December 14, 2023

EP 41 – Cyber Hygiene and the Identity Imperative

Our guest today is Rita Gurevich, the CEO and Founder of SPHERE, an identity hygiene platform. Gurevich joins host David Puner to explore the challenges and dynamics surrounding identity and cyber hygiene in today’s cybersecurity landscape. The conversation begins by addressing the accelerated pace at which cyber controls and identity hygiene requirements are evolving, emphasizing the critical role they play in cybersecurity strategies. The discussion extends to the impact of cloud and hybrid environments, the nuances of cyber insurance trends – and the challenges presented by mergers and acquisitions in relation to identity hygiene. Gurevich highlights the growing importance of considering both cloud and on-prem systems with equal rigor, emphasizing the need for comprehensive cybersecurity measures to combat threats and risks. 

[00:00:00.280] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, a global leader in identity security.

[00:00:26.140] – David Puner
We reflexively know we have to do certain things or face problems at some unknown point down the line. Tooth brushing is an obvious example. I don’t need to tell you what might happen if you don’t do it regularly, but the somewhat less obvious point is that if you let your teeth go, the negative health implications of that neglect can go way beyond mouth problems.

[00:00:46.560] – David Puner
But enough about dental things and over to cybersecurity, where the parallels between maintaining identity hygiene within digital realms, and practicing good personal hygiene in our daily lives run deep. Just as we take measures to keep ourselves physically healthy, brushing teeth and washing hands and that sort of thing, organizations must engage in similar disciplines to ensure the health and security of their digital identities.

[00:01:13.590] – David Puner
Today’s guest, Rita Gurevich, the CEO and Founder of the security firm SPHERE, is all in on identity hygiene, a practice that helps organizations identify identities within their digital ecosystems and locate and respond to vulnerabilities.

[00:01:30.480] – David Puner
As you’ll hear, our conversation delves into identity and its significance in fortifying our digital defenses. Just as we all understand the importance of personal hygiene, well, most of us, Rita argues that understanding and prioritizing identity hygiene is critical to fortifying organizations against the countless cyber threats in our interconnected world.

[00:01:54.390] – David Puner
As she points out, it can provide positive health ramifications for things like compliance requirements, mergers and acquisitions challenges, and lowering cyber insurance premiums. Here’s my conversation with Rita Gurevich. Don’t forget to floss.

[00:02:15.650] – David Puner
Rita Gurevich, Founder and CEO of SPHERE. Welcome to Trust Issues. SPHERE is a cybersecurity company that’s focused on identity hygiene. Before we get into any of that, just welcome. Thanks for coming on the podcast.

[00:02:29.810] – Rita Gurevich
It’s a pleasure to be here. I’ve been waiting all week for this.

[00:02:34.090] – David Puner
Oh, great. Me, too. You founded SPHERE in 2010. Among other places before that, you were, interestingly enough, when I was looking at your CV here, with Lehman Brothers. How did being there and being there at that particular time, we should note 2004 to 2008, contribute to you starting your own cybersecurity company a couple of years later?

[00:02:59.570] – Rita Gurevich
What’s interesting is that’s when Lehman went bankrupt. That’s the big headline story of that year. Not just Lehman, but there was a domino effect before and after that we all experienced intensely. It was an incredible time in my personal life and in my professional career. I was very young, so I was 24 when all of this went down.

[00:03:22.400] – Rita Gurevich
In some ways, I feel bad talking about those experiences because so many people lost so much. It wasn’t uncommon to see the big boxes in the hallways leading up to the bankruptcy, knowing what’s about to come that day, and seeing people with their head in their hands with a lot of pain. I try not to talk about it too lightly.

[00:03:41.130] – Rita Gurevich
But that being said, during the bankruptcy, I was put on a SWAT team that had to figure out how do you split apart and untangle the tech stack. How do you figure out what goes to Barclays, Nomura, Neuberger Berman? For a young spry 24-year-old, it was actually pretty exciting. There was an incredible sense of urgency in terms of timing. There was no ability to look for tooling to do this. We had to figure out how do we build this puzzle of everything that we have and knowing full well that we were just going to tear that puzzle apart.

