November 21, 2025 63 mins

We weigh the promise and peril of the AI agent economy, pressing into how overprovisioned non-human identities, shadow AI, and SaaS integrations expand risk while go-to-market teams push for speed. A CMO and a CFO align on governance-first pilots, PLG trials, buyer groups, and the adoption metrics that sustain value beyond the sale.

• AI adoption surge matched by adversary AI
• Overprovisioned agents and shadow AI in SaaS
• Governance thresholds before budget scale
• PLG trials, sandbox, and POV sequencing
• Visualization to reach the aha moment
• Buying groups, ICP, and economic buyer alignment
• Post‑sales usage, QBRs, NRR and churn signals
• Zero trust limits and non-human identities
• Breach disclosures as industry standards
• Co-sourcing MSSP with in-house oversight

Security isn’t slowing AI down; it’s the unlock that makes enterprise AI valuable. We dive into the AI agent economy with a CMO and a CFO who meet in the messy middle. The result is a practical blueprint for moving from hype to governed production without killing momentum.

We start by mapping where controls fail: once users pass SSO and MFA, agents often operate beyond traditional identity and network guardrails. That’s how prompts pull sensitive deal data across Salesforce and Gmail, and how third‑party API links expand the attack surface. From there, we lay out an adoption sequence that balances trust and speed. Think frictionless free trials and sandboxes that reach an immediate “aha” visualization of shadow AI and permissions, then progress to a scoped POV inside the customer’s environment with clear policies and measurable outcomes. Along the way, we detail the buying group: economic buyers who sign and practitioners who live in the UI, plus the finance lens that sets pilot capital, milestones, and time-to-value expectations.

We also challenge sacred cows. Zero trust is essential, but attackers increasingly log in with valid credentials and pivot through integrations, so verification must include non-human identities and agent-to-agent controls. Breach disclosures, far from being a greater threat than breaches, are foundational to ecosystem trust and faster remediation. And while MSSPs add critical scale, co-sourcing—retaining strategic oversight and compliance ownership—keeps accountability inside. If you care about ICP, PLG motions, PQLs, NRR, or simply reducing AI risk while driving growth, this conversation turns buzzwords into a playbook you can run.

Vamshi Sriperumbudur: https://www.linkedin.com/in/vamsri

Vamshi Sriperumbudur was recently the CMO for Prisma SASE at Palo Alto Networks, where he led a complete marketing transformation, driving an impact of $1.3 billion in ARR in 2025 (up 35%) and establishing it as the platform leader. 

Chithra Rajagopalan: https://www.linkedin.com/in/chithra-rajagopalan-mba/

Chithra Rajagopalan is the Head of Finance at Obsidian Security and former Head of Finance at Glue, and she is recognized as a leader in scaling businesses. Chithra is also an Investor and Advisory Board member for Campfire, serving as the President and Treasurer of Blossom Projects.

Website: https://www.position2.com/podcast/

Rajiv Parikh: https://www.linkedin.com/in/rajivparikh/

Sandeep Parikh: https://www.instagram.com/sandeepparikh/

Email us with any feedback for the show: sparkofages.podcast@position2.com

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Vamshi Sriperumbudur (00:00):
In security, it's the aha moment is
about visualization.

Chithra Rajagopalan (00:03):
When you're releasing something that's as fresh as like AI, because there's so much noise, you really need to know what the market pulse is. Like, do you even have a product market fit? Like you think this is the right thing to build, but how have you validated that?

Vamshi Sriperumbudur (00:16):
AI adoption by companies is skyrocketing, right? But then so is the AI adoption by adversaries. This leaves a gap in security. So you have to adopt AI for security. This is absolutely required, right?

Rajiv Parikh (00:32):
Welcome to the Spark of Ages podcast. In this episode, we're navigating the highest stakes challenge in enterprise technology today, securing the AI agent economy. The promise of AI offers incredible velocity, but it also introduces profound non-human risks that threaten to overwhelm even the most secure organizations.

