Martin Hinton (00:00) Guardrails for AI, does your company have them? Host Martin Hinton and Chris Kelly, president of Delinea, get into that and all the issues with non-human next on the Cyber Insurance News Podcast. Martin Hinton (00:16) All right, welcome to the Cyber Insurance News and Information Podcast. I'm the executive editor of Cyber Insurance News and your host today, Martin Hinton. And joining us is Chris Kelly. He's the president of Delinea. That's a security firm that works both in the human and the non-human space. And with AI and all of the ⁓ non-human identities and human identities out there, it's no small issue and no small topic on the tips of tongues in the cybersecurity and cyber insurance world. So without further ado, Chris. Thanks so much for joining us. I really do appreciate it. How's your day going so far? Chris Kelly (00:50) It's great, Martin. Thank you for having me. I appreciate it. And I would concur. This is very important topic and incredibly timely based on what's going on in the industry around us. Martin Hinton (00:59) So let's dive right in. We'll expand on some of this later. But if someone hears one idea today, what should it be with regard to AI risk or identity risk? What do you think that the big headline takeaway should be for people today with regard to that topic? Chris Kelly (01:13) I mean, that's the $64,000 question. mean, identity being the control plane and with the evolution and usage adoption of AI, AI will both shrink our risk capabilities, but it will equally supercharge our attackers capabilities. So ⁓ AI is already everywhere, but the real adoption of it in certainly in corporate worlds is somewhat cautious. So we need to use this time as practitioners to really get ahead of that risk. And the AI risk is just fundamentally ⁓ an identity problem because AI is our identities. And so we need to get ahead of that, as I said. Martin Hinton (01:54) ⁓ You touch on something that I adore, the idea that as far into the tech age or the information age as we might feel, some of us been around a little longer, the truth is we're still at the very beginning of this. And AI is obviously the latest incarnation of tech and information age technology that has made that incredibly clear. I wonder in that context of the beginning, are we heading to a place where, you know, Every interaction you have needs to have layers on it that we now encounter for say a wire transfer from a bank. Chris Kelly (02:30) ⁓ Absolutely. mean, yes, is the answer to that explicit question. ⁓ It's funny you mentioned the pervasiveness of it. I'll give you one side note and then I'll get specifically to answer your question. I learned yesterday that my 80-year-old mother calls her chat GPT app her boyfriend, and she talks to her boyfriend all day long. And so as we think about the pervasiveness of what's going on out there, that's a very real-world, tangible thing that I like. It scared the hell out of me at the same time. ⁓ But when you think about kind of the challenge and using your bank wire example, if you use identity as a foundation, who are you? What can you do? What's your normal behavior? Being able to answer those questions real time is going to be pervasive. And so that's where we have to really take hold of that and have a plan for it and use the AI to combat the AI. ⁓ know, stolen or lost credentials remain the number one cause of most breaches today. So again, that makes identity the core of the control layer of modern security. ⁓ You know, at this point, the thing that keeps me up at night isn't a hacker per se, it's a legitimate service account with admin rights that nobody has looked at in 18 months, because what can you do with that? What can exploit, what kind of exploits can come with that? So absolutely we have to get to a world. where that is happening, the Bankwire example, but it has to happen in real time. And so that's what's gonna be the next wave of evolution in technology advancement. Martin Hinton (04:06) Which brings us to Delinea and you. So I know that you're new to Delinea. So tell me a little bit about what the company does with regard to that topic. Chris Kelly (04:15) Okay, I mean, ⁓ the tagline would be we secure every identity, both human and machine. So the intent is kind of what I was alluded to just before. Give you the right access for the right amount of time, and then provide full auditing capabilities. So ⁓ then remediate when you need to remove that access. And this is a problem that is massive for our customers. especially with the propagation of AI and machine identities, which there's 50 times more of them than humans. ⁓ So our ability to be able to go after and provide that right access, right amount of time and still audit it, ⁓ then revoking rights as needed is going to be critical for our customers to adopt it. Martin Hinton (05:03) And for the audience to say, we'll get into this, the obvious reality is here for controls and underwriting pressure and the AI driven sort of uncertainty of things now. These are all big issues with regard to the liability around really any business and data collection. ⁓ When you talk to customers about this, what problems or what reality are they bringing to you that sort of you see the way you do the technical side of it. How do they arrive at you and you help them sort of see the clear field and begin a process of improving their identity security? Chris Kelly (05:44) Yeah, yeah. It's also a good question because I mean, there's not a customer that I talked to that feels like they've got control of this because of that sprawl that I just alluded to. know, again, whether it's 50, 100 times, whatever the number is, the identity propagation and the, know, because of the machine and because of the agentic work that's going on is just exploding. And so for them, you know, it starts with even the ability to discover. you know, what do I have out there? Because there's shadow IT and shadow usage everywhere. ⁓ And so they've got to be able to understand what's out into their environment before they can even make a plan to address it. So I would say it's this overwhelming speed and that propagation is the first thing that they're really focused on. And that's really how we typically engage is like, let's take a look at what's out there today. And then let's see where you are and assess that. And then let's figure out how to remediate and start prioritizing, fixing and closing those gaps and reducing the risk. Martin Hinton (06:52) You remind me of the human condition to add on. We add things on to solve problems. And I can imagine someone coming to you in a scenario where you take their house and they're looking for something to do or an addition to do, and you discover like a secret room in the basement. That's the, here's another 1,500 identities you didn't even know you had, right? The proliferation part of it, it's quite remarkable, right? We solve problems by bringing in more of the same thing or something else that's similar. Is that a very simple way? I mean, tell me I'm wrong, but is that a simple way to think about? Chris Kelly (07:25) I think it's a fair way to do it. mean, again, you can't solve what you don't know. And in times past, it was a very finite or controlled amount of things that you could ⁓ look for and be able to monitor and control. In today's times, it's almost impossible because of that proliferation and the machines spinning up the identities and usage. Again, with great power comes great responsibility. mean, we're all looking to maximize and leverage AI to be able to go and run our businesses more efficiently, to cut costs. mean, all of the benefits that we know to be true, but at the same time, and especially in a CISOs world, introducing that risk safely and being able to discover those hidden rooms or those hidden areas ⁓ is really... somewhat challenging and that's where companies like ours really try to come in and help them with that upfront. Martin Hinton (08:28) Now for you personally, backing up to Chris's origin story, this is just the latest cybersecurity problem you've encountered, right? So you've been doing this, I think you said on our pre-interview, since before it was even called cybersecurity. So tell me a little bit, not to ⁓ let the cat out of the bag, but tell us a little bit about your career and sort of the path you've taken to get to dealing with this particular problem today. Chris Kelly (08:34) Yeah. Yeah. Yeah, yeah, yeah. Well, it's funny because I did fall into security. And back when I got into it, as you said, we just called it security. wasn't cybersecurity. It wasn't network security. It was just security. And I took a job with a little startup and was in sales at the time. And ⁓ the thing that I wasn't expecting, I was expecting a paycheck and to sell as much as I could and make a good