6 March 2026
EP 26 – The tyranny of the now: identity at machine speed
Security teams are under more pressure than ever, reacting at human speed while systems, identities, and AI agents operate at machine speed. In this episode of Security Matters, host David Puner sits down with cybersecurity leader and former FBI executive M.K. Palmore to explore why defenders struggle to keep pace and what it takes to regain control.
From AI agents that overshare sensitive data to cloud misconfigurations that never seem to disappear to the persistent success of ransomware, M.K. explains how complexity, vendor sprawl, and overloaded teams create gaps that attackers continue to exploit. The conversation highlights how identity across human, machine, and emerging agent types has become the center of modern security and why fundamentals, prioritization, and platform thinking matter more than ever.
Listeners will hear insight on:
• Identity at machine speed and the rise of autonomous access
• Why attackers still win more than 51 percent of the time
• How ransomware continues to succeed despite industry progress
• Why SMBs face “mission impossible” expectations
• The true cost of vendor sprawl and operational overload
• What effective security leadership looks like in the current threat environment
If you work in identity, security operations, strategy, or leadership, this discussion cuts through hype and focuses on the realities defenders face and how to push back against the constant pressure of the tyranny of the now.
For a long time, this show has lived in a specific kind of tension. People who build, people who protect what’s been built. People who try every day to break what we rely on anyway. We started as Trust Issues. We became Security Matters. But the point never changed. This has always been a story about defenders.
People who innovate under pressure, make decisions with incomplete information, and keep moving even when someone is actively trying to turn their systems into smoke. But today’s episode is a little different.
Because this will be the last episode of Security Matters, at least as we know it. With the recent Palo Alto Networks acquisition of CyberArk, I’ll no longer be hosting this show, and we don’t know yet what the future of this feed will be.
Maybe it evolves. Maybe it becomes something else. Maybe this is simply where this chapter ends.
Either way, if you’ve been listening, thank you for your curiosity, for your time, for sticking with us. We’ll see what’s next. But for now, let me tell you another story.
An organization rolls out an internal AI agent. Routine stuff these days. It’s a helpful assistant meant to answer questions, summarize documents, pull information, speed things up. Then one day someone asks it something ordinary, and the agent responds a little too helpfully. It pulls in a piece of enterprise information the user shouldn’t have had access to, not because they breached anything, but because the agent didn’t know where the line was.
The human didn’t have permission, but the machine did. And in that gap, something private spills into the open quietly, instantly, without a dramatic breach moment.
That’s the new shape of the problem. Because now we’re not just managing human identities or machine identities. We’re facing something we haven’t fully named yet.
Identities for agents. Systems that can act, retrieve, and reveal at machine speed.
So what does least privilege mean in that world? What does role-based access control look like when the role is a semi-autonomous assistant? And how do defenders keep pace when adversaries get the same tools?
That’s why today’s guest is M.K. Palmore, founder and principal advisor at Apogee Global, former FBI assistant special agent in charge of the cyber branch, and someone who has spent decades on the front lines of cyber risk across government and the private sector.
In this conversation we get into why attackers still win more than 51% of the time, why ransomware keeps working, how vendor sprawl creates gaps, why SMBs are chasing Mission Impossible, and why identity (human, machine, and agentic) is becoming the real perimeter.
I am David Puner, and as Waylon Jennings once said, I don’t know why they keep on showing my hands and not my face on TV.
This is Security Matters. Here’s my conversation with M.K. Palmore.
David: M.K. Palmore, founder and principal advisor at Apogee Global and former FBI assistant special agent in charge, cyber branch. Welcome to Security Matters. Thanks so much for coming onto the podcast.
M.K.: Hey David, thanks for having me. Appreciate it.
David: There’s so much to talk about here. Let’s start with the big picture.
From the Marines to leading the FBI’s cybersecurity branch in San Francisco, to cybersecurity leadership roles at places like Palo Alto Networks and Google Cloud, and now launching your own firm, that’s a pretty interesting wild ride there.
Is there a common thread or lesson from those experiences that still guides how you approach cybersecurity today?
M.K.: There is a common thread, and I’ve thought about this a little bit because I like to be as reflective as I possibly can in terms of my professional matriculation.
I had a very extensive career in the U.S. government. Thirty-two years in the U.S. government. I retired, then went squarely into the technology space with Palo Alto and Google Cloud.
The whole time my drive is around making sure that I’m contributing, making sure that I’m being impactful, substantively and helpful to others. And I feel that same way when it comes to the technology space.
