

And I, I am too, they missed that element, the human element of like building a good bond with, with someone that at the end of the day, even in the colleges, still the, the most important thing because we're all people. And as much as everyone is like could be excited about your technology, I think that as a founder, you need to also build relationship like really quickly with investors, with customers, with employees and, and know how to treat them.

And I think that's one of the biggest advantages we have as a company in Silapolis is the, the people element and the culture. So that's part of it. And by the way, we just moved to a new office, like really big office space. And one of my projects that even some of my team may find out about only in this, in this episode is that I actually want to build a small bar in the, it's a big office.

We have like a big dining room and there's this small room next to it that we didn't know what to do with. We said, hey, maybe we'll just put a few shells there because it's like a small, tiny room. And I said no, no, we're going to do a small bowl in the office. And that to me would be like a little closer. So when you build that and you get that set up, what's the first drink you make to sort of christen the, you know, the, the big, the opening of the bar, so to speak?

That, that's a good question. I, I, I change my favorite drink every few years, but right now for the few years it's been there in Gwani. OK, yeah, I, I like it a lot. And I also drink whiskey a lot. Yeah, there'll be something for everyone, but hopefully not as not as many crazy stories awfully in in the office. Not in the office we got, which are policies now, all that kind of work. We'll keep it lighter there, but but no, you need to enjoy, walk

a bit. I mean, I, I generally believe that in a start up, you need people to do amazing things, right? To go above and beyond and build innovative amazing things. And I think people can only do that when they're happy, you know, when they actually enjoy what they do and who they do it with. I mean, you can go and walk in in a company and do your job, but to really do amazing things, I think that you can't do that unless you really enjoy the people that you do it with.

You know that you kind of want you want to make this happen, not just because you want to get paid because you can't get paid even if you do average walk, but if you really care about the people that do it with and you all that all of it to succeed. So I really do believe that it's important to create an environment where people actually love what they do and love the people they do it with. And that's like the the most important thing you can do to build a successful start up.

Because all the rest of it now, the technology and the, the cells and all, all of that will happen if the people that work for you actually love what they do and they're happy where they are. Because the, the other ones we need to do it like I have 400 employees right now. If I close another deal or, or, or think about another feature that that's almost meaningless. The people that work in the company, the other ones who need to, to do all these things.

And you know, they, they will probably never like show by how much I care about the company. But but if I can get them to really feel at home in this company and to really feel like it's, it's theirs and, and, and they care, I think that that's the thing that makes start-ups successful. So, you know, if part of that is having the best ball in town, you know? Sometimes it's the little things. That's all it takes you.

Know I was at a very large technology company recently and they had like a prohibition era Speakeasy. It was hidden behind a false wall, so it was like bookshelf. I was wondering, but I know exactly you're talking about. Yeah. He was like, I'm not sure how how to bring that up, but. Yeah, you'll have to tell me more about it, because that's exactly what I want. To do, but if you have enough space, I mean, yeah.

Yeah. Yeah, we'll do that off the recording, install it, OK. I'll shoot, I'll invite you. Maybe the next episode we can shoot the drink. I would have I I don't remember how to bartend, but I'll do my best. It's, it's funny that you you come from that back onto it. I think it's. Ten years in food service, you know, a lot of people, you know, just kind of assume I've been in this forever is like, no, I had a full career, you know, waiting table.

There's, you know, there's nothing as stressful as A5 table section on A at a Chili's on a Friday night outside of a movie theater. That's the most stress that I've ever been in any job ever and any nothing has ever come close. I, I actually agree. I think that people underestimate it. I think that the amount of like what you learn about, you know, about service and about sales and about people in, in the, you know, in the service and for the

industry is so much more. I, I think that the, it's actually a really good background that I also have like a few employees that come from this. And I, I, I actually see this today as a huge advantage when I see it in some of the resume, which most people wouldn't think about. I think everybody should have to serve one way or another and that and just that. That's the service. Everyone needs to understand that. Ian. All right, Jim, last statement for the year 2024.

Let's go 2025. OK, we'll go ahead and wrap it up there head. Thank you so much. Yeah, thank you. Yeah, we're going to get that fun. I'm going to put your LinkedIn back in our show notes so people can reach out by the vice of macaroni recipes or whiskey any, or, you know, whatever. Anyone who wants to talk about the Saudi city, I'm really happy to talk, so feel free to reach out. So that's great. We're going to leave it for this week and for this year, which is crazy to say.

We have the YouTube channel, we're at idacpodcast.com. If you go to idacpodcast.tv, you can find our YouTube channel. So for now, we're planning to continue to that. We'll see, but like and subscribe that shows support for that as well. And of course, you can connect with any of us on LinkedIn as well for any thoughts, ideas, clients, concerns, it's we read them all. So with that, we'll go ahead and leave it.

Thank you everybody for watching and we're listening this year and we'll talk with you all the next one. You've been listening to Identity at the Center. We hope you've enjoyed the show. Make sure to like, rate and review, and we'll be back soon. But in the meantime, hit the website at identity@thecenter.com. See you next time on Identity at the Center.