living. ⁓ what I didn't expect was to really find a sense of purpose. And for me, that's why I've stayed almost, ⁓ well, 27 of the 30 years I've been in tech, ⁓ cybersecurity because for me, you can sell software and there's a lot of great software capabilities and technologies out there, but what we do matters. And what I mean by that is it matters beyond a P and L, it matters beyond a balance sheet. There's nation state, there's government protection, protecting people's livelihoods, ⁓ protecting critical infrastructure. mean, there's so much of what we do. And so for me, ⁓ my career has been spent. ⁓ I worked at Cisco for a long time. I was at another startup that we sold to Cisco. My tenure at Cisco was almost exclusively in the network security side of the business. I then took a detour to Adobe where I learned my SaaS chops, not in security and marketing. software, but it did get me into the SaaS world. And then most recently, I went to a company called CyberArk, where they taught me privilege access management and really arriving at Delinea, that's the convergence of all of those. so, throughout my career, ⁓ I've really tried to steep myself in it and I love it. I I literally get out of bed every day knowing what we do makes a difference. And ⁓ in particular, what Delinea does really, really makes a difference. Martin Hinton (10:46) You know, it's funny, I'm only a journalist. And so we become maybe experts in something to the degree we could fake it at a cocktail party, like we have a real education in something. I think, you know, two and a half years or so of being immersed in the cyber insurance and quite naturally as a function of that, the cybersecurity space. And it is genuinely fascinating. And I come from, you know, a television career where I've done everything from military history documentaries to political commentary live on cable news. You make a great point just then where it sort of, it really does touch all of our lives and every part of our existence in a way that I think lots of people don't comprehend, even executives. wonder, you know, when you're thinking about it as a person who's been in this space long enough for the names of things to change, which is, you know, a thing that happens, right? What a non-cyber or non-sort of technical side executives still misunderstand about the dynamic or the threat nature or the Chris Kelly (11:36) Yeah. Martin Hinton (11:45) quote-unquote, bad people side of this situation. Chris Kelly (11:49) Yeah. Well, first I'll say there is much more awareness now at the senior executive level because it is a board discussion. It's a continuity of business discussion. I would say the majority really don't understand the depth and the breadth of it or the magnitude of it, but it is getting better. That said, ⁓ people live in their own universe. And so if you use like my Adobe example, In Martech, the worst day is a missed lead, a missed opportunity, a campaign that doesn't go well, blah, blah. In cybersecurity and what we touch, our worst day is a hospital gets owned and ⁓ insulin machines could get hacked and patients can't get treatment. And so that is where the of the shift in mindset ⁓ of executives really comes to fruition. When they start understanding You know, downtime means this. could be financial. It could be health in this particular example. ⁓ So it's becoming more aware, I would say. Like it's more of a conversation. But truthfully, I don't think that it's reached a level ⁓ more broadly that people get. And I think as you get further down into organizations, that even is less so because people have day jobs and they have to worry about writing code or they have to write about you know, nurses have to give injections and whatever that is. But you will see it continue to propagate because it does, ⁓ you know, it gets more real for people every day. That's the easiest way I could say it. Martin Hinton (13:27) Yeah, you touch on something that one of my business partners, he wrote after 9-11, he was a special forces officer in the army and involved in ⁓ that kind of world. And he wrote a textbook about post-9-11 domestic policing, to put it very vaguely. And one of the things he talked about in explaining the book was to me, suddenly now police officers in America have to do an entirely new thing in addition to something they were already doing, this sort of terrorism awareness. Is it an anthrax lab or is it a meth lab now? Chris Kelly (13:44) huh. Martin Hinton (13:57) And that layers on top of, like you said, in the case of the nurse example you used, their very important daily function of treating patients, right? That's the primary reason they exist. We know that there's a lot of paperwork for nurses and that sort of thing. You throw on top this layer of ⁓ security concern and that sort of thing. And it becomes yet another thing for employees to sort of, you you have to almost organically introduce it into their lives, maybe as children. So it becomes like washing your hands after using the bathroom and looking both ways before you cross the street. Chris Kelly (14:24) Yeah. Martin Hinton (14:26) One of the things that, you know, I'm touching the of the awareness issue of it. I've spoken to a lot of people and it comes to the realization that, you know, we think of IT and a lot of people sort of mesh IT and the security issues around technology in the same space where, you know, more and more now people talk about IT being more of a, while very important, a separate or almost very distinct function from that of, say, cybersecurity, particularly with AI. in our living rooms and stuff like that. Now, do you remember when that moment occurred to you or when you sort of made that realization like, wow, this is getting, you know, the security side of this is so significant now and the threats and what we're losing to bad security is so significant now, we need a, you know, a whole new special department, you know, almost like, you know, there was never, there wasn't an Air Force until there were airplanes, right? Well, there wasn't even an Air Force until the very end of World War II, despite us having air power. Chris Kelly (15:18) Yeah. ⁓ Martin Hinton (15:22) But that idea that you need to okay this can't just be part of the army anymore This is not IT we need to have a whole separate division with a whole separate mindset and budget items and you know authorities and that sort of thing tell me about that sort of Realization for you and and have you ever witnessed that in someone else? Chris Kelly (15:38) I mean, yeah, look, so I would say in varying degrees, it's always been there, but it's this evolution. So 30 years ago when I first started, it was regulated industries. It was financial services, healthcare, right? These are the folks that because they were regulated, because there was rulings around it, they had to take it more seriously than your average company and... the hackers and the bad actors were not as pervasive and or as capable. Nowadays, it's becoming more mainstream. And I would say, there was a real sea change for me maybe four or five years ago. And it wasn't just security, because people have been spending money on cybersecurity for a long time. And that's why it's a very healthy, profitable, Wall Street likes cybersecurity companies for that reason is because we're always chasing this ⁓ ever evolving threat. The sea change though for me was when things stopped being plumbing and started being again, I biased because I work for an identity security company, but the identity aspect of this is really been game changing. And you're even seeing in companies where identity used to be just core IT, because it was access. I'm an employee, Joe Smith, and I do work there, yes, validated, and I have access to my email. And so... You've got your OctaPing, Microsoft, whatever solution you use to provide that access. Well, then it became the attack service because, surface, because once you had access into said network, the bad actors could just go everywhere and do everything. And that's where really, to me, the big change happened. And so, you like I said, it's, people have been focused on security. It's been a major spend area, but that's when it changed to, because of the exposure that it gave the bad actors. a board discussion and the hacks were being held and extortion for hundreds of millions of dollars were happening and markets changed because an activity happened. So ⁓ it's going to continue. It's going to, and again, not to use the AI moniker too much, but AI is only gonna exasperate it. But that's really where I saw the big shift and the specialization even within. secure cybersecurity being more relevant. So you have your IT department, you typically have your cyber department, you could have identity within that. like there's that specialization, ⁓ you