Video: Beyond the Breach: Identity Resilience with Jane Frankland | Duration: 2708s | Summary: Beyond the Breach: Identity Resilience with Jane Frankland | Chapters: Introduction to Identity Resilience (29.710001s), Evolving Cyber Threats (482.01s), Identity Recovery Planning (1013.32s), Emerging Security Technologies (1257.1849s), Unified Identity Resilience (1535.6s), Identity Continuity Planning (1819.5449s), Shared Responsibility for Security (2219.635s), AI and Identity Security (2302.105s), Executive Identity Advice (2490.185s), Customer Onboarding Q&A (2561.2898s)
Transcript for "Beyond the Breach: Identity Resilience with Jane Frankland": Hello, everyone, and welcome to today's conversation, which is one of the most critical topics in cybersecurity, identity resilience. I'm Jane Frankland. I'm an author, an entrepreneur in cybersecurity, and a brand ambassador, and I am thrilled to be joined by someone who truly lives and breathes cybersecurity, Philip Veloy. Philip is a field CTO of Rubrik and a recognized thought leader in identity security and resilience. With years of experience helping organizations navigate the complexities of identity management, Philip has a deep understanding of how identity has become the new frontline in cybersecurity. He's worked with businesses across the globe to tackle challenges like identity continuity, zero trust implementation, and securing both human and machine identities. Philip is also passionate about helping organizations not just recover from breaches, but build resilience so that they can keep their operations running no matter what. Today, we are going to dive into some of the most pressing issues in identity security from the rise of AI and autonomous agents to the practical steps businesses can take to strengthen their identity resilience. Philip, I'm really excited about this webinar and our discussion. Yeah. Likewise, Jane. Looking forward to the conversation. So, yeah. Let's jump straight in. Yeah. I wanna start off with this blog that we wrote together because it opens with a scenario where a business was completely paralyzed because its identity provider was compromised. Why do you see identity as the new battlefield in cybersecurity? Yeah. I think your identity systems are really sort of your first and last line of defense against, you know, authorized access, data exfiltration, lateral movement in the environment. I think it's really become sort of the new security perimeter in a way. 
It's become so much easier for, you know, malicious actors to exploit identity on the basis of, you know, typically, it's weakly the stolen credentials. Traditionally, they would have had to, like, attack a server based system that's maybe, you know, that you left online to circumvent your firewall defenses and so on, which is a lot harder to do. So even, you know, attackers want to go for the path of least resistance, and if they have access to this, you know, working credential, potentially even, like, with working tokens, they can log in to your environment. And if your identity systems aren't available, then, you know, access to your applications and data aren't available either. So, it's like a high reward for not a lot of risk for these malicious actors. So that's why I think it's become really the new battlefield. Yes. Absolutely. Now can we can, in fact, you just define what identity recovery and identity resilience is in the context of cybersecurity and why it's crucial for organizations to focus on both? Because this is something that I don't think actually gets that much attention. We talk about cyber resilience, but not about identity resilience. Yeah. No. Absolutely. So I think if you sort of take a step back and think about cybersecurity in general, historically, we've put, I think, more emphasis on trying to keep the bad guys out, instead of coming up with strategies for bouncing back. And, today, it's even bouncing back better, hopefully, after a successful breach. If I'm not mistaken, it's a Gartner figure that says, like, we spend about $215,000,000,000 a year on cybersecurity, but, you know, you mentioned a couple already. Breaches are still happening daily. So, obviously, just trying to keep people out isn't really working at the moment. 
And that's what I think this sort of cyber resilience identity resilience story starts to make sense in that, there is recovery for identity where what if your identity provider is offline? We mentioned it before. Your entire organization sort of grinds to a halt, and, obviously, you want to be operational as quickly as possible again. And then the resilience is sort of how can we incorporate some of these preventative measures trying to shrink the identity attack surface, whilst coming up with a plan, hopefully, a battle tested and proven plan to bounce back. So it's both preventative and reactive approaches to identity, and I feel, at least most of the organizations that we talk to, aren't sort of quite there yet. So they're still, you know, putting more weight on the preventative side than they're sort of thinking about, well, what about the recovery side? And I do think you need both to be successful these days. Absolutely. Because you can have a situation where all your systems are there, but your people can't log on. Your customers can't log on. And the identity recovery really is that ability to restore trusted access quickly, and then the identity resilience is that designing for continuity so that you are prepared in advance, you know, so that you don't get caught out. And it really is, we really are at the stage now, especially with AI, and we're gonna get onto that, of course, later. But just the threat landscape is so vast right now. It's deeply concerning. Yeah. Absolutely. And I do think one of the benefits that we do have today as, you know, practitioners in this field, though, is that there's more emphasis also from a regulatory perspective on building these resilience capabilities. 
