The Security Strategist

EM360Tech
Available Episodes

5 of 180
  • The Zero Trust Conundrum: How Intelligent Friction Boosts Business Velocity
    In this episode of The Security Strategist podcast, host Jonathan Care, Lead Analyst at KuppingerCole Analysts, speaks with Sudhir Reddy, the Chief Technology Officer (CTO) of Esper, about how to build trust in ‘Zero Trust’. They explore the paradox in Zero Trust systems, where human trust is essential for the system to function effectively. Reddy emphasises the need for intelligent friction in security measures, allowing for a balance between security and business operations. The conversation also highlights the importance of understanding user needs and building trust within security systems to ensure effective implementation of Zero Trust strategies.

    How to Build Trust in a "Zero Trust" World?

    “Security should be a seatbelt, not a straightjacket,” the Esper CTO said, describing the nature of zero trust in cybersecurity. For Reddy, zero trust isn’t just about “trust no one.” It’s about verifying everything while still allowing people to do their work.

    “Zero Trust is really about verification,” he explains. “But the paradox is that it’s built to create trust among the people using it.” As systems, devices, and AI tools grow, security can’t just mean adding more barriers. “The number of people interacting with systems has increased a lot,” Reddy adds. “But if the system doesn’t support the business, people will find a way around it.” That, he says, poses a risk where extremely rigid security could defeat its own purpose.

    From “Friction” to “Intelligent Friction”

    The Esper CTO explains that Intelligent Friction means designing systems that adjust security based on the situation. “You want the least friction where there is friction,” he says. “Add friction where it matters most, and make it disappear when it doesn’t.”

    Alluding to an example of banking apps, Reddy explains intelligent friction as a simple login for checking balances and extra verification for large transfers. “That’s intelligent design — progressive, contextual, and trusted.”

    When asked about the key message for CISOs, CEOs and IT decision-makers, he urges them to “stop measuring adherence to rules.” Instead, “start measuring where people are bypassing them — that’s where your friction is hurting the business.”

    At Esper, this approach guides everything from device management to enterprise policy design: security that protects without slowing you down. Discover how Esper is redefining Zero Trust through Intelligent Friction. Learn more at Esper.io.

    Takeaways

      • Zero Trust is fundamentally about verification at every step.
      • The shift to Zero Trust is driven by increased exposure and sophisticated attack vectors.
      • Human trust is essential for Zero Trust systems to function effectively.
      • Intelligent friction allows for security measures that adapt to user needs.
      • Security should not hinder business operations; it should support them.
      • CISOs should measure rebellion against security rules, not just adherence.
      • Progressive security checks can enhance user trust in systems.
      • Cultural change is necessary for effective security implementation.
      • Feedback...
    --------  
    20:05
  • Universal Privileged Access Authorization: Securing Humans, Machines, and Agentic AI
    Can your organization truly trust every identity: human, machine, and AI?

    The traditional security perimeter is no longer a reliable boundary. As enterprises adopt hybrid infrastructures, cloud services, and autonomous AI systems, identity has emerged as the central element of effective cybersecurity.

    In the latest episode of The Security Strategist Podcast, Richard Stiennon speaks with StrongDM’s Chief Executive Officer Tim Prendergast about how organizations can secure human users, machines, and agentic AI through identity-based controls.

    Identity at the Center of Zero Trust

    Both Stiennon and Prendergast believe identity has become the true control plane for modern cybersecurity. While Zero Trust frameworks are widely promoted, they often remain theoretical until grounded in strong identity governance. By continuously verifying and managing every identity (human, machine, and AI), organizations can strengthen access control, reduce the risk of credential theft, and enforce clear operational boundaries across their environments.

    As Prendergast explains, “No one wants to go out of business tomorrow, no matter how good their security is. You have to balance the needs of the business, the needs of your user or customer populations, and practical security.”

    Securing Human Users

    For human users, particularly those with privileged access, identity management must strike a balance between security and productivity. CISOs need visibility into who is accessing critical assets, when, and under what context. StrongDM’s approach emphasizes just-in-time access, ensuring users receive only the permissions they need, precisely when they need them.

    Implementation Considerations

    Deploying identity-based security requires a strategic, phased approach. Prendergast stresses that security measures must align with business priorities to minimize disruption. By treating users, machines, and AI agents as identities rather than simply devices or services, organizations can enforce dynamic policies, respond to threats more effectively, and maintain compliance in increasingly distributed IT environments.