[00:04:16.330] – Rita Gurevich
We started with the obvious, your accounts, your identities. We moved on to your file data, your SharePoint sites, your servers, your applications. You can imagine what something like that could look like for a company that size with that much history. That went through its own M&A leading up to that time.

[00:04:33.850] – Rita Gurevich
I would say I attribute so much of that experience to the reasons of why I did what I did. I mentioned that some of this was personal, too. I watched people’s lives be transformed in ways that they couldn’t control. I felt as a young person, I had an opportunity to take control of my professional career. I said, “I want to do something where I hold the keys to my future.” That’s really when I started to realize I need to be a business owner. I need to do something entrepreneurial.

[00:05:03.960] – Rita Gurevich
But at the same time, I became obsessed with what I was doing during that bankruptcy. I loved this concept of finding everything obvious and not so obvious and figuring out what is it, who owns it. That was the foundation of the business that I started SPHERE.

[00:05:21.900] – David Puner
Your education was in computer science and mathematics. What track were you on to that point? Where did you think you were going?

[00:05:29.420] – Rita Gurevich
I thought I was going to be a really cool developer. And I do, I still dabble. Of course, during that time, I did a lot more engineering. But I also enjoyed the people and the planning side of things, too. I loved that I was able to essentially track these programs. I loved that I was able to work with cross-functional teams.

[00:05:49.910] – Rita Gurevich
I knew I couldn’t just sit with headphones on writing code all day, even though I found it really interesting. I love the logic behind code. I love everything about how do you build something from nothing. I wasn’t the best at syntax, to be honest, but that’s what Google is for.

[00:06:06.000] – David Puner
Who is. Did your experiences at Lehman Brothers influence your thinking, what it takes to make an organization resilient? Did your experiences provide any takeaways on the importance of safeguarding key IT initiatives from any type of volatility, be it economic, operational, or security-related?

[00:06:26.830] – Rita Gurevich
Yeah, I definitely learned how important good housekeeping actually is. You can probably start to see how we branded ourselves as an identity hygiene company. The truth is, though, we live in quite a crazy world, and the challenges of our work are very much impacted by what’s going on around us, just as much as we aim to deliver value to the customers.

[00:06:51.700] – Rita Gurevich
The bankruptcy at Lehman Brothers is a great example of that. But look at what’s been going on lately. We had COVID, major implications to operations, really tested our ability to be resilient. There has also been a banking crisis this year. There’s a war. Then there’s the main challenge that we talk about every day of our lives, which is the grueling never-ending attempts of bad actors to breach our systems.

[00:07:19.150] – Rita Gurevich
What I’ve learned is having that good solid hygiene, that good foundation. Again, in my world, we’ve translated that into a go-to market plan. But it’s an incredible approach to minimizing the impact of what you can and cannot control and recovering from those unplanned emergencies. When you know what you have, how it’s being used, who owns what, it makes disaster recovery in every aspect a much more successful endeavor.

[00:07:49.210] – David Puner
When you founded and launched SPHERE, what problem were you trying to solve? Was it called identity hygiene at that point? How has that problem morphed over the years? When did identity hygiene emerge as your focus? What did it mean then? How does that compare to what it means now?

[00:08:05.540] – Rita Gurevich
Oh God, how much time do you have?

[00:08:07.860] – David Puner
We’ve got as much time as you’ve got.

[00:08:10.810] – Rita Gurevich
When I started SPHERE, the original intent was to provide services. We wanted to help companies clean up their identities, their data, the permissions across other infrastructure. We called ourselves cyber janitors for a while. We even have a funny little spoof video on our website, where we dressed up as janitors and had some fun cleaning socks on a washboard and calling it socks compliance. We definitely had a bit of a laugh at the concept of being the cleanup crew for identity.