I’m such a big fan of technology, cybersecurity in particular, that it leads me to believe that if I can be helpful getting people in a position to best leverage the existence of this technology, utilize it for their personal lives and for their professional lives, and do it in a safe and secure manner, and then help to prevent people who have an adversarial tone or nature from being successful in what it is that they do, then I feel like that’s an appropriate use of my interests and certainly has guided me through the vast majority of my career.
David: Let’s go back to when you were in the Marines starting out. You could have potentially foreseen where you are now, but what about what you were doing in those early days with the Marines? Is there a skill set that you’re still pulling from now today?
M.K.: Well, the skill set that served me well throughout my entire career is my ability to sort of plan out long term.
Frankly, there is nothing that has happened in my career that wasn’t done with intentional planning. I have not stumbled into anything. I haven’t been given some opportunity that I wasn’t prepared for.
Throughout the entirety, from the time I graduated from Annapolis, and even before that, I have planned out where I intend to be, and I’m always looking at sort of the three-to-five-year timeline.
And when I get to the end of those timelines, I have been apt to make shifts. And I did that throughout my career in the FBI. I wasn’t a cyber agent or a cyber executive the whole time.
I specifically went into the FBI because of the vast variety of things that they investigated. And I knew that I would get an opportunity to do lots of different things, and I did.
I selected everything that I did during the course of that 22-year career, to include my entrance into the cyber field. The education that the FBI gave me around the topic of cyber, and then my exposure to national security and financially motivated criminal intrusions, was all part of a plan that ultimately at those stages then got me into the technology space with a couple of Fortune 500 companies.
And all of that sort of goes into my foundational pieces that I think about when I think about what then led me to strike off on my own and create my own advisory firm.
David: The idea of leadership seems to come up a lot in your work. You said that managing risk and cybersecurity really comes down to people, talent, and leadership.
What are some leadership principles that carried over for you from the FBI to the tech world, and was there something that you had to adjust when you transitioned into the private sector?
M.K.: I think that there’s a couple of guiding principles as it relates to leadership.
One is how I look at the field of leadership or discipline. I look at it as a student. In other words, my mindset is always that I’m going into an experience with the open mind that there will be something new that I learn from these experiences.
And I think that the challenge that I see in the technology space is that I’m not sure that everyone approaches it with a learning mindset.
I think especially for those that have been around the industry for a long period of time, they get so set in their ways, they like their ideas so much, that they find it hard to actually listen to and adopt the ideas of outsiders.
And I think that’s something that hurts our industry day in and day out.
I also think that that’s part of the reason why the cybersecurity industry is sort of going in the direction that it is.
And if we go deeper into that topic, the direction I think it’s going in is not one that will eventually get us to an industry that is solution focused and solving problems.
It’s really gotten to the point where it’s dominated obviously by vendors, and the vendors are interested in creating platforms, solutions, and products that answer very specific issues within the cybersecurity domain that ultimately just lead to a lot of sprawl.
There are so many solutions available today that organizations have difficulty selecting the direction that’s best suited for our role in enabling business and helping businesses succeed.
Because the cybersecurity industry doesn’t just exist in a vacuum by itself.
Let’s go back to the roots. Cybersecurity as an industry was actually created to enable business operations and to ensure that businesses could function and do what it is that they’re tasked with doing.
And I think that for many years we probably have gone off on a tangent and are now thinking that we exist just to create new products and create value for the thousands of companies that are on the landscape.
And certainly that’s part of it. You can’t be naive to that.
But I think that as an industry, if we were to get more focused on why it is that we exist and what it is that we’re trying to do, I think we could be infinitely more helpful to the businesses that we get in front of.
David: Do you see that potentially happening in the near future, or what needs to happen for that to happen?
M.K.: I think that we need to reassess our assumptions again about how we’re functioning and what our purpose is.
Part of the reason I became a consultant leader and an advisor is because I feel as though there’s a space within enterprise, the SMB space particularly, that is essentially neglected by the folks who are creating and building some of these great products.
Oftentimes the SMB space gets ignored because they are not targets for high value in terms of revenue generation.
But yet the SMB leaders are out there trying to create cybersecurity teams that can go one-on-one with some of the biggest cybersecurity programs in the market.
There’s no reason why a small regional bank should be thinking that they need to create a cybersecurity team that’s the same size as JP Morgan Chase.
They can’t ever create the number of positions, resources, and devote the amount of financial resources necessary to build a commensurate apparatus.
So they need to be thinking differently about how they tackle their cybersecurity challenges.