If you look at things like DORA and NIS2 regulation and so on, trying to drive the conversation higher up in the organization, maybe even holding some of the, you know, board level, C-level executives accountable for some of these, you know, decisions. And, you know, ultimately, it's about understanding the risk of an organization. So I think, at least it's a sort of helpful, you know, helpful door that we can walk through as practitioners to have the conversation at the right level and help these organizations drive towards resilience. I agree. And it's also a fine line between compliance and best practice, isn't it? Because I know a lot of cybersecurity, like, practitioners will come down hard on compliance because they want that best practice, but compliance can really help us. And then it's really important that we get that awareness at the top. I always kind of say the fish rots from the top, the head down, and we cannot outsource this. The board, the execs, the CEOs, they have to take responsibility. And it's I think sometimes you have a situation whereby and I think some of the recent hacks in the UK are a classic example of that. So it can be our friend, from the exec perspective, like, but it has to be conveyed appropriately. Now when it comes to trends, what are you seeing in identity-based attacks, and how are attackers evolving their tactics to compromise identities today? Yeah. I think even if you do sort of all of the right things from a cyber hygiene perspective, attackers are adjusting their tradecraft. So for example, if you look at the recent Microsoft Digital Defense report, they sort of state that attackers, when faced with companies using MFA, they're sort of shifting to this adversary in the middle type of approach whereby they're sort of using these, you know, toolkits like Tycoon, Tycoon 2FA and so on to hijack the session tokens. 
Like, they will redirect a customer to log in using a legitimate Microsoft API. It's gonna challenge them for their MFA token, and the attacker is then gonna capture the MFA token and use it for subsequent logins. So according to that report from Microsoft, they're seeing about 3,900 of these attacks per day across their customer base. So attackers are sort of shifting their approach and trying to figure out, well, if these are the best practices, how do we respond to that? So you really need to think about things like phishing-resistant MFA, but still it's a constant cat and mouse sort of game trying to stay one step ahead. And then I think the other thing that you sort of already mentioned in the beginning is, with the use of GenAI specifically, we are seeing, like, this very, very sophisticated even, like, deepfake video calls. There's this well known example in Hong Kong where somebody thought they were talking to the CFO and then, you know, transferring a whole lot of money to an account that ended up not being a company account and losing hundreds and thousands of dollars. So, yeah, we are definitely seeing, you know, malicious actors adopt some of these new technologies more rapidly and trying to use it against a legitimate organization. I think you make some really good points there. And, you know, what I'm seeing is that it's the speed and the automation of attacks. You know? So when, you know, you used to have an attacker that could come into your system, you know, whether it's like they hacked in, but they would be sitting there quietly in the network for months. You know, those kind of days are gone. Attackers, hackers are coming in, and they're literally moving from initial compromise to full privilege escalation in minutes, you know, sometimes even seconds. 
It's what I think we call the zero, the hour zero problem, rather. So it's that get in and get out as fast as you can rather than lay and wait. So that is something that I think is a trend that we're seeing, that we're gonna see more of that and the speed and intensity. And then, you know, we'll just grow. And then I think with the scale, because of AI, it's just scaling the problem. And we have this democratisation of hacking that is going on where you don't have to be technical anymore. And because it's so lucrative, the risk and reward, so it's high reward, low risk. The chances of anyone being caught are low, although we've had some good kind of some progress made recently, which is really encouraging. It's very attractive for, certainly, criminals to get into the space and actually earn a lot of money from executing further hacks from cybercrime as a service or hacking as a service using the tools that are available. Yeah. Absolutely. That's like, to your point, I was just reading, like, CrowdStrike's global threat report. And according to their figures, like, the average breakout time is now sixty two minutes, and that's the average, of course. Like, so we're still feeling like saying, like, it could be even seconds. And there's obviously gonna be some longer ones skewing the average. But, like, from initial access to lateral movement, it's an hour, let's say. And having valid credentials makes it so much harder for defenders to understand what's going on. Right, so they're sort of cloaked in this cloak of being a real, like, company identity, whereas they're, you know, exposing this bad behavior that's much harder to detect at that point. So, and, hopefully, AI will help us in that way as well because it's ultimately, you know, trying to filter out the signal from the noise, so to speak. 
