October 9, 2025
EP 17 – Privilege creep and the machine identity surge: Securing the modern enterprise
In this episode of Security Matters, Chris Schueler, CEO of Cyderes, joins host David Puner for a dive into the evolving challenges of enterprise security. The conversation explores the dangers of privilege creep, the explosion of machine identities, and why accountability at every point of interaction is essential for building resilient teams and systems. Chris shares insights on the risks of unmanaged access, the impact of AI and automation on both defense and attack strategies, and practical advice for CISOs and boards on managing identity risk while enabling business transformation.
Whether you’re a security leader, practitioner, or simply interested in the future of cybersecurity, this episode delivers actionable guidance and fresh perspectives on safeguarding your organization’s reputation, continuity, and trust.
You are listening to the Security Matters podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in identity security.
A finance clerk types a harmless-sounding prompt into an AI assistant: Pull the latest comp figures. Sixty-two minutes later, an attacker has persistence. Most attacks aren’t dramatic. More often, it’s a routine request, one overprivileged account that was never descoped, and suddenly the attacker is inside.
Entitlements stack up like Lego bricks—no one bothers to put them back in the box. Permissions accumulate, creating hidden vulnerabilities. The AI didn’t go rogue; it simply did what its access allowed.
In today’s enterprise, identity is the frontline of defense. When access isn’t managed, business continuity, reputation, and trust are all at risk.
If your security signals live only in one system, you risk missing threats hiding elsewhere. As AI and automation make decisions at machine speed, the difference between for you and with you becomes critical for business resilience.
Today, we’re joined by Chris Schueler, CEO of Cyderes—a cyber practitioner, identity realist, and leader who believes accountability belongs at the edge: every point where people and technology interact with your organization.
We’ll talk privilege creep, the explosion of machine identities, and how to build teams and systems that move fast without breaking the business. This is Security Matters. Let’s dive in.
David Puner:
Chris Schueler, CEO at Cyderes—thank you so much for coming onto Security Matters. Great to have you here.
Chris Schueler:
Thanks for having me.
David Puner:
Awesome. There’s so much I want to talk to you about today. Your career has already spanned nearly 30 years—from military service to leading Fortune 500 tech and top cybersecurity firms.
You’re now the CEO of a company originally founded by Robert Herjavec, who many of our listeners likely also know from Shark Tank. In fact, I think I heard you on another podcast say that you stepped into his shark’s shoes. I’ll let you speak to that in a moment—I’d like to know what those shoes are like. But first, what pivotal moments propelled you into cybersecurity leadership and ultimately to where you are today?
Chris Schueler:
Everything happens for a reason. Unlike a lot of people, I didn’t choose this profession—it kind of chose me. It found me in the military. I was injured and got assigned a project to help with IT systems.
Back in the day—and this is going to date me a little—before Ethernet, there was a thing called token networks. You had to run token networks via cabling and all that. We were overhauling that while also ripping out Ethernet. I got assigned a project to run a team of people doing that, and that’s what sparked my interest and passion for IT.
I thought, wow, this is incredible. I had a computer science undergrad, so I started digging into it more and more—really studying the structure of it.
Fast forward to the late ’90s, early 2000s: I got an incredible opportunity to help the Army build out its very first security operations center. At the time—and this will date me again—SOCs didn’t exist pre-2000. Before that, you had what were called computer emergency response teams, or CERTs. Everyone had a CERT—super reactive. The power and the “juice” were actually in the NOC, the network operations center, where all the telemetry came in. Once they saw something bad, they’d kick it to the CERT to deal with malware.
If you remember Blaster and Slammer, those were examples where the CERT was basically the cleanup force. That was my first real foray into cyber, and it sparked a lasting passion in me.
David Puner:
You were the director of the U.S. Army’s first security operations center—at just 25 years old—and helped build it, too.
Chris Schueler:
Yeah. I always tell people I don’t see age in others, and that’s because, at a very young age, senior and experienced leaders put a lot of trust and faith in me. They saw something in me that I didn’t see in myself.
I had the hunger and curiosity—you can’t really teach those things. But I lacked experience, so I needed mentorship. I was lucky to have senior government officials take me under their wing. They’d tell me things like, “Hey, don’t say that,” or “Next time, don’t do this.” I’d say, “Got it. Won’t do that again.”
At a young age, those lessons stuck with me. As our industry has evolved, I’ve realized that experience doesn’t necessarily make you better—it’s about adaptability, humility, and curiosity.
David Puner:
How did your 12 years in information operations command shape your philosophy on building strong, resilient teams in cybersecurity?
Chris Schueler:
The military trains one thing extremely well: accountability.
Think about a warfighter and their sector of fire—your entire team depends on you to cover that space. If you fail, a blind spot opens, and your team could suffer the ultimate consequence. Everything in the military comes down to accountability—individual accountability.
As a leader, I’ve tried to build that into my teams. You take a company’s mission or big challenges and break them down so that each individual feels accountable for their part. That’s tough to achieve in practice, because you need the right people and the right systems to give them responsibility along with accountability. There’s nothing worse than being accountable without the power to make decisions.
It’s like in sales—owning the number but not the team. I’ve been there before, and it’s not sustainable. To move fast and with precision, accountability has to exist at the lowest possible level, but you also have to equip people with the responsibility and tools to succeed.
David Puner:
Do you feel like that’s a common disconnect?
Chris Schueler:
Definitely. I think a lot of times leaders give responsibility but not accountability. We hold accountability back because we don’t think we can trust people with it. Or we make the goals too big, too complex.
We need to simplify. Break down those ten big goals into one that each person can truly own. Then ask, “Can they measure it? Can they move the needle?” Because nothing’s worse than doing work and not knowing how it connects to the mission.
That’s our job as leaders—to make those connections.
David Puner:
Interesting that you mentioned “mission,” because you’re known for a people-focused, mission-driven approach. Obviously, we’ve talked about your military background, but there’s a lot that happened between that and when you got the call from Robert Herjavec about joining Cyderes. What was that like—and what’s it been like stepping into the Shark’s shoes?
Chris Schueler:
It’s funny. The joke I make is that Robert’s a much better dresser than I am—I wear Jordans. But seriously, you can’t replace someone like Robert. You just bring what you’ve learned and merge it with what already works.
I’m not a big “change everything” leader. I believe in understanding where a company’s been, what’s working, and where the gaps are. Cyderes is more than 20 years old, and I wanted to build on its strengths rather than tearing things apart.
Change management matters—a company can only handle so much change. Replacing a well-known CEO is already a major shift. If you start ripping and replacing systems on top of that, you leave a trail of broken parts. So I’ve tried to balance respect for the foundation with a focus on improving what’s next.
One big advantage I brought in is that I’m not just a sales-driven CEO. I’m a cyber practitioner at heart, and I’ve been doing this for 25 years. My passion is building an organization that can truly stop threats, not just react to them.
In cybersecurity, we’ve been living in a kind of Groundhog Day—“It’s not if, it’s when.” I hate that phrase. We’ve been saying it for 20 years. It’s time to actually move beyond it. That’s what excites me about this role—the pieces are all here. Now we just have to build something great with them.
David Puner:
In this first year as CEO, what’s been the biggest surprise and the biggest challenge?
Chris Schueler:
The biggest surprise has been how well we serve large, complex enterprises. I knew Cyderes was good at it—I just didn’t realize how good.
