RSA: The OG of IAM Still Has Moves

Truth in IT
05/09/2025

Transcript


Hi, Mike Matchett, Small World Big Data. We are here at the RSAC, which is the RSA Conference, this year, 2025. We're at the RSA booth. You guys divested from the show, right?

We did. Yes, that's absolutely correct.

It got really big and now it's its own thing. It's spun off.

Uh. Yeah, it is. When we separated from Dell, we were like an umbrella company. We had multiple businesses. Conference was one of them. We still have a small percentage of interest in the conference, but it now is its own independent company running separately.

Okay, so, Jim, you are the chief product and innovation officer or something like that.

Yep. Chief Product and Technology Officer for RSA, not RSAC. And so my role at the company is I'm responsible for our strategy, vision, what we build. So the analogy I love to use is I work in the kitchen. Whatever we create is my responsibility.

You've just said we could talk for the next five hours and probably not even scratch the surface, right? Going from going from encryption all the way up to today. Uh, but let's let's just try to encapsulate then what's really hot, what's going on, what is RSA talking to people about at this show?

Yeah. So, uh, absolutely. Over the last couple of years, RSA has really focused our attention on being what I would describe as an identity security vendor. So we are all things identity. We obviously have our roots and our history, as you said, in encryption and authentication and those kinds of things. But we see that it's a much bigger problem. And so we do now do all things identity. So from the initial how do I onboard my users, provisioning. How do I give them access. Single sign-on. How do I authenticate them, all the way through the entire lifecycle of identity operations. So that's our core focus.

All right. And I'm going to do this to you because I think you probably have a good answer. And that's mentioned I, I've talked to a number of people here that say, well, we're talking about non-human identity or we're talking about human identity and so on. But, you know, the truth is, there's lots of things out there that need to be identified in a zero trust environment. So how are you guys approaching that? How do you sort of categorize that?

Yeah, and that's a great question. And you see it, unfortunately, as an industry we love those great marketable terms. Right. So I think every vendor in the show is some kind of an AI-enabled platform. And I think the big question is, so what does that actually mean? Right. And identity touches a lot of different spaces. As you mentioned, non-human. There's also human. There's now things like agentic AI agents. You know, it's a very broad spectrum. So our take on AI is we see it becoming a significant attack vector. We see now AI-enabled attacks, right. Social engineering, you know, researching. I can go to ChatGPT and say, hey, tell me everything there is to know about Mike. Oh, he plays golf. He does this, whatever, right? I can leverage AI as a tool in my arsenal. So the bad guys have somewhat of an advantage because they don't follow the rules, right? That's the whole point of the thing. So it's very important for particularly people like us to incorporate some of that technology as a countermeasure. So we use a lot of AI-enabled technology in things like risk and threat and understanding context, you know, behavioral patterns, things like that. We leverage AI in our platform as a recommendation engine, not because Microsoft kind of stole the phrase, but copilot. We believe very much in the copilot model. AI should be an assistant in your security platform to help you and make recommendations, maybe automate, you know, routine or mundane tasks. But fundamentally, it should be seeing the things that you don't see. Identity has become a data problem. There's so much data, so much scale and identity. When you add in non-human identities, thousands and thousands, millions, billions of accounts, how do I manage that fluid situation and all of those accounts? Well, I leverage AI to look at that data and to make security recommendations for me, to make policy recommendations. So we're very big on incorporating AI as an enablement technology, as a recommendation engine.

Yeah, I think you have to. You've got that whole Red Queen hypothesis. You have to be using the technology because the bad guys are. And this I noticed coming into your booth today, that there's this key word, passwordless.

Yes.

Maybe you could explain. Like what? What that means to the average IT person. What does passwordless mean?