And, hopefully, automation could, you know, be like a helpful tool for us defenders as well. Absolutely. And the other thing that I wanna mention is because we're seeing this quite a lot. It's browsers. Browsers have become one of the biggest attack surfaces, so I think that's really interesting because so much of our work really happens inside them. So we're logging into apps, we've got SaaS tools, we've got admin consoles, and attackers know that. So they come after the low hanging fruit. And I think it's important so that people are aware that we're seeing that rise in browser based malware grow and that hijack active sessions. They're stealing the cookies. They're intercepting credentials in real time. So that's something really to be aware of as well when we're talking about this. Yeah. Absolutely. Like, I think the average price of leaked credentials today, as you said, with valid session tokens harvested from the browser, RedLine infostealer is a good example, is around 14 US dollars. So if you can buy legitimate access for 14 US dollars, it's we're making it so easy, essentially, for these people with bad intentions to go after us. This is a, and I don't wanna alarm anyone. But, yeah, this is a real issue. I wanna talk about cloud and hybrid environments. So how does the shift to cloud and hybrid environment complicate identity security and recovery compared to traditional on premise infrastructure? Yeah. I think we sort of changed the application landscape in the last decade or so. Right? So we went from a very data center, single data center focused approach where everything was behind the firewall, and we could, like, build a boat with very thick walls, very high walls, and try to keep everybody out. But today with cloud and SaaS, the attack surface is becoming very distributed. There are no walls anymore, so to speak. Like, every single SaaS application is a new attack surface. 
Every public cloud vendor has a bunch of services that are a new attack surface if you sort of use them. You know, historically, we were sort of very strict about separating even the user network from the admin network. I remember building, you know, internal VLAN networks where the end users could never even touch the admin interface of your core switching system, for example. Well, today, the admin interface lives on the public Internet. So if you know what you're doing and you have credentials, you can essentially log in to these systems, especially if you lack some cyber hygiene. So, yeah, we have built architectures that have greatly increased the attack surface and given more opportunity for malicious actors to sort of go after us. And then from the identity perspective, that means you now have to take care of on premises identity in the Microsoft world, let's say, Active Directory and then cloud based and SaaS based identity through Entra ID. Both are connected, but that makes it even harder as well to sort of manage this in a good way and think about how can we reduce the attack surface so the identity doesn't sort of become the single weak point. Because you have all of these services, but with the right credentials, they're sort of all exposed. So, yeah, it's definitely opened up a broader set of potential attacks against the environment by adopting these technologies. And what we are sort of seeing is that security investment, historical security investment doesn't necessarily keep up with those changing architectures. Right? So companies do need to rethink some of their approaches here to make sure that if you want to benefit from SaaS and public cloud, then you also need to ensure that you're securing it in a proper way, lest you end up, you know, sort of shifting your potential vulnerabilities from on prem to cloud and such. Again, that comes back to the awareness piece, doesn't it? 
And I also think from a security aspect, a CISO perspective or practitioner perspective, it is about learning to speak the language that they understand. So let's have a conversation and communicate the risks in language that you understand, that makes sense to you, so removing the complexity of it so that they can really make informed decisions on the risk. And I don't think we do necessarily, as a generalisation, a good job of that. A lot of people in security will talk security language and I know from speaking to executives outside stakeholders, which are so important because they are members of your team and it's a shared responsibility. We've got to be able to speak the language that they understand in order to get that awareness and true understanding of the issue so that action can be taken. I'm going to ask you, why do you say most business continuity and disaster recovery plans have a blind spot when it comes to identity? Yeah. So when we talk to organizations and then ask them, how are you protecting your identity systems? We usually get this big list of preventative measures like, oh, you require phishing-resistant MFA. We apply zero trust principles. We use modern LP malware. We only allow managed devices, like, bring your own devices out, like, have up to date patching, no shared secrets, all of this good stuff. And you absolutely have to do that. But if you then ask the follow-up question, well, what if it happens? Like, how do you bounce back when your identity provider is compromised? There's usually this long silence, and people go, we've either, we've not thought about it or they think, oh, we're using something like Entra ID. So Microsoft sort of has our back, there's built-in capabilities here. We sort of can use, you know, in Microsoft's terminology, it's then the recycle bin for identity to get our identities back online. But that's really focused on operational recovery. 