    StrongDM’s approach demonstrates that the future of security lies in identity-first models where humans, machines, and AI agents are governed under the same principles, ensuring that the right identities have the right access at the right time.

    Takeaways

      • Identity is the new control plane for security.
      • Zero Trust is often theoretical; real progress lies in identity-based security.
      • Stolen credentials are the primary attack vector.
      • A Renaissance in identity security...
    --------  
    23:30
  • How Can MSPs Stay Competitive with Managed Detection and Response (MDR)?
    In today’s cybersecurity industry, Managed Service Providers (MSPs) who do not adapt risk falling behind. In the recent episode of The Security Strategist podcast, host Richard Stiennon, Chief Research Analyst at IT-Harvest, talks with Stefanie Hammond, Head Nerd at N-able, and Jim Waggoner, Vice President of Product Management at N-able. They discuss how MSPs can tackle rising threats, bridge the talent gap, and maintain profitability in a quickly evolving market.

    The speakers particularly explore the critical need for MSPs to adopt Managed Detection and Response (MDR) services, the importance of internal security investments, and how AI can enhance efficiency. The conversation also touches on compliance challenges and future trends in pricing strategies for MSPs, emphasising the need for continuous adaptation in a rapidly changing threat environment.

    When Stiennon asked, “How quickly must an MSP change their entire model to a managed detection and response offering to stay competitive?” Hammond's answer was straightforward: “If an MSP hasn’t done that yet, I don’t know how much longer they can wait.” This sets the stage for the podcast.

    MDR Is No Longer Optional but Critical for MSPs

    For MSPs serving clients in tightly regulated fields like finance, healthcare, government, or education, Managed Detection and Response (MDR) is a necessity.

    “Organisations in those sectors face a greater risk,” says Hammond. “Managed Service Providers (MSPs) need to incorporate MDR into their security offerings and make it standard for their customers to stay competitive.”

    However, Hammond cautions against selling MDR as a standalone solution. “We shouldn’t sell any security tools as a separate service.” Instead, she suggests packaging MDR with other prevention, detection, and recovery options, like backup and data protection, to create a layered cybersecurity package.

    Agreeing, Waggoner steps in and describes this as a natural growth process for MSPs: “It becomes a maturity lifecycle. You start by managing hardware and software, move on to daily security, and eventually cover full detection and response. If MSPs don’t want to develop that in-house, N-able can assist—we can co-manage it or handle it for them as they grow.”

    MSPs for Smarter Security and AI-Backed Efficiency

    The speakers also talked about how AI and automation are changing cybersecurity, not just for spotting threats but also for improving operations and driving sales. “We automatically handle 90 per cent of security alerts using AI,” said Waggoner. “If you’re not automating, you’re falling behind,” the Vice President of Product Management at N-able added.

    For Hammond, AI is equally beneficial in marketing and communication. She recommends that MSPs not manage sales and marketing on their own but use AI to support themselves. Both experts agree that compliance, identity protection, and education are essential parts of a resilient security framework. “It always comes down to identity,” Waggoner emphasises. “Use unique logins, change passwords regularly, and set up...
    --------  
    28:27
  • Are Your Keys Safe? Why HSMs Are Now Essential for Cloud, Quantum, and AI Security
    "You have to think about how the online world really operates and how we make sure that data is secure. How can we trust each other in the digital world?" Robert Rogenmoser, the CEO of Securosys, asks. The answer is "encryption and digital signature."

    According to Rogenmoser, storing keys insecurely creates immediate risk. This makes it crucial to maintain strong key security. "If it's just in a software system, you can easily get hacked. If I have your encryption key, I can read your data. If I have your Bitcoin keys, I can spend your money," says Rogenmoser.

    In the recent episode of The Security Strategist podcast, host Richard Stiennon, Chief Research Analyst at IT-Harvest, speaks to Robert Rogenmoser, the CEO of Securosys, about safeguarding the digital world with cryptographic keys. Rogenmoser makes the case for Hardware Security Modules (HSMs) as the best solution for this critical challenge.

    In addition to discussing how hardware security modules (HSMs) protect encryption keys, they also talk about the evolution of HSMs, their applications in financial services, the implications of post-quantum cryptography, and the integration of AI in security practices.

    Are Hardware Security Modules (HSMs) the Ultimate Solution?

    The conversation stresses the importance of key management and the need for organisations to adapt to emerging technologies while ensuring data security.

    To mitigate the cybersecurity risks, the priority is to securely store the keys, control access, and generate keys that cannot be easily guessed by cyber criminals. Rogenmoser believes HSMs are the ultimate solution to the key issue.

