
Cloud Security Today
The Cloud Security Today podcast features expert commentary and personal stories on the “how” side of cybersecurity. This is not a news program but rather a podcast that focuses on the practical side of launching a cloud security program, implementing DevSecOps, cyber leadership, and understanding the threats most impacting organizations today.
Navigating identity security
In this episode, Matt interviews Bel Lepe, CEO and co-founder of Cerby, discussing the challenges and opportunities in identity security. They explore the significance of disconnected applications, the impact of shadow IT, and the importance of automation and AI in enhancing security practices. Bel shares insights from his previous experience at Ooyala and the lessons learned in building Cerby, including the recent Series B funding and future plans for the company.
Takeaways
- Disconnected applications pose significant risks in identity management.
- Shadow IT is becoming a major part of the IT landscape, not just a side issue.
- The startup journey involves learning from past experiences and adapting strategies.
- The human element remains a critical factor in cybersecurity incidents.
Matthew Chiodi (00:00)
Well, welcome to the show.
Bel Lepe (Cerby) (00:02)
Matt, thank you so much. I'm looking forward to the conversation.
Matthew Chiodi (00:06)
It's going to be fun. So I want to just jump right into it. You've been building software for nearly two decades, from online video at scale to AI products. I'm curious, what about identity security pulled you into this space?
Bel Lepe (Cerby) (00:23)
It was a customer. Having been a founder before, you should always pay attention to the customer signal. But it was actually a customer that alerted us to this problem. And usually when a customer approaches you and says, hey, if you build a solution to this problem that we have, we'll buy it, you pay attention. And so that was the original signal. We went out and we did more research. And what we found was,
this problem of disconnected applications, applications that don't support modern identity protocols like SAML, OpenID or SCIM, was a very pervasive problem. According to Netskope, the typical business has 2,100 applications, and a corresponding study from Okta states that usually only about 10%, 100 to 200 of those applications, are closely managed. And so when we heard from the customer that this problem existed, and then when we were able to independently validate,
the problem, it was obvious, hey, this is an opportunity to be able to go ahead and jump in and build something that is compelling. Now, the very fascinating thing is in the five years since we started the company, there isn't a week that goes by that we're not getting validation of just the size of this problem or a new permutation of the problem. And so as the expression goes, identity is the new perimeter. And there's a reason for that. It is the
Matthew Chiodi (01:37)
Mm.
Bel Lepe (Cerby) (01:45)
perimeter through which every action occurs and there's massive opportunity to be able to provide value to customers there.
Matthew Chiodi (01:52)
You had mentioned that, you know, this isn't the first time you're building a company. So what did you learn at UALA that shaped your approach for founding Cerby?
Bel Lepe (Cerby) (02:02)
It's a weird name. It's Ooyala. And yeah, no, it's all good. One of our first investors for Ooyala actually said, this looks better than it sounds. And he was right. It was a very difficult name to pronounce. But the domain was available and also had the double O factor going for it. Google, Facebook, Yahoo. So, I guess, that factored in.
Matthew Chiodi (02:05)
Oh my gosh, I said it wrong, sorry.
Oh, okay.
Bel Lepe (Cerby) (02:31)
But, you know, answering your question, one of the most important things that I learned from building Ooyala with my fellow co-founders, Bismarck and Sean, is that, you know, there's a lot of focus placed on the product and the idea, but the reality is a good idea only has a shelf life of 12 to 18 months, right? If you're doing a good job, someone else will enter into the space. A lot of success hinges on the team that you assemble because...
Matthew Chiodi (02:52)
Hmm.
Bel Lepe (Cerby) (02:59)
things will change, competitors will arrive, and you need to be able to continue to innovate again, every software lifecycle, that's every 12 to 18 months. And so we assembled a fantastic team at Ooyala, and it's ultimately what allowed us to have a great exit. We actually eventually purchased the business back and then sold it for a second time. And so going into the building of Cerby, that's something that was very top of mind. I don't have a cybersecurity background and...
going into Ooyala, we didn't have necessarily a video background either. And so it was critical to find folks like yourself actually, who joined us very early on, who came from the security space and could complement the skill sets that we brought to the table. And so it all starts with the team. If you have the right team, you can build a product that customers love and you can continue to iterate over time. Again, if you've assembled the right team and continue to field the right team. So that's what's always top of mind.
