Why Identity Is Becoming Every CISO's Biggest Challenge | Vlad Shapiro
Episode 3323rd June 2026 • Security by Default • Joseph Carson

Shownotes

Vlad Shapiro, a distinguished mathematician turned identity management expert, articulates his transformative journey in this episode, offering profound insights into the intersection of identity and business. He elucidates how the realm of identity has evolved into a critical pillar for organizational functionality, emphasizing that without effective identity management, business operations may falter. Our discussion delves into the implications of this evolution, particularly the necessity for board members to prioritize identity governance alongside traditional business strategies. Furthermore, we explore the pressing gaps within the current identity landscape, including the challenges posed by a lack of standardization and the imperative for innovative thinking to navigate an increasingly complex digital environment. Shapiro's reflections not only highlight the significance of identity management in contemporary business but also underscore the need for a collaborative approach that integrates technological advancements with ethical considerations for future generations.

In this episode of the Security by Default podcast, host Joe Carson engages with Vladislav Shapiro, who shares his journey from a mathematician to an identity management expert. They discuss the evolution of identity management, its growing importance in business, and the innovations shaping the future of identity technology. The conversation emphasizes the need for a business-oriented approach to identity, the gaps in current practices, and the ethical considerations in technology development. In this conversation, Joseph Carson and Vladislav Shapiro explore the complexities of AI governance, drawing parallels with nuclear energy management. They discuss the importance of control mechanisms, the role of identity in AI, and the emerging threats related to computational workload theft. The conversation emphasizes the need for continuous learning in a rapidly evolving technological landscape and the significance of visibility in understanding both good and bad actors in the AI space.

The dialogue between Joe Carson and Vlad Shapiro unfolds a captivating narrative that chronicles Vlad's evolution from an accomplished mathematician to a distinguished identity management expert. Vlad's journey is steeped in serendipity and introspection, illustrating the transformative power of career shifts propelled by the dynamics of professional landscapes and personal revelations. As he delves into his past, Vlad reflects on his academic pursuits in Ukraine and his subsequent migration to the United States, where he initially aspired to teach mathematics at a university level. However, as he navigated the academic landscape and its stark contrasts to European standards, he pivoted towards industry, seeking avenues to apply his analytical skills in a pragmatic context. The discussion transitions into a broader exploration of the identity management sector, a field that has burgeoned in significance over recent years. Vlad articulates the paradigm shift that identity management has undergone, now recognized as a critical business function rather than merely an IT concern. The conversation delves into the intricacies of identity governance, emphasizing the need for organizations to reconsider how they manage identity in a world increasingly reliant on digital interactions. Vlad's insights on the intersection of identity management and business strategy underscore the imperative for organizations to engage with this evolving landscape, reflecting on how identity impacts operational efficiency and risk management. As the episode progresses, Vlad shares his perspectives on contemporary challenges within the identity management domain, notably the importance of interoperability among diverse systems and the necessity for organizations to adapt to a rapidly evolving technological environment. 
His reflections on the ethical dimensions of identity management, particularly concerning data privacy and consumer trust, resonate deeply within the ongoing discourse surrounding digital identities. This episode serves as a profound reminder of the critical role that identity management plays in shaping secure and efficient organizational practices, and it encapsulates the wisdom gleaned from Vlad's unique journey through the realms of mathematics and identity management.

Takeaways:

  • Vlad Shapiro's transition from a trained mathematician to an identity management expert showcases the fluidity of career paths in the technology sector.
  • The evolution of identity management has transformed it into a critical business function, emphasizing its integral role in organizational security and efficiency.
  • Understanding identity as a business imperative rather than merely a technical challenge is essential for engaging stakeholders and achieving strategic alignment.
  • The importance of fostering a culture of curiosity and continuous learning is paramount in the ever-evolving landscape of identity management and cybersecurity.
  • Innovations in identity management must prioritize interoperability to ensure seamless integration across diverse systems and platforms.
  • The conversation around identity management now encompasses ethical considerations, prompting a reevaluation of policies to mitigate risks associated with technological advancements.

Transcripts

Speaker A:

Hello everyone.

Speaker A:

Welcome back to another episode of the Security By Default podcast.

Speaker A:

I'm the host of the show, Joe Carson.

Speaker A:

It's a pleasure to be here.

Speaker A:

It's one of my favorite times of the week is to get to chat to amazing people and have, have a fun time.

Speaker A:

So I'm bringing another amazing person I've known for quite a long time now.

Speaker A:

And it's going to be a really great, fantastic conversation.

Speaker A:

So, Vladislav, Vlad, welcome to the show.

Speaker A:

Since this is your first time on the podcast, if you want to give the audience a little bit of background about yourself, your origin story, how did you get into the industry?

Speaker A:

Is this the path that you chose or is this the path that was chosen for you?

Speaker A:

Tell us a bit about yourself, your background and some fun things.

Speaker B:

Hi Joseph, thank you very much.

Speaker B:

It's a pleasure to be on your show.

Speaker B:

Big fan and being a part of it, it definitely makes my day.

Speaker A:

Fantastic.

Speaker B:

My name is Vlad Shapiro.

Speaker B:

I'm originally from Ukraine.

Speaker B:

I am a mathematician by education and I never thought I would be in the identity business or security business.

Speaker B:

No, no.

Speaker B:

I was trained as a professional mathematician.

Speaker B:

deis University in America in:

Speaker B:

I will be teaching at the university.

Speaker B:

What the, what actually happened is after two years in America, I realized that teaching in America is very different from teaching in Europe.

Speaker B:

You have not the same respect and definitely less money.

Speaker B:

So I said that maybe I should use my talents as someone who can help some industry to get better and to help other people to understand what's going on, get some ideas because my analytical mind definitely is with me.

Speaker B:

So I've been through many different variations of jobs.

Speaker B:

I was in bioinformatics, so that's why I'm pretty familiar with what's going on in the pharmaceutical industry.

Speaker B:

I was in the web analysis tool long time ago.

Speaker B:

And finally in:

Speaker B:

And Kurt Johnson, you know, I called him from now on as my godfather in identity.

