The Security Strategist

• Securing Assets in a Complex IT Landscape: Deterministic Automation in ITAM

  Modern enterprises face a growing challenge in managing thousands of devices, applications, and identities across increasingly complex IT environments. Unmanaged assets, shadow IT, and inconsistent processes can quietly create security gaps that expose organisations to significant risk.In this episode of Security Strategist, Syed Ali, Chief Executive Officer of EZO, joins host Chris Steffen to discuss how IT asset management (ITAM) and deterministic automation provide the visibility and control organizations need to secure their digital landscapes.“There are risks lying around in the organization,” Ali explains. “A good ITAM solution helps identify them and forms the foundation for maturing IT operations.” His insights are drawn from years of experience as both an IT practitioner and entrepreneur, offering practical lessons for IT leaders and security professionals alike.Strengthening Cybersecurity and Risk Management with ITAMEffective ITAM solutions are more than just inventory tools; they are central to reducing cybersecurity risk. By automating asset discovery, monitoring, and reporting, organizations gain accurate, up-to-date visibility into every device, software, and identity across their networks.“Automation runs in IT; it has always run in IT,” Ali notes. Deterministic automation ensures processes are consistent and predictable, allowing IT teams to spot vulnerabilities, reduce the likelihood of human error, and respond quickly to emerging threats. This approach also makes data reliable for decision-making, supporting procurement, patch management, and risk mitigation strategies.Unmanaged assets, he warns, can “come back to bite us,” particularly when organizations lack visibility into endpoints, applications, and shadow identities. Implementing ITAM proactively rather than reactively is crucial for organizations that want to minimize risk rather than simply meet compliance requirements.Future ITAM TrendsLooking forward, agentic AI and identity-aware assets are shaping the future of ITAM. While AI introduces powerful capabilities, keeping it separate from deterministic automation ensures organizations maintain control while enhancing visibility and security.Investing in effective ITAM and automation is an enduring strategy for securing assets, reducing risk, and enabling informed decision-making. As Syed explains, “The system is meant to work for you, but that only happens if there’s discipline and awareness in identifying risks. The danger of not having a solid item in place is very real. I also understand that an understaffed IT team, constantly reacting to issues, can’t always prioritise these risks effectively. Unfortunately, that’s the reality we’re dealing with.”To learn more about effective ITAM solutions, visit EZO.For more insights follow EZO:X: @ezosolutionsInstagram: @ezo.solutionsFacebook: https://www.facebook.com/EZOsolutions/LinkedIn:

  --------  

  21:44

  --------

  21:44
• How Can Businesses Address Guardrails for Autonomous AI Agents with Permissions?

  “People love the idea that an agent can go out, learn how to do something, and just do it,” Jeff Hickman, Head of Customer Engineering, Ory, said. “But that means we need to rethink authorization from the ground up. It’s not just about who can log in; it’s about who can act, on whose behalf, and under what circumstances.”In the latest episode of The Security Strategist Podcast, Ory’s Head of Customer Engineering, Jeff Hickman, speaks to host Richard Stiennon, the Chief Research Analyst at IT-Harvest. They discuss a pressing challenge for businesses adopting AI: managing permissions and identity as autonomous agents start making their own decisions.They particularly explore the implications of AI agents acting autonomously, the need for fine-grained authorization, and the importance of human oversight. The conversation also touches on the skills required for effective management of AI permissions and the key concerns for CISOs in this rapidly changing environment.The fear that AI agents can go rogue or exceed their bounds is very real. They are not just tools anymore; instead, they can now negotiate data, trigger actions, also process payments. Without the right authorisation model, Hickman warns that organizations will encounter both security gaps and operational chaos.Also Watch: Is Your CIAM Ready for Web-Scale and Agentic AI? Why Legacy Identity Can't Secure Agentic AIHuman Element Vital to Prevent AI Agent from Going WildTraditional IAM frameworks aren’t designed for agents that think, adapt, and scale quickly. Anticipating a major shift, Hickman says, “It’s not just about role-based access anymore. We’re moving toward relationship-based authorization—models that understand context, identity, and intent among users, agents, and systems.”Citing Google’s Zanzibar model, the Ory lead customer engineer says that it’s a starting point for this new era. Unlike static roles, it outlines flexible, one-to-one relationships between people, tools, and AI systems. This flexibility will be crucial as organizations deploy millions of autonomous agents operating under various levels of trust.But technology alone won’t solve the issue. Hickman stresses the importance of the human element, saying, “We need humans to define the initial set of permissions. The person who creates an agent should be able to establish the boundaries—in plain language, if possible. The AI should understand those instructions as a core part of its operating model.”This leads to a multi-pronged identity system where humans, agents, and services all verify authorization on behalf of the user before any action takes place—ensuring accountability even when AI acts autonomously.The New Organisational Skill Stack for AI SecurityAs AI systems grow more sophisticated, the people managing them must also evolve. Hickman outlines a three-part skill structure every organization should develop:Identity and Access Architects: To define how agents authenticate, represent and act on behalf of users, and scale securely.AI Behaviour Analysts: A new role that bridges technical and business insights, understanding how LLMs make decisions and how to align that behaviour with enterprise goals.Business...