[00:08:43.030] – Rita Gurevich
But I’ll tell you, when you clean things up by hand manually over and over and over again. We did it for like a decade as a bootstrap business, that’s probably a whole other podcast. But you keep doing the same thing, you find opportunities to automate a lot of these very repetitive tasks.

[00:09:00.080] – Rita Gurevich
That led us down the path of building what we called toolkits at the time. The original idea was these were toolkits our service delivery teams would use when we engaged with a client. Of course, clients shoulder surf. They watch how you work. They started to ask us to keep these toolkits. We were like, “Oh my God, they value it as much as we value it. This is so amazing.” It was heartwarming, and it felt like such an accomplishment.

[00:09:30.100] – Rita Gurevich
Now looking back, that was just almost the start of our journey. But at the time, it just felt so good to see that what we felt was so important and the way we were doing it was actually working, and people wanted to keep doing it themselves. We patted ourselves on the shoulders quite a bit during that time. They were happy because their teams were cleaning up five issues a weekend by hand, whether it was open access to a group drive or a service account that needed to be… Whatever it could have been, they were doing like five a weekend. We got it to thousands a weekend.

[00:10:08.730] – Rita Gurevich
Imagine what they used to think was impossible is now all of a sudden possible. There was like this light at the end of the tunnel, and you can actually clean up all of your accounts now in a reasonable amount of time without breaking everything in the process.

[00:10:27.430] – Rita Gurevich
Going back to when identity hygiene emerged, that happened organically over time. I can’t say there was this one aha moment that we had. It’s just how the company organically progressed. When we started as a company, our scope really started in the data world, your unstructured data, your file systems, your SharePoint sites, all that good stuff. But of course, that led us naturally to build capabilities around active directory more broadly. If you’re looking at unstructured data and the permissions around it, you get quite good at understanding users and groups and the nuances around access controls.

[00:11:04.960] – Rita Gurevich
Of course, then we immediately saw the need to focus on identity as a core theme. We saw the world appreciate that identity is how a bad actor gets in, but what data they want and what that identity can access within the network is actually the prize. We focused on both sides of that before we really even understood why.

[00:11:28.450] – Rita Gurevich
You start to think about this problem and the specificity of issues that occur, things like service accounts or the access identities have to databases, to servers. How are you protecting all of this? It all ended up boiling down to just good high hygiene.

[00:11:45.690] – Rita Gurevich
There are a couple elements to that, really. Huge element is discovery. That’s probably the first thing we talk about when we talk about identity hygiene. But the reality is you can’t stop there. The second part is remediation, and that may mean getting rid of clutter. It may mean standardizing access. It may be going down into the weeds and even doing things like flattening your active directory groups.

[00:12:10.930] – Rita Gurevich
In terms of CyberArk, of course, it means onboarding accounts to PAM. What I love now, and I’ll end this incredible rant that I’m on.

[00:12:20.790] – David Puner
Not a rant, you’re fired up.

[00:12:23.000] – Rita Gurevich
I love it. I’m so passionate about this topic. But what makes me really excited is that everyone now understands that this is continuous. This isn’t a one-and-done. Surely you have to handle the stock of issues that are staring you dead in the face, but you also have to track and resolve any new issues that pop up as well. Good hygiene is fundamental to that. I make a joke all the time, just like personal hygiene, you don’t shower once a day, you do it every day. I think everyone now finally understands that and that’s exciting for us.

[00:12:58.090] – David Puner
That’s great. Good to know. You were talking about identity back in 2010 by name, so you had your focus at that point. Fast-forward then to today, how much of what you deal with has something to do with organizations being reactive versus proactive? What are motivating factors?

[00:13:18.830] – Rita Gurevich
I would say companies are doing both now. The truth is that companies have an incredible burden on their shoulders right now. They have tons of legacy systems. They have messiness due to M&A, that’s probably a whole topic by itself as well.

[00:13:33.430] – David Puner
Yeah, we’ll get to that. I’m sure.