One of our guiding principles is that we don’t do security for clients, we do it with them. That’s a huge shift from the traditional “black box” model. We pioneered the hybrid, co-managed SOC model early on, and that’s a big part of why we succeed with Fortune 500 clients. You can’t give them a cookie-cutter solution—it just breaks their business.
The biggest challenge? Our go-to-market mechanics weren’t as mature as I expected. When I came in, the engine was running, but the fundamentals weren’t all there. So we’ve been rebranding, rebuilding our website, rethinking our partner strategy, and refining how we go to market.
It’s been a lot of work, but the results are showing. And I have to say—CyberArk has been one of our best partners in all this. That kind of long-term trust makes a huge difference for clients and for us.
David Puner:
True teamwork.
Chris Schueler:
Yeah, this goes back to the military and my sports days. You have to trust your teammates, and your teammates are not always going to be Cyderes. The same is true for your partners and your customers. Everyone needs to build a level of trust, and transparency is key. If you are not being transparent with each other, you are never going to build enough trust to really perform at your best.
David Puner:
What was your sport, your preferred sport? I see that there is some jiu jitsu going on now, but back in the day?
Chris Schueler:
Yeah, I played all the sports. Football, baseball. Loved them all. But I gravitated toward wrestling as a young pup, and that was always my passion. Every other sport that I did, I even pole vaulted.
David Puner:
Wow.
Chris Schueler:
All right. And did quite well in pole vaulting. But it was all fringe sports to make me more well rounded and stay in shape. But yeah, wrestling was my bread and butter. And even though I have good ears, as some would call it, soft ears, I am just smart. I wore headgear a lot in my lower belts. But definitely a hobbyist and a trained black belt in Brazilian jiu jitsu. Today I train three or four times a week. I love it.
David Puner:
Wow. All right. There is a lot we could dig into there, and maybe we will have some more time at the end. But just a suggestion for the 2026 company kickoff. Maybe you come in and pole vault onto the stage. That could be pretty good.
Chris Schueler:
Could do a javelin throw. Yeah, that would be sprinkling a little disruption into the crowd.
David Puner:
It is true, it is true. Thank you for all that. And yes, I hope we can get back to sports, but let us talk a little bit about identity and identity security, our collective bread and butter here. When did identity start to become a focus for you, and was there a moment when identity security really clicked as a priority?
Chris Schueler:
For those old heads out there listening with me, we all avoided it. Our whole careers for probably 20 years I avoided it because it is hard, it is complicated, and, just to be blunt, when you mess it up, the business gets impacted immediately. Most people do not like it because it is very hard and complicated.
It hit me about seven years ago when I started really having this feeling of we have to do something different. We were just controlling data and assets, getting better at data in the cloud and on premises, getting better at controlling the assets and the endpoints, following the hype cycle of all the different EDR technologies. Yet we were still having issues. We were still having breaches, and it kept coming back. You saw the number climb. Sixty percent, seventy percent, eighty percent of all breaches start with identity. Finally, I was like, okay, I have to figure out identity.
Interesting enough, a year later I get a call. There is an identity company, a thousand employees, needs a new CEO. I was like, this is definitely a higher calling. Someone is calling me and telling me to go focus on identity now because I have avoided it for 20 years. I need to go do it. And I went and did it.
To the second part of that question, when did it click. In the first year, it did not click because it was still hyperfocused on business transformation. If you think about most identity systems up until the last couple of years, they were hyperfocused on business systems and business controls, and trying to meet compliance, regulatory, and risk mandates. They were not necessarily viewed from the cyber side as the core tenet of the three-legged stool of stopping threats.
About a year in, after doing business transformation, helping provision new users and rapidly onboard applications so that applications could get access in large organizations, and then meeting compliance mandates, even when insurance companies said, we will raise your premiums unless you have privileged access under control. Again, all reactive, all driven from non-cyber use cases. It hit me at about a year in. Wow, there actually is real cyber applicability here. The IDP is the keys to the kingdom, ultimately, and if we get control of that IDP and we monitor that IDP and interconnect that IDP to assets and data, this is the holy grail we have been looking for for so many years.
That hit me a year in. The first year was a whirlwind, COVID and everything else. But after that first year, it finally clicked, and I was like, this could finally be the thing we have all been looking for. Then I went inch wide, mile deep on identity, learning everything, asking a million questions.
Funny thing is, when you are a CEO and you start asking a bunch of technical questions, people will take you for granted at first. They will start giving you generic use cases and try to dumb it down for you. And you tell them, no, blow my mind. I will capture ten to twenty percent, but I will take great notes and I am going to circle up, and you tell me another ten to twenty percent.
The industry is very small in identity because it is still hard. It is still complicated, but I think we are simplifying it more now. The move to cloud and the simplification are driving a faster rate of adoption, both from a client perspective as well as from an administrative and employee perspective, being trained and equipped on that toolset, which to me is super exciting for our industry.
David Puner:
Harnessing your knowledge and bringing it to today, when it comes to stopping identity-driven threats, what are the biggest red flags to look for?
Chris Schueler:
First of all, think about where identity threat detection and response is going, ITDR, and the commingling of ITDR. Think about what a cyber mesh would look like. SIEM being one of them but not the only component. I always recommend to my clients, do not forget the basics. The basics are the fundamentals. Do you actually have proper joiner, mover, leaver? Are you overprovisioning? Are you underprovisioning? Are you over-entitling? How do you have control of your entitlements? All those basic foundational elements are key. It goes back to risk exposure. The lack of control in the basics creates massive risk exposure, and then the blast radius when you have an attack gets amplified significantly.
David Puner:
When you say mesh, you are talking about a decentralized approach?
Chris Schueler:
Yeah. I am a believer in all the SIEMs of the world, and we are partners with all of them. There is an element where you pull applicable telemetry into those SIEMs. There is a lot of decentralized data that is applicable to understanding the level, depth, and breadth of an attack, as well as what we like to think about and talk about in pre-crime. Where could we potentially have crime, where someone may be jiggling the door handles but we do not see it because it is not in the SIEM.
It is not some threat signal that we are pulling directly out of our workforce access dashboard or privilege console. It may be jiggling the console on a Proofpoint email security device, and then cross correlating that Proofpoint security to the KnowBe4 training that we have been doing with users, where we are testing and simulating phishing attacks. Then triangulating that to the user to say, what is this user’s risk profile.
Now take all of that telemetry and imagine how it ripples across what is on their KGI access management system, what is on Tenable, and when the last time this user patched their system was. Those are disparate, decentralized systems. As great as you create your SIEM and your SOAR and interconnect those, it does not move at speed. It is very manual. Yes, automated, but manual pulling, reviewing, and analysis are being done, and the action becomes extremely manual.
I think AI is going to help us in that process, but it cannot help us just sitting on top of a SIEM. It has to sit on top of the larger ecosystem. I have read a lot about this recently, and I think the likes of CrowdStrike and what they have done. Ultimately it comes down to what goes into that system as well. Having clean data in a clean pipe coming into it. You can prompt until you are red in the face, but if you are prompting on bad data, you are wasting cycles and training your engine incorrectly, versus training it to be efficient.
I think the decentralization and pulling in all those data fragments that are tied to an identity itself and that human risk score is where the industry is going in the next 12 months.