Speaker B:

And he came from little conference organized by company called Burton called Catalyst.

Speaker B:

And he came back and he started to tell us about the business roles, the rules, the policies.

Speaker B:

And I just oh my God, this is so mathematical.

Speaker B:

This is so logical.

Speaker B:

I would like to be there.

Speaker B:

That was my path.

Speaker B:

And from:

Speaker B:

Yeah.

Speaker B:

And that, that, that that's the deal.

Speaker B:

That's my story.

Speaker A:

And what.

Speaker A:

What's what?

Speaker A:

You know, any, any interesting hobbies that you have, any things that you'll participate in.

Speaker A:

Any things.

Speaker A:

What do you do in orders?

Speaker A:

Canada.

Speaker A:

You know, because in the world we live in, especially in identity, sometimes it's good to have a bit of a balance in the personal life as any hobbies that you have that keeps you fresh in your mind.

Speaker B:

I would say the best hobby I have is playing football outside.

Speaker B:

Well, we call it America.

Speaker B:

Somehow they call it soccer, but I'm from Ukraine.

Speaker B:

Football, that's my game.

Speaker B:

I'm definitely an amateur.

Speaker B:

No ever pretend I'm playing left defender, even though I'm righty.

Speaker B:

But I love that game.

Speaker B:

Since I was basically born, actually I was born on the day when my hometown Dynamo Kyiv beat Celtic, Scotland, with Jock Stein as a coach and kicked him out of the Champions League that time.

Speaker B:

That was Champions cup, not Champions League.

Speaker B:

That was so that I was kind of there.

Speaker B:

I had no choice.

Speaker B:

I still have a program signed by Jock Stein in Ukrainian language, which is kind of, in my opinion is very important.

Speaker B:

When I was in Glasgow and people told me that is, you know, that's really valuable stuff anyway, another.

Speaker B:

I play chess, I play music, I play piano all my life mostly.

Speaker B:

I definitely can read notes, but I like to improvise, I like to get some tunes and I have pretty good ears so I can basically play anything and that's what keep me sane when I'm thinking.

Speaker B:

And definitely I love travel and me and my wife, we, you know, love culture, museums, theaters.

Speaker B:

That is something which keep me culturally connected.

Speaker A:

Those are all, all fantastic hobbies to have football.

Speaker A:

I'm a big football fan, so I love, I love football.

Speaker A:

That's, that's what I, I do two, three times a week when I'm not injured because my age, injuries come quick and they, and they last for a long time.

Speaker A:

But that's definitely, you know, something for me that allows me to take my mind off, you know, the daily work that you kind of have to focus on.

Speaker A:

You know, piano is amazing.

Speaker A:

It's amazing instrument.

Speaker A:

Not something you can easily carry around with you, but when there's a piano there, it's always amazing to hear.

Speaker A:

So absolutely it sounds, sounds like you have a lot of fun.

Speaker A:

And chess is great for the logic side.

Speaker A:

You know, it's really kind of the forward thinking strategy also a great thing.

Speaker A:

And travel is a passion of mine as well.

Speaker A:

So we have very similar hobbies and interests.

Speaker A:

So today and one big common interest that we have is the world of identity, which is something we've both been working on for a long time.

Speaker A:

And it's evolving so fast.

Speaker A:

You know, I felt in the last five years it's become front and center about everything.

Speaker A:

It used to be something that was just part of it.

Speaker A:

It was about getting users and making sure they had access to the things they needed to do.

Speaker A:

And then it was all about interoperability.

Speaker A:

It was by connecting systems because you've got these very different systems.

Speaker A:

We had, you know, multiple identities sprawling across multiple systems, trying to manage it and federate identity and decentralized became a big important part about how do you authenticate once and not have to do it many times across many applications.

Speaker A:

So I've seen like a massive evolution in identity.

Speaker A:

You know, where it used to be 20 years ago, we were working on things like Active Directory and you know, NT and you know, simple, you know, single provisioned users to today it's a whole entire ecosystem.

Speaker A:

You want to say what's some of the areas that, you know, let's say amazing innovations that you've seen in Identity and also maybe some of the gaps that you see today.

Speaker A:

Where are we falling short when it comes to identity for organizations?

Speaker B:

Thank you for introduction to Identity.

Speaker B:

For people who are listening, you know, some of them are probably already tired of hearing that word.

Speaker B:

But for a lot of people who were never in identity and never in technology, the word identity right now becomes very, very popular.

Speaker B:

Thank God it's not just like AI, very specific.

Speaker B:

But here is what I think.

Speaker B:

First of all, the biggest change is that identity started to become business and everybody's talking about that.

Speaker B:

about that way back in around:

Speaker B:

I always thought of technology not as a separate fun field, but as the part of the whole environment, the whole world of people and business.

Speaker B:

Always I would say that people started to realize that business started to realize that.

Speaker B:

Look at the money.

Speaker B:

They were always saying where the money goes.

Speaker B:

Who can, I would say, 10 years ago, if anybody would tell me that any identity company would be sold for $800 million, a billion dollars, I was like, no, the whole market was a billion dollar, right?

Speaker B:

And now in the last three months, how many acquisitions do we have and how many of them were more than 800 million?

Speaker B:

Several.

Speaker B:

So what does that tell me?

Speaker B:

It tells me that we as identity practitioners did a pretty good job of promoting Identity toward the rest of the business.

Speaker B:

So that is the biggest change.

Speaker B:

Now if you think about this change now we're going to say who makes decisions about spending money?

Speaker B:

Definitely not identity people.

Speaker B:

We all say, oh, CISO, that's the person we have to go and ask.

Speaker B:

CISO is a beggar in the company too.

Speaker B:

He is not a decision maker.

Speaker B:

Right?

Speaker B:

Decision makers are sitting in the boardroom and CFO, COO, CEO, that's the people who maybe recommend something.

Speaker B:

But board members.

Speaker B:

So how can we influence board members to make the decision which will reflect the future?

Speaker B:

Again, that conversation started.

Speaker B:

We have a lot of identifiers like the people doing the entities who are discussing all the angles, right?