Maybe thinking of it in a fractional sense, or maybe bringing on interim advisors that can help them bridge periods of their development rather than thinking, “Oh, I’m going to build my own SOC. I’m going to build my own cybersecurity team. I’m going to go out and hire a very expensive CISO who’s deeply experienced and bring them in here.”
And then that CISO says, “Oh, I need to build a team of folks to execute on my strategy and work.”
It’s chasing a fool’s goal. It’s an impossible mission that they’ve set upon themselves.
And I think that impossible mission is exactly why we continue to see the numerous breaches, the numerous failures by organizations to do what they need to do to protect their enterprise assets.
David: Is there a best approach or a common approach that you would recommend for SMBs like that? CISO as a service, that kind of stuff?
M.K.: Yeah, I think the fractional piece, which is part of what we offer from our team at Apogee, I think the fractional piece is going to take on much more of a new light, especially in light of the changes that we’ve seen in the industry probably just in the past five or six years or so.
I also see nowadays CISOs, folks who are deeply experienced, sort of walking out of these long-term operations and positions because they like the idea of fractional and project-based work.
I think what we’re going to see over time is a movement in the SMB space away from hiring these long-term individuals to sit in these roles.
Even at the enterprise level, the operational tempo and lifespan of a CISO is still, what, 18 months to two years?
I think we’ll start to see the SMBs take a different approach to it, and that approach will likely have some component of fractional or project-based work.
If you can build partnerships with the right organizations, then yeah, we want to be on the other end of what’s considered a right organization.
If you can build partnerships with the right organizations, I think you can grow and scale at a pace that mirrors where you are in terms of the business development cycle rather than, again, looking towards the big folks on the block and assuming that you can ever build to what they have.
Again, I think that’s Mission Impossible for most of these organizations.
And yet, because of the adversarial landscape, they have to be just as competent and capable as the big folks on the block.
But they don’t naturally have all of the same resources available to them.
So it’s a little bit of a quandary that they’re in.
David: And then you had mentioned that short lifespan of a CISO, that 18-month number that you cited there.
What is the biggest challenge facing CISOs that contributes to that short stay, and what do you think is the most pressing need to make that role more sustainable?
M.K.: I think the number one challenge that CISOs face is that in some organizations they don’t have effective placement in the C-suite. I think that in many organizations the CISOs are still reporting to top line executives that are part of the C-suite, and so they occupy and control the budgets for the security teams.
So they don’t have full ownership. They have full ownership of the accountability. In other words, they get held accountable for the security apparatus functioning, but they don’t get the full ownership in terms of being able to identify budget, and they don’t get a full voice at the table oftentimes.
In fact, if you go across the C-suite, if you pick any company, you go across their top-level board where they put the pictures up of the executives, rarely do you see a chief information security officer listed among the executives of the company. Typically they’re buried one to two levels below someone else on the C-suite.
And without full ownership, without the full ability to be, to use the expression, sitting at the big table, I think it puts CISOs in a really, really challenging position in today’s space where digital assets account for a huge component of business operations.
I mean, it is the lifeblood of any functioning company today. And protecting those assets is pretty high up on the operational viability spectrum.
And so the persons charged with protecting the assets should have a greater role in decision making.
David: As former law enforcement, what are the top concerns that come to mind when you think of this somewhat unruly situation?
M.K.: I’ll tell you my top concern is from the adversarial vantage point. I was in my executive role at the FBI responsible for outreach when I was the executive here in San Francisco for cyber.
And I would go out and give the FBI’s version of what the threat landscape looked like in lots of different settings globally.
In fact, I think the biggest thing is that the adversary, they’ve picked a winning position. They are and have been for a very, very long time in the winning role by greater than 51%.
And I think that the challenge is that the technology space and the cybersecurity industry have to match them.
David: Mm-hmm.
M.K.: I don’t think that we’re on par with what the adversary is capable of doing just yet, although I think we’re capable of getting there.
I think that the adversary wins a lot and that hasn’t changed very much in the big scheme of things.
For as much work and effort that goes into protecting organizations, you could probably pick a news article about a breach from this year and match it to a news article from 2014, and you’d find almost the exact same elements except for the company name, maybe even the avenue of approach by the adversaries exactly the same.
And what does that mean in the big picture of things? Have we really solved the problems, the most pressing problems that we were responsible for solving?
I remember distinctly the first phone call I got as an FBI executive about a major ransomware incident when I was an executive leading the cybersecurity branch for FBI San Francisco.
And I thought a couple of things when that call came in.
I thought it was a novel approach. So I was fascinated by the idea that, wow, because the FBI deals in the human element of kidnap and ransom and you hear of hostage taking and that kind of thing.