David Puner:
We will get back to AI in a moment, but I want to stay on the thread about your writing. You recently wrote an article for the Forbes Technology Council on privilege creep as an overlooked or silent threat. What are the biggest challenges organizations face in managing identity sprawl, and are there any simple steps CISOs can take right now to get a handle on it?
Chris Schueler:
Privilege creep is the number one thing that we see in every client base, no matter what toolset they use. Even if they are using spreadsheets, they overprivilege. Everyone wants access, everyone wants full control, and they never go back and clean it up.
Think about a basic use case. You are going to buy a company and someone needs access to the data room. You start giving everybody access to the data room, but you never pull access. You just keep giving access.
This connects with the AI conversation. When a client turns on Copilot, because of privilege creep, with basic prompts you can get the keys to the kingdom. By giving users access and having them leverage that overprivileged access, Copilot is able to aggregate the information and access they have. With basic prompts and a basic user ID, you can get down to key information that you could not get otherwise.
That goes back to 80 to 85 percent of attacks being sourced by identities. You see this on the dark web every day. Credentials are being bought and sold. Recently, someone bought credentials for someone in the finance department. Next thing you know, there were SWIFT transactions happening below the radar because they knew exactly where the radar was, so they kept them below the radar. It went on for months and siphoned off hundreds of millions of dollars. I think it was the largest ACH transfer scheme ever done, all based on credentials.
That user should have never had access to ACH. It was not the CFO or someone at that level. It was someone who should not have had that access, or if they had it, it should have been temporary. Identity geeks will say just in time. The answer is yes. Just-in-time access would help significantly. Give just enough access for the time needed, then pull it, or time-box it. Zero standing privileges factor in as well.
The lowest common denominator goes back to the health and risk score of individuals. That can indicate whether we should give a person access in the first place, or if we do, whether it should be time-boxed, limited, read-only, not read-write, and no admin privileges. Some employees have bad behaviors. That does not mean you let them go, but you gate access.
If your kid asks to borrow one hundred dollars and pays you back, next time you are more willing. If they do not pay you back, next time you give them ten or twenty. Same thing in organizations, especially big ones. Not all users should be given the same access if they have the wrong behaviors.
We have that in our company. If a user fails two consecutive phishing tests, we make them go back through the KnowBe4 phishing training because they cannot stop clicking. While they go through that training, in our email security we do not allow them to click links. I love all my employees, but I do not want to give them all the same access and controls based on their behaviors.
David Puner:
If an employee is accessing the dark web on a company-issued laptop, is that grounds for dismissal?
Chris Schueler:
That could be. It depends, because I do have a component of my company, my cyber fusion team, but only that team. Anybody else, yes, quite nefarious.
David Puner:
Good to know. With machine identities now outnumbering human users by more than 80 to 1, according to CyberArk’s 2025 Identity Security Landscape Report, what are the biggest risks they pose, and how should organizations rethink securing non-human credentials?
Chris Schueler:
We confuse non-human too much. We tend to bucket IoT and OT devices as non-human, but we do not think about actual machine IDs that are already in our environment. So I put non-human in two buckets.
The first is IoT and OT devices, the identity of things. There is massive proliferation, there are controls you can put in place, and there have been many attacks in that ecosystem.
The second is system accounts and bots. With the dawn of AI and the speed at which bots are being created, this is becoming the main category we have to solve for. It is those system accounts, the bots, the access they have, and the decisions they are going to start making on our behalf. I am a believer in agentic tech. We love it. It has been the biggest groundbreaker outside of the initial inception of LLMs.
It will start making decisions on your behalf, and the minute you give it control and access, it is no longer a non-human identity with a benign use case. It becomes an intelligent non-human identity, and there is risk when you combine intelligence with automation in a non-human identity. That is where the market is going rapidly.
Separately, I think the market looked at the Palo acquisition of CyberArk and thought, Palo is trying to get into the identity business, so they bought the pound for pound champ as a pure play in identity. But if you listen to the commentary, it is not for today. It is about what is coming tomorrow with AI and machines, particularly agentic machines, and how we control that access.
If you think about what Palo controls today, they control the network, the entire network ecosystem, including the cloud ecosystem with their SASE products. They control both sides, so both sides they have access and control. Now think about the non human side and the dawn of AI and the acceleration of entities. They will have the elements they need to do control on all the planes, all the surface areas.
The last component is the browser. We are seeing a lot of attacks focused on the browser. When you have a company with strong browser security and an acquirer with the same strategy, there is commingling there too. As a partner of both, I love seeing where the strategy will play out and what we are all looking at as an industry in the next three to five years.
It comes back to how we secure AI ecosystems. We are not going to be able to have humans in the middle of all of it. You have to build it within those ecosystems and have the controls set, with framework maps and controls to secure agent systems. Agent to agent. Conceptually it is already done. Agent to agent, or AGI to AGI.
David Puner:
So that day is upon us. A lot of interesting points there, which I will let stand on their own, but I do want to stick with AI, agentic AI for that matter. How can AI and AGI help with identity analytics and detecting privilege creep or anomalous access?
Chris Schueler:
Yeah, that is probably where the immediate, exciting use cases are. Humans and systems today, without some sort of AGI background, are very limited in access to information and speed of decision process, because there is always the rate limiting between two ears and the unknown.
Think about it in terms of how to identify patterns and trends. This is an old user behavior and analytics revamp. Remember that from years ago and revamp it now. If I can start to identify patterns and trends, I can give intelligent fortification recommendations. Then, once there is comfort with those recommendations, actions.
The telemetry is there. There is not new telemetry we need to create. The challenge has always been the decision making. In the use cases, we either build static use cases for what we know, or we create the right prompts and the right decision making criteria for an engine to do it by itself. That is where I think agentic AI is going to create acceleration for us. Once we have enough of the elements of data that we need and we clean that data—so you smart-label the data elements that are most critical, versus just going to a data lake and trying to find the data. Believe me, you will burn millions of tokens doing that, and you will get garbage output. We need to make sure those elements are clean.
But once they are, now you can see the power of agentic AI, because it can make those decisions within parameters that you could not do otherwise.
David Puner:
What about the power of agentic AI for threat acceleration and attackers? How are attackers using AI in ways that concern you most?
Chris Schueler:
Yeah, we have already started to see that. There was a proof of concept done not too long ago, and now we have seen the first instances of—not agentic yet—but we have seen the first instances of AGI in attacks learning ecosystems. I think that is one of the ones. Many times when you do slow reconnaissance or the low-and-slow stuff you have heard about, the fact that you can have an AGI tool doing that and taking the decision points based on data gathered by inserting agentic tech.
Now it can pick and choose which payloads, which malware, the point of attack, how to get persistence in the network. That is the proof of concept I saw recently that scared the living daylights out of me. It is one thing when you look at the recent Ponemon Institute finding—62 minutes from point of inception to persistence. That is persistence with defined use cases. An attacker doing reconnaissance and then starting the attack, knowing where they are going to go, not learning, not adapting.
As we adapt and evolve and put best-of-breed approaches in and have our own agent engine on the flip side, what scares me is that you are prompting for what you know. It is learning as it scans and reconnoiters and sees how you react. That is what has my threat researchers the most concerned. Imagine as you try to stop the threat and control it, the adversary is learning your behavior so that next time it attacks, it knows what you will do and avoids it. Or it uses that as a smokescreen to do something else.