Speaker B:

From legal to digital sovereignty, right?

Speaker B:

To how we can monetize it, to how we can use an identity.

Speaker B:

From the spend of staying away from this model of oh yeah, there is a like an enterprise identity, there is a consumer identity, there is some NHI.

Speaker B:

How can we combine them into the fact that people with no technical degrees but a lot of business acumen understand importance of that that is happening.

Speaker B:

And I like the latest movement or not I but people called it BLT, Business, Legal, Technology.

Speaker B:

That story definitely tells us where we're going to go.

Speaker B:

For example, for a long time there was always a discussion about who supposed to own the identity.

Speaker B:

Well, at the companies everybody knows HR, right?

Speaker B:

HR is the people who are supposed to own identity.

Speaker B:

Does HR know anything about technology?

Speaker B:

No.

Speaker B:

How they can own identity?

Speaker B:

Well, because they control people coming in and out.

Speaker B:

That makes sense.

Speaker B:

Which means identity is not technical field, right?

Speaker B:

So that's where it's coming from.

Speaker B:

And then we go to the business owners, right?

Speaker B:

The policies, rules, right?

Speaker B:

Who create them.

Speaker B:

Not us.

Speaker B:

That's business.

Speaker B:

So.

Speaker B:

So they have to talk about it.

Speaker B:

And we as identity people can turn around and tell them.

Speaker B:

By the way, we can tell you that some of your rules and policies are not exactly smart.

Speaker B:

Maybe we should play with them.

Speaker B:

That's why many years ago I created my own company and I TM'ed an English word, a Ukrainian TM'ing an English word: costidity.

Speaker B:

What I believe is the breaching of the policies are combination of people being curious and policies being stupid.

Speaker B:

And even I created a formula for how to calculate the effect of that.

Speaker B:

And you can find my book on Amazon.

Speaker B:

Funny enough and long time ago.

Speaker B:

Sounds like weird.

Speaker B:

Today it's actually happening.

Speaker B:

Because today we're not just talking about curious people.

Speaker B:

There are some other curious creatures coming out, right?

Speaker B:

Started with letter AI.

Speaker B:

We can call them agent AI.

Speaker B:

Agentic AI.

Speaker B:

And you already heard the story of the jailbreaking from a certain big, you know, AI company which tells me that the costidity, the story of cost of bad policies are getting serious conversation in the boardroom.

Speaker B:

And that's where we're moving.

Speaker B:

Right?

Speaker B:

So this is good.

Speaker B:

Now where we are getting short.

Speaker B:

First of all, we're getting short on explaining it to the non technical and non identical people.

Speaker B:

Our explanation usually are the horror story, oh my God, someone got hacked and they have to pay the fine.

Speaker B:

My God, somebody else got.

Speaker B:

We have a problem.

Speaker B:

We have bad people running around.

Speaker B:

We have a bad AI running around.

Speaker B:

I kind of understand this approach, but I prefer positive approach.

Speaker B:

Yeah, Ukrainian in the war.

Speaker B:

Positive approach.

Speaker B:

Trying.

Speaker B:

Okay, what is my positive approach?

Speaker B:

My positive approach is money efficiency.

Speaker B:

What do you want, Mr. CEO?

Speaker B:

What do you want the board members?

Speaker B:

Do you want your company to really compete?

Speaker B:

Well and by the way, in today's world, more and more customers going to ask the question, how safe is my data?

Speaker B:

All right, how, how safe is the situation where you're going to make a decision on my behalf, how good they are?

Speaker B:

Are you following the rules?

Speaker B:

Are we consumer safe?

Speaker B:

It seems to me that is a new mode coming in like similar thing the safety.

Speaker B:

When you're using a car or any, any equipment at home, the same will come to identity.

Speaker B:

How safe is your product for me to use?

Speaker B:

How safe is your solution for me to use?

Speaker B:

And that is the conversation with which board members definitely would like to listen.

Speaker B:

So us as identities, instead of scaring people, we have to tell them listen, do you want to make it better?

Speaker B:

Why do you want to make it better?

Speaker B:

Well, because you're going to lose a competition, the other people will do that, so you should do it too.

Speaker B:

So in my opinion that's one, one gap and the second gap definitely is we are in a complete wild wild west from standpoint of who is doing what.

Speaker B:

Recently some of our colleagues wrote an article about the.

Speaker B:

One of the biggest problems in the future will be many, many, many different ways and standards who do not talk to each other.

Speaker B:

And just imagine this in the world of agentic people agent talking to each other without even our interruption or intervenings.

Speaker B:

How do we know what's going to happen?

Speaker B:

So standardizing at least some kind of a procedures, I think that would be a good idea.

Speaker B:

And in my opinion another side is ethical and moral.

Speaker B:

This is something which some of our colleagues are talking for a while and I would love to add my voice to this saying we are leaving this world to our children and we want to make sure that they understand what we're living with, you know, and when we make decisions, we have to think about the ethical and moral consequences of our decisions.

Speaker B:

Making money is great, but if there would be no people who could benefit from that, I don't think that's a good idea.

Speaker B:

I don't want make money for robots for tomorrow.

Speaker B:

No, no, no, no.

Speaker B:

You know, so that is to me, where we should think.

Speaker B:

And in my opinion, the human factor of making our life and life of our children better should be definitely into consideration.

Speaker A:

Absolutely.

Speaker A:

Can I summarize?

Speaker A:

For me, I think the big, big important part is that absolutely, identity has become, you know, no longer an HR, no longer just an IT or a business.

Speaker A:

When identity doesn't function, the business stops.

Speaker A:

That's ultimately, it ultimately comes down to is the business can no longer function.

Speaker A:

We're in a world where identity is one of the key pillars for businesses to operate.

Speaker A:

And I think you're important, you know absolutely right that the CFO is, you know, their, their responsibility is about reducing risk, financial risk to the company.

Speaker A:

The operating officer makes sure the things, things continue to serve the customers, partners and consumers, whatever business they're doing.

Speaker A:

So absolutely, identity has now become such a critical pillar.

