Hello. I’m Anna Delaney with ISMG. I’m very pleased to be joined by Alex Weinert, chief product officer at Semperis. Great to see you, Alex. Thank you very much. Good to see you. So, Alex, you have just left a very high-profile job at Microsoft. You’ve come to Semperis. What was the draw for you? The time at Microsoft was fantastic and I’m really pleased and proud of what the team built and the team itself. And we’re in a place where we had great leaders and we’re on a really good track and it just felt like it could go out on a high note. And so I chose that time to take a change and as I looked around, one of the things with my team is we’re very focused on this mission of protecting the user and taking care of people. And Mickey really, who’s the CEO for Semperis and I connected and he’s got this “be a force for good.” This idea that your primary focus should be doing good for your community, doing good for the environment, and that really appealed to me. Now we’d already partnered as identity security people. We’re already partnering with Mickey, and Semperis really focused on the hybrid identity protection side of things, and my team at Microsoft is thinking very much about cloud identity security. And so we had a good relationship. We had very common sort of principles. It’s a really neat, big change for me. It’s like going from Microsoft to a much smaller organization, but also, you know, kind of a different focus in terms of the product areas, some really cool opportunities coming up, just a lot of fun and a person I like a lot and lined up with well. Semperis is an exciting time. Sounds like it. Yeah. So is there a specific challenge or opportunity that you that pulls you in? If you’re an identity security professional, you’ve been screaming this from the rooftops for a while, but it seems like suddenly it’s getting echoed back. It’s like, yeah, identity really is the security perimeter that kinda gates everything else. So when an attacker hacks your account, they’ve got everything regardless of what second line security you might have. And so making sure that that identity infrastructure is in a solid place is super high priority. When we look back at the kinds of attacks that we were dealing with with customers, a lot of times, almost all the time, it was their on-premises environment that had been hacked first and then that was used to propagate the attack into the cloud. So that’s where the battle is being fought, right? And so that focus on making sure that core infrastructure is in place is really key And then I think extending from that to this broader question of how do you ensure that your organization can be resilient over time? It’s unfortunately not really a question of whether but when you’re gonna have an incident, and the preparedness for that incident, the ability to respond in the moment, the ability to recover is super critical. Identity has been at the center. If you’ve lost your identity stack, you’re in deep trouble. So this is a place where you can then say, alright. How do we extend from there into thinking more comprehensively about organizational resilience and disaster management? Why do you think identity continues to be such a weak spot for organization despite all the attention it’s received? I think there’s probably nowhere where technical debt is a harder problem than around identity. While it’s tempting to go, well, it’s because Active Directory is a known attack surface. So it’s a very trusted infrastructure but it’s been around for a long time. In fact, when I started at Microsoft, that’s something I worked on, which is when like dinosaurs roamed the earth, right? And when we look at that—the known attack surfaces and the difficulty with keeping up with technical debt—that problem exists in the identity infrastructure but moreover it exists in the applications and the other things you depend on. So if your finance department relies on an application that requires Active Directory to sign in, you don’t get to just rip it out. Right? And so if we think about all the generations of apps that been introduced into an organization or they come in with a merger or whatever, like getting all of those things to snap to a new identity stack is not realistic. So everybody, every organization is in a hybrid identity environment. They’re in a hybrid infrastructure environment. That’s where the battle is because what the attackers do is they look at where are the gaps in these things? Where is the gap between that on-premises infrastructure and that cloud infrastructure? How do I get into that gap and exploit the weaknesses there? So that’s kind of where the battle is being fought. What role do you see AI and machine learning play in this identity security space as well as cyber resilience? We think about machine learning in a couple of categories. Right now mostly we talk about generative AI, but there has been a body of work in that called classifiers, which help detect risk, and that’s something we’ve been working on for a long time in the industry. As we get into generative ML, the reason I think it’s captured the imagination so much is it does stuff that a human might do, right? It kind of has that ability to look a little bit human. We saw regularly attacks in my previous role where people would simply send a message saying, hey, please send me the code on your authenticator. Like just, hey, I’m from IT. Send me the code. Like unknown phone number, unprompted. And people would respond to that. Or you know, the prince who wants to transfer you money. Right? Like people fall for these things even when they’re not customized. Generative gives you this ability to tightly customize the message. And so the average human’s ability to withstand an attack like this, to not be social, to not be fooled, is gonna plummet. So we’re gonna see that on the one hand, the attackers can use generative to really ramp up the attacks. Now the good news is that you can use robots to fight robots. So then you can also use generative to go do things like detect non-human emails coming through, and more importantly to hunt across the environment and to distill these huge amounts of information that security teams need to get their heads around into consumable bodies of work. So there’s advantages on the defender side, there’s advantages on the attacker side. It’s gonna be critical for defenders to learn how to use generative, to both be aware of the attacks and to learn how to use it to defend themselves. What’s your advice on that front? Where do you see the barriers in terms of how companies are starting to use generative AI? Where are the gaps perhaps? I think there’s a natural sort of human resistance to like, but that’s not the way I’ve done it. Right? I think the most important thing for people to do is to find the cycles to start trying things. Right? To like understand what it can do. Right? The kind of hunting it can do and where it’s good and where it’s bad. It’s not going to magically appear in your environment and fix everything or magically appear and destroy everything. It’s gonna be work. The problem is that your patterns of work are not ones that have so far incorporated generative. And so getting your head around that and starting to think, okay, I need to summarize this meeting. How do I use it? Know? Or I’m gonna go do this hunt across this document looking for lead credentials. Can I do that in a different way? And then actually ask the system, hey, find me the lead credentials in this mail rather than trying to do my normal patterns. And I think that’s step one—to familiarize yourself with it as a vendor and then from there you find places where it’ll succeed and do better. There’s a lot of good tools out there. Excellent. So what are your goals for Semperis as you lead the product team? Oh wow. I think mostly great success on the mission of being a force for good. So when we look at organizations broadly—and I’m not impugning any one organization. Everybody who listens to this could say, well, hey, I’m better than that. Great. But many organizations are not using MFA yet. Many organizations are not thinking at all about how they’ll communicate in a crisis. Many organizations have not yet figured out how to back up and restore their identity infrastructure in the case of a malware attack. And to the extent that we can, make that really easy and provide a methodology that helps people get their head around what it means to really have a resilient organization. And prepare themselves for that, unfortunately, probably inevitable moment when somebody does damage. That translates directly into say a hospital continuing to function through a crisis or a school being able to continue to teach kids during the crisis or any number of other things—electrical power or transportation—everything depends on digital identity now. To the extent that we can protect that, we can be a very powerful force for good. So I think that as the chief product officer, I hope what we can do is find ways to bring this technology really down to ground so that it meaningfully advances people’s mission of keeping these organizations alive through not just identity integrity and identity resilience but through overall crisis resilience. So say in 12-18 months, what does that success look like? I think in 18 months, I think that people really understanding the value—and here I would say Ready1 plays a really critical part of this as we look at having a platform that helps you really put your head around what does it mean to sort of train up and become a super resilient organization. What we see in 18 months is meaningful adoption there. And somewhat selfishly I’d like to see us find ways to—if you look at Purple Knight and Forest Druid, these tools that Semperis released over the last couple of years—these are public domain, free tools that you can use to do a security assessment and quickly get yourself leveled up. I think there’s an opportunity to do the same thing in terms of crisis response And so I hope we can provide some real good in that. And of course, I hope to see a lot of growth in usage and adoption and company success. Well, Alex, thank you so much for your time. Thank you. I appreciate your insights. And thank you so much for watching. For iSMG, I’m Anna Delaney.