When you think about weaponizing malware in the past by understanding the reaction, you can better fortify your attack strategy and make it more successful. So we do not just have to adopt AI to get more efficient and faster reaction times. We have to adopt it because attackers are going to learn our behaviors and patterns and then counter them. We need to speed up the decision process and have our engines eventually be smarter than us. That is the only way to defend against it.
David Puner:
With many organizations rushing to adopt AI tools, what is your advice for rolling out AI safely and responsibly?
Chris Schueler:
I have seen many customers start rolling it out and then have the “oh crap” moment where data that should never have been seen gets exposed. I had one customer roll it out, a user prompted it, and next thing I know they had the executive salaries for the whole company.
There is a reason data companies are skyrocketing. If you do not have control of your data, the output will be unusable or require multiple iterations, or the access to data and what users can access will leave you vulnerable.
Before you roll out AI, two things have to be true. One, you need to know what data you are pulling from. Two, you need to make sure the controls on that data are right. Then, define the use cases and what you are trying to achieve, versus creating a generic LLM for everyone to ask questions. Knowing what you want out of your system—efficiencies or user experience—and what the output should be is vital to success.
I think recently Harvard did a study—it was like 60 or 70 percent—of AI implementations are failing. There has been almost a retraction in some ways. Companies say, we have to invest, pour more money into AI, but because they are not starting with data and data access, and are just throwing use cases at it, they are failing at a rapid rate and wasting a lot of money.
David Puner:
How do you talk to boards and executives about identity risk in business terms that actually land?
Chris Schueler:
Talking about it in business terms is the easiest. Using threats and risks is difficult to quantify. Every CISO has faced that with boards.
When you talk about business transformation and acceleration—and how AI can be an accelerant—and how securing it will allow it to further accelerate, that works. Not being the “no” police, but the “yes” police. Our job is to be enablers for the business. If we talk about enabling acquisitions, investing in AI, moving to the cloud, that hits every time.
When you start throwing out adversaries, nation-state actors, and lists of breached companies, you get analysis paralysis from the board. That is not productive. You want a productive conversation. Approach it from the business lens. You see many CISOs now moving into board seats because they understand the business has to make money and produce. Your job is to allow them to do it safely.
David Puner:
As far as the cloud goes, what misconceptions do you see about cloud security, and how can teams proactively manage risk there?
Chris Schueler:
There are two approaches. One is taking existing tools and systems and enabling them for the cloud. The second is using native cloud tooling and systems—born in the cloud. We tend to gravitate toward the first, applying what we know to the cloud workloads.
In the last five or six years, with many breaches, we have learned that does not work. Containers and microservices do not fit many traditional systems, which is why Zero Trust has gained momentum. You cannot apply the same mechanics to born-in-the-cloud applications, systems, and workloads. You need a different lens. Zero Trust reduces exposure around what is most critical and puts the right parameters around that, then works outward. Technologies like ZTNA have allowed businesses to accelerate in the cloud natively.
The big misconception is believing a vendor’s “cloud version” will just work. You must look at the workload you are running in the cloud and then figure out from there. If the CISO and team are invited to the table early, you can build the architecture from the beginning to be cloud native and accelerate. Coming in after the fact and wrapping traditional systems around it either breaks it or makes it only a little more secure, not truly secure.
David Puner:
So many things are happening, threats are evolving. If you had to define success for security leaders over the next year, what would it look like? Any trends or milestones you are watching?
Chris Schueler:
Quantum. Not necessarily seed-to-plate, but there are many things. Quantum will be here sooner than we think. You can see that from the work Microsoft and others are doing, and the recent announcement with OpenAI and Nvidia, that big partnership, and OpenAI and Oracle building data centers. One of our biggest barriers right now is data centers and power. Chris Roberts was on the news this morning talking about the lack of power in the U.S.
We talked a lot about AI for a reason. I still find too many CISOs and CIOs who have not embraced it themselves. It is a steep learning curve, but if you do not put your foot in the water and get acclimated, someone else will. Attackers already are. We need to do it for our business, ourselves, and our industry.
Some partners are doubling down on AI and making big bets and acquisitions. You saw that recently with CrowdStrike’s acquisitions, with Pangea. CyberArk made big acquisitions to bring more of the ecosystem together. We need to double down. My biggest encouragement, and where I am investing my own time and energy, is AI. We have to embrace it as first movers and take our lumps. You are going to fail. One of my best mentors taught me early on, you never actually fail—you learn from every experience. So fail, but fail fast. Learn from it and get better.
From a trends perspective, the world of everything going into my SIEM is evolving. SIEMs are still there, but you can see the other components coming together in the ecosystem. Exposure management is evolving into continuous threat exposure management. It is finding its fit. I am curious to see how the industry evolves in the next 12 months with smart labeling and tagging of all the data elements for AI. That is the last mile. If we figure that out, based on the telemetry we have, we can stop threats and do pre-crime.
David Puner:
Between C-ing and writing articles—which may be part of C-ing—and jiu jitsu training three days a week, where do you find the time for all this, and how do you manage your time? I saw somewhere you want to live to be 100.
Chris Schueler:
I mean, I guess who does not, but yes, that is a goal. I want to live to be 100. Being a centenarian is a big goal of mine. Living with intention is important. Your family relies on it, your work relies on it, and you should not be wasting your time with nonsense.
Living with intention helps you identify where you have margin in your life and where you can maximize that margin to make the biggest impact and do all the things.
I would also encourage people not to separate life into buckets. Many do that—work bucket, faith bucket, hobby bucket, family bucket. I believe in work-life integration. We try to live this out inside Cyderes as well for our employees. We are not eight-to-five people, and life is not eight-to-five or five-to-nine when you become dad or husband. My hobbies, passions, family, faith, and work are all Chris. It is one ecosystem. How you show up then is consistent.
You are the same version of yourself, just with a little more focus in this area or that area. And just being intentional. I wear an Oura Ring. I think data and telemetry—not to hyperfocus on it—will tell you how you can perform that day and how you can be a little better, or how you can just say, you know what, today is going to be an okay day.
Because I did not get good sleep. I traveled to Europe or whatever it is, and I need to be smarter about what I do today. I should not put myself in a situation where I get sick or make bad decisions.
David Puner:
I think you just inspired me to add to my 24 steps that I have thus far today.
Chris Schueler:
Get your steps in, man.
David Puner:
I think that is something I have to integrate into today. I may not get to 10,000, but maybe 6,000 will be good enough.
Chris Schueler:
That is all you need.
David Puner:
Chris Schueler, CEO at Cyderes, thank you so much for coming on the podcast. This has been really great.
Chris Schueler:
Appreciate it. Thank you, David. It was great being here.
David Puner:
All right, there you have it. Thanks for listening to Security Matters. If you like this episode, please follow us wherever you do your podcast thing so you can catch new episodes as they drop. And if you feel so inclined, please leave us a review. We would appreciate it very much, and so will the algorithmic winds.
What else? Drop us a line with questions, comments, and if you are a cybersecurity professional and you have an idea for an episode, drop us a line. Our email address is securitymatterspodcast, all one word, at cyberark.com. We hope to see you next time.
David Puner:
You are listening to the Security Matters podcast. I am David Puner, a Senior Editorial Manager at CyberArk, the global leader in identity security.
A finance clerk types a harmless-sounding prompt into an AI assistant. She types, “Pull the latest comp figures.” Sixty-two minutes later, an attacker has persistence. Most attacks are not dramatic. More often it is a routine request. One overprivileged account never descoped, and suddenly the attacker is inside.