Speaker A:

If people can't log in, the business can't function.

Speaker A:

And that's why it's becoming such a critical, vital component.

Speaker A:

That's why it's getting the attention, I think, in the boardrooms that it should have.

Speaker A:

I completely agree that with the gap side of things is that with, you know, it not having standards, if everyone's going to do their own thing, interoperability is so crucial because we need things to work together and we need them to be able to communicate, to simplify and not over complicate things.

Speaker A:

So absolutely, interoperability across identity is so crucial to making it simple and having a good standard, whether it's a best practice framework or a regulated or a standard, an RFC, that basically ultimately makes sure that we all, you know, have the same goals and same understanding about how things should work together.

Speaker A:

And I completely agree.

Speaker A:

One of the things is that we need to leave the world in a better place than it was when we, when we, when we got it and for our kids to, to make sure in the future talent and generations is that we have to make sure that one for me is, you know, where we can save wasted time because only time is the most valuable asset in the world is we all have a finite amount of it.

Speaker A:

And the more we can give back to the next generation about you know, reducing wasted time, I think that's one of the biggest benefits.

Speaker A:

Absolutely.

Speaker A:

When it comes to AI and robots and other types of automation technology, it should be really there to empower us, to assist us, to help us move faster, help us do things that we want to be doing and focusing on.

Speaker A:

So absolutely, we should not be looking at it as to replace humans in the workplace.

Speaker A:

It should be to enhance us and empower us to really allow us to put what we're good at and focus on the things that we can actually contribute value to businesses and we can spend more time doing that.

Speaker A:

So getting away, you know, some of those repeatable, easy things, some people might still enjoy doing those things and we should still have a place for them to do it as a, as a hobby or as an interest or as a learning path.

Speaker A:

But we should be looking at definitely empowerment.

Speaker A:

What's some of the, what's the, of the interesting innovations you've been seeing?

Speaker A:

You know, what were things that, you know, we've seen the technology evolve so quickly.

Speaker A:

What's some of the cool, interesting innovations I've seen?

Speaker A:

We recently kind of, we both had the opportunity to kind of walk around at the RSAC conference in San Francisco recently.

Speaker A:

Is there anything that you saw there that was very forward thinking or innovative?

Speaker B:

Well, I would say a lot of things happening.

Speaker B:

Unfortunately, as usual, when you go to the conferences like RSA, the most innovative things you see are people you know and people you met for the first time.

Speaker B:

When it comes to innovations in terms of the booth, well, it's usually visual effects.

Speaker B:

Unfortunately, logically speaking, it's very hard, but there are definitely several companies who are forwardly thinking.

Speaker B:

But again, for me, the forward thinking is talking to the board, talking to the people who make decisions in this life.

Speaker B:

One of the scariest thing in the world today.

Speaker B:

And I would say I'm not, honestly not a huge fan of Yuval Harari, but that phrase I like a lot.

Speaker B:

He said, the problem of this world is irrelevance.

Speaker B:

The human irrelevance from year to year becomes bigger and bigger issue.

Speaker B:

As soon as the person realizes that he is irrelevant or she is irrelevant, then it becomes a big problem for the society, not only for the person.

Speaker B:

So whoever helps us to make us less irrelevant, in my opinion, that is the person who would like to innovate.

Speaker B:

So that is, that is from the human standpoint, from technology standpoint, I am a big fan of anything like zero standing privileges, anything which is dynamic, anything which is not defined from the start.

Speaker B:

When you can pivot when you can actually look what's happening and adjust.

Speaker B:

Guess what?

Speaker B:

Football game is a great example.

Speaker B:

You can prepare your corner kicks and free kicks as much as you want from, you know, from the board, on the board or on the practice field.

Speaker B:

As soon as you go to real game, you have to adjust.

Speaker B:

And the best coaches and the best players in the world are the ones who can adjust dynamically.

Speaker B:

So my opinion.

Speaker A:

Thank you.

Speaker B:

My opinion is that is where we're going innovation wise.

Speaker B:

A lot of companies started to think that way.

Speaker B:

I'm not going to name the names, I'm not going to promote any kind of vendors.

Speaker B:

But in my opinion, the vendors who's going to win the competition are the vendors who are thinking and pivoting really, really fast.

Speaker B:

Because technologies are changing with the speed of light.

Speaker B:

You know, anything from GPU speed to ability to take tokens, to ability to, you know, process information to maybe one day quantum computings, who knows?

Speaker B:

That would be a great story on your side, definitely, since you started with cryptic stuff.

Speaker B:

But all of that is just another tool to get where we would like to go.

Speaker B:

And we would like to go to the world, where the world dynamically adjusts to our needs, not us adjusting to the way the program creates.

Speaker B:

And one more thing is I love stories and it seems to me that people started to come up with new stories how to tell the world our problems in a completely new way.

Speaker B:

Well, you know, as a self promotion, I would like to tell a little bit of my story which I created recently.

Speaker B:

Okay.

Speaker B:

So I am seriously thinking about how close is what we're trying to do with agent to agent communications with chain reactions in nuclear physics.

Speaker B:

This idea came to me maybe around the year ago approximately.

Speaker B:

And as a result, whoever will be at the KuppingerCole, you know, European Identity Conference will be able to hear our presentation with actual nuclear energy physicists about how can we use the methodology of the nuclear physics to handle something called failure modes.

Speaker B:

So one of the things people don't understand is that there is a huge difference between error and failure mode.

Speaker B:

Error is when you definitely make a mistake.

Speaker B:

But failure mode is a normal process, supposed to go the way it goes, unfortunately not the way you want it.

Speaker B:

Typical example, burning food when you bought, when you warm up the food on the stove, it warms up.

Speaker B:

If you forgot to turn it off the stove, the food gets burned.

Speaker B:

From your standpoint, it's your error, but from the stove standpoint, it's a normal process, right?

Speaker A:

Yes.

Speaker B:

So now when we think about communications and all of the hype related to specific logistic AI.

Speaker B:

It reminds me the hype of the world when they realized that radiation, that the nuclear elements like uranium, like you know, can produce a lot of energy which is locked inside and we can use it for the human goods.