Matthew Chiodi (03:54)
Yeah. So maybe give us 30 seconds. What did Ooyala, now saying it correctly, what did you guys do at Ooyala, and were there similarities between what you were doing there and what you've been building now over the past five years at Cerby?
Bel Lepe (Cerby) (04:10)
I wouldn't say there are any similarities from a product standpoint. We do have some alignment with the ICP in terms of selling to folks on the marketing side of things. As far as being a security product, that's something that is somewhat atypical about Cerby, that we have the ability to sell into the line of business owner, like marketing. But basically what Ooyala did is...
we were a video platform that operated from script to screen. So we could help folks produce content, distribute content, and monetize content. So for example, if you were a fan of, or are a fan of, sports and you're going to espn.com, for most of the 2010s, that was powered by Ooyala. And so we were a video platform, kind of think of it as like a YouTube for enterprise, that helped deliver tens of millions of,
you know, video plays per day, helped transcode content, helped monetize the content.
Matthew Chiodi (05:05)
Now you actually said Cerby there because I know that's on your brain.
Bel Lepe (Cerby) (05:08)
Sorry. We...
all, yeah, well, you know, as you would expect. But sorry, that's what we did at Ooyala. We helped produce video, deliver video and monetize video.
Matthew Chiodi (05:13)
Okay.
So I want to go back to really the first question again, because I think I want to just double click on it. So you're in the video space, you're working with a different customer, you discover this new issue, you mentioned quickly disconnected applications.
That space is one where I think there's been growing awareness in the industry over the last five or so years. Certainly, you know, back when I was at Palo Alto Networks, that wasn't something that I talked about on a regular basis. But over the last five years, I think with the movement now towards identity, bringing identity platforms up to date, automation, that is something that is now, I think, a bit more front and center, but I think still early for a lot of CISOs, maybe not for
heads of IAM, people that are in the identity space, but for the CISO. Is that problem of disconnected apps, is that an ice cube that is melting? Is it going away? Is it staying the same? What does that look like, that actual problem?
Bel Lepe (Cerby) (06:20)
So a couple of statistics to throw at you to kind of contextualize this problem. 80% of all cybersecurity incidents are identity related, right? And so there's much that's made of business email compromise and ransomware, but the reality is a lateral point in those attack chains almost always involves identity, right? And when you double click into what form of identity, it's usually a disconnected identity. So just to give you a sense of the prevalence of this.
Again, usually there's talk about business email compromise or ransomware, but inevitably what you're actually talking about is an identity getting compromised that gives access to a mission critical system or a system that is adjacent to a mission critical system. So underneath all of these taglines and three-letter acronyms, it all mostly eventually boils down to identity.
Now, to answer your question of is this a melting ice cube problem, right? Are standards eventually going to win out and fix this disconnected application issue? Well, another way to think about this problem is not so much disconnected applications. It's more the fact that disconnected applications have a, they over index or they over rely on humans to maintain their security posture.
Because when applications can't federate or can't connect to a central identity system like an Okta, an Entra ID, a Ping, a SailPoint, a CyberArk, so on and so forth, you have to depend on the end users to do mission critical tasks like make sure that former employees are off-boarded or that passwords are regularly rotated or that MFA is enrolled on a regular basis or for all accounts. And so actually the core problem we're solving
is the PEBKAC problem, right? Problem exists between chair and keyboard. And it turns out that every security chain has a permutation of the PEBKAC problem, right? Nearly 70% of all cybersecurity incidents are due to the human element. And so what we're actually building is an identity security automation platform that can help with both connected as well as disconnected applications. Because again, every security chain has a problem with the user forgetting to carry out mission critical tasks.
Matthew Chiodi (08:19)
Hmm.
Bel Lepe (Cerby) (08:34)
It just so happens that it's more pronounced with disconnected applications because it's a hundred percent of tasks, but connected applications like Salesforce, like Google Workspace also have tasks there that Cerby can jump in and help with. So that's a long-winded way of saying, no, this is not a melting ice cube problem, because so long as there's a user in the security chain, the problem will exist, and we're automating away the dependency on the human user.
Matthew Chiodi (08:59)
Is this something that immediately when I think about applications that aren't federated, whether it's on the authentication side, maybe they don't support single sign-on, you also mentioned onboarding and off-boarding, so that would fall typically on the IGA side of the house. Is this something in terms of the class of applications that is, is this just like shadow IT? Is this just SaaS we're talking about? From your experience over the last five years, how wide and deep is the problem?