know, certainly for larger companies. Now the flip side, and you know, I know we will kind of get to the market size of things. So as you go down market, ⁓ you know, organizations just don't have those capabilities. And there's a lot of different ways that people solve. Martin Hinton (18:22) Yeah, I mean, we will touch on that. what Chris is alluding to is the idea that there are a lot of solutions out there. But when your spend is limited, to put it simply, ⁓ you make difficult choices. And you cut quarters where you can. back to your nurse analogy, you give the injection and worry about whether or not you logged out of a platform correctly if there's an urgent medical need. Maybe that's a bit hyperbolic. But we are in a situation where You know, people have daily tasks and they're quote unquote nine to five. And this again is another layer on top that, you know, I think in the case of Delinea is ⁓ something that needs to be made easier, I suppose. In that respect, when you're dealing with say, you know, a company or a disconnect, like when you're dealing with a vendor or, you what are the disconnects that exist between, you know, the vendor experience and what customers experience? You know, I mean, should know you arrived at the linear in January and I wonder if you could take me through, you know, the first day at school sort of reaction, not that you didn't do prep work, of course, and know what you were getting into, but what were your first impressions as you sort of, you know, took the reins, if you will. Chris Kelly (19:35) Yeah, yeah. Well, as I mentioned previously, I was at our probably largest competitor running the sales ⁓ organization. And so I had a unique ⁓ perspective on the market and certainly understood where things were going and the respective technologies and approaches to solving it. for me, I wasn't, I got introduced to Delinea. by a friend and had some initial conversations. And for me, the light bulb went on because what I didn't realize was going on is Delinea's approach is unique to any of our other competitors. And so I got super excited when I found out we had this cloud native capability in what traditionally or historically has been more of a legacy kind of on-premise universe. And why that's important is in a legacy on-premise environment, that's well and good if you're an enterprise and you're not going to be dealing with cloud, you're not going to be doing evolution, ⁓ or you're in a very regulated industry that won't allow it or government agencies that won't allow it. That's not the way the market's going. And what Delinea did is Delinea realized very early on, call it four years ago, that to be future proof, if you will, or to continue to evolve and be relevant to your customer base, you needed to take that legacy on-prem heritage, so your enterprise grade heritage, but then modernize it in a truly cloud native platform to be able to go and evolve as the threats matured, as the capabilities matured, to be able to provide the just-in-time access and the things that go out there. So I found out about that. through conversations I had with the executives here. And it was like, I caught the bug because this is the legacy problem. Other competitors talk about being cloud solutions or cloud platforms. In reality, what they are is they're ⁓ an amalgamation of multiple kind of different product sets that they run on virtual machines spun up in a AWS or Azure data center, not cloud native. So what that means is, they have the same kind of flaws, if you will, that the traditional on-premise machines have. Availability is not four and a half nines. When you have to do upgrades and things like that, you have to take it down for service and maintenance. You can't evolve. I mean, we bought two companies in the last year and a half. We had them natively integrated within four months. You can't do that if you're not a cloud native solution. So for me, that was the first taste, is like this tech is incredible and everyone's gonna understand the why. sorry, it a longer answer probably than you wanted, but that's what got me here. Martin Hinton (22:31) No, long answers are good. That's the beauty of a podcast, right? You let people say their piece and then I ask a question. So talk to me about cloud native. We hear that phrase. How does that actually improve security? What does it do to change those outcomes with regard to that? Just drill down on that for me so that I understand a little more clearly. Chris Kelly (22:40) Hahaha. Yeah, so I mean, there's multiple elements of it, like, you know, so everyone claims to have a platform, right? And as I said, most of them are stitched together acquisitions or legacy technologies that they, you know, provide a kind of common interface to log in and use. But ⁓ true cloud native in our world is cloud native elastic capacity. So our ability to scale up and scale down is directly corollary to that of our cloud providers. Resiliency, our architecture, I mean, there's inherent resiliency built into the cloud, right? So they've got their multiple data centers and being able to do that. And then our software being written in a native cloud means that we're doing code drops every single day. We'll do 10, 20 code drops every single day. people will not even know. We don't take it down. We don't have to schedule maintenance. We quote and we will, you know, testify to four and a half nines availability. And we think that's just kind of getting started. But what that means, because a lot of people say, well, we're four nines. The difference between four nines and four and a half nines sounds like from a marketing perspective, nothing big. But what it really is, is four nines is... five minutes a week of downtime. Four and a half nines is five minutes a year of downtime. So if you claim to be a true enterprise grade thing and you are a mission critical trading platform or the healthcare or whatever it is, and you're going down on average five minutes a week versus five minutes a year, and that, by the way, that five minutes a week is only what they're guaranteeing, because that doesn't include, they don't add in the... scheduled maintenance and downtime and repair. So it's actually more than that. that resiliency is really, really important. And then for me, the biggest part is the rapid innovation. ⁓ As I mentioned, we have an incredible development team here and we platform the whole thing, but we're constantly building new capabilities. I mentioned we bought and integrated two companies in the last year and a half. We're in the process of ⁓ acquiring one right now, which we hope to get clearance for in the next coming days. These will be inherent and native in our platform as a true extension, not as a bolt-on, not as something that's going to have a different UI, not as something like, this is what the difference in the power of cloud native capabilities are. Martin Hinton (25:30) You, I mentioned that I produced documentaries, military history documentaries, and I can imagine a World War II ship with sailors hanging off the side as it sails into battle, repairing it and painting it, like not taking out a service. This ship is still going from the battle it was in where it got damaged to the battle it needs to be in, or perhaps the painting is just routine maintenance to deal with rust and the impacts of the elements. I mean, maybe a bit silly, but. This idea that you have something that, I mean, mission critical, vital to the execution of whatever business you're in, the idea that you don't have to turn it off as often as someone else, that's a big deal. I mean, am I simplifying it too much? Chris Kelly (26:12) No, it's a massive deal. And it's a massive deal for the reason that you talked about in your example, though I've never heard that example before, I like it. ⁓ But I can steal it. Thank you. ⁓ But it's critical because of it's the way the future will evolve. you can't, I mean, my personal belief is, again, this is Chris's, I'm not saying this is delineation, Martin Hinton (26:21) It's yours! Go ahead, you can take it. All rights reserved. Chris Kelly (26:41) You can't claim to be enterprise grade from a technology solution if you don't have these capabilities and this resiliency and all of that. Because whether you're using an on-prem and legacy network, most networks in the enterprise are, after I'm dead and buried, they'll still have on-prem. People will still have data centers. It's not gonna be certain companies. Now, there are cloud native, born in the cloud companies. sitting in downtown San Francisco right now within a mile of where I sit, there's hundreds of them. But from a historical legacy ⁓ corporation, they're going to be on that gamut forever. And so we are uniquely positioned. We're the only ones, I feel, that can do that. And we have the resiliency capability built