Speaker B:

So people are thinking about, hey, if we could put piece of uranium or piece of radium inside of the watch or lamp, it will run forever, like for many, many years.

Speaker B:

We'll save a lot of money.

Speaker B:

What they didn't realize there's something failure mode.

Speaker B:

One of the failure modes of that is you're going to die.

Speaker A:

Okay, now watch will still run.

Speaker B:

Well, watch will still run.

Speaker A:

Yeah, but you know, but the person, the person who's depending on it, probably getting any value from it.

Speaker B:

If you think about the agentic AI spread, it reminds me a nuclear reaction because you started with request on prompt, it goes to place.

Speaker B:

I don't know, MCP, A2A, doesn't really matter.

Speaker B:

And it start asking questions other people.

Speaker B:

The other people will start to ask questions.

Speaker B:

Not people, agents.

Speaker B:

The other agents will start other agents.

Speaker B:

So as a result, you've got the chain reaction.

Speaker B:

Now, in the reactor we do have two control things.

Speaker B:

One of them called the container and another one called graphite rods.

Speaker B:

Why container is containing things inside and graphite rods are reducing the energy if it's too much.

Speaker B:

Because I would like to produce as much energy as I can, but the pipe can handle only so much.

Speaker B:

And if the energy going through the pipe, through the wire is too big, what's going to happen to the wire?

Speaker B:

It will burn.

Speaker B:

Right.

Speaker B:

And instead of nuclear reactor, we will have what?

Speaker B:

A nuclear bomb?

Speaker B:

We don't want that.

Speaker B:

So the whole idea is nuclear energy has a lot of methodologies and words to catch failure modes before it becomes dangerous to mitigate it.

Speaker B:

And technology is different, the physics different, but the idea is exactly the same.

Speaker B:

In nuclear energy, nobody controls a specific atom of uranium.

Speaker B:

They control the whole system.

Speaker B:

So when we are thinking about controlling one AI agent.

Speaker B:

No, that's not going to happen.

Speaker B:

Going to be swarm of them.

Speaker B:

Right.

Speaker B:

We need to control what happened after that.

Speaker B:

So we need to figure out indicators.

Speaker B:

So that is to me this is very interesting point and a lot of colleagues of mine love to hear more and maybe have a discussion.

Speaker B:

This is one of the examples of how can we easily tell business and leaders of the companies by the way nuclear energy spend 10 to 15% of all of the budget before the program starts, before the nuclear reactor is built towards security, why we're not doing the same thing we should, right?

Speaker B:

Yes.

Speaker B:

We can define how we're going to spend it, but it has to be from day one.

Speaker B:

So that is analogies and in my opinion there are other analogies.

Speaker B:

I've heard Richard Bird recently say that identity is a central nervous system.

Speaker B:

That's an interesting conversation.

Speaker A:

I call it the connective tissue between our civilization.

Speaker A:

It's a connective tissue between our civilization today.

Speaker A:

It's the relationship about how everything works in our rights.

Speaker B:

I agree.

Speaker A:

And it's for me it's kind of what, you know, what makes us have.

Speaker A:

It's a relationship.

Speaker A:

Identity is about defining how you're unique in all of those connective or, you know, attributes.

Speaker A:

I always love Paul Simmonds' session at RSA Conference as well.

Speaker A:

I really, I was excited because I've seen the session many, many times years ago.

Speaker A:

You're back with the Jericho forum and I've seen the evolution of it including the agentic AI portion which was really interesting.

Speaker A:

So I wanted to see that update.

Speaker A:

So definitely I'll make sure that, you know, for those one that's release of the RSA on demand stuff, you know, definitely link it back.

Speaker A:

But going back to one of the things absolutely.

Speaker A:

For me I've, I've learned a lot in doing GPT coding in the last year code templates in the last couple of years.

Speaker A:

And one of the things just as you as you're mentioning is that a lot of times what we're focusing on is what we want things to do.

Speaker A:

So we focus on.

Speaker A:

I want to generate a certain code in order to have these outcomes.

Speaker A:

And as I've been coding more using AI in the past couple of years, I started finding is that it does stuff that I don't want it to do.

Speaker A:

It starts going outside, it starts creating assumptions, it starts hyperbolizing, it starts getting.

Speaker A:

Having fantasies and that kind of gets it out of control.

Speaker A:

And what I ended up doing it was one of the examples.

Speaker A:

I find one I had a bunch of old WI scripts from years ago and I wanted to port it to PowerShell and updated code bases Python and so forth.

Speaker A:

So, so I asked it to here's my code, look at what it does and just port it over to Python and PowerShell.

Speaker A:

And it did it.

Speaker A:

lines of code and made it:

Speaker A:

And I'm going what I thought, I thought it would be even smaller.

Speaker A:

I was hoping it'd be optimized.

Speaker A:

And that was my mistake is because what happened is, is that it made lots of assumptions, even said it was finished when it wasn't finished because there's lots of to be done within the code itself.

Speaker A:

And talking to a friend of mine, what I realized heavily was that it became more important for me to tell it what I don't want it to do.

Speaker A:

And I think so going into the fails, the fail safes is those control mechanisms about what we don't want it to do.

Speaker A:

And these are the guardrails.

Speaker A:

These become the guardrails that become very critical to making sure that we get closer to that optimum outcome or result that we're looking for and it doesn't start creating these assumptions.

Speaker A:

I think one example you used about cooking food is that in order to make sure you don't burn it that there's control mechanisms that prevent you from turning the heat up too high for certain types of food.

Speaker A:

I'm going to be doing on this pan chicken.

Speaker A:

So therefore I can't turn it up to a certain.

Speaker A:

So context becomes critical and the fail safes which for me is the very explicit things about how the guardrails and what I don't want this algorithm to be performing become crucial.

Speaker A:

Sometimes it's we get into the whole Skynet about, you know, you know, the Terminator side of things is that you put the sales don't harm humans and all of those things, all of those movies over years there's always those humans becomes as vital.