Bel Lepe (Cerby) (09:31)
You know, there are two ways to segment this, or I should say there's one segmentation with two dimensions. There are your crown jewel apps. You know, for the purposes of this conversation, I will define crown jewel apps as kind of also being birthright applications. They're horizontal applications that are used horizontally across an organization, then also across verticals. This problem manifests a little bit less with birthright or crown jewel applications, because historically birthright or crown jewel apps.
Those are purchased through IT and security, and IT and security can be... I don't know if that came up. Should I, should I answer that question again? Yeah.
Matthew Chiodi (10:06)
It did. Yes. You can just rewind.
I'll fix it. I'm going to make a note. 10, 12. Go ahead whenever you're ready.
Bel Lepe (Cerby) (10:14)
So that's a great question. The way to think about, you know, is this only shadow IT, is in terms of kind of two layers of different types of applications. First, you've got your birthright applications, and this problem manifests a little bit less with birthright applications because historically birthright apps, they are purchased through IT and security. And as a consequence, IT and security is able to put the hammer down and say, hey, we're not going to purchase you if you don't support modern identity protocols. And so
Matthew Chiodi (10:40)
Hmm.
Bel Lepe (Cerby) (10:43)
It's relatively rare, but not unheard of, to have birthright applications that don't support modern identity protocols. Now, something that we do see with birthright apps is the SSO tax. And for mid-market customers, even if the application supports single sign-on standards, provisioning standards, deprovisioning standards, there's the security poverty line, right? There's some folks that just simply cannot afford to pay for the SSO tax.
Matthew Chiodi (10:55)
Hmm.
Bel Lepe (Cerby) (11:12)
and Cerby provides a mechanism there. So that's the first layer, birthright apps. But then once you move beyond the birthright apps and you start talking more about applications that are specific to line of business owners or vertical applications, applications that are only used, for example, in healthcare, financial services, real estate, for instance, you start to see hundreds, if not thousands, of applications there that don't federate, that don't connect with the modern identity stack.
And I believe the reason for that is twofold. One, once you start looking at line of business specific applications or vertical specific applications, the top two to three players have a form of a monopoly or duopoly or triopoly. Is that how you would say it if there are three players there? But let's say that that's how you refer to it. But that creates a very interesting dynamic where IT security teams can't say, hey, go support it.
Matthew Chiodi (11:56)
I don't know beyond two.
Bel Lepe (Cerby) (12:08)
It's like, well, I mean, you don't have very many options. If you don't use us, you kind of have to pounce and, you know, like, what, you know, take a long walk off a short pier, because you have to work with us. And so that's a dynamic that's at play there with vertical or line of business specific applications. So there are a lot of them. And then the second dimension that's also very interesting, or dynamic, is that when you're selling to the line of business owner, let's be honest, someone in finance, someone in sales, someone in product, someone in marketing.
They don't care if the application supports single sign-on or SCIM, which is used for provisioning and deprovisioning. And this is actually what has allowed a lot of these applications to either never adopt identity standards or to delay a substantial amount of time before they add them. I mean, let's look at something like OpenAI. I believe they got to an excess of a billion dollars before they added single sign-on support and then an excess of $3 billion before they added SCIM. And the reason for that is...
they were able to generate revenue just fine going to the individual teams and organizations in a business before IT and security got involved. And so that's a second dynamic that keeps this problem very much alive.
Matthew Chiodi (13:16)
I saw a stat from, I think it was Productiv, earlier this year that 46% of the average IT stack is shadow IT. That blew me away. 46%. I know they have, I talked to their CISO and I was like, you know, talk to me about the data behind that. It's legitimate. And so if 46%, even if it's 25% and the number's half wrong, that is really, really high. I mean, what do you see as
Bel Lepe (Cerby) (13:26)
Yeah.
Matthew Chiodi (13:43)
the impact of that? Let's assume that's true. 46% of the average IT stack is shadow IT. Where's the impact specifically with identity around that?