So I thought it was a novel concept. Wow, to encrypt someone’s data surreptitiously and then not return the data to them until they pay a ransom.
I thought, okay, we’re dealing with this now.
And I thought that in short order the industry would respond, the FBI, others would figure out a way to stop this from happening.
David: Right.
M.K.: And here we are, 2026.
And organizations are still falling to ransomware attacks because the adversary figures out what organizations put in place to block against these attacks and they just pivot.
They pivot ever so slightly.
They are experts at return on investment. They know exactly how much effort to put into their attack vectors so that they achieve maximum impact and maximum level of success.
And I still don’t think that we figured out a way to counter that kind of winning percentage that they have in their favor.
David: Let’s stick on ransomware and shifting to the threat landscape.
Ransomware is still one of the biggest threats out there, hitting everything from hospitals to city governments and beyond, of course.
Why do these attacks keep succeeding and what’s it going to take to stop them?
Do you think we need better teamwork between government and industry to really fight back?
M.K.: I’m a big fan of public-private partnerships.
I think that anytime that we’ve shown historically where private organizations and the government have teamed up, I think that you oftentimes find a winning formula for success.
There’s lots of reasons why entities like healthcare organizations and public sector organizations are still falling prey to these kinds of attacks.
And it’s because of the growing complexity of the digital environments that they’re responsible for protecting.
And something I noted at the top of our conversation around vendor sprawl and sort of the approach of the current security professionals is to identify a problem and buy another tool to solve that problem.
And by the time you get to the snapshot of what it is that they’re dealing with, they’ve got multiple vendors in their environment with no way to integrate all of these products.
A lack of visibility across their environment.
Just when you say that out loud you should be thinking one word, and that’s gaps.
There are natural gaps that exist when you start thinking about putting one tool on top of the other that weren’t built to be integrated together.
Again, the manifestation of an organization or an enterprise that pops up and says, hey, we’re going to solve this individual problem in the cybersecurity lane, so let’s build a tool to do that.
And this will resonate with you guys because you’re now part of an organization that I really think has been a champion of this.
I’m really a big fan of the platform approach.
I think that if organizations can identify a platform or two that covers the vast majority of their security use cases, I think that’s a better direction to go in rather than buying best-of-breed individual tools across the board.
Because I just don’t think that organizations have shown that they can manage those best-of-breed tools.
David: While you were talking, I noticed for the first time that you’ve got a drum set behind you. What’s going on? Are you going to drum for us at some point in the middle of the interview? Perhaps a little intermission?
M.K.: I will not be drumming for you on this call.
The drumming is just for me and my ears.
I’ve been a hobbyist drummer since I was a little kid, and I keep an acoustic set.
I have a very eclectic music taste, and I get on the set and bang around on the weekends just for my own satisfaction.
David: Little meditational aspect to it.
M.K.: It is.
David: Fantastic.
M.K.: It has medicinal properties and capabilities associated with it.
David: I think you’re our first guest who’s had a drum set right behind them while we’ve been interviewing.
And for some reason I would love to integrate that drumming into this conversation.
If you feel the need, feel free to jump on. We’ll take a break.
M.K.: Yeah. Okay. All right.
David: So then shifting from drumming and ransomware and all the good stuff that we’ve been talking about so far, not that ransomware is good stuff, let’s talk about the workforce itself.
M.K.: Yeah.
David: There’s a lot of talk about a cybersecurity talent shortage.
At the same time, the nature of security roles seems to be shifting.
How do you see the workforce evolving, and what kinds of skills or roles do you think will matter most going forward?
M.K.: Yeah, that’s a great question.
And the answer I think is fairly complex.
There’s a couple of observations that I’ll give you because I’ve paid attention to this topic quite a bit over the course of the past decade, I would say.
I think that as an industry we’ve essentially worked our way out of entry-level roles in the cybersecurity industry, and that’s been actually moving in that direction for quite some time.
And with the advent of artificial intelligence, which now is growing increasingly in terms of its capabilities, I think we’re going to work our way towards an environment where people are going to be expected to come in mid-level already with a significant amount of experience to solve very specific problems up and down the cybersecurity chain.
I think that the talent shortage that we talked very heavily about in the 2018, 2019, 2020 timeframe, I don’t know that it’ll dissipate.
I just think that the sands will shift.
And I think that what we will view as necessary roles within a cybersecurity team will change over time, and automation will have quite a bit to do with that.
And I just don’t think we know exactly what that’s going to look like.
But I do think that that picture will begin to sharpen over the course of the next three to five years as we see what kind of impact AI has on cybersecurity tooling.