Speaker A:

But if you don't think about all the scenarios and fail safes then there can be gaps.

Speaker A:

And it's important for us to identify all as many gaps early in the process as we can to make sure that these things don't go rogue and don't go off and doing their own things.

Speaker B:

I would say one more thing is concentration at RSA.

Speaker B:

What they start learning the concentration of most of the vendors were still bad guys.

Speaker B:

But I am insisting and I'm telling everybody, please, I want similar solution for good guys.

Speaker B:

I want to know what my people doing in my company doing their job.

Speaker B:

I called it task based governance.

Speaker B:

Person is performing a task, sometimes it performs it not great way.

Speaker B:

Why?

Speaker B:

Because it was told that this is the way to do it.

Speaker B:

If we can help them out to say don't do this, this is easier for you.

Speaker B:

Maybe for the first two, three days it will be not that, but then the person will realize oh yeah, this is a much better idea.

Speaker B:

But to be able to do that we need visibility.

Speaker B:

The whole industry is concentrated on visibility.

Speaker B:

What the bad guys do or what the potentially bad guys will do.

Speaker B:

And almost nobody is concentrating on the visibility of what the good guys do.

Speaker B:

And I think I started to see the shift.

Speaker B:

I don't know if it's related to me or not, but I started to see the shift that people start to realize that the monies are actually in what the good guys do because that's what they're paid for.

Speaker A:

That's the return on investment.

Speaker A:

One is, you know, one is optimization and return on investment, which is typically, you know, how, you know, the good guys in the candidate, those who have the intention of using it as efficient, as effective as you possibly can.

Speaker A:

Those are ones that save money.

Speaker A:

The other, you know, is cost avoidance.

Speaker A:

This is preventing waste being spent on things that, you know, just because an incident or an attack or some breach happened.

Speaker A:

Those are cost avoidances.

Speaker A:

We come back to, you know, the conversations you want to have with the board is you want to be making sure that one is Identity is interesting because it's one of those things that it does both.

Speaker A:

You know, there's a lot of security solutions out there that just focus on the cost avoidance.

Speaker A:

It's the one that stops the bad things from happening.

Speaker A:

But identity is a very unique situation because one is it.

Speaker A:

While it, it does reduce the risk from the bad incidents and the threat actors, it also has one of the biggest areas that actually has optimization efficiencies.

Speaker A:

Improvements can reduce wasted time, it can help employees be more productive, it can help automate, it can help innovate, it can help do things faster.

Speaker A:

And that's why I was saying, you know, with Identity as well, is that for us to do the things we need to do at the pace we need to do, we definitely need AI to help us.

Speaker A:

AI is definitely.

Speaker A:

And identity is two amazing things that when they come together, very creative, innovative things can happen.

Speaker A:

But at the same time, AI needs us in order to make sure.

Speaker A:

Because identity, as I mentioned, is the connective tissue that allows AI to do the things it needs to do.

Speaker A:

To your point, zero persistent privilege, the principle of least privilege, zero trust, ephemeral tokens and keys, getting words just in time to do only the task that is designed and should be enabled to do and nothing more.

Speaker A:

And that's what, you know, that's where you get the fail safes in place.

Speaker A:

That's where you get the preventive controls where it, you know, can't go off and you know, start, you know, doing its own thing.

Speaker A:

It's got very micro focus, very kind of small task rather than just, you know, I'm starting to see these massive big agents that can do huge amounts of things.

Speaker A:

And that's a concern.

Speaker A:

You want to, you want to simplify it.

Speaker A:

You want to get into micro things where you can actually, it becomes more manageable as well.

Speaker B:

I have an interesting idea recently.

Speaker B:

I'm not sure if it's already happening, but it will happen.

Speaker B:

You as a person who's doing a lot of white hat work, will understand that.

Speaker B:

I think that the future bad guys will try to bankrupt you using AI, if they can influence the way their model is trained to use as many tokens as possible and even do it more and more and looping, memory leak, whatever you want to call it.

Speaker B:

So your bill will go really up.

Speaker B:

You have no idea why.

Speaker B:

Your management say, like, we're just doing the work.

Speaker B:

And then somebody going to call you say, hey, listen, I know you spent a million dollar yesterday, like on, on Anthropic.

Speaker B:

Would you like to cut the bill to 10,000?

Speaker B:

And it's like, whoa.

Speaker B:

It's like, well, if you pay me a little bit, your model will start working better.

Speaker B:

I mean, I can clearly see this happening.

Speaker B:

What is your opinion?

Speaker A:

Absolutely.

Speaker A:

So one of the things we've seen, this, this is played out many times over many years.

Speaker A:

So absolutely.

Speaker A:

Is that where you can save.

Speaker A:

Right now we're looking at two, two major things is energy cost and token cost.

Speaker A:

It is, and, and, and they're very related.

Speaker A:

A lot of the token usage relates to computational power and workloads.

Speaker A:

So that's where you're ultimately getting, getting the throughput.

Speaker A:

We've seen this years ago with the SETI, the search for extraterrestrial, you know, aliens and whatever it may have been.

Speaker A:

And SETI was the same thing as you would run a screensaver on your computer desktop.

Speaker A:

And when you weren't working, that screensaver was using the computational processing power of your computer to search for extraterrestrial space.

Speaker A:

But what happened was, is that people were doing that because it was using computational power.

Speaker A:

It was operating when I wasn't in the office, your computer would be operating as if it was like a fully loaded user on that system.

Speaker A:

So the energy consumption was huge.

Speaker A:

Many organizations, all of a sudden, as employees started installing the SETI screensaver, they saw the energy costs soar, like, you know, from a few thousand euros or whatever to tens of thousands of euros.

Speaker A:

And it's because their computers were operating at maximum power when employees weren't even in the office.

Speaker A:

And we've seen this play out.

Speaker A:

You know, we've seen it with crypto mining, you know, with crypto Miners installing it in the background and using computational power of victims in order to mine cryptocurrency in order to offset energy.

Speaker A:

And they're always looking for where's the most energy efficient.