[00:13:35.460] – Rita Gurevich
All these neglected directories that are out there. Fixing this is reactive, yes, but it finally can be done reasonably fast, as we talked about earlier and again, without the fear of causing disruption to your business. That’s the biggest roadblock that people get stuck on, “I want to fix it, but I’m going to break a trading system,” or “I want to fix it, but I have no idea what this is used for.” That’s why people get stuck. We’ve solved that problem for them.

[00:14:02.090] – Rita Gurevich
But at the same time, it’s great to say I can fix the stock of issues that are staring me dead in the face, of course, but you also have to be proactive, as we talked about earlier. We preach that every single day. The beauty is, once you’ve seen this work on that crazy mountain of problems, you can actually leverage the same exact approach for anything new that pops up.

[00:14:24.530] – Rita Gurevich
It’s much easier actually dealing with these at the onset, as opposed to years down the line when bad behaviors became just embedded in everyday work. It’s fun to hear folks like Gartner really helping push this proactive need, the preventative care you need to put in place.

[00:14:44.260] – Rita Gurevich
I heard a senior analyst recently talk about ITDR. They’re putting prevention ahead of detection and response. I was so excited to hear this woman speak. For 10 minutes, she spoke so passionately, relentlessly about hygiene as the driver for prevention, and we couldn’t agree more. This is true for organizations of all sizes. Larger companies have probably been tackling and dealing with these issues longer, and there are a lot more unknowns they have to deal with.

[00:15:14.700] – Rita Gurevich
But of course, your SMBs, your mid-market customers, they’re struggling with this, too. I’m a little jealous and envious of the smaller companies because I think it’s a little easier for them. There’s less people, there’s more institutional knowledge. This is a problem across the board, but all types of companies can tackle this.

[00:15:36.780] – David Puner
Is the focus or the motivating factors different when it comes to large enterprise clients as opposed to the small and medium-sized business?

[00:15:46.140] – Rita Gurevich
I would say compliance definitely drives the big boys, especially in highly regulated industries like financial services, for example. But I think the truth is now all companies are dealing with the cost of a breach. All companies, large and small, deal with how to respond to it and how to recover from it. I think the implications might be a little bit different, but scary to everybody, nonetheless.

[00:16:13.690] – David Puner
You mentioned compliance, in your view, what are the key building blocks for creating a strong proactive compliance program?

[00:16:20.540] – Rita Gurevich
The beauty of identity hygiene is, yes, it can absolutely be fundamental for compliance requirements. But the truth is that these efforts also just drive better security, lower insurance premiums, help with your internal auditors getting off of your back every moment of every day. Compliance, yes, you get the bank examiners off your back for sure, but it’s good practice, and it has so many positive domino effects.

[00:16:48.600] – Rita Gurevich
I like to tell people to start with the basics. Can I inventory everything that I have? Can you answer that question confidently? If you can’t, that’s step one. Next is, what are the controls I need to have in place, and how do I report on the violations to those controls? Now, you know everything you have, but where are the problems? Where are the unsecured accounts? Where is the sensitive data that’s exposed? What rules should I put in place for this type of object versus that type of object? Then how do I know when somebody, something, somewhere somehow is breaking one of those rules? Then you got to fix it, of course.

[00:17:28.540] – Rita Gurevich
What other little tidbit of a tip that I like to talk about that falls in between that whole discovery, inventory, and fix remediate, and that’s ownership. It’s something that people don’t necessarily think about. It’s the ability to tag a human as the authoritative source for making decisions about that asset, whether it’s an account, a piece of data, teams channel, whatever it might be.

[00:17:56.200] – Rita Gurevich
Once you can figure out who owns it, there are all sorts of really cool techniques that we have in our technology to do that, you now have information about that person. You know the department, you know the region. Think about all the interesting metrics about risk you can put together when you have ownership. You can say things like investment banking in Europe has X amount of risk, while fixed income in New York has Y amount of risk. Now, that leads to something that we call the shame game.