David: Mm-hmm.
M.K.: I do think there’s an upside to AI as it relates to cybersecurity tooling.
I’m a little bullish on it.
I think that because the gap between reaction time has always been a huge challenge for defenders and adversaries, again with that winning percentage, adversaries have always had time on their side.
I think that AI cuts into that quite a bit.
Before I left Google I was beginning to evangelize on what I thought was sort of a military-like methodology to where I see AI bringing some parity against the adversary.
I think that will continue to even out over time, but I just think that AI gives us an advantage in terms of response, analysis, summary, and then decision-making cycle necessary in order to combat adversarial behavior.
And I just think that’s just going to get better over time with each iteration of these products.
David: Do you think that we’re toward a future where AI handles much of the entry-level security work, that a lot of those entry-level roles will disappear?
And if so, what would that mean for someone just getting into the field?
And how should organizations adapt their hiring or training to that reality?
M.K.: I do believe that the technology is going to get us to a point where we have essentially eliminated entry-level roles.
And if I were advising someone on getting into the industry, I would say that whatever you do in terms of the lane that you decide to go down, and one of the things that attracted me to cybersecurity, I’ve never seen a field as vast and as deep as cybersecurity.
So when I hear people call themselves cybersecurity experts or they’re referred to as cybersecurity experts, it gives me some pause.
David: Yeah.
M.K.: While I feel that there are folks who are deeply experienced in particular domains of cybersecurity and definitely have great thought leadership and opinions about things, I think it’s nearly impossible for someone to be an expert in the field, quite frankly.
Unless you’re going to show me someone who founded a game-changing cybersecurity company based upon his ideas on how to attack a particular problem.
He gets to call himself an expert.
The rest of us do not.
David: I’ve seen you credited as a cybersecurity expert, so I guess that wasn’t your choice.
M.K.: That wasn’t my choice.
Definitely not.
I’m a thought leader in the space because I like to challenge the status quo.
Not an expert.
I’m someone with particular experiences in different aspects of cybersecurity.
Those different aspects are the ones that I typically reserve my comments and thought leadership for.
David: You’re such a cybersecurity expert that you know that you should not be called a cybersecurity expert.
M.K.: I know enough to be dangerous and I know enough to know that I’m not an expert.
And I’ve only come across a handful of experts in my time in the field.
And I think the term is way overused.
Because if there were that many experts across the landscape, this industry wouldn’t be getting as much attention as it appears to get.
And the attention, the reason it gets attention, is because someone is defeating these experts day in and day out.
The adversaries are winning.
I’ve said that a couple of times already.
I think the field is changing.
And I think some of that is just we have to understand that this is where the technology is going.
We should leverage AI to take us as far as we possibly can.
And I do believe that there, maybe I’m going out on a limb here, AI has shown itself to be capable of potentially automating the vast majority of cybersecurity technology use cases.
David: Mm-hmm.
M.K.: We’re not there yet.
But I have every reason to believe that that’s a direction that we’re headed in.
So what’s that mean for the typical practitioner who used to sit with their eyes on the screen?
Computing technology can move infinitely faster than an individual can.
If it can go and collate information and pull resources together and summarize and then take action without a human being involved, if you don’t think that that’s going to be someone’s decision to move in that direction at some point, you’re not paying attention to what’s happening.
That’s absolutely the direction that we’re headed in.
And I think that if I’m lucky, I’ll be around long enough to probably see that.
David: Let’s stay with AI for a moment.
It’s obviously on everyone’s mind in cybersecurity these days.
What developments are you most excited about when it comes to AI helping defenders?
And on the flip side, what aspects of AI and security concern you?
M.K.: So I’ve said it before that I’m bullish.
I probably see the sunshine a little bit more than I see the storms.
What I’m excited about is all of the possibilities with agentic AI.
Even the glimpses that I’ve seen of it with the various products that are on the landscape, not even dealing with cybersecurity, just the idea that these LLMs, large language models, have evolved just in the short period of time to be able to take action on your behalf.
That’s amazing to me.
David: Yeah.
M.K.: I’m sorry. I’m a little bit of a fanboy when it comes to technology, so that part’s amazing to me, and I want to see where that goes because I think it’s a little bit of a game changer.
You know, I’m a family guy. I manage my professional life, and I have to help my wife manage our family life. If you’re telling me that you’re going to build a model or an agent that can one day go out and make all of our reservations for a family trip and do it under the directions that I’ve given it, and then go out and find me the best deals, I’m all for that. I’m sorry. I want to see that come to reality, and I know that it will.