It's not really focused on cyber recovery and bouncing back after the cyber event. So what we sort of focus on is ask yourself, do you have a recovery plan? Is it up to date? Is it tested? How long does it take you to bounce back? And that goes back to that sort of business conversation because downtime, you've mentioned some examples in the UK before. Like, downtime is when, all of a sudden, the light goes on also in the boardroom, and people start to understand the cost implication of downtime. So traditional recovery plans, they sort of focus on applications and data, but identity is really part of your tier zero infrastructure. If your identity is not working, then nothing else connects. Right? Nothing else really, really matters. So that's why this is such an important part, maybe even the most important part, at least from a foundational perspective, building that into your sort of recovery plans and making sure it's tested. So there's things that you can do, like, running through these tabletop exercises, for example, with, like, with the entire company and making sure everybody understands and is in the same mindset and has a tested plan for when it really happens. So, should be a good focus point, I think. Yeah. I mean, those tabletop exercises are so worthwhile doing. I've done a few of them now, and it's always surprised me actually how ill prepared people are. But it's like fire drills, isn't it? They need to be done like fire drills. You need to get the right people in the room, and they need to be rehearsed regularly. And that might be monthly, it might be quarterly, might be every half year, but they need to be done so that people are prepared and they know exactly what to do. Yeah. Yeah. I cannot agree more. And even though you probably have to convince some people of the usefulness of it initially. Like, people will start to roll their eyes and so on. 
But what I always find is that, like, ninety plus percent of the people after the tabletop exercise walk away with new insights and are super happy they actually went through with it. So, yeah, cannot stress how useful those types of situations can be. Yeah. They really make it real, don't they? Yeah. Absolutely. Absolutely. Now what about emerging tech like AI, Zero Trust, and Passwordless? They're often mentioned when it comes to identity. How do they really help with identity continuity? Yeah. So I do believe that we need a balance. We need to strike the right balance between preventative and reactive for sure. So building things like zero trust architectures and implementing least privilege access, maybe even just in time access, which has become pretty powerful these days. You know, instead of using, you know, passwords, use passkeys. There's a lot of technology that can actually strengthen our defenses quite a bit. Mentioned phishing-resistant MFA a couple of times. That's such a no-brainer to implement, you know, trust Absolutely. I couldn't agree more with I do more people need to be doing that. It's absolutely paramount. Yeah. Like, the way that I usually think of it is, you know, you need to make it harder for your organization to be a target than whoever is your neighbor. Right? So because everybody can sort of be a target, but if you're making it a little bit, just a little bit too difficult for adversaries to target you, they might just, you know, go on to the next one. So you might have saved yourself quite a lot of headache. And then, of course, AI, mentioned it a couple of times before, could be a potential game changer on the defensive side as well. I sort of alluded to it before. I really think security is a big data problem. Like, there's a lot of noise. 
There's, you know, this capability with AI to find the needle in the haystack, so to speak, and help us filter the signal from the noise and then respond to what's actually important. But, also, as you mentioned before, the speed at which some of these attacks happen, how do you respond, right, if you don't have an automated response? And some of these automated responses could be AI driven. Like, if you have well defined procedures, we could at least implement containment in an automated way so a threat doesn't necessarily spread in the environment, and then understand, like, if there was a breach, if there was ransomware, for example, can we use AI-based tools to help us identify what is the safe version of data, what is the safe version of identity to restore so we're not gonna reinfect ourselves and sort of have to keep playing this game over and over until we can successfully bounce back. So I do believe there's a massive opportunity there for us. It's just try not to get overhyped by some of these things, either. But if you implement it in a sort of pragmatic way, I think opportunity is there. And I think it's also a case of not being overwhelmed by it. Again, this is a conversation that I've been having a lot recently, especially with so many cyberattacks in the news because it's good for business. Like, more people are aware, more people are taking action, whether that's individuals or whether it's small business owners or whether it's, like, larger businesses. But it's a case of having enough pressure so that action is taken rather than too much pressure so that they're overwhelmed and they just don't know where to start. Because one of the problems that we have with cyber is the complexity of it. It comes across as being really difficult and really complicated. 