Bel Lepe (Cerby) (13:52)
Well, I think first and foremost, not answering your question, but something I think it's important to point out. It's like, that's no longer shadow IT. That's IT, right? When almost half of all IT is introduced by a line of business owner or someone outside of IT, I mean, it's time to call it what it is. That's IT. Like, let's just deal with it. The way that technology is entering the enterprise is fundamentally different. That is not shadow IT. It's just IT. It's line of business purchased.
Matthew Chiodi (13:59)
Right, that's right.
Bel Lepe (Cerby) (14:22)
But I understand shadow IT is such, you know, it's cool and gives it an intrigue factor. Yeah. But like that's no longer shadow IT. That's just IT. But what does it mean for identity? It means a huge attack surface, right? Because these are all applications that aren't subject to the same level of identity and governance policies as the applications that are sanctioned, that are managed by centralized IT. And so that is the risk associated with shadow IT.
Matthew Chiodi (14:26)
Everybody knows that term.
Bel Lepe (Cerby) (14:49)
that it's a purchase that optimizes for the needs of the business, but usually at the risk of weakening the identity perimeter. And that's where customers like Productiv, so we work with Productiv, and their platform as well is also very capable at identifying shadow IT. And then, you know, Cerby can play a very material role there in terms of not only detecting shadow IT, but also then helping you remediate the risks associated with shadow IT. For example,
duplicating, well, identifying duplicate subscriptions, that's more where Productiv excels. And then we can help ensure that the application is connected to the right control plane and then carry out all the actions that you may have to do manually if it's an application that doesn't support modern identity standards.
Matthew Chiodi (15:36)
So switching gears a little bit, I think a lot of times when people look at startups from the outside, everything always looks rosy and like everything is amazing. What's something that you tried early on at Cerby that didn't work? And then how did that shape what you're building today?
Bel Lepe (Cerby) (15:55)
You know, something that's interesting about, well, there are several things that are interesting about Cerby, but what creates a fascinating balancing act for us is that the type of application that we're dealing with is usually owned by the line of business owner. But more often than not, the budget for Cerby comes from IT, from security. And so.
We have these very different types of users who have very different requirements. IT security sees Cerby as an extension of their existing identity plane. Whereas our line of business owner who, you know, up until Cerby comes into play, they were used to fully and autonomously managing these applications. And they appreciated that technology autonomy. And so,
Matthew Chiodi (16:44)
Hmm.
Bel Lepe (Cerby) (16:49)
They see us more as a productivity tool. It's a way to get IT security off their back. But this creates a very fascinating dynamic where you have users with somewhat diametrically opposed needs, desires, and wants. So early on when we were building the product, we over-rotated on catering to the line of business owners and building the solutions for them,
at the risk of making the IT security stakeholder persona happy. And so something that I think we've gotten much better at, and we're getting better at all the time, is really understanding that we have two very different stakeholders and they have two very different needs and perspectives on the value that Cerby provides. And so that's something that our product and engineering teams always have top of mind. It's like, hey, how do we...
give IT security what they want. How do we appear like how an Okta or CyberArk or Entra ID or Ping appears? And then for a line of business owner, how do we look like a consumer app that they use in their personal lives? And by the way, super hard, because even from a UX perspective, what you would expect from a product that caters to these different personas is different.
Matthew Chiodi (18:01)
So you just closed Cerby's Series B. Congratulations on that. That's huge news. So most people assume that fundraising is just, it's purely about capital. My question for you is, in terms of, you know, Cerby's existing customers, a prospect, like what does that round allow you to do? What does it allow Cerby to do that maybe wasn't possible before?
Bel Lepe (Cerby) (18:04)
Thank you so much, team effort. Congratulations to you as well.
You know, even as a Series B company, you're always running experiments, and we're, you know, we're going to be announcing a 40 million, or have announced a $40 million Series B that's led by DTCP. We're very excited to be bringing them on as a partner. We actually met them about two years ago, and just kind of a quick aside, I always try as much as possible to develop a relationship with the investor that we're bringing on
well ahead of time, right? You don't want a shotgun wedding. You don't want to be entering into a seven to 10 year relationship with someone you just met two, four, six weeks before. And so I really appreciated just meeting the entire DTCP team and just how strongly aligned the values are there. To answer your question of what does this give us or what does this enable? It gives us the ability to be able to run more experimentation, more experiments simultaneously, right? Because you're always innovating. You're always iterating.
Matthew Chiodi (19:05)
Hmm.