And someone will probably respond in comments, there’s probably something already out there that gets you 80% down the field just because this is moving so fast.
So when I take an analogy like doing a simple thing, like going out and making family travel reservations, and I then take that capability into a more complex environment, I definitely see that there’s a possibility that this can have an overwhelmingly positive impact on an organization’s ability to protect itself.
Now, what’s the downside of that? The downside is that we’re still learning. We’re in inning three of a nine-inning game. And we’ve seen flashes of brilliance, and we just don’t know what’s around the next corner. We just don’t know who’s coming up to hit on the opposing team.
The other component, which I’m sure everyone recognizes and I would recognize immediately as a former law enforcement guy, the adversary’s got access to these same tools.
So what’s that mean? That means that attacks are going to get more complicated. That means that their ability to prolifically identify vulnerabilities, they’re getting better at it. They have the same tools available to them that you have available to you to protect yourself.
And that’s what I meant when I made the earlier statement about parity. I think for the first time, the defender may be in a position to at least reach parity with the adversary. And maybe that brings us all to a stalemate. Maybe we get to a point eventually where understandably there are some gaps and we learn to protect against those things and implement some controls, and then quantum computing is going to come and bust all of that up and change the whole narrative to something else.
Things are changing rapidly. It’s incumbent upon all of us to pay attention to what’s happening on the landscape from lots of different angles.
David: Apologies to ask the cliché question, but does any of this keep you up at night? And if so, what?
M.K.: Nothing keeps me up at night except to build my own business. These are interesting problems to have.
I consider myself, again, experienced in a couple of different lanes, specifically around the topic of risk management. That’s why I’ve sort of come to market with my own advisory firm.
And I’m taking the Avengers approach, by the way, with my advisory firm. I am not the answer to every client’s challenge.
My whole idea about building a business, a consulting business, is I want to lead an effort where there are folks who have very, very particular deep skills, and I’m going to take those deeply skilled people and match them up with a problem that a client presents to me so we can help that client solve their problems.
I’m not going to be the answer to all of that. I’m just going to manage the environment that allows these very, very skilled people to get plugged into problems that they can be helpful in solving.
That’s my idea behind an advisory firm, not that I come in and advise on everything under the sun, because I have particular experience at particular things, and those are the things that I intend to weigh in on and potentially lead in terms of client engagements.
But I’m not going to be the perfect fit for every engagement, but I bet you I can find someone who is.
David: So then let's talk about your perspective on identity, which is often called the new perimeter.
CyberArk's founder and executive chairman, Udi Mokady, who was our guest on the previous episode, titled Identity Is the Threat Vector, says that it's the main threat vector now. How do you see the role of identity security today, especially as organizations embrace Zero Trust, and how can companies strengthen their identity defenses without slowing down the business?
M.K.: This is a great topic. Sounds like you probably did a whole episode on it, or you could have a whole episode on it.
David: Yes.
M.K.: I’m in agreement. Identity is the keys to the kingdom.
Imagine if a requirement to use the internet was actually that you had to identify yourself as your real identity to even gain access to the information on the internet. Think of how many problems that would actually solve in terms of everything from fraud through adversarial behavior.
So at a very, very high level, I think identity is the answer to all of this.
I think that where you'll find resistance is, unknowingly, in people's resistance to the idea of identifying themselves, because they imagine that someone is then going to be watching all of their activity and gathering that information.
Well, I got news for you. They’re already doing that.
You know there are entities out there, both commercial and otherwise, that are already gathering details about everything that you do online.
We seem to be willing, in many respects, to allow apps to track our movement from one website to the next. But when someone thinks about the idea of having to identify themselves before they start surfing the net, it's "that goes against my civil liberties."
Well, you’ve already given up some of that ground, quite a bit of it, already.
Our entire lives are based on what information we are required to provide in order to just go about our daily lives.
And now that these devices that we carry in our pockets basically contain access to the entirety of our lives, your information is being shared across digital lanes that you have no idea about and can’t even imagine.
So identity is the answer. I just don’t know that we’ll ever get to the point where there’s complete identity across use of the web.
I do believe that for organizations that need to protect themselves, businesses, identity is a fantastic starting point for all things, to include getting to a Zero Trust architecture and restricting to least privilege, all the basics that we've been talking about for decades.
If you can actually get through the basics and find widespread implementation, scoring yourself in the range of maturity that gets you somewhere near fully adapted, you can largely protect yourself against at least the major threats out there.
But what we find day in and day out, and this is the complexity issue that I brought up earlier, is that organizations still aren’t doing the basics.