in. So even if they need to do part of their network on-prem, the rest of it on cloud, if there's a failover, Martin Hinton (27:15) you Chris Kelly (27:37) for the on-prem, if they lose connectivity, whatever, they're still live. Like that resiliency doesn't exist with our competition. so customers will demand this. They will expect this. And I think right now they're still trying to figure out and really understand where they're going, ⁓ but we're architected to take them on that journey. Martin Hinton (27:57) You, I may bore you as I do my children, but you remind me, I did an embed in with some special operations units once and I learned the phrase, two is one and one is none. And to your point about redundancy and resilience is, one is not having anything, That could be broken, it could not work, you could lose it. Backups and that sort of thing, again, are not new. These ideas are old facts. Yeah, yeah. Chris Kelly (28:25) Concepts. Yeah. Martin Hinton (28:27) So I want to see. Chris Kelly (28:27) But while you say that though, they're not new concepts. people have become accustomed to it because there's not been alternatives to that. And that's why you've seen, again, cloud, that's why cloud has taken off the way it has, not just resiliency, but that's a big part of it. But that speed, that ability, that flex capability of being able to do it, and then the two is one and one is none, just deep red underscores all of it because everything's mission critical now. And it doesn't matter what business you're in. I mean, truly, our offices are, we share an office with DocuSign Corporation and DocuSign, you know, think about it. Their business is doing digital signatures. If their business goes down, they're a publicly traded company. I know the president, she sits four floors above me for four minutes. How much money does that cost them? What brand defamation does that have? And what are their competitors gonna do to leverage that? So that resiliency is critical. Martin Hinton (29:30) Yeah, you make a great point. And it sort of helps us transition into the next section of our conversation, which is AI and the idea that resiliency in the AI world comes with someone who can do something that you can't do right away or it can be done while you're not watching. I wonder if you might want to talk about the sort of, I think we framed it as the three-pronged AI strategy and what customers are really doing in this space. If you could sort of take me down that road and we'll see where we go. Chris Kelly (29:57) Yeah, I'll focus it more on how we're approaching it, but certainly I think it's relevant to others because I think depending on, in my role, I talk to lot of customers. What I will say about our customers is everybody's at different phases. Everybody knows that they have to do something. Everybody wants to do something. The depth and breadth with which they're doing that and the speed with which you're doing that varies incredibly, as you'd imagine. I read an article this weekend, ⁓ two very large companies ⁓ are making it mandatory to have AI training. You will not get a bonus if you don't do AI training. Thus, start learning it. I have companies that will not allow their employees to use AI at all. And I think the majority of us live in the middle. It's like, how do we practically approach it? At Delinea, we think of, you mentioned three prong, there's kind of three ways to look at it. We're using AI for internal efficiencies, which many companies are. How do we take replicable jobs with a lot of data that we have and do them more efficiently? How do we free up cycles for humans? And it's not a cost cutting in the sense of getting rid of people, it's an efficiency of making people more efficient so that we can use them better and scale them more. We're using it. massively in the development side of the house, which is just, I mean, I won't go into details, but just scary to see how awesome it is and the way that translates. ⁓ We're securing our customers' AI usage. So again, how do we go out and help them deploy AI in a more secure fashion? And then finally, we're embedding AI into our platform. So not just bolting on a third-party model, but... You know, one example is like session recordings. know, we, ⁓ session recordings are not a very sexy part of the business, but they're critical, especially in regulated industries. So people have terabytes and terabytes of data that they record all of this stuff. Well, you only typically use it if you're having an audit, you fail an audit, or if you're looking for something and then it becomes this needle in a haystack, right? Well, we use AI to analyze these session recordings. So humans may be able to review 1 % of all this stuff. AI can go and analyze the other 99 % and then surface the critical ones that actually matter. So it's finding that needle in a haystack for you. Simple concept to get, powerful concept when needed. And so that's just one example and there's a lot more to come on that. I don't want to go into the product side of it. Martin Hinton (32:45) No, no, tell me if I'm misunderstanding, but what we're talking about there is the idea that when you engage in massive amounts of data for whatever reason, sometimes it, well, for most human beings, it's hard to go back and look at that in any kind of coherent way and see where maybe something went wrong. And what you're talking about is A, you create a record of whatever activity occurs so that there's a record. And then that gives you the ability to analyze behaviors to see where something should be adjusted so that you can improve the situation and the efficiencies and the securities going forward. Is that that's over the simplify? Chris Kelly (33:27) That's it. That's one absolute real active live use case, 100%. Right? mean, and again, AI is all based on data, right? It's all, you know, whether it's being used, the data being used or how you can maximize it. And then, you know, how do you do it in a way that's efficient? How do you do it in a way that's better than a human can do it in many cases? ⁓ Or it just doesn't make sense for a human to do it because why would you spend? Martin Hinton (33:32) Yeah. Chris Kelly (33:55) five times as long, times as long, 100 times as long to go and do this mundane task or very sophisticated task, right? And as it learns, as it becomes more intelligent, it can take on and people will have more confidence in its ability. They will trust its judgment to do that. And that's kind of the way that I see things rolling out is I don't think people are gonna go overnight, flip the switch, hand the controls over to the machine and be done with it. They will start with. assets within their organization, things they feel comfortable with, try it out, prove it out, gain the momentum, understand that they, how the machine is working, then they'll become more comfortable. So I think it'll be an evolution, but I think it'll be an evolution much faster than historically we've seen in other parts of tech. Just because it's, once people get hooked on it, it's incredible. mean, I use it every day and it's just, changes, it changes who I... how I do my job and how I think about my job, which allows me to free up and do other things, which is what it's all about for me. Martin Hinton (35:00) Yeah, well, I you touched on a pretty remarkable reality. And I I agree with you completely. is, back to what you started talking about, I was reminded of the scenario whenever you were doing any kind of, I used to work in program development and, know, program development is all about changing things and tweaking things to make them better or to change them for whatever reason. And one of the things I remember learning early on from one of my bosses was if we change too much, We're not going to know what change did what. don't do too much because then you'll be like, well, I don't know what made it better. What made it worse? We changed 11 things. I don't know which one of the 11 is it all of them combined or in particular. And that idea of sort of a regimented introduction and a disciplined approach, that's the sort of thing that we need in the adoption of a lot of technology, particularly one with the potential power of AI. Chris Kelly (35:28) Yeah. Yeah. Martin Hinton (35:51) One of the we discussed and we threw in the document that we shared prior to this was that there's a distinction between AI and cybersecurity and security for AI. And I think I understand that idea. And I wonder whether or not you might make sure I've got it right. Chris Kelly (36:08) I yeah, I touched on it a second ago, but kind of going a little deeper, as you think about the difference, ⁓ securing AI, AI, enterprises are deploying ⁓ AI agents and they have real credentials. They act autonomously in production environments. ⁓ What that means is every