Entitlements stack up like Lego bricks. No one bothered to put them back in the box. Permissions accumulate, creating hidden vulnerabilities. The AI did not go rogue. It simply did what its access allowed. In today’s enterprise, identity is the frontline of defense. When access is not managed, business continuity, reputation, and trust are all at risk.
If your security signals live only in one system, you risk missing threats hiding elsewhere. As AI and automation make decisions at machine speed, the difference between “for you” and “with you” becomes critical for business resilience. Today we are joined by Chris Schueler, CEO of Cyderes, a cyber practitioner, identity realist, and leader who believes accountability belongs at the edge—every point where people and technology interact with your organization.
We will talk privilege creep, the explosion of machine identities, and how to build teams and systems that move fast without breaking the business. This is Security Matters. Let’s dive in.
David Puner:
Chris Schueler, CEO at Cyderes, thank you so much for coming onto Security Matters. Great to have you here.
Chris Schueler:
Thanks for having me.
David Puner:
Awesome. There is so much that I want to talk to you about today. Your career has spanned nearly 30 years already—from military service to leading Fortune 500 tech and top cybersecurity firms.
You are now the CEO of a company originally founded by Robert Herjavec, who many of our listeners likely also know from Shark Tank. In fact, I think I heard you on a podcast say that you stepped into his shark’s shoes. I will let you speak to that in a moment. I would like to know what a shark’s shoes are like, but what pivotal moments propelled you into cybersecurity leadership and ultimately to where you are today?
Chris Schueler:
Everything happens for a reason. Unlike a lot of people, I did not choose this profession as my profession. It kind of chose me. It found me in the military. I was injured and got assigned a project to help IT systems.
Back in the day—and this is going to date me a little—but before Ethernet there was a thing called token networks, and you had to run token networks via cabling and all that. We were overhauling that at the same time we were ripping out Ethernet. I got assigned a project to run a team doing that, and that sparked my interest and passion. I thought, wow, this is incredible. I had a computer science undergrad and I started digging into it more and more, really digging into the structure of it.
Fast forward to late ’99, early 2000. I got an incredible opportunity to help the Army build out its very first security operations center. At the time—and this will also date me and probably have people go Google, because you should—SOCs did not exist pre-2000. Before 2000 you had what were called computer emergency response teams, CERTs. Everyone had a CERT. It was super reactive. The power and the juice were in the NOC, the network operations center, where telemetry came in. Once they saw something bad, they would kick it to the CERT to deal with malware.
If you remember Blaster and Slammer, those were ones where the CERT was essentially the cleanup force. So that was my first foray into cyber, and that really sparked the passion in me.
David Puner:
You were the director of the U.S. Army’s first security operations center at 25 years old.
Chris Schueler:
Yeah, and building it as well. I always tell people I do not see age. At a very young age, more senior and experienced leaders put a lot of trust and faith in me. They saw something in me that I did not even see. I tend to gravitate toward the same thing. Hunger, you cannot teach. Humbleness, you cannot teach. And smarts, you cannot teach in terms of inquisitiveness.
That is something I had. I just did not have the experience. I needed mentorship, and I had senior government officials who took me under their wings, mentored me, told me, do not say these things. Next time, do not do that. I said, got it, will not do that again.
At a very young age, as our industry is evolving, it is something I gravitate toward more now because of the state of play. What we are up against means experience does not necessarily make you better at what we are doing today.
David Puner:
How did your 12 years of information operations commands shape your philosophy on building strong, resilient teams in cybersecurity?
Chris Schueler:
The military trains one thing extremely well, and that is accountability. Think about the warfighter and a sector of fire. Your entire team is counting on you in that sector. If you fail your sector of fire, a blind spot occurs and your team could suffer the ultimate consequence.
If you back that into all the things the military does, it all comes down to accountability. As a leader, I aspire to build that in my teams. How do you take a macro challenge and the company’s mission and goals and break them down so the individual in your organization really feels accountable to get the job done.
That is bold to try to do. In practice it is difficult because you need the right profiles of people, and you need the right systems to give them responsibility to be accountable. There is nothing worse than being accountable with no responsibility.
It is like in sales. Owning the number but not owning the sales team, yet you own the number. I have been in that situation before at IBM. That is another challenge.
As leaders, if accountability is going to be at the lowest level—which allows you to move with speed and precision—you also have to give responsibility and the things they need to make it happen. The military builds that in leaders very early. You will get the accountability, and you better take the responsibility as well.
David Puner:
Do you feel like that is a common disconnect?
Chris Schueler:
I do. A lot of times we give responsibility and we do not give accountability. As leaders, we hold accountability back because we do not feel like we can trust them, or it feels too big or too bold. Our job is to simplify to the lowest common denominator. We try to do too much. We boil the ocean. We create ten big goals, and it is like, what is the individual going to be accountable for? It is not all ten. It is one of the ten.
If it is one of the ten, what do they really own? What KPI do they own, and can they change that KPI based on their performance? There is nothing worse than feeling like you are doing a lot of work but you do not know how it moves the needle for the company. As leaders, it is our job to make those connections. The military taught me that extremely well.
David Puner:
It is interesting that you mentioned mission because you are known for a people-focused, mission-driven approach. A lot happens between the military and the time you get a call from Robert Herjavec and wind up stepping into this role. What was that call like, and how is it stepping into the shark’s shoes?
Chris Schueler:
It is funny. The joke I make is Robert is a much better dresser than I am, and I wear Jordans. I made no adjustments when I came in because you are not replacing Robert, and you need to face that immediately. You bring the great parts of what you have done in your career, and you take the best components Robert already built. You merge the two.
I am not a big change agent who comes in and puts my system in place. I have not found that to be a huge success. Some people do, but it is not my strategy. Understanding and appreciating where a 20-plus-year-old organization has been and where it is today, understanding the challenges, then going to the playbook and saying, where have I seen this, or going to my mentor network and asking how they approached it. I do not believe in recreating the wheel just to put my brand on it. That is wasteful.
There is change management. An organization can only take so much change. Taking a well-known CEO like Robert and making that change is a massive shift by itself. If you start ripping and replacing, you create a trail of broken parts. As a business that is accelerating, you do not need that. It is a delicate walk. You are not trying to replace. You take the best of both worlds, tap into where the company has had success, and then dig into where the weaknesses and holes are.
The benefit Cyderes had by bringing me in was that I am not a titan sales leader who only understands markets and how to position and sell. I am a cyber practitioner and have been for 25 years. It is a passion project to build an organization that can train, equip, and provide services that stop threats. We have been dealing with Groundhog Day in cybersecurity for too long. It is not a matter of if, it is when. I hate that saying. Twenty years later we are still saying the same thing. Breaches are still happening.
The beauty of this role is that the components were there. It is like building a great Lego kit. All the ingredients are there. We just have to build it. That is what we have been doing for the last year.
David Puner:
In this first year in the CEO role, what has been the biggest surprise and the biggest challenge for you?
Chris Schueler:
The biggest surprise has been how well we serve large, complex enterprise customers. I knew Cyderes was pretty good at it. I did not know how good. One of our ethos I came in with—taking the best of what was built and layering on—is that we do not do it for you, we do it with you. That is a big change from how the industry views services. You give us outcomes, we set SLAs, and we provide it for you. Almost black box. Cyderes approaches it differently.