[00:18:27.440] – David Puner
The shame game, all right.

[00:18:29.300] – Rita Gurevich
The shame game is an approach and a technique that we tell CISOs and risk officers to use all the time to be able to quantify and demonstrate what areas of the business are better or worse. It’s a way to encourage peers that run and can control the reaction to these issues in a way that gets them to stack up better against their peers.

[00:18:53.440] – Rita Gurevich
It’s really hard to make change culturally at a company when you don’t have data, and you can’t pinpoint where the problems are. When you can’t have accountability for the business to help you in a way that’s non-intrusive, not with a lot of friction, but with real information, that makes these things go so much faster.

[00:19:14.860] – David Puner
CISOs, you’re obviously interacting with quite a few of them. At this moment in time, which I’ll note is the very end of November 2023, what do you think if there was one biggest challenge that CISOs generally face right now, what would that biggest challenge be?

[00:19:34.070] – Rita Gurevich
I think that for the first time in my career doing what I do is the requirements are adding up fast, much faster than before. Identity hygiene, cyber hygiene, or more broadly, cyber controls, they used to come a little bit slower. You had time to acclimate, in my opinion. Now things like cyber insurance renewal applications are forcing everyone to move much faster and have to have a lot more coverage than they ever had before.

[00:20:04.940] – Rita Gurevich
We keep hearing even folks at CyberArk say, it’s not just about your most privileged, your most scary accounts. It’s all your identities. It’s all your accounts. It used to be just good Samaritans going and being proactive, but now everyone’s being forced to do this in incredible scopes across not just certain types of platforms and infrastructure, but across the board.

[00:20:31.110] – Rita Gurevich
Whether it’s all of your fancy Cloud systems, but also all of that crazy on-prem environment, all that core infrastructure, there’s no discrimination. The reason for this is the bad actors coming in from the outside trying to do harm also don’t discriminate, whether it’s something in the Cloud or on-prem. They don’t discriminate whether it’s a highly privileged account or just a regular account, so we have to react in the same way.

[00:20:56.280] – David Puner
How does the emergence of Cloud, now more than ever, as well as hybrid environments, affect your overall approach to identity hygiene?

[00:21:08.880] – Rita Gurevich
I think it expands the scope for sure. But from our perspective, it shouldn’t matter whether the account lives in AWS or in the local admin group on a Windows server. From our perspective, it’s just different connectors. But the reality is, I think people do have to think about treating these as one and the same. The same policies, processes, rigor that you’re putting in your Cloud systems you should have with your on-prem systems.

[00:21:37.390] – Rita Gurevich
I think what’s very fascinating is in the last couple of years, there are a lot of cyber companies that started focusing on Cloud. I think they created a bit of buzz around that, which made people move away from thinking about their on-prem systems. But if you take a look at, even as I mentioned earlier, cyber insurance renewals, like service accounts, have huge blocks of real estate in these applications, just as much as wanting to know about your controls across your Cloud data. I think it’s important that you look at both with equal rigor, with equal intensity, and almost pretend like it doesn’t matter where it lives. You have to protect it nonetheless.

[00:22:19.160] – David Puner
Right. What trends are you seeing with cyber insurance this year? Is there any such thing as a common client situation you deal with when it comes to cyber insurance? Are the terms becoming more favorable with the heightened geopolitical tensions and rampant ransomware going on now? Have things only become more challenging with cyber insurance in 2023?

[00:22:42.120] – Rita Gurevich
Cyber insurance is such a huge topic now. I don’t think I’ve had one interview podcast conversation where it didn’t come up in conversation. The good thing is, I think we’re starting to see themes and trends into how cyber insurance providers are analyzing companies. How they’re determining what those premiums look like.

