Transcript
Marc van Zadelhoff joins us now here in San Francisco. He is the CEO of Mimecast. Really nice to see you. Thanks for taking a few minutes.

Great to be here.

You've spent over two decades of your career in the cyber space. What feels different about this particular moment that we're in?

I mean, we're rising up the stack, right? So I think in those 20, 25 years in cybersecurity, we've secured the network, the endpoint, the data, the application, the identities. And at the top of that, what we've been talking about for quite a while is humans and their behavior. And obviously, now we add to that agents and what's happening there. That's kind of the top of the stack and the kind of unsecured layer of cybersecurity that Mimecast has been focusing on. So it's a good time to be at RSA.

Yeah, it certainly sounds like it. How are you seeing artificial intelligence change the cybersecurity landscape for enterprises today?

I mean, listen, I think it's a better attacker, right? So a mediocre attacker becomes an expert attacker. I think it is affording cybersecurity teams lots of productivity. Even in my job, I feel like I now can do the job of, you know, one and a half or two and a half people just using AI. And I think you're seeing that in the SOC and in all of the skill shortages we had in cyber. Suddenly, you can use AI to start to alleviate that. And then it's creating new risk, right? These agents, whether it's the LLMs or the autonomous agents or MCP servers that you're kind of going through, create new risk out there.

Are there shifts that the industry still needs to make in order to better secure data as well as human behavior?

Yeah, I think it all comes down to humans and agents on data. That's kind of the triangle that I'm seeing in the marketplace right now.
On the human side, we've been very focused on, from our heritage in email security and data security, understanding whether the behavior is accidental and we need to train them, whether it's malicious and you need to block them. And then agents kind of fall into the same category, right? They have IDs, they have behavior, they are usually tethered to humans as much as we love talking about autonomous agents. Most of them, I say, are like dogs on a leash and the leash is still the human and they're prompting and telling them what to do. So it kind of comes back to tracking the agents, as you would a human, and tracking the humans that are directing those agents. And that's been an exciting chapter.

As companies adopt AI and automation more and more, how is the attack surface itself expanding?

Yeah, I think it's expanding immensely. If you think about every amateur in an organization, myself included, is making applications. I'm making HTML-based applications to execute things for me. So you think, I mean, this is outside of my directory at Mimecast, but the sprawl of applications that are probably highly vulnerable is an area. I think the biggest risk, however, in the agentic age is a data risk. These things are consuming data and if you have employees moving data into unsanctioned AI or unsanctioned data into sanctioned AI, it's a huge risk for the company. I think that's the biggest attack surface that we're trying to defend against right now.

Can you talk to us a bit about the evolution from the earlier days from Mimecast, from email security now with much more of a focus on being a human risk platform?

Yeah, sure. Absolutely. I mean, it's kind of a natural evolution. If you think about email security, I think 80% of all breaches are caused by, are initiated by an email attack. And what causes that attack to succeed? Well, as we were studying that with our 40,000 customers around the world, you realize it's really human behavior at the end of that.
You have humans a millimeter away from keyboard and mouse that are about to open that attachment or that file. And obviously, we're stripping that and blocking it as best we can. But at the end, you realize you can't just do email security. You have to start educating the users. That got us into awareness training. And as you get into awareness training, you start to realize we can score users to figure out who is at most risk. And then you say, I want to see what they're doing beyond email into data. And that's how we acquired Incydr, Code42 Incydr, and you can now see their entire day and what they're doing. So it's kind of an evolution from the behavior email being the biggest instantiation of human risk and then expanding that human risk purview to everything they do and adding agents to that because agents are the ultimate insiders.

As we take a look ahead, even to the pretty near-term future, how should companies better manage their cyber risk in a world, as you said, where you're combining humans, AI, and data in that triangle?

Yeah, I think our approach is similar for humans and agents, which is one is visibility, right? So can you measure which of your people are the riskiest? Are you most likely to click on that link, ignore your awareness training, steal source code, and be the insider risk? So we have an ability to score users and which ones are red, yellow, green. We have an ability to nudge, train, and educate users. So we call that kind of the empowerment layer, you know, short of a brain transplant. We can do a lot to educate users on not being bad, unless they're malicious, and then we have to, you know, do the next layer, which is kind of control them in email, in all their SaaS applications, in the browser, on the endpoint, control their behavior, block them from egressing data to unsanctioned AI, block them from clicking on things by stripping out the links before they even get there, block them from stealing employee data and PII.
So there's a lot of controls you can do after you measure, after you try and change a behavior, you need to have, you know, a fallback, and that's the control layer.

Marc, I know it's a really busy few days for you and your team here at RSAC. Really grateful for a few minutes of your time. Thanks for joining us.

Nice to be here.