agent is a non-human identity. So who authorized it? What can it access? do we do when the task is done? That's like, how do we secure that? How do we put guardrails around that and make sure that that's not being explored? So that's when I say securing AI, it's we, Delinea, as a vendor, a software provider, how do we help our customers do that more efficiently and more safely, right? So that's kind of the security for AI. AI in cybersecurity to me is the example I gave around the session recording. It's when we have capabilities in our products that improve, enhance, that can be used in service of securing that AI. you know, when we go... ⁓ build in these new capabilities and we've got a learning engine. We've got the capability actually to have an AI interaction that our customers, our existing customers use where they can go in, talk to an AI agent and solve problems. They can troubleshoot. And it's a really powerful thing. And it's interesting because we launched this maybe six months ago. The number of trouble tickets and calls to our call centers went down by something like 65, 70 % because One, they had access to the data. They can ask a question and interact where before they'd have to go to a human instead of looking it up and figuring it out. That agent has learned so much from doing this that they make that more efficient. And truthfully, the part that's kind of funny about it is the customers, because of the nature of a lot of people, they kind of prefer not talking to a human when they can avoid talking to a human. So I got a meeting at the Gartner ⁓ session in Dallas. ⁓ back a couple months ago and the customer said, our admins love this so much because they're introverts and they don't want us talk to people and be on the phone with them and go that and they can go and answer all their questions. And then if they can't get their question answered, they can open this travel ticket and they can actually get to where they need to go more efficiently. it's things like that that when I think about AI in cybersecurity are, that's an efficiency play. That's a user happiness, a customer success and customer experience enhancement. And that's why I get so excited about it. It's so multi-dimensional. And again, I'm sharing the glowing positives, but then we know that our enemies are going to be using it for nefarious purposes against that. So that's why we have to continue to focus on the second part, which was that securing for AI. So how do we secure the AI? Martin Hinton (39:18) Yeah. So you touched on when we were discussing security for a we talked about you touched on permissions and access to things and that sort of gets us into sort of the notion of identity as a core control and that you got the human and non-human and identities and then unknown identities. I wonder whether I could give you a little example of something happened to me recently if I'm right to assume that a non-human identity was responsible for this activity and it may be an issue. So I was due to take a flight at nine o'clock on Saturday night. And I'm at the airport, my flight was delayed and then eventually canceled for mechanical reasons. The airline rebooked me and I got an email saying your flight is tomorrow at nine. So the same flight 24 hours later and went home from the airport and asked questions about where I send the receipt for the extra cabs I have to take and all that sort of thing. The next day, leisurely Sunday, thinking I've got all day to, you know, relax. About three o'clock, think, you know what, maybe I'll check to make sure the flight's on time. And I open up the airline app and lo and behold, I'm booked on the five o'clock according to the app. Panicked, panicked. I called the airline, grabbed my luggage, figure, you know what, I may as well start heading to the airport, who knows, but don't sit still. Fault to action, I guess. And after 45 minutes on hold and insisting to talk to a supervisor, I learned that the email I'd received was AI generated. And the person I was talking to had no idea why it would have told me I was on that flight. I was not booked on that flight. So I'm SOL. You know, my problem. Literally, that was it. So I had to insist. Yeah, so I insisted I speak to a supervisor who then said to me, yes, know, AI generates those emails. We're not sure why I told you that. And I said, well, I mean, is there room on the nine o'clock still? Yeah. Well, can you just move me to the nine o'clock? Can you do that for me? Chris Kelly (40:56) That was their answer. You Martin Hinton (41:12) And they eventually did and the flight took off and a day later I got to where I needed to be. I wonder whether or not, for the audience, is that a very simple example of dealing with a non-human identity who has permission to impact your life? Chris Kelly (41:27) I mean, that's a very first-hand, not first-world, first-hand experience that, like, one, I'm surprised that they would implement AI in that forum with something that's so critical without it being absolutely rock solid. Like, I don't know, like, my mind immediately goes, like, how could that even happen? But yeah, mean, like if that's truly what happened, if the machine made a decision and screwed up and generated an email and sent you the email and like, mean, that's that's one I'm sorry, because that sucks. It's not fun, but. Martin Hinton (42:02) Yeah, I was assuming I was what they've told me is accurate, which, you know, I have not investigated. haven't researched. I haven't pressed the airlines public relations department for clarity about a new. I just want my eighty five dollars back. Chris Kelly (42:08) Yeah. Yeah, well, as as somebody that flies way too much, I would be on the phone with them and I would be telling them that they're going to be losing me as a customer if not. But that's just me. I'm not ⁓ giving travel advice, but ⁓ yeah, no, I mean, but I think that's a fair thing. But that's it. But that's a you know why that's great, though. I'm terrible for you, but great as an example, because that's just a real world. True customer facing issue. Now, I think that even in today's times will be. that will be a very, very rigid corner case and that will be something they correct easily. Like that's an easily correctable thing. ⁓ But I think that what you underscore there is the apprehension for deployment with people. It's the what if, it's the yes, however. And that becomes to me, it's an ROI calculation. It's like, if they screw up a little bit, what's gonna happen? A little bit of brand reputation, if it gets out, what are we doing to mitigate it? but we save on X millions of dollars on humans or other systems that we use to do it. And so that's ultimately what most of this comes down to is the ROI. It's like, can we afford to do this or can we afford not to do it? And in your example, while it was an inconvenience for you, thankfully you caught it and they were able to correct it and the human corrected it. But you know. Think about that in terms of if somebody were making decisions on wire transfers or prescription, ⁓ I pick up my prescriptions at CVS. Well, if they let a machine take the request from the doctor and go and fulfill it, what authorizations happen there? My mind can go into a bunch of different ways, ⁓ but yeah, there will be bumps along the way, no doubt. Martin Hinton (44:07) So you touch on something that we discussed prior to this, within the environment of any company there are these identities, right? Humans, non-humans, does anyone ever say they know all of them? mean, you touched on that there's, for every human being, there's 50 non-human identities that are capable of doing things like telling you on the wrong flight. Chris Kelly (44:08) It's how we respond. What? Martin Hinton (44:35) or making sure your prescription gets filled properly. They don't always go wrong. It's just an example of our tiny little inconvenience. And I wonder whether or not you could sort of talk about the sort of privilege that they have within organizations and the need to sort of organize them and rein them in, just like you would with a human. You would know where people are allowed to go in the building. I've worked in large office buildings, and sometimes my past would open doors, and sometimes it wouldn't open doors. That is a very simplified way to think about it, the way you might allow something like an AI or anything that's non-human to have access and privilege and movement through your environment, your technology. And I wonder whether you could talk about how these explode everywhere. And I'm just curious what your sort of thoughts are about the perception of that. I know we've touched on this, but tell me a bit about Chris Kelly (45:22) Yeah, well, listen, Martin, let me be really clear. I have never ever, ever heard anyone say they know where all their