Where is your business today? Where do you want to take it, and how do we partner with you, even in a hybrid fashion? We were among the first to do hybrid co-managed SOC. If you apply that to the Fortune 500, you can understand how that is a strength. In that segment you are not given a cookie-cutter black box. It breaks their business.
That was the biggest surprise. We are really good at this, and it is hard to do. The flip side was because we were led by such an incredible seller…
The mechanics of our go-to-market engine, compared to where I have seen the industry benchmark, were not there. That was the one where it was like, holy smokes. We are how big and growing how fast, and the mechanics are not even really there. That was when I realized we had a lot of work to do.
Let us not slow the engine down, but at the same time there is a lot we are leaving on the table because the mechanics and fundamentals are not fully there. That was the one where I thought we were way more mature on the go-to-market side. Subsequently, when I took over, we rebranded the whole company because the brand was confusing, changed our entire website, our entire go-to-market approach, and our partner ecosystem.
How we focused on partners and how we partnered in general changed. We did not really partner before. It was more like, we will work with you; we will not necessarily partner with you. My ethos with partners is that I ride or die with them. If we go into a client environment together, we either win together or we lose together, period. I think that is long lasting. CyberArk has been one of my best partners in that. It stands the test of time with clients and logos when you have that kind of trust, and what you provide to customers is such a difference from the competition. True teamwork.
Yeah, this goes back to the military and my sports days. You have to trust your teammates, and your teammates are not always going to be Cyderes. The same is true for your partners and your customers. Everyone needs to build a level of trust, and transparency is key. If you are not being transparent with each other, you will never build enough trust to really perform at your best.
David Puner:
What was your sport, your preferred sport? I see there is some jiu jitsu going on now, but back in the day?
Chris Schueler:
Yeah, I played all the sports. Football, baseball. Loved them all. But I gravitated toward wrestling as a young pup, and that was always my passion. Every other sport that I did—I even pole vaulted.
David Puner:
Wow.
Chris Schueler:
All right. And I did quite well in pole vaulting. But it was all fringe sports to make me more well rounded and stay in shape. But wrestling was my bread and butter. And even though I have good ears, as some would call it, soft ears, I am just smart. I wore headgear a lot in my lower belts. I am definitely a hobbyist and a trained black belt in Brazilian jiu jitsu. Today I train three or four times a week. I love it.
David Puner:
Wow. All right. There is a lot we could dig into there, and maybe we will have more time at the end. Just a suggestion for the 2026 company kickoff. Maybe you come in and pole vault onto the stage. That could be pretty good.
Chris Schueler:
Could do a javelin throw. Yeah, that would be sprinkling a little disruption into the crowd.
David Puner:
It is true, it is true. Thank you for all that. And yes, I hope we can get back to sports, but let us talk a little bit about identity and identity security, our collective bread and butter here. When did identity start to become a focus for you, and was there a moment when identity security really clicked as a priority?
Chris Schueler:
For those old heads out there listening with me, we all avoided it. Our whole careers for probably 20 years I avoided it because it is hard, it is complicated, and, just to be blunt, when you mess it up, the business gets impacted immediately. Most people do not like it because it is very hard and complicated.
It hit me about seven years ago when I started really having this feeling that we have to do something different. We were controlling data and assets, getting better at data in the cloud and on premises, getting better at controlling the assets and the endpoints, following the hype cycle of all the different EDR technologies. Yet we were still having issues. We were still having breaches, and it kept coming back. You saw the number climb: 60 percent, 70 percent, 80 percent of all breaches start with identity. Finally I was like, okay, I have to figure out identity.
Interestingly enough, a year later I get a call. There is an identity company with a thousand employees that needs a new CEO. I thought, this is a higher calling. Someone is telling me to focus on identity now because I avoided it for 20 years. I need to do it. And I did it.
To the second part of that question, when did it click? In the first year, it did not click because it was still hyperfocused on business transformation. If you think about most identity systems up until the last couple of years, they were hyperfocused on business systems and business controls and trying to meet compliance, regulatory, and risk mandates. They were not necessarily viewed from the cyber side as the core tenet of the three-legged stool of stopping threats.
About a year in, after doing business transformation—helping provision new users and rapidly onboard applications so that applications could get access in large organizations—and meeting compliance mandates, even when insurance companies said, we will raise your premiums unless you have privileged access under control. Again, all reactive, driven from non-cyber use cases. It hit me about a year in: there is real cyber applicability here. The IDP is the keys to the kingdom. If we get control of that IDP and we monitor it and interconnect it to assets and data, this is the holy grail we have been looking for for years.
That hit me a year in. The first year was a whirlwind, COVID and everything else. After that first year, it finally clicked, and I thought, this could be the thing we have all been looking for. Then I went inch wide, mile deep on identity, learning everything and asking a million questions.
Funny thing is, when you are a CEO and you start asking a bunch of technical questions, people will take you for granted at first. They will start giving you generic use cases and try to dumb it down. I told them, blow my mind. I will capture 10 to 20 percent, I will take great notes, and I will circle back for another 10 to 20 percent.
The industry is very small in identity because it is still hard and complicated, but I think we are simplifying it more now. The move to cloud and the simplification are driving a faster rate of adoption, both from a client perspective as well as from an administrative and employee perspective, being trained and equipped on that toolset, which to me is exciting for our industry.
David Puner:
Harnessing your knowledge and bringing it to today, when it comes to stopping identity-driven threats, what are the biggest red flags to look for?
Chris Schueler:
First, think about where identity threat detection and response is going—ITDR—and the co-mingling of ITDR. Think about what a cyber mesh would look like. SIEM being one of them, but not the only component. I always recommend to my clients, do not forget the basics. The basics are the fundamentals. Do you have proper joiner, mover, leaver? Are you over provisioning? Are you under provisioning? Are you over entitling? How do you control your entitlements? All those foundational elements are key. The lack of control in the basics creates massive risk exposure, and the blast radius when you have an attack gets amplified significantly.
David Puner:
When you say mesh, you are talking about a decentralized approach?
Chris Schueler:
Yeah. I am a huge believer in all the SIEMs of the world, and we are partners with all of them. There is an element where you pull applicable telemetry into those SIEMs. There is a lot of decentralized data that is extremely applicable to understanding the level, depth, and breadth of an attack, as well as what we like to think about and talk about as pre-crime. Where could we potentially have crime, where someone is jiggling door handles but we do not see it because it is not in the SIEM.
It is not a threat signal pulled directly out of our workforce access dashboard or privilege console. It may be jiggling the console on a Proofpoint email security device, and then cross correlating that Proofpoint security to the KnowBe4 training we have been doing with users, where we test and simulate phishing attacks. Then triangulating that to the user to say, what is this user’s risk profile.
Now, how do we take all that telemetry and have it ripple across what is on their KGI access management system, what is on Tenable, and when the last time this user patched their system was. Those are disparate, decentralized systems. As great as your SIEM and SOAR may be and interconnect those, it does not move at speed. It is very manual. Yes, automated, but manual pulling, reviewing, and analysis are being done, and the action becomes extremely manual.
I think AI will help us in that process, but it cannot help just sitting on top of a SIEM. It has to sit on top of the larger ecosystem. I have read a lot about this recently, and I think the likes of CrowdStrike and what they have done. Ultimately it comes down to what goes into that system as well: having clean data in a clean pipe. You can prompt until you are red in the face, but if you are prompting on bad data, you are wasting cycles and training your engine incorrectly, versus training it to be efficient.