Bel Lepe (Cerby) (19:23)
And the ability to be able to drive more specific hyper-targeted experiments simultaneously is something that allows our customers to drive more value, right? Because we can deliver more specialized versions of, or capabilities within, the product. It allows us to be able to expand and really solidify our footprints first in EMEA and then after in Asia Pacific. And so really it's the ability to continue to deliver the same high quality customer support
and product development, but at greater scale, so that our customers still perceive us and see us like that seed stage company, even though we have a hundred X the number of customers that we had then. And that's critical for us, right? Because we live and die by the value that we're delivering to our customers. And so keeping that quality bar at the same level while doing it for more customers, in more regions, et cetera, is critical.
Matthew Chiodi (20:18)
So I was doing some quick math, working with my good friend ChatGPT, just looking at how many vendors are in the IAM and IGA market. It's dozens and dozens that are in there. Of course, there's the very big players, which we mentioned before, the Entras, the Oktas, the SailPoints. In your view, though, I know we talked a little bit about disconnected apps as a challenge in the space. But in your view, what part of the problem
is left unsolved? So if somebody has, they say, hey, I'm already an Okta shop, right? Or maybe it's a big bank, and they're like, hey, I've got all this M&A, right? So I have them all. I've got SailPoint. I've got Saviynt. I have them all. What are they missing, or what is it that they can't do with those existing investments? What's that risk that's out there?
Bel Lepe (Cerby) (21:11)
You know, it's important to frame this as not being on the identity incumbent platforms, right? It's not what they can't do. It's what the application vendors don't enable them to do, right? Because the Oktas of the world, the Pings of the world, the Entras of the world, the SailPoints, I'm being very careful each time I mention them because we partner with a great many of them and they all provide very robust platforms. But that's exactly it. They provide very robust platforms. What they do, they do very well.
Matthew Chiodi (21:22)
Hmm.
Bel Lepe (Cerby) (21:40)
But then there is this domain of applications that have not developed to a standard. And as a consequence, they remain just outside the reach of these identity incumbent platforms. And so I'd argue that's not on the identity incumbents, it's on the application vendors who've decided not to observe the standard. And so that's where Cerby comes into play. That's where we bridge, quote unquote, the last mile of identity. We help bring all of those applications, workflows and identities that
don't connect or don't, they haven't built to that standard, we provide a connective tissue so that they can actually bridge that last mile and work directly with whatever incumbent identity provider or identity governance or privileged access management or enterprise password management solution they have.
Matthew Chiodi (22:27)
So let's put this, let's contextualize it a little bit. Let's say I'm a listener, I'm in a Fortune 1000 company. So I have all the tools, right? I've got one of the big incumbents. I even have some type of, maybe, an enterprise password manager. I enforce 2FA through my IDP. Where do I likely have gaps still in that scenario?
Bel Lepe (Cerby) (22:50)
Absolutely, you know, it's not uncommon for us to get on the phone and we describe the problem and we'll hear from the person on the other side, it's usually someone sitting in the identity seat, that, hey, no, like all of my applications are connected. It's perfect. You know, the identity perimeter is robust. And that's fantastic if that's the case, but you know, what I'll usually say is, well, you know, let's entertain this conversation for a little bit. How do you protect your
corporate credit cards and corporate banking accounts, right? Do you do business with Wells Fargo? Do you do business with Bank of America? And usually they say, yeah, we work with one of the top four, top five providers. I'm like, well, where are those passwords stored? Because they don't support single sign-on, right? Your precious capital that is the lifeblood of your business, that's not behind the identity perimeter of your single sign-on provider. And it's like, oh, you're right. I don't know how finance is doing that.
And so that's kind of usually the first thing. Or, you know, let's say that they're a very popular consumer app. I'll bring up their app on the Apple App Store and I'll ask them, hey, did you know that App Store Connect is not federated? Right? So one of your primary platforms with how you engage, someone is managing a username and password out there to protect this. How are you doing that? Because this isn't behind your single sign-on provider. And so the reality is every business
has these applications that are mission critical, that power a key part of their business operations or external platforms, that I guess they just, because it's not owned by IT and security, it's just outside their purview. And so when you start to have that conversation and you start to quantify the impact, you know, social media is another one that we started with.