Yeah, absolutely. So that's a big theme that you'll see, right. We see a few big themes in the cyber space right now. AI is one. Passwordless is another. Platformization. Right. The consolidation of functions into single products is another one. And then you get things like IPM, which is identity security posture management. Specifically on passwordless. We're finally, yay, a 30 year career, at the point of maybe seeing the death of the password. Passwords are bad. They're difficult. They're hard to remember.

Well, mine are easy. It's just one, two, three, four, five.

Which is great and makes you one of my favorite adversaries to deal with. So passwordless is how do I take strong technology? Like for example, FIDO, FIDO credential, a passkey, which is a certificate based credential. And how do I improve the user experience? Because it's got to be easy for you, right? To leverage that and not have to remember a 12 character alphanumeric uppercase lowercase, write it on a post-it note password, right? I don't have to reset the password. I don't have to manage the password. So passwordless is the industry as a whole moving to a point where we're saying we're going to leverage other ways of identifying and knowing that Mike is Mike, we're going to make that easy for him because we're not going to ask him to remember something. We're going to give him a credential that is unique, cannot be copied, cannot be phished. We're going to leverage that flow to improve security and improve user experience at the same time.

Can you give us any hints as to where that goes? Is it more biometric? Is it something you know, something you have? How does that work out?

Yeah, no, that's a great question. So one of the challenges is not all passwordless. It's a there's a danger of it being a marketing term. Not all passwordless is created equal. One of the things that we believe in is you should have a range of options. You should have a range of technologies that you can then apply to the right situation. What is my security posture? What's the appropriate way to identify, to authenticate Mike, to know that he is, based on context. So it could be something as simple as passkeys and FIDO. It could be QR codes, it could be biometric, might be something like identity verification, where I'm going to make you turn the camera on, I'm going to, you know, hold up your driver's license and I'm going to compare. Make sure you're alive. You're an actual person, you know, and validate that. So passwordless really is a range of options. Anything where the user doesn't have to remember some long complex thing, they don't have to remember or memorize a secret. Let's use other methods. It could be something like I have your user behavior. I see you doing something routinely. Therefore I don't need a password because I have enough security context to let you in based on what you're doing. So it's important that people understand passwordless is a journey and it's a range. It's take the right technology and apply it to the right use case.

All right. So that's it. I have a question that I've been asking a lot of the people we've talked to, and we've talked to a lot of the vendors on the show floor here. It's a little, uh, recursive to ask RSA this question, but but, um, this is RSAC. There's 25,000 people here. Uh, if there was some message that you, as RSA, wanted everybody here at RSA Conference to walk away with today or take away for this conference, what would you want them to know?

Yeah. So, uh, I give a lot of advice to a lot of companies. And one of my roles within RSA is I also manage IT. So all technology. So I'm a customer and a vendor. And so I know having a good security posture is a journey. It's about how do I solve those low hanging problems? What's my strategy? What's my journey? Sometimes, you know, vendors will say, oh my God, you got to do these 50 things. And there's so much. And their head explodes, right? It's like it's too much. Figure out where you are. Figure out what good looks like. Use a framework like NIST or something like that. Right. And plot a journey focusing on what are the most important security problems to solve. Something like MFA has been around forever, right? The amount of companies that don't use MFA is astounding. We see it in attacks. We see it all the time. Something like securing help desks, right, is another great example. We unfortunately have started to train our users to say, hey, you've lost your phone, you need a new credential, password recovery, call a help desk. Well, what are we doing? We're training them to be susceptible to phishing attacks. So having something that solves those types of use cases is the most important thing. Security is a journey. So long as I am more secure today than I was yesterday. As long as I'm making progress, as long as I have a strategy, I have a plan, then I'm moving in the right direction. Because the sad truth is, as you know, Mike, you've already mentioned some new technologies that have come out. There'll be a new problem to solve tomorrow. It's security is the gift that keeps on giving. We'll never be done, right. As soon as we figure out how to secure a threat, the adversaries will come up with a new one. They'll change the attack vector. We see that all the time. One of the favorites now is, great, we have strong authentication. Okay, I'm going to use a bypass attack. If I can't go through it, I'll go round it. So now I need to secure the help desk. Things like that.