(00:54):
We're bringing together enterprise security leaders in finance and marketing to bridge the critical gap between go-to-market velocity and financial outcomes. Two amazing guests. First is Vamshi Sriperumbudur, who recently was the CMO for Prisma SASE at Palo Alto Networks, where he led a complete

(01:15):
marketing transformation, doubling their pipeline and driving an impact of $1.3 billion in ARR in 2025, which is up 35% and establishing that group as the platform leader. Chithra Rajagopalan. Chithra is the head of finance at Obsidian Security and former head of finance at Glue, and she's recognized as a leader in

(01:38):
scaling businesses. Chithra is also an investor and advisory board member for Campfire, which is an AI finance firm. And she's also serving as president and treasurer of Blossom Projects, which is a wonderful charity for Indian youth. Welcome to the Spark of Ages. Thank you, Rajiv.

Vamshi Sriperumbudur (01:56):
Thanks, Rajiv.
Glad to be here.

Rajiv Parikh (01:57):
Let's talk before we get into it a little bit about how big this security market is. Like everyone every day is using the internet, they're using their computers, they're connecting to all sorts of things. And as that continues to explode, they have to secure it. They have to make sure that you don't, that malactors don't get access to data or your information or your systems.

(02:19):
And we hear about it all the time. So just giving you a sense of how big this is, according to Gartner, the total software, services, and hardware business is about $213 billion in 2025. And if you just look at software alone, that's somewhere, depending on who you talk to, between $100 and $120 billion. And it's growing at about 12% a year, which is just a little

(02:42):
bit faster than most of the other software fields, reflecting that as you get more and more devices, there's greater and greater risk. Vamshi, your go-to-market teams need velocity to capitalize on AI technology, while Chithra's function requires strict governance to minimize risk. How do you bridge this chasm? What minimum threshold of trust or governance readiness must a

(03:04):
new AI-driven security solution meet before go-to-market can push it aggressively to the market and finance is comfortable allocating long-term production budget versus limited pilot funds? Chithra?

Chithra Rajagopalan (03:16):
During RSA, of course, there were announcements from Palo Alto, but there was every other vendor was announcing that they were now a security for AI, right? So there's definitely a lot of noise in the market. So I how I kind of think about it is like at the end of the day, since security solution is very much grounded on trust and governance, right? So we should be able to validate how is the accuracy

(03:39):
going, how is the auditability, regulatory alignment. So even before we scale, I would say that's where the focus should be. So just like Vamshi also mentioned, we also did a lot of groundwork looking at what is a customer that is looking for, like even through our CABs, what is the attack surface that folks are seeing, and what is that we can provide as immediate value and build something customizable or even scalable

(04:01):
with along with them, because everyone's trying to figure this out as a team together, right? So when there's a newer solution that kind of like takes to the market, of course, you need to like deploy what I would kind of call it as a pilot capital because it's before production, it's before scalability. You really need to do the experimentation at first, whether it's digital or thought leadership or even like

(04:22):
framings, right? You really want to see how is a market taking it all in. Of course, it's very uncomfortable for the finance side of things because you want to see ROI like tomorrow, right? So, how do you kind of balance that out is extremely important because you don't want to be that person who pushes back and disrupts hyper growth, especially for a startup like

(04:43):
ours? We have to be innovative. We have to go at that pace. So it's really unrealistic to expect ROI and results immediately. So as a CFO, like I would say, like, what is your innovation or a pilot kind of capital? What is that you're able to sit with your execs, understand like what does success look like for us collectively? And then think about okay, what then what production looks

(05:06):
like, what does scalability look like? And at the end of the day, how do we prove that trust and balance of that governance and bring success alongside customers? Right. So that's how I would look at it, like in a phased approach almost.

Rajiv Parikh (05:19):
Okay. So you're taking it in phases, saying that as you hit, almost like how venture capitalists look at it anyways, they look at things from a milestone perspective. Are you bringing them the financial milestones? So here are the milestones that we should hit before you put more into it. Or are you saying give them room to run and then let's see how it goes? You don't know everything when you're into this, especially

(05:39):
from a startup level.