  --------  

  24:58

  --------

  24:58
• Is Current DLP Failing Data Security in the Age of Generative AI?

  With more and more organisations adopting AI as part of their operations, a new layer of data risk has begun to emerge. In the recent episode of The Security Strategist Podcast, guest Gidi Cohen, CEO and Co-Founder of Bonfy.AI, sat down with host Richard Stiennon, Chief Research Analyst at IT Harvest. They discussed the reasons traditional data loss prevention (DLP) systems fail. Cohen stressed that understanding data context is now crucial for securing AI-driven enterprises.What Happens When “Trusted” AI Tools Become Paramount RiskThe rise of generative AI, from chatbots to embedded assistants in SaaS platforms, has created a complex web of data interactions that many organisations do not fully grasp. Cohen argues that this new reality has made legacy DLP technologies completely irrelevant.“Even before generative AI, DLP never really worked well,” he told Stiennon. “It relied on static classification and outdated detection models that created noise and false positives. Now, with dynamic content generated and shared instantly — and humans often out of the loop — those tools can’t keep up.”While “shadow AI” applications have gained much attention, Cohen believes the larger threat lies in the trusted tools organisations already use. “We’re using Microsoft 365, Google Workspace, Salesforce — all of which now embed AI models,” the Bonfy CEO explains. “They process vast amounts of sensitive data every day. Yet most companies have no control or visibility over how that data is accessed, transformed, or shared.”This lack of visibility creates a perfect storm for data exposure. “You might use an LLM to summarise a customer meeting, which is fine,” Cohen says. “But if that summary is later shared with the wrong client or synced with another app, you’ve just leaked confidential information — and no one will even notice.”The main issue, he adds, isn’t about whether AI vendors misuse data. “The model itself isn’t the main problem. It’s what happens afterwards — how the data and outputs move through the organisation.”How to Create a New Model for AI-Aware Data SecurityCohen’s solution to this growing complexity is what he calls a context-driven, multichannel architecture. Such a way perceives data protection as an ecosystem rather than a single checkpoint.“The flows are too complex for simple guardrails,” he explains. “You can’t just block uploads of credit card numbers and call it a day. You need to understand the context — who’s sharing the information, through what channel, for what purpose, and whether it’s leaving the organisation.”Bonfy’s approach looks across multiple communication layers — from email and file sharing to APIs, AI agents, and web traffic. They create a complete view of how information moves. Cohen says it’s essential for spotting risky behaviour, whether it comes from a careless employee or an autonomous AI agent working in the background.As organisations start using multimodal AI — incorporating text, images, audio, and video — this overall visibility becomes even more important. Browser extensions or regex-based filters, he notes, simply won’t catch everything. “An AI agent isn’t using a browser. It’s running somewhere on your network, processing sensitive data on its own. You need a...