Speaker A:

And absolutely, when it gets into today, attackers, they want to steal not just your data on your credentials and your identities and access and everything, you know, intellectual property in order to make money, but they'll definitely want to steal your computational workload and also your tokens in order to actually process.

Speaker A:

So they become the next target is your computational power, which all comes back to energy costs.

Speaker A:

It means is your energy bill over the next five years.

Speaker A:

If you're not managing all of this infrastructure densities, your AI and everything really well, there's going to be a cost, your cost is going to be your energy bill and your tokens that's associated to that.

Speaker A:

And attackers will look for that.

Speaker A:

They want to mine, they want to get computational workloads, they want to use that power to attack other infrastructure.

Speaker A:

Used to be the, you know, 10 years ago it was botnets.

Speaker A:

You know, you'd sell your botnet to do DDoS attacks and that's one of the things that, you know, attackers made money.

Speaker A:

Now it's going to be selling, you know, your AI workloads and tokens in order to do the same thing.

Speaker A:

So absolutely, it's something that everyone needs to be thinking about to make sure that you're protecting this as another threat vector and making sure that they have the right controls in place.

Speaker A:

And I also predict as well is that, you know, as these agentic AI agents get out of hand and no one's thinking about proper policies, governance roles, organizations within, you know, it is the new insider risk is that organizations, if they're not looking at these as privileged identities and credentials, is that ultimately they will be abused either to create that, you know, AI kind of workload theft, or is going to be basically using it to steal data.

Speaker A:

And you will see agentic AI, you know, agents being attributed to data breaches with probably within this year.

Speaker A:

So absolutely, it's, it's a massive threat landscape that it's getting bigger.

Speaker A:

And we need to make sure as we're deploying and rolling these out, is that we all, we understand the risk.

Speaker A:

And I think it goes back to one of the most important things that you mentioned is visibility is for the defenders is, you know, primarily is we need to have visibility about all of these workloads and we should be, you know, one of the biggest metrics you should be measuring is your token usage.

Speaker A:

And also your energy consumption and your agent workload and your computational power and your AI usage.

Speaker A:

Those we should be thinking you should be wanting to get visibility of immediately before you really let AI to, to operate and take control of your business.

Speaker A:

You want to have visibility into how much it's consuming and the efficiency that it's also creating, but also that you've got the protections in place to have control of it.

Speaker B:

Yeah.

Speaker B:

So those are going back to my analogy for nuclear energy.

Speaker B:

Those are gauges, those are the indicators which similarly to nuclear world, they put it on the container.

Speaker B:

That's where we're going to put this thing in.

Speaker B:

I think.

Speaker B:

I absolutely agree.

Speaker A:

Absolutely.

Speaker A:

I'm really excited.

Speaker A:

I'm looking forward to your session.

Speaker A:

I think for the audience this episode might be out around the same time as your session.

Speaker A:

So be exciting to see that we can connect it.

Speaker A:

I'll make sure at least it's linked into the show notes so people want to find it.

Speaker A:

Absolutely.

Speaker A:

So in this crazy, this crazy world of, you know, everything's fast paced, moving, I think one of the most, I think going back to one of the things we talked about a little bit earlier is that in today's world, we're no longer in this world of trades.

Speaker A:

When my father and you know, his parents and stuff, that they would have had a trade for their entire career, they would have from the day that they finished school until the day that they retired, they may have worked one or two jobs over that entire lifespan.

Speaker A:

That kind of society is no longer here today is because we're seeing a lot of those traditional trades moving.

Speaker A:

So it really means that even on my career, I think every five years I have to retrain myself and I have to spend a lot of time, you know, either doing courses, reading, learning, staying up to date, attending conferences, I'm dedicated.

Speaker A:

I find that I'm a life learner.

Speaker A:

But because I have to, in order to stay valuable, I have to keep learning.

Speaker A:

Because every five years the technology changes so much that I have to learn.

Speaker A:

What's the new kind of what's the new hot topic or what's the new trend?

Speaker A:

How do you stay up to date?

Speaker A:

What's some of your methods that you do in order to stay current in this ever changing world?

Speaker B:

My method is exactly the same as ancient Greek philosophers said, right.

Speaker B:

The more I learn more I realize I don't know nothing.

Speaker B:

Right.

Speaker B:

There is an overload of information.

Speaker B:

So usually what I do, I start to concentrate on certain topic and also I followed a certain people.

Speaker B:

Especially when it comes To Identity World, Identity World ID Pro.

Speaker B:

Id.

Speaker B:

I'm not going to name the names, you know, all of them.

Speaker B:

But please, if you're not a member of ID Pro, I readily recommend you to do that.

Speaker B:

We have a great slack and basically you can see what people writing.

Speaker B:

I like to read thoughts, ideas, images and definitely stories.

Speaker B:

I would never remember all of the details of MCP protocol or any other new protocol or how to do this or that.

Speaker B:

But the idea of where we're going, what are the new methods existing, what are the new principle we're trying to build in that becomes the story and definitely the best place to learn conferences.

Speaker B:

Because in the conferences outside in the hall after a fantastic presentation, you can overhear so many great conversations of practitioners who know what they're doing.

Speaker B:

That is probably the most important thing.

Speaker B:

And one day maybe I will create my own Claudrie Hepburn and maybe that will help me.

Speaker B:

I don't know.

Speaker B:

I'm still old school.

Speaker B:

I like to learn myself.

Speaker B:

Sarah.

Speaker B:

Hi.

Speaker B:

So but to me, conferences and human interactions, that's when I learn the most.

Speaker B:

That's where the idea is coming up.

Speaker B:

That's what some thing writing and then verifying it against the practical world that becomes another learning experience.

Speaker B:

So encouraging people to attend conferences.

Speaker B:

My favorites, Identiverse, definitely Gartner Identity and Access Management are definitely many other local conferences happening around cybersecurity.

Speaker B:

RSA is a little bit too big, but you know, it's kind of.

Speaker A:

It's very, very big.

Speaker A:

But it allows you a lot of people in the same place at once.

Speaker B:

A lot of people.

Speaker B:

And you know, thank city of San Francisco, thank you very much.