[00:23:06.900] – Rita Gurevich
More and more what we’re learning, and we’re seeing from our customers and even us internally too, we have cyber insurance, is the underwriters are putting a lot of emphasis into understanding how has your maturity improved since your last renewal application that was filled out. Is there a dramatic impact? We had a client recently share with us that he was able to decrease their premium by millions. The way he did that was by showing improvements they made. It’s shocking how much these applications are now consumed by identity and access-related questions.

[00:23:44.540] – Rita Gurevich
Just like I shared earlier, I’ve seen big blocks for things like service accounts, domain admins, et cetera. If you know the way insurance premiums work, it can help you think about where you focus. In a nutshell, the way insurance works is there is a base rate, and that’s decided by the insurance provider. Much of that is actually publicly available, so you can look it up. They make those calls based on how certain demographics of their customers claims they filed over the last year, what losses they shared over the last year. That’s how each one decides their exposure levels and what that could look like. But then there are modifiers that will add to your premium levels based on how mature you are in different areas.

[00:24:32.500] – Rita Gurevich
Again, being able to demonstrate maturity by showing that something you used to perform informally has now been moved to something that’s quantitatively controlled. That’s huge in terms of what your bill is going to look like at the end of the day. Things like being able to show an inventory of all your user and administrative accounts that you’ve established which accounts are highly privileged, that you’re rotating those passwords much more frequently than you were a year ago, those all play a major role.

[00:25:04.790] – Rita Gurevich
One final point on insurance, which I think is really fascinating, is these underwriters are clever. They’re super technical. They can talk the talk, they can walk the walk. These individuals have been scooped up from very prestigious companies, so they understand the topic at hand very well. In some ways, that’s really great for companies that have made improvements.

[00:25:33.370] – Rita Gurevich
One final story is, I was talking to another customer, and he shared with me. He said, “I’m nervous about our insurance renewal because I’m going to tell the underwriters we have a lot more accounts than we thought we had last year, and it’s going to look like our environment is worse.”

[00:25:49.210] – Rita Gurevich
I said, “No, that’s not true. You’re going to be able to demonstrate that you’ve looked under every rock, that you went into every drawer. You finally feel that you have a good inventory. You can show them with evidence that every week when you refresh that data, it’s consistent and that you know what everything in that list is all about. Just because you have more than you had the year before, does not mean that the underwriters are going to look at you in a negative way.” But if the underwriter wasn’t technical, and it was the type of underwriters that we worked with 10 years ago, the story would probably be a little bit different.

[00:26:29.640] – David Puner
Really interesting. You also made me think of something when you were talking about that there’s probably a burgeoning market for cyber insurance underwriters at this point.

[00:26:38.250] – Rita Gurevich
The skill sets to be able to decide for an insurance company how secure or insecure a company is are highly valued. It’s not that common. There’s not a billion identity hygiene companies out there, that’s for sure. It is a bit of a niche space, but it’s all achievable.

[00:26:58.640] – David Puner
I’m seeing in the news today that Amazon is debuting a cyber insurance program for speedy policy estimates. Did you see that? If you did, what do you think that potentially means?

[00:27:09.810] – Rita Gurevich
Definitely, I think it leads back to the conversation we had a few moments ago about Cloud. I think cyber insurers are asking as much about Cloud as they should. AWS is one of the most prominent platforms out there. Their customers are very nervous about using those platforms in ways that they shouldn’t, putting them at risk, of course. What does that also lead to? Potentially higher cyber insurance premiums.

[00:27:38.740] – David Puner
There’s a lot to think about there.

[00:27:40.600] – Rita Gurevich
A lot to unpack.

[00:27:41.510] – David Puner
Yeah, a lot to unpack, and we’ll keep on doing it. How do mergers and acquisitions compound the hygiene problem? Are your customers experiencing challenges when it comes to addressing any security gaps they’ve uncovered within the organizations they’ve acquired? Or are there maybe differences in how the acquired organizations view key security issues?

[00:28:03.580] – Rita Gurevich
Yeah, that’s always a problem for sure. Think about how little people know about their own environments, the ones that they work in every single day. Now, they are tasked with taking over yet a whole other set of environments that they have a lot less exposure to.