One of our customers is a major healthcare and beauty provider. They spend hundreds of millions of dollars in paid social media advertising. And prior to working with us, they were spending zero million, zero dollars on protecting that, right? And so that is the incongruities. Those are the incongruities that exist across this domain of applications. And I'll be frank, we have yet to meet a single company
who doesn't have at least a dozen applications that are mission critical that live outside the identity perimeter.
Matthew Chiodi (25:07)
So let's get to some of the research. I know that Cerby recently did some research with over 500 IT and security pros. And so let's put some numbers on what we've been kind of talking about somewhat anecdotally. When you saw the research, was there any stat that kind of jumped out at you that made you say, like, this is exactly why we exist?
Bel Lepe (Cerby) (25:30)
There are several, but the one that is very top of mind was around the percentage of users who participated in the survey who said that certain security hygiene tasks are still manual. And specifically it was 56% of those that participated in the survey said that doing things like password rotation, 2FA enforcement, onboarding and offboarding employees is still handled manually.
Now, why is that scary, right? According to Microsoft, 99% of cybersecurity incidents could be avoided if some form of MFA were turned on. And let me give you another statistic that's potentially horrifying. We do a lot of migrations from password vaults to our system or to another system. You've probably heard this one before, so play along and feign some ignorance around this, but...
If you had to guess what percentage of accounts that are eligible for MFA actually have MFA turned on, what would you guess?
Matthew Chiodi (26:33)
Less than 50 percent? 20? My gosh, that's way lower than I thought.
Bel Lepe (Cerby) (26:35)
7%, 7%, 7%,
right? But I mean, this lines up with that percentage of 50, and sorry, actually it was 59% of the time they are still manually doing things like enrolling MFA. And so that's just such a powerful example of why Cerby is so helpful. We jump in and do that work that is left to humans. And let's be honest, the vast majority of the time it is not actually carried out by the human end user.
Matthew Chiodi (27:05)
I think there's a big assumption. I know I would have had this assumption a couple of years ago, which again, is if I've made an investment in one of the big IDPs that I can just turn on 2FA globally and it's good and I'm good to go. Looking at the statistics here, I mean, these numbers are crazy high.
I added up a couple of the numbers that were in this report, and we'll link to it in the show notes, but it's close to 90, actually 90% of users who say they have to manually turn on MFA or passkeys. And this is not actually the user. So the survey, looking at the methodology, it wasn't actually talking to the end users. This was talking to IT and security
and line of business owners that own the apps. So the vast majority of them, close to 90%, say their users still have to manually turn on 2FA or passkeys. You know, like you mentioned, Microsoft came out and CISA came out, I think it was a year or two ago, saying, hey, if you have 2FA turned on, you can, like, eliminate 99% of attacks. Like, why is this true if we know that MFA is so critical to good security?
Bel Lepe (Cerby) (28:15)
I mean, this is the PEBKAC problem, right? Problem exists between chair and keyboard. You know, one of our automations that we support is the ability to, when a user is logging in, we have an extension that lives in the browser that can detect when they're dealing with an identity that's eligible for MFA. And then if we don't see the prompt during the login process, we'll prompt them to actually enroll it. And it's like a 10 second process. It literally says, let Cerby enroll MFA for you. And it just, you know, it's an agent running in the browser that does it.
We have a 73% opt-in rate for that, right? So almost three quarters of the time the users will jump in and do that. And the reason why I highlight that statistic is I don't think users are trying to be malicious. I don't necessarily think that it's laziness on the behalf of the user. It's actually hard, right? A CRM that will not be named, but starts with an S, enrolling MFA is seven clicks deep in their process. It's just, it's difficult. Like they don't make it easy
to be able to enroll in MFA. And I think that's the problem with a lot of security products out there. They optimize for security at the risk of convenience. And I won't say that we've nailed that. I think there are places in our product that we can still get better. But this is where an automation platform like the one that Cerby provides is very effective. Because the reality is security is still hard. It's still an overhead for a vast majority of users. And they're trying to get their job done, right? They're not trying to necessarily be security practitioners.
And that's where our approach is actually very helpful because you don't want to harass users into doing the work. Just do it for them, right? Just do the work for them. And that's our approach. That's our philosophy around our identity automation platform.