identities are in their environment. No one, not one, not one of our customers, not one of our prospects. was like, and the reality is it's simple. The problem it's growing faster, faster than they can even stay on top of. And so that underscores why this is such a problem and why they're so freaked out by it, right? And so it's growing faster than they can keep up with it. So through their current detection and controls, and then as I alluded to earlier, there's shadow IT and people being exploratory on their own and whatever tools that they happen to use on their phone. And I mean, there's a million different ways. ⁓ We are laser focused on controlling that sprawl, like on-prem and in the cloud. The non-human identities are the fastest growing attack surface, things like service accounts, AI agents, cloud workloads. I mean, that is what we're diving into. And so we've got technology that helps detect and explore and assess your environment, both cloud and on-prem, to be able to audit, if you will, or analyze and say, this is what we see out there. And it's a point in time, but it's continuous. So it's continuous identity discovery that we're out there doing. so that then you can analyze it or we can analyze it in this case, and then we can remediate or take action against it. So that is the problem. I mean, at its core level, when you talk about identity and sprawl that is just exploding. Martin Hinton (47:04) You touch on sort of what we're going to move the conversation into in this, idea that, you know, whether it's an employee or a vendor or a non-human identity, there are different types of these. And within the sort of the world we're in now where, you know, deep fakes and, you know, quite malicious weaponization of this technology to, you know, employ people who say they're someone and they're not, or quite literally just pretend to be someone so that the wire gets sent to the wrong bank, that there is... A real, you know, the phrase we use when we spoke and we put in the sort of planning document of this was the coming trust collapse. And obviously in business, one of the great things that occurs is you meet people you like, you trust, and you have a common idea. And that is sort of the core of a relationship is that you trust that people have the same goal as you or you trust them with your money or whatever it is. When that goes away, is any one particular of these sort of identities going to be the issue or worse than the other or is it? Like you said, there's a need to know what everyone's up to and where everyone's going and should they be there? And do they still need to be able to go into that space, whether they're non-human or human? Chris Kelly (48:14) You have to, you have to. Like that last piece that you said is exactly it. We can't, the minute that you don't have, you have a piece that is unprotected or unknown or unvalidated, you have risk. And so that's going to be the game of cat and mouse here, which is yes, everyone is trusted. As president of the company, I am trusted with a lot of access and information and whatever else that most of the company is not. However, I also, even as such, if somebody were to spoof me and to get access to my credentials, however that may happen, well, why would he be over there looking in financial records or why would he be monkeying in the code? Like it's also being able to, because they know the identity, they know who I am. They know what I typically do and what I have access to and what I don't have access to. So even if I have access to something, why is he spending 35 minutes over there looking at this or why is he downloading this? It's the contextual awareness of that and recognizing that and then being able to shut that down is what's key. And so it's only as strong as your weakest link. So again, it has to be everyone. It has to be all the human and non-human. And again, not to overstate it, but that is the underlying problem. How do we stay ahead of that? And as I started off earlier in the call, I think right now is a critical time. Customers need to be using this time to build policy around it, to start discovery, get like, bring us in to go work together to figure out what your strategy to go after it if you don't have one. Or it doesn't be us. mean, any partner, whether it's a GSI or a... a cybersecurity services company. there's a million places to go. You may have a fantastic team that does it, but having that approach and starting now, because the problem will only get worse. And so the sooner we use it, start now and get prepared for it and get smarter about it and build a succession plan of this is how we're going to attack it and prioritize it, the better our chances are for staying ahead of the bad guys. Martin Hinton (50:34) So the big thing we hear now when you touch on the bad guys, if you will, their first tier weapon is presented as what's called deep fake videos. And that means something to you and me. Anyone who's watched this podcast or listened to this podcast this long probably knows what that means already. But that's the idea that you could make me look like a 25-year-old blonde woman and sound just like that. And no one watching me on this podcast or on a Zoom call or telephone, video call, or whatever it might be, would be able to tell the difference with their own human skills. How much of a, I mean, does that scare you? I mean, does that worry you? We've heard stories about wire transfers and, you know, fake workers from Pyongyang and North Korea getting jobs and earning money for the regime and that sort of thing. How much of a real problem do you see that now? is it, we on the upslope or is it plateauing? What do you think? Chris Kelly (51:28) Yeah. I'm torn in answering you, but I'm going to do it because, and when I say I'm torn, I don't want to trivialize it or minimize it because it is real and it's a problem and it has the potential to be a big problem. I personally think it gets the headlines because it's the sexy, scary, cyborg thing that will get my mom freaked out when she's watching the news, right? my God, they can speak with me. And it's happening, make no mistake, it's real. But I think the quieter problem is the AI agents that have legitimate credentials acting at machine speed. So if you compromise one, and it can execute thousands of actions before anyone notices, the impact of that is far greater. Now, that's not to diminish the deep fakes in what we're doing in any way. again, it's real. ⁓ But I think the volume of potential downside or risk or things that can go wrong, ⁓ it's not as pervasive as what I was alluding to. ⁓ But at the end of the day, The countermeasure is to have that continuous verification, not just log on. At every step, at every action, is this consistent with this role? Is the behavior normal? ⁓ If no, step up the challenge or block in milliseconds. ⁓ These are the types of things that we will do to combat it. And like I said, it's a problem, it's real. Where it goes, I don't know, like how far they take it. ⁓ but it's a reality that we live in nowadays. Martin Hinton (53:12) You touch on, know, I think I mentioned to you one of the points we've spoken prior to this, that I've been in the news business for over 30 years. one of the dilemmas with reporting this information, both in my prior career and in this role, is that it's kind of hard to explain. It's very hard to visualize. And we know that the eyes are our dominant sense. Television is increasingly in our phones to use television ubiquitously. It are are how we see and receive things and the deep fake that's easy to represent a hack involving a hack involving some code change in an agent to gay I or whatever it might be that is hard to visualize and it's hard to put on the cover of the paper, know, I think that this is something really important that gets us into the next topic is that the perception of the problem is very very real and the one recently that I paid attention to is the Land Rover Jaguar or hack and they had to shut down, it's the car manufacturer in the UK, they had to shut down production and all their suppliers, excuse me, a lot of their suppliers only supplied to them. So the entire literal supply chain was frozen and the UK GDP took a hit. The government stepped in with I think one or one and a half billion dollars as a sort of government backstop to stop companies from going out of business. That is a massive story. It's incredibly important to the economy and thousands and thousands of employees and their families. It didn't get a ton of news. to talk to the people I know in the UK, everyone's aware of it, but it didn't have the news like, someone had dropped a bomb or blown up a factory that Land Rover owned. If they had the same impact with a physical attack, it would have been news for weeks. And I think that that sort of