    Firms tend to shift their data to the cloud, making it even more essential to secure keys. The main challenge arises when both the data and the keys are managed by the same cloud provider, as this setup can compromise the integrity of key control and raise concerns about data sovereignty. However, Securosys approaches this challenge differently. Rogenmoser explains that organisations can keep their data encrypted in the cloud. At the same time, they keep the key somewhere else, where only they have control over it.

    Multi-Authorisation System for High-Stakes Transactions

    Rogenmoser pointed out the company's patented system for multi-authorisation of Bitcoin keys. This system is essential because blockchain transactions are high-stakes and irreversible.

    "Crypto custody for bitcoins or any cryptocurrency is a major business for our HSM," he said. Banks that hold large amounts of customer crypto cannot afford a single point of failure. "A blockchain operation is a one-way thing. You sign a transaction, and the money is gone."

    The multi-authorisation system addresses this issue by requiring a "quorum" of people to approve each transaction. Rogenmoser explained, "You can say this transaction can only be signed and sent to the blockchain if one out of three compliance officers signs this, plus two out of five traders." This approach creates a "more secure system" because "the HSM then checks, do we have a quorum? Did everyone actually sign the same transaction?" Only after verification is "the actual key for the blockchain […] used to sign a...
    --------  
    19:19
  • Is Your CIAM Ready for Web-Scale and Agentic AI? Why Legacy Identity Can't Secure Agentic AI
    "With any new technology, there's always a turning point: we need something new to solve the old problems," states Jeffrey Hickman, Head of Customer Engineering at ORY, setting the stage for this episode of The Security Strategist podcast.

    The key challenge enterprises face today, particularly in identity and security, is the quick rise of AI agents. Many organisations are trying to bolt advanced AI features onto old systems, only to realise, after the investment, that serious issues have surfaced. The high number of automated interactions could easily overload the current infrastructure. "The scale of agent workloads will be the weak spot for organisations that simply try to apply current identity solutions to the rapidly growing interaction volume," cautions Hickman.

    In this episode of The Security Strategist podcast, Alejandro Leal, Host, Cybersecurity Thought Leader, and Senior Analyst at KuppingerCole Analysts AG, speaks with Jeffrey Hickman, Head of Customer Engineering at ORY, about customer identity and access management in the age of AI agents. They discuss the urgent need for new self-managed identity solutions to address the challenges posed by AI, the limitations of traditional Customer Identity and Access Management (CIAM), and the importance of adaptability and control in identity management. The conversation also explores the future of AI agents as coworkers and customers, emphasising the need for secure practices and the role of CISOs in seeing these changes through.

    AI Agents – The Achilles Heel of Legacy Identity

    Hickman explains that many companies face an immediate and serious issue at the moment. He said: "The scale of agentic workloads will be the Achilles heel for organisations that simply try to map existing identity solutions onto the drastically ballooning interaction volume."

    This scale not only overwhelms current systems but also creates perilous complexity. AI agents, acting on their own or on behalf of humans, lead to a huge increase in authentication events. This is called "authentication sprawl." Such strain on old technology often positions security as an afterthought.

    The main unresolved technical issue is context: figuring out what an individual agent is allowed to do and what specific data it can access, Hickman tells Leal. "The problem is defining the context—what an agent is allowed to do and gather. Legacy IM solutions don't address this well; it's an unsolved area."

    To gain the necessary control, organisations must move beyond complicated scope chains and rethink how granular permissions function. Meanwhile, the risk of AI-driven phishing targeting human users, fueled by manipulated prompts, will grow until we can ensure the authenticity of human-in-the-loop moments using technologies like Passkeys.

    Also Read: OpenAI leverages Ory platform to support over 400M weekly active users

    Takeaways

      • The rise of AI agents is reshaping customer identity management.
      • Traditional CIAM systems struggle with the scale of AI interactions.
      • Adaptability is crucial for organisations facing new identity challenges.
      • Control over identity solutions is essential for enterprises.
      • Security must not be sacrificed for user experience.
      • AI agents can amplify existing identity management...
    --------  
    21:48

About The Security Strategist

Stay ahead of cyberthreats with expert insights and practical security. Led by an ensemble cast of industry thought leaders offering in-depth analysis and practical advice to fortify your organization's defenses.
v7.23.11 | © 2007-2025 radio.de GmbH
Generated: 11/13/2025 - 5:55:10 AM