Matthew Chiodi (29:55)
You know, it's difficult to talk about automation without talking about AI and agents. So one of the other pieces of information that stood out to me in the research was that, um, I think about 25% of respondents said that they would trust AI agents to perform identity tasks autonomously without them or on their behalf. So 25% said, like only 25% said, I would, I would trust an agent to do something on my behalf from an identity perspective.
Why do you think there's so much skepticism? Like, are they right? Should they be skeptical? Like, is this a, like, how do you see this?
Bel Lepe (Cerby) (30:33)
You know, the typical, depending upon the LLM that you're using and what you're using it for, the typical hallucination rate for an agent, you know, an agentic capability is something like 40%, which is crazy high. When you're dealing with security, the outcome needs to be 100% of the time, 100% deterministic. There cannot be any deviation. You cannot afford to put the password in the wrong field or send the password to the wrong user,
or mispermission a user, right? And so that's where there's a great deal of difficulty around deploying AI to do anything that is remediation oriented, right? Now it's great for being able to do analysis because it's handing off the insights to a human user who makes the call. And so that fact, it's not an opinion, that's a fact we've heard from...
hundreds if not thousands of CIOs and CISOs about this issue around hallucinations and the fact that the outcomes need to be deterministic, that has very much influenced how we use AI. It is an important step in our automation assembly line, but it is not the only step, right? There are a series of reinforcing loops, some of which are human-centric, some of which are proactive, some of which are passive, that allow us to ensure that we can scale to thousands of integrations,
but that we completely remove the risk of hallucination that comes from AIs.
Matthew Chiodi (32:04)
So where do you put on your wizard cap? Get out your crystal ball. Where do you see this all going? Fast forward five years. What role do you see AI playing in managing identity? And what's the risk if organizations don't start to close some of those last mile gaps? Maybe talk again, last mile, what is that? But five years in the future, what role do you see AI playing in managing identity?
Bel Lepe (Cerby) (32:31)
I'm going to take the optimistic tone here because I think there are a lot of doomsayers out there and it's easy to talk about all the negative things you get from AI. And by the end of my response, hopefully you agree, the first part of the response will be a little bit negative. The fascinating thing about security, and I've been now in the security space for half a decade, is the asymmetric nature of it. The defenders need to be perfect, 100% perfect. Whereas the attackers only need to get through once.
It's unbelievably unfair. Yeah, and so the reason why I mentioned that is it's an unfair playing field. And it's actually been the attackers, malicious threat actors, who have, I would say, taken most advantage of generative AI so far. But over the next three to five years, as the hallucination rates improve, one of the most exciting aspects of AI is it has the potential to even the playing field.
Matthew Chiodi (33:03)
Yeah, it's disproportionate.
Bel Lepe (Cerby) (33:29)
Right. And that is exciting. Right. One of the things that's often cited within the security space is there's just a real lack of deep security talent and experience. There aren't enough security practitioners. Go to virtually any Fortune 2000 company and you will see that they have, you know, open headcount for someone on the security team. And the reality is there's just, there's not enough of it. Right. Because, and especially in a down economy, whether or not you want to say that's where we are right now, though this week has been a little bit better than previous,
Matthew Chiodi (33:40)
Hmm.
Bel Lepe (Cerby) (33:59)
cybercrime increases. And so the potential of AI is that it has the ability to fill that gap, make the existing security practitioners more productive, and to finally even the playing field. And so I think that's exciting. And why there is as much interest in AI as there is. You look at RSA, which happened back in April. I think one of the biggest things that was highlighted was the SOC copilot, right?
Matthew Chiodi (34:28)
Hmm.
Bel Lepe (Cerby) (34:29)
It was a really big theme. And I think that's an indication of how this industry is thinking about AI. It's a mechanism to multiply those that are in the space and then fill in some of the empty seats that exist on the defender side.
Matthew Chiodi (34:42)
This has been super interesting. Is there anything else that you wanted to cover or highlight that I didn't ask you about?
Bel Lepe (Cerby) (34:49)
If you're interested in learning more about our platform, feel free to reach out. This is the shameless plug part of the overall podcast, but feel free to reach out to me personally at bel, B-E-L at cerby.com or sales, you know how to spell sales, at cerby.com. We'd love to have a conversation.
Matthew Chiodi (35:07)
Awesome. Well, Bel, thanks for coming on the show. This has been fun.
Bel Lepe (Cerby) (35:09)
Thank you for having me. Thanks, Matt.