  --------  

  20:17

  --------

  20:17
• The Zero Trust Conundrum: How Intelligent Friction Boosts Business Velocity

  In this episode of The Security Strategist podcast, host Jonathan Care, Lead Analyst at KuppingerCole Analysts, speaks with Sudhir Reddy, the Chief Technology Officer (CTO) of Esper, about how to build trust in ‘Zero Trust.’. They explore this paradox in Zero Trust systems, where human trust is essential for the system to function effectively. Reddy emphasises the need for intelligent friction in security measures, allowing for a balance between security and business operations. The conversation also highlights the importance of understanding user needs and building trust within security systems to ensure effective implementation of Zero Trust strategies.How to Build Trust in a "Zero Trust" World?“Security should be a seatbelt, not a straightjacket,” Esper CTO said, describing the nature of zero trust in cybersecurity. For Reddy, zero trust isn’t just about “trust no one.” It’s about verifying everything while still allowing people to do their work.“Zero Trust is really about verification,” he explains. “But the paradox is that it’s built to create trust among the people using it.” As systems, devices, and AI tools grow, security can’t just mean adding more barriers. “The number of people interacting with systems has increased a lot,” Reddy adds. “But if the system doesn’t support the business, people will find a way around it.” That, he says, poses a risk where extremely rigid security could defeat its own purpose.From “Friction” to “Intelligent Friction”The Esper CTO explains Intelligent Friction designs systems that adjust security based on the situation. “You want the least friction where there is friction,” he says. “Add friction where it matters most, and make it disappear when it doesn’t.”Alluding to an example of banking apps, Reddy explains intelligent friction as a simple login for checking balances and extra verification for large transfers. “That’s intelligent design — progressive, contextual, and trusted.”When asked about the key message for CISOs, CEOs and IT decision-makers, he urges them to “stop measuring adherence to rules.” Instead, “start measuring where people are bypassing them — that’s where your friction is hurting the business.”At Esper, this approach guides everything from device management to enterprise policy design: security that protects without slowing you down. Discover how Esper is redefining Zero Trust through Intelligent Friction. Learn more at Esper.io.TakeawaysZero Trust is fundamentally about verification at every step.The shift to Zero Trust is driven by increased exposure and sophisticated attack vectors.Human trust is essential for Zero Trust systems to function effectively.Intelligent friction allows for security measures that adapt to user needs.Security should not hinder business operations; it should support them.CISOs should measure rebellion against security rules, not just adherence.Progressive security checks can enhance user trust in systems.Cultural change is necessary for effective security implementation.Feedback...

  --------  

  20:05

  --------

  20:05
• Universal Privileged Access Authorization: Securing Humans, Machines, and Agentic AI

  Can your organization truly trust every identity, human, machine, and AI?The traditional security perimeter is no longer a reliable boundary. As enterprises adopt hybrid infrastructures, cloud services, and autonomous AI systems, identity has emerged as the central element of effective cybersecurity.In the latest episode of The Security Strategist Podcast, Richard Stiennon speaks with StrongDM’s Chief Executive Officer Tim Prendergast about how organizations can secure human users, machines, and agentic AI through identity-based controls.Identity at the Center of Zero TrustBoth Stiennon and Prendergast believe identity has become the true control plane for modern cybersecurity. While Zero Trust frameworks are widely promoted, they often remain theoretical until grounded in strong identity governance. By continuously verifying and managing every identity—human, machine, and AI—organizations can strengthen access control, reduce the risk of credential theft, and enforce clear operational boundaries across their environments.As Prendergast explains, “No one wants to go out of business tomorrow, no matter how good their security is. You have to balance the needs of the business, the needs of your user or customer populations, and practical security.Securing Human UsersFor human users, particularly those with privileged access, identity management must strike a balance between security and productivity. CISOs need visibility into who is accessing critical assets, when, and under what context. StrongDM’s approach emphasizes just-in-time access, ensuring users receive only the permissions they need, precisely when they need them.Implementation ConsiderationsDeploying identity-based security requires a strategic, phased approach. Prendergast stresses that security measures must align with business priorities to minimize disruption. By treating users, machines, and AI agents as identities rather than simply devices or services, organizations can enforce dynamic policies, respond to threats more effectively, and maintain compliance in increasingly distributed IT environments.StrongDM’s approach demonstrates that the future of security lies in identity-first models where humans, machines, and AI agents are governed under the same principles, ensuring that the right identities have the right access at the right time.TakeawaysIdentity is the new control plane for security.Zero Trust is often theoretical; real progress lies in identity-based security.Stolen credentials are the primary attack vector.A Renaissance in identity security...

  --------  

  23:30

  --------

  23:30

More Business podcasts

Trending Business podcasts

About The Security Strategist

The Security Strategist: Podcasts in Family