I think the decentralization and pulling in those data fragments tied to an identity and the human risk score is where the industry is going in the next 12 months.
David Puner:
We will get back to AI in a moment, but I want to stay on the thread about your writing. You recently wrote an article for the Forbes Technology Council on privilege creep as an overlooked or silent threat. What are the biggest challenges organizations face in managing identity sprawl, and are there any simple steps CISOs can take right now to get a handle on it?
Chris Schueler:
Privilege creep is the number one thing we see in assessments in every client base, no matter what toolset they use. Even if they are using spreadsheets, they over privilege. Everyone wants access, everyone wants full control, and they never go back and clean it up.
Think about a basic use case. You are going to buy a company and someone needs access to the data room. You start giving everybody access to the data room, but you never pull access. You just keep giving access.
This connects with the AI conversation. When a client turns on Copilot, because of privilege creep, with basic prompts we can get the keys to the kingdom. By giving users access and having them leverage that overprivileged access, Copilot can aggregate the information and access they have. With basic prompts and a basic user ID, you can get down to key information you could not get otherwise.
That goes back to 80 to 85 percent of attacks being sourced by identities. You see this on the dark web every day. Credentials are bought and sold. Recently, someone bought credentials for someone in the finance department. Next thing I know, there were SWIFT transactions happening below the radar because they knew exactly where the radar was, so they kept them below it. It went on for months and siphoned off hundreds of millions of dollars. I think it was the largest ACH transfer scheme ever done, all based on credentials.
That user should never have had access to ACH. It was not the CFO or someone at that level. It was someone who should not have had that access, or if they had it, it should have been temporary. Identity folks will say “just in time.” The answer is yes. Just-in-time access would help significantly. Give just enough access for the time needed, then pull it or time box it. Zero standing privileges factor in as well.
The lowest common denominator goes back to the health and risk score of individuals. That can indicate whether we should give a person access in the first place, or if we do, whether it should be time boxed, limited, read only, not read write, and no admin privileges. Some employees have bad behaviors. That does not mean you let them go, but you gate access.
We have that in our company. If a user fails two consecutive phishing tests—we run tests constantly—we make them go back through the KnowBe4 phishing training because they cannot stop clicking. While they go through that training, in our email security we do not allow them to click links. I love my employees, but I do not want to give them all the same access and controls based on their behaviors.
David Puner:
If an employee is accessing the dark web on a company-issued laptop, is that grounds for dismissal?
Chris Schueler:
That could be. It depends, because I do have a component of my company—my cyber fusion team—but only that team. Anybody else, yes, that is quite nefarious.
David Puner:
Okay, good to know. With machine identities now outnumbering human users by more than 80 to 1, according to CyberArk’s 2025 Identity Security Landscape Report, what are the biggest risks they pose, and how should organizations rethink securing non-human credentials?
Chris Schueler:
We confuse non-human too much. We tend to bucket IoT and OT devices as non-human, but we do not think about actual machine IDs already in our environment. So I put non-human in two buckets.
The non-human that are IoT and OT devices—the identity of things. There is massive proliferation, and there are controls you can put in place to regulate that. There have been many attacks in that ecosystem as well.
But with the dawn of AI and the speed at which bots are being created, the second category is becoming the main category we have to solve for. It is those system accounts, the bots, the access they have, and the decisions they are going to start making on our behalf. I am a believer in agentic tech. We love it. It has been the biggest groundbreaker outside of the initial inception of LLMs. It is going to start making decisions on your behalf, and the minute you give it control and access, it is no longer just a non-human identity with a benign use case. It becomes an intelligent non-human identity, and there is a lot of risk when you combine intelligence with automation in a non-human identity. That is where the market is going very rapidly.
Separately—and this is from Chris Schueler at Cyderes—I think the market looked at the Palo acquisition of CyberArk and thought, CyberArk or Palo is trying to get into the identity business, so they bought the pound-for-pound champ right now as a pure play in identity.
But then if you listen to Nikesh’s commentary and what he wrote up, it is not for today. The acquisition, from his lens, is about what is coming tomorrow with AI and machines—particularly AI, agentic machines, and whatever the derivation of that is going to be in the next one, two, three years—and how we control that access.
That is where, personally, I feel the acquisition was very smart. If you think about what Palo controls today, they control the network—the entire network ecosystem, including the cloud ecosystem—with their SASE products. They control both sides, so they have access and control into both.
Now, when you think about the non-human side of it, and the dawn of AI and the acceleration of entities, they will have the elements they need to do control on all the planes—all of the surface areas. And the last component: we are seeing a lot of attacks focused on the browser. Specifically, you have a company that has an incredible capability around browser security, as well as an acquirer with the same strategy around browser security. You see a great co-mingling of those two as well.
So that, to me, as a bystander and a partner of both, is exciting. I love seeing where the strategy will play out and what we are all looking at from an industry perspective in the next three to five years. I think it comes back to how we ultimately secure these AI ecosystems. We are not going to be able to have humans in the middle of all of it. That is not going to happen.
You have to build it inherently within those ecosystems and have the controls set—the framework maps with those controls—to secure those agent systems. A-to-A… Google came out with it six months ago. Conceptually it has already been done: agent to agent. Or AGI—and basic AGI to AGI.
David Puner:
So that day is upon us. A lot of interesting points there, which I will let stand on their own, but I do want to stick with AI—agentic AI, for that matter. How can AI and AGI help with identity analytics and detecting privilege creep or anomalous access?
Chris Schueler:
That is probably where the immediate, exciting use cases are. Humans and systems today, without some sort of AGI background, are very limited in access to information and speed of decision process, because there is always the rate limiting between two ears and the unknown.
Think about it in terms of how to identify patterns and trends. This is an old user-behavior-and-analytics revamp. Remember that from years ago and revamp it now. If I can start to identify patterns and trends, I can give intelligent fortification recommendations. Then, once there is comfort with those recommendations, actions.
The telemetry is there. There is not new telemetry we need to create. The challenge has always been the decision making. In the use cases, we either build static use cases for what we know, or we create the right prompts and the right decision-making criteria for an engine to do it by itself. That is where I think agentic AI will create acceleration for us. Once we have enough of the data elements we need—and we clean that data; in other words, you smart-label the data elements that are most critical, versus just going to a data lake to find the data—you will burn millions of tokens doing that and get garbage output. We need to make sure those elements are clean.
But once they are, you can see the power of agentic AI, because it can make those decisions within parameters you could not otherwise.
David Puner:
What about the power of agentic AI for threat acceleration and attackers? How are attackers using AI in ways that concern you most?
Chris Schueler:
We have already started to see that. There was a proof of concept done not too long ago, and now we have seen the first instances—not agentic yet—but the first instances of AGI in attacks learning ecosystems. Many times, when you do slow reconnaissance or the low-and-slow stuff you have heard about, the fact that you can have an AGI tool doing that and taking decision points based on data gathered by inserting agentic tech…
Now it can pick and choose which payloads, which malware, the point of attack, and how to get persistence in the network. That proof of concept scared the living daylights out of me. It is one thing when you look at the recent Ponemon Institute finding: 62 minutes from point of inception to persistence. That is persistence with defined use cases—an attacker doing reconnaissance and then starting the attack, knowing where they will go, not learning, not adapting.