gets us into the sort of perception that a lot of smaller companies won't have this problem because they don't hear about this problem happening to smaller companies. ⁓ Chris Kelly (54:56) Yeah. Martin Hinton (55:06) shift to the small and medium sized business reality and the sort of cyber insurance economics and the economics of all the, you know, the things you can buy and the services for 30, 24, 7, 365 part of me monitoring, you know, what's the, what's the transitioning this conversation into the mindset of a small and medium sized business owner? Where are they seeing this from your perspective? And what do they need to know that maybe some of them and some watching now don't? Chris Kelly (55:35) Yeah, good. That's actually it's a good, good question. And I think it's, it's an interestingly, it's a massive part of the market that we don't cause you're the large enterprises, you know, they invest heavily, you know, they're likely public companies. They've got to answer to boards and investors and all of that. When you go down, kind of down market into the SMB, into the mid market, ⁓ you have real companies, big companies, ⁓ in the sense that just because they are small from an employee-based perspective, they're relevant and they do things and they touch businesses and they provide services for other people. And so they can also be the attack target to be able to gain access into vendors supply relationships. The problem, as you rightly point out is when they're smaller, they will have smaller IT teams. They will have smaller budget, but they are still a big target. And so what I think the market and... this isn't like some epiphany, it's really going to continue to propagate in a very heavily ⁓ focused way. And I think it's relevant to your cyber insurance ⁓ clients as well, is managed service providers. So managed service providers provide pooled expertise. They can do things like have a single sock that supports a thousand customers and they can invest in the latest technologies and SIEMs and things like that. ⁓ they can go and provide these services for a fee to a smaller company. And the reason that's important is one, smaller company doesn't have to stand all of this up. They can get that overnight. They can get that protection and those capabilities overnight. ⁓ They don't have to fight for talent. mean, cybersecurity talent is some of the most coveted and expensive talent and people hop jobs because they get a bigger check to go across the street. And a small SMB company is not going to be able to write a check the size of Goldman Sachs to get the top talent. So in many ways, the SMB market and mid-market and even some upmarket for specific use cases, the MSP is a fantastic solution for them. And it's almost mandatory, like in some ways. Martin Hinton (57:47) Yeah, I you touch on it. I mean, the example I've been given and I've repeated is that, you know, I mean, if you need legal advice, you don't hire a lawyer, you hire a law firm. If you need your taxes done, you don't hire an accountant, you hire an accounting firm. You fall that work out. And I think that to think about an MSP is a bit like hiring, I don't know, you don't hire security guards, you hire a security company to have a guard at your front door of your building, right? You hire a service to provide something and it falls into a bit of an abstract space because it's... Chris Kelly (58:00) Perfect example. Martin Hinton (58:16) ones and zeros for people. There is the layered cost. I mean, I think the big takeaway that I wonder we might have comment on is from an underwriting point of view is for small companies, if you have a fire, the next time you go to get insurance, your premium could be impacted negatively. You could be paying more because you've had a problem, right? Not unlike having a house on the ocean creates issues with what kind of hurricanes patterns you might have. And if you don't get ahead of the cybersecurity problem, you create a situation where you have you know, a real punitive financial situation with regard to delayed controls and that sort of thing. that something that, you know, as much as the last thing I want to tell her? Go ahead. Chris Kelly (58:52) Let me give you an example. So you're teeing me up perfectly here. I mean, the underwriters reality is they use a lot of self attestations, know, audits, but it's done after the breach, you know, is when we find out whether people are telling the truth or not, whether they've made the changes. ⁓ And that's when premiums jump. And guess what? They don't reset in a way that the customers would like them to be. We have a customer. who I should say a prospect, it's not a customer yet, but it's a prospect, that told me a story that they had cyber insurance. And this is a large manufacturing company, not public, private company, but large, where they had a cybersecurity policy. And I'm trying to remember the exact numbers. was either 150 or $300,000 a year was their policy. They were breached. They were found to not have implemented some of the changes through their attestation that they were supposed to make. And their premiums went up to a million dollars. Okay, that sucks. know, call it triple or whatever. If it saves 300,000, it's more than triple ⁓ there. And now we're paying a million dollars a year. Unfortunately for them, they were breached again, because they didn't close the holes that they said they were going to. And their premium went up to, I think it was two or two and a half million dollars. from call it 300 to two and a half million, right? They finally did close the gaps. The company went in, meaning the insurance company went in, verified and audited that they had made the changes. So they readjusted the premium down to, I think it was a million and a half. So it's never gonna go back to 300K. It's never gonna go back that. They've lost the brand reputation. And so, these teams need to do this. It is a reality of... protecting you and you just because you're small means in no way that you're not potential victim. So anyway, I It's a very real problem Martin Hinton (1:00:53) Are there any particular controls that underwriters are coming back for and want to see that actually reduce loss? Is there anything in that space that's on your radar? Chris Kelly (1:01:04) I'm sorry, didn't, can you repeat the question? Martin Hinton (1:01:06) Sure, yeah, absolutely. I'm just talking about the controls like underwriters, know, are there any particular controls or things that they're looking for to reduce costs? You you mentioned the questionnaire, are there things that, you know, someone watching this might think, I wonder if I've got that or hey, I got that, I should make sure my broker knows ⁓ the matter. Chris Kelly (1:01:25) I mean, for the underwriters themselves, mean, they've got pretty robust requirements. I think it's three controls cover kind of 80 % of what they measure, vaulting credentials, enforce MFA on privilege access, and session recording, record sessions. So that takes care of the majority of what they need. And so if a customer that's applying for cyber insurance have those controls in place. They're way ahead of the game from the get-go. I that's kind of like, would say, MVP of minimum viable product of what they need to have. So it's like you spend money to save money. I know that sounds a little counterintuitive, but you have to do it. And these are known issues and known requirements. No one should be caught off guard by this. think to your point about SMBs, the smaller the company, the harder that becomes. And because they don't have big security programs often, they don't have ⁓ teams of people that are thinking about it. But cybersecurity is going down market because of these hacks, because our people are getting extorted. in times, in the early days, it's just like all, I gave the example of cyber in the early days. You know, it was regulated industry started and then it was financial. So, you know, it's like it starts at the top end of the enterprise that there's real dollars and regulatory compliance is why you have to have it. But now the risk has gone down market as well. And so people are looking at it. I mean, ⁓ you know, it's no longer a large public company. I guess is my point. Martin Hinton (1:03:10) Yeah, I mean, you make a great point. mean, the interconnectedness of everything and the reality that there's money to be made because of the scale you can achieve, because there's no barriers geographically and just the way you can do business all over the world. And if I have an Etsy shop, can sell a t-shirt here in America, or I can sell it to someone in, I don't know, Ireland or the South of France or something like that. There's a two-way reality to that. Chris Kelly (1:03:32) Right. Martin Hinton (1:03:36) You touched on the small business thing, the