And I know when you're talking to business owners, all sizes, sometimes it's a case of, well, I just don't know. I don't know what we have. I, you know, I don't know what our environment looks like. I don't know about the assets that's not being mapped, and I don't know what to do. Where should I start? It is made to be complicated, and it doesn't have to be. Yeah. No. Absolutely. Yeah. So how do CSOs, COOs, and risk leaders, how do they need to come together on this issue? Yeah. I think identity is sort of the thread that connects or potentially connects, like, the CISO security domain, the CIO's operational realm, and then the risk leaders governance landscape together because these things are sort of a real linchpin or really core to the sort of conversation. So when these leaders sort of operate in silos, identity resilience will be treated as a purely technical problem. It sort of goes back to not speaking the right language as we mentioned before. So they are to think of it as a technical problem. It's like a business process or maybe it's a compliance checkbox. So to overcome that, we need to step out of this fragmented approach because it leaves sort of critical gaps. So I think if you think about true resilience, you can only achieve that when you sort of come together and create a unified strategy that integrates security operations and the risk management. So I think you have to frame the conversation in terms of business risk and business continuity. And one way to look at it is, like, if you think about what it sort of looks like in practice so instead of a CISO talking about, you know, multifactor authentication and the COO discusses proper client throughput. And then what if you collaborate to quantify the impact of a failure, right, in terms of Mhmm. In terms of sort of the entire business can understand? 
Like, if you say, well, what happens if there's a thirty minute outage on our production line? Like, what does that mean for factory floor output, etcetera? Real example, JLR in the UK haven't been able to produce a car in over a month. Like, that's real. Right? So people can rally around this concept and sort of understand throughout the organization, well, what does that mean? And then you can't really take a step back and say, well, that's the CISO's problem or that's the CLO problem because you needed to have, like, a standby system that could operate without these automated tools. Well, no. It's both. And you have to sort of come together and understand, like, how do we put this in the risk register and what's the financial and reputational impact that that represents. It's really interesting because what I also think is, like, it has to be embedded into the culture of the organization. If we have KPIs, and I know some companies do this, like Microsoft is a good example of that. But it's just like when we've got KPIs set, then it helps to become culture. And if we have these psychological safe cultures whereby you're not going to be ostracized or ashamed for clicking on a link or for doing something that's not good security practice, you can improve. So they're really, really important that and it comes back to this whole shared responsibility aspect, it really needs to be and for us to do better, we need to speak the language of the business, speak the language that people understand, make it relatable, and get it embedded into the culture of our organisation so that we can be better defended. Because security, when we think about people, they're often regarded as the weakest link but they can be a strong shield and we need people because they are being targeted to be stronger defenders and each person plays a part in that. Yeah. I really love that. I think that's absolutely true. 
Like, my, as you mentioned, Microsoft is a great example. They say, like, what is their number one priorities is security. AWS sort of says the same thing as well. And I think if you're, like, Satya Nadella and you're the CEO of Microsoft and you repeat this mandate over and over again, everybody feels comfortable in your organization saying the same thing and driving towards that same goal. Whereas if leadership doesn't explicitly say it, it probably gets lost in a lot of other messages. So, yeah, I really absolutely agree with what you're saying. This is, and almost like it's the outsourcing. Oh, I thought it was your responsibility. Oh, but that's IT. That's security. It's not mine. It's so important we change that, and I do believe that has to be set by those at the top. The CEO has to be mandated, and they have to practice it. Yeah. A 100%. What practical steps can an enterprise take to move from ad hoc recovery process to a documented actionable identity continuity plan? Yeah. So I think if you're thinking about building such a plan, you need to account for both the time during an attack and the eventual, like, full recovery, how do we bounce back after the adversary has been expelled from the environment. So, the, like, even tactically, there's some things that people don't necessarily think about. So what if your email system is compromised? What if your Teams doesn't work anymore? How do you even communicate between, you know, your team members to try and sort of defend yourself and bounce back? Like, do you have a calling tree implemented in the environment? Are you gonna use WhatsApp? Like, what are you gonna do? What is the actual plan? So people typically assume some of these things will be available when they most likely won't be. So, another way to think about it from a practical perspective and, again, it's sort of driven through some of these regulations as well. 