As we adapt and evolve and put best-of-breed approaches in and have our own agent engine, what scares me is that you are prompting for what you know; it is learning as it scans and reconnoiters and sees how you react. That is what has my threat researchers the most concerned. Imagine as you try to stop the threat and control it, the adversary is learning your behavior so that next time it attacks, it knows what you will do and avoids it. Or it uses that as a smokescreen to do something else.
When you think about weaponizing malware in the past by understanding the reaction, you can better fortify your attack strategy and make it more successful. So we do not just adopt it to get more efficient and faster reaction times; we have to adopt it because attackers will learn our behaviors and patterns and then counter them. We need to speed up the decision process and eventually have our engines be smarter than us. That is the only way to defend against it.
David Puner:
With many organizations rushing to adopt AI tools, what is your advice for rolling them out safely and responsibly?
Chris Schueler:
I have seen many customers roll it out and then have the “oh crap” moment where data that should never have been seen gets exposed. I had one customer roll it out, a user prompted it, and next thing I know they had the executive salaries for the whole company.
There is a reason data companies are skyrocketing. If you do not have control of your data, the output will be almost unusable or require multiple iterations; or the access to data and what users can access will leave you vulnerable.
Before you roll out AI, two things have to be true. One, you need to know what data you are pulling from. Two, you need to make sure the controls on that data are right. Then consider the use cases and what you are trying to achieve, versus creating a generic LLM for everyone to ask questions. Knowing what you want out of your system—efficiencies or user experience—and what the output should be is vital to success.
I think recently Harvard did a study—it was like 60 to 70 percent—of AI implementations are failing. There has been a retraction in some ways. Companies know they have to invest and pour more money into AI, but because they are not starting with data and data access, and are just throwing use cases at it, they are failing at a rapid rate and wasting a lot of money.
David Puner:
How do you talk to boards and executives about identity risk in business terms that land?
Chris Schueler:
Talking about it in business terms is the easiest. Using threats and risks is difficult to quantify—every CISO has faced that with boards.
When you talk about business transformation and acceleration—and how AI can be an accelerant—and how securing it will allow it to further accelerate, that works. Do not be the “no” police; be the “yes” police. Our job is to enable the business. If we talk about enabling acquisitions, investing in AI, moving to the cloud, that hits every time.
When you start throwing out adversaries and nation-state actors and lists of breached companies, you get analysis paralysis from the board. That is not productive. You want a productive conversation. Approach it from the business lens. You see many CISOs moving into board seats because they understand the business has to make money and produce. Your job is to allow them to do it safely.
David Puner:
As far as the cloud goes, what misconceptions do you see about cloud security, and how can teams proactively manage risk there?
Chris Schueler:
There are two approaches. One is taking existing tools and systems and enabling them for the cloud. The second is using native cloud tooling and systems—born in the cloud. We tend to gravitate toward the first, applying what we know to cloud workloads.
In the last five or six years, with many breaches, we have learned that does not work. Containers and microservices do not fit many traditional systems, which is why Zero Trust has gained momentum. You cannot apply the same mechanics to born-in-the-cloud applications, systems, and workloads. You need a different lens. Zero Trust reduces exposure around what is most critical and puts the right parameters around that, then works outward. ZTNA has allowed businesses to accelerate in the cloud natively.
The big misconception is believing a vendor’s “cloud version” will just work. You must look at the workload you are running in the cloud and figure it out from there. If the CISO and team are invited to the table early, you can build the architecture from the beginning to be cloud-native and accelerate. Coming in after the fact and wrapping traditional systems around it either breaks it or makes it only a little more secure—not truly secure.
David Puner:
So many things are happening and threats are evolving. If you had to define success for security leaders over the next year, what would it look like? Any trends or milestones you are watching?
Chris Schueler:
Quantum. There are many things, but quantum will be here sooner than we think. You can see that from the work Microsoft and others are doing, and the recent announcement with OpenAI and Nvidia—the big partnership—and OpenAI and Oracle building data centers. One of our biggest barriers right now is data centers and power. Chris Roberts was on the news this morning talking about the lack of power in the U.S.
We talked a lot about AI for a reason. I still find too many CISOs and CIOs who have not embraced it themselves. It is a steep learning curve, but if you do not put your foot in the water and get acclimated, someone else will. Attackers already are. We need to do it for our business, ourselves, and our industry.
Some partners are doubling down on AI and making big bets and acquisitions. You saw that recently with CrowdStrike’s acquisitions, with Pangea. CyberArk made big acquisitions to bring more of the ecosystem together. We need to double down. My encouragement, and where I am investing my time and energy, is AI. We have to embrace it as first movers and take our lumps. You are going to fail. One of my best mentors taught me early on: you never actually fail—you learn from every experience. So fail, but fail fast. Learn from it and get better.
From a trends perspective, everything going into my SIEM is evolving. SIEMs are still there, but other components are coming together in the ecosystem. Exposure management is evolving into continuous threat exposure management; it is finding its fit. I am curious to see how the industry evolves in the next 12 months with smart labeling and tagging of all the data elements for AI. That is the last mile. If we figure that out, based on the telemetry we have, we can stop threats and do pre-crime.
David Puner:
Between hosting and writing articles—which may be part of hosting—and jiu jitsu training three days a week, where do you find the time for all this, and how do you manage your time? I saw somewhere you want to live to be 100.
Chris Schueler:
I mean, who does not—but yes, that is a goal. I want to live to be 100. Being a centenarian is a big goal of mine. Living with intention is important. Your family relies on it, your work relies on it, and you should not waste your time with nonsense.
Living with intention helps you identify where you have margin in your life and where you can maximize that margin to make the biggest impact and do all the things.
I would also encourage people not to separate life into buckets. Many do that—work, faith, hobby, family. I believe in work-life integration. We try to live this out inside Cyderes as well. We are not eight-to-five people, and life is not eight-to-five or five-to-nine when you become dad or husband. My hobbies, passions, family, faith, and work are all Chris. It is one ecosystem. How you show up then is consistent.
You are the same version of yourself, just with a little more focus in this area or that area. And just being intentional. I wear an Oura Ring. I think data and telemetry—not to hyperfocus on it—will tell you how you can perform that day and how you can be a little better, or how you can say, today is going to be an okay day. Because I did not get good sleep, I traveled to Europe, or whatever, and I need to be smarter about what I do today. I should not put myself in a situation where I get sick or make bad decisions.
David Puner:
I think you just inspired me to add to my 24 steps that I have thus far today.
Chris Schueler:
Get your steps in, man.
David Puner:
I think that is something I have to integrate into today. I may not get to 10,000, but maybe 6,000 will be good enough.
Chris Schueler:
That is all you need.
David Puner:
Chris Schueler, CEO at Cyderes, thank you so much for coming on the podcast. This has been really great.
Chris Schueler:
Appreciate it. Thank you, David. It was great being here.
David Puner:
All right, there you have it. Thanks for listening to Security Matters. If you like this episode, please follow us wherever you do your podcast thing so you can catch new episodes as they drop. And if you feel so inclined, please leave us a review. We would appreciate it very much, and so will the algorithmic winds.
What else? Drop us a line with questions, comments, and if you are a cybersecurity professional and have an idea for an episode, drop us a line. Our email address is securitymatterspodcast, all one word, at cyberark.com. We hope to see you next time.