Yeah. I'm really finding the security world even more fascinating after this show, because what I'm learning is that humans aren't always the problem. But mostly and they're always changing behavior and challenging. And really, this becomes not a technology solution alone. Whatever we're doing for security is this combined world of modifying human behavior, as well as modifying of the technology and the solutions that go with it. So what do you find most fascinating about security?

So so I just want to take a little bit of issue with what you said there and disagree with you slightly, uh, a fairly unpopular opinion, but people are the problem, right? If we could just get rid of all of the people, we wouldn't have a security issue. Now, that may not be so great for business, you know, may not be a great outcome, but you're exactly right, right? It's cultural. It's ingrained. It's what we learn. It's our core set of values. So you have to cater for that. So I fundamentally do believe people are the problem. I wish as a security practitioner I could just get rid of them all. Apparently I'm not allowed to. So I have to deal with them, and I have to find ways to bring them on that journey with me. Education is a huge aspect of that. Awareness, another huge aspect of that. We were very guilty as a security industry for a long period of time. I can, I guarantee I can make a door completely secure. I just put a thousand locks on it and give you a thousand keys. You'll go through that door once, and then you'll leave 999 of those locks unlocked. Why? Because that's human nature. So I have to solve for that. I have to make it compelling. I have to make it easy. I have to solve it in a way that my users can embrace.

Yeah. That great. That kind of space. So you're obviously doing a lot of things here. I mean, we talked about some of the passwordless variations you're working on. There's tons more I'm sure you've got cooking and that you've done in the past. If someone wants to look a little bit deeper into RSA, you know, you've got things on the web. But for people who are here at the conference this year, what would you recommend they start looking at if they want to dig a little deeper?

Yeah, I would say, you know, I mean, if you're here and you have the opportunity, come by. We have a lot of great demos on the on the stand itself. We're showing off a lot of new technology, a lot of announcements. I would say definitely passwordless. We're in the year of passwordless. I would say it's becoming real at the enterprise level. So that's a good thing to make yourself aware of. I would say the other two big areas, we really have been talking about what we describe as the three P's of identity, the big projects that people need to focus on. Number one, passwordless. Okay. Number two, platformization. Right. It's not really a word, it's made up. But what does it mean? It means consolidating security infrastructure. Exactly. Exactly why? Because if you're a customer with 17 tools, you spend all your time and money and energy integrating those things together, right? So take a platform approach. Take a standards based approach. So platformization is the second one. And then the third one is, uh, posture management. Identity posture management. Understand where your risks are. So as a result of posture management we've seen a big uptick in in products and technologies like identity governance and understanding. You know, the easiest way for me to reduce the risk is to never provision that risk in the first place. It's to effectively manage my users, only give them what they need. That ties into least privilege. That ties into zero trust. So posture management, platformization and passwordless, the three P's.

All right. Thank you so much, Jim, for talking to us today.

Thank you. And thank you very much for bringing your audience to visit us. We really appreciate it.

And thanks to everybody out there.

At RSAC 2025, Mike Matchett speaks with RSA about unifying identity, governance, and risk under one streamlined platform. With deep roots in authentication, RSA has evolved to deliver modern IGA (Identity Governance and Administration) built to scale and adapt. Their solution emphasizes measurable outcomes—linking entitlements, risk signals, and automated workflows to create actionable identity strategies. As zero trust matures, RSA proves that old-school credibility and forward-thinking innovation can absolutely coexist.

Categories:
  • » Small World Big Data
  • » Technology Communities » Data Security » Cybersecurity
Channels:
  • Mike Matchett: Small World Big Data
Tags:
  • rsac2025
  • matchett
  • cybersecurity
  • rsa
  • identity
  • governance
  • iga
  • iam
  • zero
  • trust
  • access
  • management