[00:28:23.600] – Rita Gurevich
It’s an instascope expansion with a ton of unknowns. Sometimes M&A aren’t happy-sunshines-and-rainbows. Sometimes you have competing people with the same role, vying for the same long-term position. There are cultural issues that pack on the challenges for sure. Yeah, it’s a big problem. It’s a huge problem. The neglected directories, the legacy systems, it’s double because there’s now other companies you have to care about.

[00:28:53.660] – Rita Gurevich
But I have seen some signs of goodies in terms of how companies approach M&A recently as well. More and more, you see CISOs participating in the earlier discussions around what could this look like post-acquisition. That’s really important. I think companies have been burned by not looking at that. Then the CISOs and CIOs come in later and say, “Well, this is how much it’s going to cost to do this, and this is how much security is lacking here, or these are the inconsistencies between our two companies that we have to now fix.” I think also the cost of acquisition and the final numbers on paper are also impacted, or security impacts those numbers on the paper at the end of the day.

[00:29:39.520] – Rita Gurevich
I think that’s actually a positive. I think it’s showing CEOs and boards not to underestimate the importance of looking into this before you make a decision. One other point that’s interesting, and we’ve seen this in the news, is companies are sold at very favorable price points to the buyers because of security issues. Big banks have to peel off business units because they can’t get out of an MRA or MRIA. Then the acquirer says, “I’m going to buy this company at a really competitive price point because I think I can resolve that MRA and take advantage of this opportunity.” It is interesting that security is playing a front-and-center role in some cases in M&A activity.

[00:30:24.460] – David Puner
Do you ever feel like you get to the point where you’ve seen everything when it comes to identity hygiene, or does every day bring something new?

[00:30:32.870] – Rita Gurevich
I would say I’ve seen a lot. The business is 13 years old. I’ve been doing this a really long time. Even though, maybe we started in data, and then we moved to active directory and so on and so forth, but really, we have been doing the same thing every single day. Call it being a janitor, call it being a hygienist. It’s the same core themes that we’ve been looking at every single day for 13 years.

[00:30:58.160] – Rita Gurevich
Sure, I learned a lot of Cloud. That’s fairly new. Last few years, we’ve become immersed ourselves, as the world has as well. I don’t see that changing. There are new trends that everyone’s really focused on, like AI and other areas as well. I don’t think there’s ever going to be a pause in the ability to learn more, go deeper, go wider within the identity space and cybersecurity more broadly as well.

[00:31:26.780] – David Puner
As we close in on the end of 2023, of course, this has been GenAI’s breakout year. Not to pre-empt what you may potentially say here, but what have been your customers’ biggest challenges this year? Were there any big surprises? Then, once we hear about that, we’ll do the inevitable shift and look into 2024.

[00:31:51.150] – Rita Gurevich
I don’t think there is anything monumental from an identity perspective. I think what happened this past year is everyone had to do the things that they’ve always either wanted to do or put in the corner for a while. I’ll give you an example. Somebody, another customer, said this to me. He said, “I know I have a problem in SharePoint. I know it. I want to start being able to take advantage of technologies like Microsoft Copilot. But I’m scared because I know there’s all these permissions issues.”

[00:32:24.360] – Rita Gurevich
It used to be that somebody had to know where to look. Now, with Search and Copilot and all of these new productivity tools, that information that was overexposed from an access control perspective, now is like front and center. Think about what it used to be like if you had to go find salary information. You’d have to know what file server to go to or what site to navigate to, and you’d have to know where to look. Now, you just type it into the search field, and if you have access, you’ll see it. That’s scary.

[00:32:56.290] – Rita Gurevich
What used to be this concept of, “I know it’s a problem. It’s staring at me from the corner,” has shifted from, “My auditors want me to do it. My bank examiners are forcing me to do it. My cyber insurance renewal is suggesting I do this.”