It's thinking about it in terms of what is the minimum viable business or what is the minimum viable company. And then that sort of forces you to think about, well, what are my important business services? What are the things that absolutely need to be operational? Otherwise, either we lose money, we can't serve our customers. And if those things aren't available, then, you know, the company as a whole is gonna be at risk. So if you define those things and put them in your plan in terms of, well, if these five or 10 systems, these IVS systems aren't available, what do we need to do? What are the practical steps that we need to do? And then if you think you have the plan, that's the plan. That's always a good practical step as well. Yeah. It's really interesting. You make some really good points there. What I'm thinking of, I mean, there have been, like, many companies that have got creative, you know, that so they haven't been prepared. An attack has happened, and they've thought creatively, and they've recovered. But what I'm thinking right now is, again, from an exploitability, if they're going on to WhatsApp, it's that how do we know that you are you? How do we know that you are you? You're saying that you're Joe from IT, but how do I actually know you're Joe from IT? So that I think it's gonna be, it's more interesting using some of those technologies in the era that we are now compared to how it was a few years back. Yeah. Yeah. Absolutely. There's definitely a world in which you can imagine a multistage attack where somebody knocks off your communication line then understands or assumes you're gonna use something like WhatsApp and uses that to sort of further infiltrate into your system. Yeah. So definitely having this, like, okay. What's our plan? What does our calling tree look like? I think it's really important. Absolutely. How do you measure ROI on identity continuity? 
What are the key performance indicators that really matter most? So I think today, everything is digital, of course. So ensuring, like, you have uninterrupted and secured access to those digital systems is not an IT concern. It's a fundamental business concern. I was watching this interview with Jamie Dimon from JPMorgan Chase, and they asked him, what's the one thing that keeps you up at night? And he said cyber. Cyber is the biggest thing that keeps me up at night. Interestingly enough, he didn't say AI or whatever. He said cyber. They spend about $800,000,000 a year on cyber. I think I mentioned $215,000,000,000 yearly before as a government. Well, if they already spent $800,000,000, it's quite a lot. But the idea is, like, think about things like what is the financial impact of downtime avoidance. You know, too often, we still think of this as, like, insurance. Like, okay. We need these identity continuity plans in case something happens, but it will never happen. Like, the fire will never burn down our factory. It will be somebody else's factory. But the chances are, like, extremely high that it will happen at some point. So if you can then understand, like, what is the amount of money that we will lose, let's say, per hour, per day, per week, if we are down, then that's something that should wake a lot of people up. It could be lost revenue. It could be lost productivity. It could be regulatory fines. Or as you mentioned, it could even just be, like, brand damage. So, you know, do I still want to bank with this bank that's been offline for a number of months or a number of hours or has leaked all of my personal data on the dark web? These are questions that, especially when, you know, younger people enter the workforce, will start to matter more and more as well. Yeah. Absolutely. 
And then there are, you know, for people who are wondering about this or need guidance, then there are some frameworks that you can use. I'm often directing people to FAIR, the Factor Analysis of Information Risk. I think that's a really good one for, like, quantifying your risk and having those. That then helps you have those conversations higher up so that you can get your execs' buy-in. And then NIST Cybersecurity Framework, that can also help you as well. Yeah. 100%. And I think one of the things that we talk about a lot as a KPI, like, business continuity, and it's also valid for identity continuity, is this mean time to recovery. But mean time to recovery is actually old. I think you should think about mean time to clean recovery because those are two very, very different things. And, usually, the way that we've built systems is, can we bounce back? Like, can we restore from a backup, for example? Or do we have a standby system that we can run? But today in the world of cyber, a standby system might just as easily be impacted, right, than your production system. If you restore from backup, you might be restoring malware into your environment, reinfecting yourself. So mean time to clean recovery, I think, is a more functional KPI that we should focus on. Yeah. That's a really good point. So who in an organization should be responsible for identity resilience? Is it solely an IT or security team responsibility, or is it broader? Definitely a shared responsibility, I would say. Everything extends well beyond IT. Like, IT is a means to an end, ultimately, and it's all about the business. Right? So IT operates to serve the business. So, ultimately, that's what the business is built on top of. So that means that the responsibility for keeping the system safe should also extend broader into the organization. You mentioned the point about awareness before. I think this goes into the same direction. 