three primary controls that do the most so far to make you quite secure, bring your security grade up to a B minus at least, an MFA and session recording. For the small business owners, are those the big three things that you touched on? Is there anything else in that space that helps them achieve some level of security or make them a little more secure than the person next door? Chris Kelly (1:03:47) Yeah. I mean, I think at the end of the day, we were talking about that was more in the context of the underwriters and how do you kind of prepare yourself for that? I mean, the needs are no different than large companies. They need to have all of it, which is why the MSP is the answer for the small companies. It just is. mean, because all aspects of security are covered by the MSPs. Now, they will come in and they will assess what are your primary requirements and what's the most pressing. void that we need to fill for you. I wouldn't even try to kind of give you a pointed, go look at this technology next to that. Those are just three core elements when you're trying to go get cyber insurance that if you don't have them, you're gonna pay a lot more money and they're gonna tell you to fix it anyway. There's a million SMB, I'm sorry, MSPs. out there that fit. Some of them are very vertically specific too. Like, you know, there are healthcare MSPs that understand all the regulatory, all the tools and all the software packages that most healthcare providers work with. You know, there's a lot of verticalization within that. But I don't want to go down a path and say, the next step should be go get X from a technology perspective. Because every customer is different and every market is different. You know, I'm very, very biased in what I say that I truly believe that's why I'm here is identity is the battlefield and you have to shore that up. And in shoring that up, there's multiple ways to, multiple things that you have to factor in it. But ⁓ you get a good MSP, they can help you with the plan, with the strategy, with the auditing, with the reporting. ⁓ And I think that's just the answer. Martin Hinton (1:05:51) So we've Chris we've been talking a little bit over an hour. So I'm gonna move to sort of the close here I'm gonna shoot some questions at you and the idea is you answer quick But as I said to you before we began you can you can answer slow, too It doesn't matter. So I wonder whether if there's one security habit you wish every executive Chris Kelly (1:06:08) Ask questions. Who has access to this? Who is going to do this? What is it like? Be provocative and be inquisitive. If executives ask questions, specifically, who has access to X? That will be enlightening. If people can or can't answer it, when they get the answer of who can and can't access it, that will get stuff done in ways that I think, in Move Mountains and and focus people's energies, efforts and dollars to get it done. That to me is the thing. So who has access to this is a simple question. Martin Hinton (1:06:45) Is there an overrated security control? Chris Kelly (1:06:47) Hmm I don't know about control as much as I think practice. Annual access reviews. People go in and look at this once a year. The damage is done. It's gotta be an evergreen focus. you know, doing something once a year, especially when you talk about access and who has visibility to what, you gotta continuously do that. And I just think so many people, because in times past it was mandated that we do an annual, ⁓ we don't live in that world anymore. Martin Hinton (1:07:25) No, mean, listen, I if you had a company with human employees, you wouldn't cancel ID badges only once a year. When it was let go six months ago, still have access, would, okay, this person no longer needs to be here. Turn off their access. ⁓ It seems pretty simple when I say it. Is there one thing AI will improve in the next 12 months that you want to put a bet on? Chris Kelly (1:07:32) Right? I agree, totally agree. The easy obvious one is the example I gave earlier, that audit coverage. When you think about historically 1 % kind of audit coverage to now 100%, that's a pretty big improvement to me and a pretty powerful one for the customer base. Martin Hinton (1:08:07) And what about worse? Is there anything AI is going to worsen in the next 12 months? Chris Kelly (1:08:10) You got to be careful. I don't want to be seen as doom and gloom because I ⁓ actually don't feel the world is... I'm not chicken little. I don't think the sky's falling, but it's the speed. Speed of compromise, attacks, being able to work at machine speeds, authorization has to be automated. We've got to keep up with the speed of that. Otherwise, we'll be looking at the... tailpipes of whatever's been compromised off in the distance. Martin Hinton (1:08:44) Let's put ourselves in a bank heist movie. The safe that takes two hours to drill through is worse than the one that takes five minutes. And that's the idea that you can gain entry and access and be inside before you notice these are, go watch your favorite heist movie. It's all right there in an exciting with music. Exactly, exactly. Very well put. All right, so last lightning round question. One of the things I've grown up remembering and trying to instill in my life is that we generally only regret putting off difficult conversations, not having had them. And when we have them, we wish we'd done them sooner. If I'm a CISO, what's one conversation I should stop delaying? Chris Kelly (1:09:28) That's so easy. Non-human identities. If it's 50 or 100 or a million, whatever the number is, more machine identities in people, and that ratio will only increase. Most of them have standing privileges that nobody's reviewed. You cannot wait for that. Start today. Martin Hinton (1:09:49) Yeah, I mean, I, know, if you will, if I could speak to the C-suite and the boards listening, you're all saying I'm going to embrace AI. We've got to talk about AI because it makes us sound like we've got our finger on the pulse of where modern business is. Every time you introduce a new one of these, you're letting someone in. And to be honest, I suspect many of you don't understand exactly what that means. And I think that you should, to your point about asking the difficult question, like what's going on here. ⁓ That's the last of it. So we're about done, Chris, but as promised, is there anything we didn't get to that you wanted to discuss or anything we did discuss that you want to put a final thought to? Chris Kelly (1:10:25) I mean, first of all, thank you again. mean, I think you've done a very comprehensive job and covered a lot. mean, I've said it. I think the only kind of parting thought I would leave is kind of what I just alluded to is, ⁓ you know, this identity problem is no longer about humans. ⁓ You know, that's what it's been for a long time. And in many ways, while we thought that was a challenge, it clearly is not relative to what we see today. ⁓ You know, every entity that touches your systems needs to be analyzed, reviewed, human, non-human. so ⁓ if you can't see them, you can't govern them, you can't provoke them, and thus you don't have identity security. So to me, it's that non-human element again that you got to jump all over yesterday. Martin Hinton (1:11:21) Yeah, particularly as we embrace the upside, right? Again, to your Chicken Little point, know, there's a lot of great value here, but, you know, ⁓ when we introduce cars into our culture and economy, we've got car crashes, and then we introduce brakes and seat belts and airbags and all these things to make them safer and safer and safer. And I think that that idea that there's stuff to be done, you know, at least you and I are AmeriCANS, not AmeriCANT'S. So we'll do our best. ⁓ Anything else? Chris Kelly (1:11:48) love it. No, Martin, I just really genuinely appreciate you inviting me, making the time, and caring. Martin Hinton (1:11:55) My pleasure. Really, really enjoyed the conversation. Thank you very much. Chris Kelly, President of Delinea. Again, thank you so much for taking the time to chat with us today. Chris, you too have a great evening. Chris's contact information and Delinea, there's links in the show notes, so you'll be able to find him there. If you've got a question or want to follow up, please drop it in there and we'll get an answer to you to the best of our ability. And if not, we'll go back to Chris. Chris Kelly (1:12:04) Thanks, Martin. Have a great evening. Martin Hinton (1:12:24) I'm Martin Hinton. is the Cyber Insurance News and Information Podcast. Thank you so much for watching. If you could share, like, subscribe, all those things that I should probably tell you to do at the beginning of this. I really appreciate that. Thank you so much for taking the time to listen in today. And with the rest of your day, I hope you enjoy it. Take care.