[00:33:12.550] – Rita Gurevich
It’s also impeding innovation. It’s really cool, it’s going to change the way we work. But people also now understand that they have to take control of their permissions and understand what access exists out there and lock it down before they can calmly, safely, and effectively really take advantage of all of these tools.

[00:33:32.940] – Rita Gurevich
That definitely is going to become a theme moving into 2024, I think, is AI is the buzz for sure. But what happens when you start looking at data that you shouldn’t even ever have been able to see? What’s that going to look like next year?

[00:33:49.460] – David Puner
What does that look like?

[00:33:51.220] – Rita Gurevich
I think it’s going to be scary. Also, in the last couple of years, we’ve talked a little bit less about internal threats. A disgruntled employee doing something they shouldn’t do or accidentally stumbling on something and then learning there could be a monetary advantage to that information. The world started talking more about the bad actors, the nation-state attacks.

[00:34:14.500] – Rita Gurevich
But I think with tools like Copilot, people are starting to think again about the concept of inside our four walls, whether it’s physical or proverbial four walls, what does that look like when we start to really learn that our permissions are a mess and our data is exposed, and our accounts aren’t protected? It’s not just from bad actors getting in from the outside. It’s also our internal staff that either by accident or sadly, sometimes by design, does something inappropriate.

[00:34:46.460] – David Puner
The insider threat, yes, always a challenge, always something to keep an eye on. What else in 2024 do you think we should be keeping an eye out from an emerging threat standpoint?

[00:34:58.720] – Rita Gurevich
I think a lot is going to happen, what’s going on geographically, in terms of the war and how that’s going to progress. I think that’s going to create a ripe playing field for all sorts of cybercrime. I think we’ve all said over the last decade, the next war will be a cyberwar. Maybe that’s true, maybe it’s not, but it surely will increase. I think turmoil physically only creates the cesspool of desires to hurt people electronically and through cyber warfare. I think we’re going to see a lot of that next year, unfortunately.

[00:35:38.550] – David Puner
That’s not great, to say the least. Anything from an uplifting standpoint we can look forward to in 2024?

[00:35:47.240] – Rita Gurevich
I did paint a quite scary picture, but also at the end of the day, as humans, many of us have entrepreneurial mindsets, and problems breed innovation also. I think we’re going to see some really interesting new solutions to these problems. I think we’re going to take advantage of AI. I think that we are going to move faster than we have in the past because I think the outside world is going to move pretty fast.

[00:36:13.100] – Rita Gurevich
At the same time, scary, yes, everything I mentioned is pretty intense, but I think there’s going to be some incredible startups. I’ve seen some pitch ideas that blew my mind, and I think that there’s going to be a lot of companies coming together, too. I think there’s the business reasons, the financial reasons that we see about consolidating of companies and all sorts of M&A on the tech side of the house. But I also think that’s going to breed really interesting capabilities for the customers to defend themselves better against this onslaught of challenge that they’re experiencing. I think it’s going to be an interesting balancing act.

[00:36:51.910] – David Puner
Good stuff. I guess the most important question that I need to ask you at the end of this interview is-

[00:36:56.850] – Rita Gurevich
Let’s go get some ice cream. I’ll feel better.

[00:36:59.010] – David Puner
Yes. I was going to ask you if there’s a bagel in your future today.

[00:37:02.640] – Rita Gurevich
A bagel, maybe some ice cream. I don’t know. I think it’s a chocolate evening, too.

[00:37:07.140] – David Puner
All right. That sounds good. Rita Gurevich, thank you so much for coming on to Trust Issues. Really appreciate it. It’s been great.

[00:37:14.670] – Rita Gurevich
Awesome. This was great. Thank you so much.

[00:37:25.340] – David Puner
Thanks for listening to Trust Issues. If you like this episode, please check out our back catalog for more conversations with cyber defenders and protectors. Don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. Drop us a line if you feel so inclined. Questions, comments, suggestions, which come to think of it are like comments. Our email address is [email protected]. See you next time.