Every breach, each one, I guarantee you if there was a postmortem that was available to everyone to read, you would find that the avenue of attack had to do with some lapse in judgment related to cybersecurity hygiene. Every one. One hundred percent.
There are very few breaches that start with a complex intrusion.
David: And then when you bring machine identities into the equation, which we found in our 2025 Identity Security Landscape report outnumber humans by more than 80 to 1, and that was about a year ago, so who knows what it's going to be this year, and then you start to consider AI agents and the identities that come from agentic AI, how does that factor into the equation for you?
M.K.: No, I think that’s an interesting challenge.
I can't remember who, because I have lots of these conversations, but someone brought up the idea of role-based access even for agents, which I thought was a little bit of a novel concept.
We’re clearly not there yet because the reason they brought it up was because they had an example of an agent providing enterprise information to a user that the user should not have access to, but that the agent had access to and included that information in its return of data in a query or prompt that was put into the system.
That’s a great example of how we need to be thinking about RBAC for agents and making sure that from an identity standpoint we understand these agents should have limitations associated with them.
And I don’t know that the entities that are building these agents have solved that issue yet, but I think that’ll become more and more prevalent.
And I think eventually we’ll get to the point where the agents will have identities in and of themselves, and they’ll have limited access based on their roles and permissions.
But that’s going to require, I think, a different approach to architecting.
David: So then from AI agents and architecting to cloud security blind spots, you spent nearly four years at Google Cloud. When organizations migrate to the cloud, what’s one security blind spot that tends to catch them off guard, if there is one? Was there something you saw time and again during your work at Google Cloud?
M.K.: I don’t know that I would call it a blind spot.
David: Okay.
M.K.: I am amazed that with each report that comes out, I’m sure Amazon puts out a report, I know Google puts out a report, I have quite a few actual reports that they put out, and I’m sure Microsoft does as well.
I guarantee you annually in each of those reports you will find issues still with configuration of cloud workloads.
I think it’s still the number one or two issue for organizations.
And unless and until we get to the point where the cloud service providers are providing a golden configuration by default for cloud workloads, I think we’ll continue to see organizations sort of build out their configurations in a way that puts them at greater risk for potential security issues.
David: Let’s turn to cybersecurity fundamentals for a moment. To zoom in a bit, fundamentals is one of the best defenses when it comes to cybersecurity. So which fundamentals do companies still tend to struggle with, and why do you think those basics get overlooked?
M.K.: I’ll start with the last question first.
I think the basics get overlooked because the environments are just so complex that without some level of automation and the right set of tools or the right approach, I just think that the environments become so complex that the leaders who know what needs to be done just get overwhelmed by the complexity of the environment.
And they get mired in the tyranny of the now. In other words, there’s so much that needs to be done that they don’t know how to prioritize it, and they begin tackling things that don’t necessarily have the greatest impact on their resilience.
I think some organizations need help with that, and that’s part of the remit that companies like mine have, that we help organizations get their hands wrapped around prioritization of what they should be doing.
In other words, what presents the greatest probability and highest impact to their organization? Prioritize those things first and then go about covering down on it.
Things like the CIS critical controls are still super relevant to organizations, especially public sector organizations. That’s an area where I’ve had quite a bit of exposure and experience, and I find that those organizations are the ones I think that need the most help, but oftentimes don’t know how to ask for it or are unwilling to hear about potential changes.
Public sector environments are unique and very different from corporate or enterprise environments.
The teams are typically much, much smaller. Folks are wearing multiple hats. They are trying, again, that analogy I gave earlier, they are trying to build a security team, an apparatus, that matches something that’s outside of even the realm of possibility for them.
And so they don't even think about how they could offset some of these responsibilities by bringing in extra help and/or bringing in consulting or partners or others that could take some of this load off, but do it in a way that's not just, hey, let's pick the lowest bidder out there who's going to provide some service to us.
And it’s that model, the contracting model. There’s lots involved with why they can’t seem to rightsize themselves.
But I think that following the basics is the starting point to building programs that oftentimes will show a level of resilience that reflects the amount of effort put into it.
One of the other challenges I see across the board is because these leaders are so ensconced and so invested in the day-to-day attacks and challenges that they see and alerts and things like that, they don’t have time to think strategically about how to change their programs.
So you find oftentimes that strategy layer is missing from a lot of programs.
If you go in and ask a security leader, again using the public sector as an example, what their strategy is for the security team, oftentimes their response will be, well, this year we’re going to buy CrowdStrike, or this year we’re going to go buy, you know, they start listing tools that they intend to go buy.