Chithra Rajagopalan (05:40):
100%, right? Because when you're releasing something that's as fresh as like AI, because there's so much noise, you really need to know what the market pulse is. Like, do you even have a product market fit? Like you think this is the right thing to build, but how have you validated that? Like, are people signing up? Are people downloading your content? Are people reading through it? Are people engaging with you, whether it's through the ads or

(06:03):
through other thought leadership? So having like really granular approach towards like what does first touch look like? And how does following attributions look like? I think that's extremely critical. Otherwise, there's no real way to kind of measure what the engagement is supposed to be.

Rajiv Parikh (06:19):
That's right. So, Vamshi, when you're thinking about it from that perspective, right? You're in go to market. So you probably are getting a sense of what the market is. So Palo Alto Networks, right? They're one of the largest players there. They have multiple offerings across the entire space, right? So for you folks, AI is something new and emerging to your existing portfolio.

(06:40):
Whereas I think for Chithra, that was the business, right? So how are you hearing about things from the market? And then how are you setting up your go-to-market capabilities?

Vamshi Sriperumbudur (06:49):
I think there's a couple of things, right? So organizations like Palo Alto Networks, there are public companies, presumably you're you've got a large install base, you know, in case of Palo Alto Networks, 70,000 plus customers. But it's important to you to kind of acknowledge that AI is actually bringing new customers into the fold, no matter how many customers you already have. So I think there is the notion of, I think to Chithra's point,

(07:11):
there's a notion of like thought leadership that needs to be put out that, hey, you know, from a go-to market marketing perspective, or any organizational aspect, whether it's you're a startup or a large organization, definitely behooves you to do that. That you need to put out thought leadership that, hey, you know, AI is creating all this opportunity, increasing productivity, creating efficiencies for your organization, organizations across the world, across

(07:33):
verticals. But it's also a potential to, for example, simple, take simple example, right? ChatGPT. And I know we have solved a number of these problems today in terms of technology, not in terms of adoption, customers, enterprises using it, but the following example. ChatGPT. So I'm in marketing, I have a big launch coming up. I'm not obviously going to put something that's, and I'm a

(07:54):
public company, you know, put something that's upcoming into ChatGPT. Now it's in the ether, right? Everyone has access to it. So there's aspects around how I can, and that's just for marketing. And then you talked about finance, things can be even, I'm sure Chithra can talk about it. But like there are things that are, you know, your proprietary sensitive data that you can put into things like ChatGPT, unless

(08:15):
it's provisioned as a Gemini, as uh Copilot, et cetera, within your organization. And then the other part is the prompt response, right? If you're a developer, you're using Corium and you're checking in the code that you got and into your GitHub, uh, GitLab repository, code repository. And what if it has some issues, right? It has aspects that could, you know, kind of mess up your

(08:39):
application, jeopardize the security of your application. Malicious code could be an example. You know, there's a number of other things. It could draw out your data. So I think these are some of the areas where you know, talk about thought leadership in terms of these possibilities and you want to secure.

Rajiv Parikh (08:53):
So, like you're looking at it from that perspective, Vamshi, where you know you're looking at it as a platform play, right? As opposed to a single point, right? So you're talking about AI agent security. So, how do you get that message across to folks? Like you have many things you can talk about to a CISO and CFO, or you convince CISOs or CTOs or CIOs, right?

(09:15):
And they have so many products in front of them. So, how do you talk about it to them from a platform approach? That this specific threat requires immediate prioritization one versus the other.

Vamshi Sriperumbudur (09:25):
Some of the market data is very important in this. So I'd say, you know, when it comes to Gen AI, right? The single most important advantage you have as a go to market leader in getting your message out, your platform message out to your customers is speed, especially in the context of AI. And this advantage, you know, can be passed on to the enterprises, your customers.

(09:46):
So let me explain this, right? AI adoption, we you know, we talk about it is skyrocketing. You know, McKinsey put out a global survey in AI. 78% of the companies are now using Gen AI in at least one business function. And this is the survey is granted as of June. So things are changing so fast. So the numbers have probably gone up. And this is apps, this is models, this is agents.