Like, if you make some of, for example, business line leaders responsible for some of those things, that will drive awareness, but it also will change the way that people think about some of these things. Because if you think about implementing security, you're always gonna implement a little bit of, I wouldn't say frustration, but it's like it makes things work a little bit less intuitively than some, you know, consumers or customers or users in your organization might like. But if you understand the why of it, that's gonna help quite a bit as well. Absolutely. I completely agree. Now we couldn't have a conversation without talking about AI. So what is the impact of GenAI and agentic AI usage on identity security, and how do you think that it is gonna change the way we approach identity resilience in the next few years? Yeah. I think we mentioned, like, some of the potential benefits a couple of times. So maybe I'll focus on some of the additional challenges that AI and agentic AI brings from an identity and a sort of security and resilience perspective. So, to some extent, a lot of people equate AI to nonhuman identities when it comes to trying to secure identities related to AI, but it's actually more than that. So there's a lot of questions that still remain to be answered when it comes to using GenAI and agentic AI in the environment and how to best secure them. Like, ultimately, you're allowing GenAI access to data. You have to understand, like, what sensitive data are we potentially processing through these systems. If you're thinking about agentic AI, it's using tools to call and to automate certain things in the environment. Well, those agents and AI as such is stochastic. It's nondeterministic. 
Like, you can't really predict what it's going to do, which means, ultimately, it will make some mistakes as well, and it will use some of the tools that it has access to to maybe delete some data, maybe change some configurations in your environment. So from an identity perspective, you really have to understand, like, who is calling the agent, under which persona is the agent operating, what is it doing, what data is exposed on the back of it, and if something goes wrong, can we undo some of those changes? Can we rewind some of those issues that we've seen? So when we sort of think about identity resilience and project it into the future, like unwinding and rolling back some of these changes through agentic AI, but also just identity in general, is gonna become, you know, more and more important. It's not just about restoring identity systems anymore. It's about how do we undo some of these unexpected changes that were made on the back of these systems. And I think that's where secure by design and secure by default really comes into play, doesn't it? That can really help us because that's absolutely imperative with more AI that is being used that it has actually been designed with security in mind. So, again, it's more awareness in terms of that and also more pushback from a procurement perspective, you know, more checking when companies are implementing these tools. Because then, again, if it's a shared responsibility, it suddenly makes our life easier in security if we know that there has been that due diligence happening before they're being used in the organization. Yeah. Absolutely. So one example is think about having bad data or security hygiene in your environment and then turning on something like a Microsoft Copilot. Well, you will be confronted with how bad your security hygiene is in a really, really quick way. Right? 
So these tools assume access that these users have, and they don't really care about how you set things up if it's not, you know, following best practices, as you say, secure by design. So, yeah, people are often very, very surprised when they turn on some of these capabilities in their environment and are then confronted with what it actually means and having to go back. And it's sometimes very hard to put the genie back in the compost, so to speak. So, yeah, think about it before you roll it out. Absolutely. Now I know we've got some questions from the audience, which I wanna go through with you. But just before I ask those, what is your one piece of advice for executives who might think that identity continuity is too technical or a CISO issue? In all honesty, pick up the phone and call your colleagues at Marks and Spencer's, Co-op, JLR, have the conversation. I think you'll change your mind. I love that. That's so good. Okay. So we have got some questions that we gathered from attendees during registration. So I'm gonna ask some that jumped out to me. Philip, how do you onboard a new customer to your identity recovery platform? Yeah. So I spoke about on-prem and cloud and SaaS. So it sort of depends on what you're going for. Most of our customers are hybrid, so sort of do both. It's really straightforward. So everything today is API-based. That's the way the cloud operates. That's the way SaaS operates. It's also the way that we operate. So it's actually very, very straightforward to get going with some of these capabilities from a Rubrik perspective. So, yeah, it's a matter of setting up connectivity between the Rubrik SaaS platform and the customer environment and onboarding, for example, your Entra, really, really straightforward. Great. That's so good. And I've got another question here. Why would the built-in Microsoft recovery capabilities not be sufficient? Yeah. 
So Microsoft is really focused on operational recovery. So in a lot of cases, if you're an existing cloud user, you've heard about the shared responsibility model. Right? So, typically, cloud providers, they will provide you with the infrastructure, and they'll make sure that the services are delivered. But you are typically still responsible for the data that you use in those services and also the identities that you use to access those services and that data. So typically the built-in Microsoft capability is the recycle bin for Entra and Active Directory, which sort of is a thirty-day period that you have. If something gets deleted, you can undo the deletion. Usually, what we see these malicious actors do, like Scattered Spider, for example, is they'll come in and then do a hard delete of your identities, and then your operational recovery capabilities from Microsoft won't suffice. So you'll actually need an external system that's air-gapped, that's immutable, that can help you bounce back. That's really good to know. Which identity providers do you support? Yeah. So we started out with Active Directory. We've been doing this since 2017, and