That’s not strategy. That’s how you intend to execute on a particular aspect of the strategy.
And most don’t have a longer-term vision around building a security apparatus that’s going to protect against the threats of the future.
Because, oh by the way, if your strategy is you’re protecting against the threats from five years ago, which you haven’t even caught up to, you’re not in a good spot and will likely never get to the point where you need to be.
David: After all you’ve accomplished, what keeps you excited about the cybersecurity field and what kind of impact are you still hoping to make going forward?
M.K.: The thing that keeps me excited is the idea of actually helping folks, which is part of the reason that I put up my own shingle and left a very comfortable role at a Fortune 5 company.
I want to help folks. I want to help them achieve their intended plans.
And if I can be helpful at all in seeing that happen, helpful in terms of transformation, that’s a good win. And that’s a good way for me to continue to plow through this professional existence that I have.
So, I mean, for me it's all about continuing to grow, continuing to build, pouring into others. Again, nothing gives me more pleasure than to plug someone into a great opportunity for them to excel and show the skills that they have.
And if I can build a business around that model, then I think again it’s time well spent.
David: And how does your podcasting side hustle figure into all this?
M.K.: I love having conversations. I had a great conversation. I recorded a podcast yesterday. I’m not sure when that will hit the streets, but I finally did it in person.
I don’t know if you’ve done some in-person podcasting.
David: You mean like face-to-face?
M.K.: Face-to-face.
David: A few. Not many.
M.K.: It’s a whole different opportunity, I think, for both the host and the guest to learn.
And I just think that the more and more I do that, the more I invest in that, it’s an opportunity for me, in these conversations, I learn something every time.
So it’s an opportunity again to pick up some additional pieces of information that I can hopefully put in my toolkit.
David: Excellent. Would you like to plug the podcast?
M.K.: The podcast is forthcoming. It’s called The Risk Apogee.
David: Oh, okay. A new one.
M.K.: A new one that’s coming.
My existing podcast, Amplified: The Leadership Student 2.0, is all around the topic of leadership, leadership development, pouring into people, what it means to be a good leader in today’s environment.
One of my colleagues is going to be taking over the hosting duties of that, and I’m going to be taking off on The Risk Apogee to really get into these conversations around risk in the enterprise environment and what we should be doing in order to support resilience across the board.
David: Has there been any particular or most influential leader that you’ve had in your career?
M.K.: It’s funny, this topic came up the other day.
I’ve seen a handful of really, really good leaders across my career. My time in the Marines, a couple of people come to mind, very, very senior folks who I saw day in and day out who were just exceptional leaders.
There are a handful I came across in the FBI. The ones that I saw in the FBI who I thought were exceptional leaders were the ones focused in on people and what it meant to mentor people.
And those were the lessons that I took with me going into the commercial space.
And I always think that one of my biggest responsibilities as a leader is to actually mentor folks, to provide insights.
And I like to say that a lot of people over the years have reached out to me, especially a lot of young folks, and I take time to have conversations with almost all of them.
And so I think being people-focused is the example that stands out.
And while I will refrain from naming people individually, I’ve only seen a handful of really exceptional leaders during the course of my career, and I think that’s the way it is.
I’ve seen probably more bad than I have good.
David: You learn, you pick up the pieces of good and you put them all together and you try to practice them yourself.
M.K.: Yeah. And you acknowledge the bad ones as well because there’s something to be learned from those experiences too.
David: Absolutely. M.K. Palmore, it’s been really nice chatting with you. Thanks for coming onto the podcast.
If you want, I can give you a few seconds to get back to the drum set. Take us out with maybe a little snare or hi-hat or something like that?
M.K.: No, there again, there will be no drumming on the podcast. That will live in infamy, and I’d be chasing around the internet trying to bring those videos down.
David: Do you have a favorite drummer?
M.K.: I have a couple that are recent for me.
During the pandemic, I discovered a band called Snarky Puppy. I had never heard of them.
David: Snarky Puppy. Okay.
M.K.: And the drummer is a guy named Larnell Lewis.
And for me, since discovering that band, he’s one of their drummers. They’re a composite band, jazz fusion, that brings in different musicians.
When I see that guy drum, I know I can never even aspire to his skill set, but it gives me a lot of joy to watch him tool up on a kit.
David: I’ll have to check him out. I was expecting to hear like John Bonham or something like that, but that’s…
M.K.: Yeah, check out Snarky Puppy.
David: I will check out Snarky Puppy. Really nice speaking with you, M.K. Thanks for coming on.
M.K.: Yeah, I appreciate it. Thanks for having me.