(10:07):
Virtually every business function and customer segments are using. I do want to quote something very specific here. This is not just attack surface growing, it's also adversaries going after you, right? So Microsoft Digital Defense Report that just came out a couple of weeks ago, mid-October 2025. Basically it's saying that threat actors are also using AI to boost their attacks, you know, whether it's social

(10:28):
engineering, phishing, et cetera. 80% of the cyber incidents investigated, attackers want to get your data. And once you have the data that is PII, personally identifying information, PHI, you know, personal health information, et cetera, patient health. So all of this information, the adversaries you want to use for financial gain. So that's one part.

(10:49):
The other part is nation-state adversaries. The issue here is they're getting AI content samples that are you know 4x within just one year, went from 50 samples to 225. You know, you read the report, you get the idea. So there's a couple of issues there: financial loss and then nation-state level, you know, information for even worse purposes or equally worse purposes. AI adoption by companies is skyrocketing, right?

(11:11):
But then so is the AI adoption by adversaries. This leaves a gap in security. So you have to adopt AI for security. This is absolutely required, right? So as a CMO leading the launch together with my go to market peers, new AI-driven security solution is important for enterprises. They have to get it really right now to secure their sensitive data, to stop the malicious code check-ins,

(11:33):
basically to get ahead of the adversaries and threat actors. I'd say security is the true unlock of AI value in the enterprise. That's the message I would go with my customers and which I have.

Rajiv Parikh (11:43):
Right. So this is the ability to unlock it, right? And that kind of leads to the question I have for Chithra, which is that everyone seems to be adopting, but as that recent MIT report said, a small percentage of these initiatives are actually reaching production. So there's a lot, a lot of experimentation. There's a lot of personal or consumer use, but not

(12:04):
necessarily widespread enterprise adoption from a production point of view due to lack of governance, poor integration into workflows, et cetera.

Chithra Rajagopalan (12:12):
Yeah, before I actually jump into that, like few things that we have seen within our customer data, right? Which has been pretty alarming if you think about kind of just AI adoption general. One reality is that there is so much pressure, whether it's from investors, whether it's from the board, that hey, we need to like adopt AI ASAP. So the CEOs are like under so much pressure.

(12:33):
Security kind of becomes an aftermath most of the time. So CISOs and CIOs, so they're kind of like stuck in the middle of a rock and a hard place most of the time. So they we have seen that quite a bit. So our own data, what we have seen is like 50% of enterprises have at least one shadow AI. And even 90% of AI agents that we've seen are over provisioned

(12:53):
in SaaS applications. Like over 10% of Gen AI prompts actually include sensitive data. Just one single element of that could be catastrophic to a company, right? So people are discovering this as we go.

Rajiv Parikh (13:07):
You're saying that it's not just that folks are inside the corporate firewall, so to speak, inside the company where things are protected. When they're asking general like ChatGPT or general answer engines something, they're putting in sensitive corporate data into it.

Chithra Rajagopalan (13:24):
So just taking a step back, right? Like if you think about your security architecture, and Vamshi can probably talk about this more technically than I can, but just to kind of like think about it broadly, like you have your identity, like Chithra at obsidiansecurity.com, right? You have your zero trust architecture, or you have your SSOs or MFAs that kind of take care of your IDP or access

(13:46):
management per se vendors, right? And then you kind of have you secure your network, you secure your remote employees through ZTNA or SASE. But like what happens is none of this is looking at AI agents because once you kind of get into the SaaS application, your AI agents does not require to go through all of this because it's all configured through the SaaS application per se.

(14:07):
So what happens is since AI agents are removed from this whole access management, they are over-configured, they are over provisioned because nobody wants to kind of like block them because all of the speed at which these workflows are going is kind of like how productivity is being defined within the company, right? So nobody wants to block those. Now that comes with a lot of issues.

(14:29):
Like the AI agent that I'm creating probably has more access to a SaaS application or multiple SaaS application than I should technically have. So that is the real problem that we're dealing with, right? Even if you think about just any third-party application that you have, right? At any point, even Salesforce, take that for example. There are over 700 SaaS applications that are connected

(14:50):
to a Salesforce instance at a given point of time. Like think about a large enterprise. And if you remember the Salesforce Drift attack that happened in August, that was not because Salesforce were inherently not configured or anything, right? Because it was an integration to Drift. That API integration is what got breached and exposed over 1.5 million customer records, over 700 customers, right?