Speaker B:

Because now every big company can have a hospitality suite formerly known as store.

Speaker B:

Right?

Speaker B:

No more stores.

Speaker B:

But you know, so I, I like that idea at.

Speaker B:

AT in San Francisco.

Speaker B:

So please definitely communications with the people who understand.

Speaker B:

We live in a very strange world where there is no more authorities in terms of like a person who knows stuff.

Speaker B:

No more.

Speaker B:

I don't want to call it guru.

Speaker B:

I call it people who, who are respected in the field.

Speaker B:

Please, let's go back to that model.

Speaker B:

Let's listen to people who respect it, have a chat with them instead of trying to understand everything what's going on online.

Speaker B:

Because I have no idea how much online product is created by People versus ChatGPT.

Speaker B:

You know, I really don't know.

Speaker B:

But when you see the people in person ask them questions and I'll tell you right now, between me and Joseph and everybody else, we know if someone asks the question we love it even.

Speaker B:

It looks simple for us, but we love it because people are interested in our field.

Speaker B:

For any young persons to listen to this, please come over to us.

Speaker B:

We would like to bring you in.

Speaker B:

At the Identiverse, we always have the great event of ID Pro and a lot of young people coming in.

Speaker B:

We invited everybody just to listen to see and maybe you get the vibe.

Speaker B:

One of the greatest thing about identivati, we're not techies only.

Speaker B:

We're somehow philosophers, you know.

Speaker B:

Yeah.

Speaker B:

Somehow funny people.

Speaker B:

Comedians.

Speaker B:

Right.

Speaker A:

There's quite a few philosophers in that group, you know.

Speaker B:

Hi, Jonathan Sander.

Speaker A:

We were thinking about the same person as we said.

Speaker B:

Exactly.

Speaker B:

And it is such a diverse.

Speaker B:

By the way, diversity is a huge thing for us.

Speaker B:

We have people from all over the country, all over the world with completely different backgrounds, completely different education background, but this atmosphere of thinkers in one place.

Speaker B:

Right.

Speaker B:

This is amazing.

Speaker B:

This is absolutely amazing.

Speaker B:

That's the best place to learn.

Speaker A:

And absolutely for me, I always remember back to, I think it was my first outing at years ago, must be 10 years ago now, at KuppingerCole's EIC European Identity Cloud Conference.

Speaker A:

And the ID Pro Group had their, you know, evening at Denti Beer activity.

Speaker A:

And it was so fascinating because for me, I live in the world of security and I moved from security to identity security and a lot of people, you know, went from identity provisioning and enablement, you know, to being also security as well.

Speaker A:

So we somewhat came from two different worlds and for me it was such a fresh perspective on the world that I live in.

Speaker A:

Coming from a lot of the people in the, you know, Identity Ready and the ID Pro and Identity Beer, all of those things.

Speaker A:

It was so refreshing for me and such a great new perspective on a world that I, you know, came from a slightly different universe in that regards.

Speaker A:

But for me it was, it was eye opening and so I always enjoy absolutely when I, when I go, I've got questions, I've got things in my mind that I always get amazing conversations and amazing insights that allows me to go back and enhance the work that I'm working on and really improve it with different viewpoints.

Speaker A:

So it's always great.

Speaker B:

Yes, thank you.

Speaker B:

I mean, yeah, so.

Speaker A:

So for, for the audience that might have questions afterwards, what's the best way for them to contact you?

Speaker A:

Reach out, what's.

Speaker A:

What's kind of the best way for them to, to follow up?

Speaker B:

I prefer LinkedIn, honestly.

Speaker B:

It's probably the most controlled, I would say social network in terms of at least having some kind of a guardrails, I can look who this person is and please send me any questions you would like to contact.

Speaker B:

You would like to have a conversation.

Speaker B:

I'm always open for continuing working on ideas and talking about it and any kind of webinars which promotes our industry.

Speaker B:

I'm always open and if anybody has any questions, please contact me.

Speaker B:

I would be very happy to.

Speaker A:

Fantastic.

Speaker A:

I'll make sure that I get those added to the show notes as well.

Speaker A:

Do you also want to give a pitch for your book as well?

Speaker A:

So if you want to give, you know, the book that you have also, I'll also include it in the show notes as well.

Speaker B:

Yeah, the book was printed long time.

Speaker B:

I printed them digitally printed, I would say a long time ago.

Speaker B:

But yes, if somebody is interested in cost of curiosity and stupidity, also known as custody, please let me know.

Speaker B:

I would love to implement it somewhere and you know, to actually show people that it works.

Speaker B:

Now we have AI who can write the code for us.

Speaker B:

Thank you.

Speaker A:

Absolutely.

Speaker A:

Well, it's awesome having you on and Vlad, it's always great to chat with you and your insights and knowledge, you know, definitely makes this industry much better with you in it.

Speaker A:

And also, you know, you're definitely helping contribute to make the world a safer place and, and hopefully we, we both will leave the world in a better place for the next generation of talent that that comes after us.

Speaker A:

So again, many thanks for, for joining me on the show today.

Speaker A:

So for everyone, this is the Security By Default podcast.

Speaker A:

Another awesome episode, another fantastic, insightful discussion bringing you kind of, you know, clarity to the chaos world that we live in.

Speaker A:

It's really about making sure that you've got insights, you've got knowledge, you've got thought leadership, you've got different topics that can help you either kind of, you know, solve problems or, you know, look for answers that can help you find, you know, how to make your organization much safer, to make it more optimized to be able to go have better conversations with the executive team as well in order to get the budget you need.

Speaker A:

And also at the same time is hopefully it will, you know, provide you insights into maybe your career, future career development and areas that you can evolve into.

Speaker A:

So hopefully it's been educational, insightful.

Speaker A:

So for everyone, tune in every two weeks for new episodes.

Speaker A:

Security By Default podcast available on Spotify, Apple, every place you could find a podcast streaming.

Speaker A:

So take care until the next time.

Speaker A:

Stay safe.

Speaker A:

Thank you.

Speaker B:

Thank you.

Speaker B:

Bye.