(15:13):
And exact same API integration is being used by agents out there. So the attack surface has just got multiplied just by introducing AI agents into this equation, right? So I think that's the situation we're looking at. Multiplication of that attack surface. Now, going back to your question, like how do we think about outlining what is what is the broader goal in here?

(15:37):
Like, how do we make sure that kind of like we are maximizing the value at the end of the day?

Rajiv Parikh (15:41):
Before you answer that, would you say that, I mean, if there's hundreds or a whole bunch of prompts hitting Salesforce, would you say that it's not necessarily true that we are actually in production to a greater level than what's being reported?

Chithra Rajagopalan (15:54):
100%. And we have seen this at some of the solutions that we have been trying to solve alongside our customers, right? Like think about an agent that has access to Salesforce and your Gmail and should not have had those access and is able to write a prompt that summons pipeline data or closed-won customer data. They can summon whatever they want and send it as an email to

(16:14):
your inbox. This is like lack of configuration within that AI agentic workflow. Because as a SaaS application, maybe this person, whoever created this agent, might not have had that access. But then just because your agent was over provisioned, you're able to summon whatever you want. This is what we are seeing because there is a lot more access to sensitive data. And think about your low-code, no code applications like a

(16:38):
Glean or an n8n, right? They can write any sorts of agents and workflows and have access to any kinds of data across any SaaS application. Summon whatever you want in nanoseconds. Think about that.

Rajiv Parikh (16:51):
Thinking about n8n, as long as you have the ability to log into something, you can get it, right? I mean, so you're saying that they're over provisioned. So over provisioned means they have more access than they should have.

Chithra Rajagopalan (17:04):
Correct. Correct. And that normalization is not happening today on like, okay, who's this person writing all these agentic workflows? Do they should they even have those accesses? Like, are we taking a step back and looking at the overall surface? So this is why you will see a lot of companies experiment things, abandon it, go back to something else, abandon that.

(17:25):
So you'll see a lot of this shift happen. And I feel like it'll take some time to kind of like fall into place. But if you think about how as a security technology or as a security platform, how are you partnering with your customers throughout this journey? I would say just narrow it down to what is the broader goal at the end of the day? What is a CISO looking to report to a board?

(17:47):
What are the outcomes you're trying to achieve for them? Because most of the time, since the whole architecture is so noisy, you really need to sit down and discover alongside your customer what is exactly the problem that you're trying to solve for, right? Because everyone's trying to figure out where the vulnerabilities are, just given this new AI agentic, you know,

(18:08):
like a curveball that was thrown at us. It's a discovery awareness. So we're starting at like scratch, kind of like from an awareness standpoint. So I think that's where the discovery alongside your customer is going to be extremely important. That's how you'll be able to understand outcomes, which you can then deliver on as a security technology vendor. Then you can kind of like partner with your CISO to be

(18:30):
able to help him or her go and press into the board in a certain way. And what does success look like for them, right? Rather than just giving them a box of like, okay, here you go, a solution. It doesn't work that way. Like if you really need to come back and ground zero and look at outcomes that you want to drive as success.

Rajiv Parikh (18:48):
Interesting. Chithra, are you helping them, as in the go-to-market teams, with helping on the risk assessment? Or is that something that's handled by your chief risk officer or your own CISO, you know, chief information security officer, just so everyone knows, is a CISO.

Chithra Rajagopalan (19:04):
Absolutely. So go to market is one, but then let me talk about internal process first, right? So if we think about the GRC committee, where there's representation from legal, representation from finance, right?

Rajiv Parikh (19:14):
GRC Global Risk Committee?

Chithra Rajagopalan (19:16):
Yes.
So governance.

Rajiv Parikh (19:18):
Governance risk committee committee, right?

Chithra Rajagopalan (19:19):
So then there is representation from different parts of your company who are able to come in and talk about vulnerabilities. And what is that we need to tighten within the internal process, right? So that is extremely critical because we are a mid-sized company who is going through a hypergrowth, right? So we're not, we don't have like a CISO org. Like the maturity of the CISO org is very different compared

(19:41):
to like a F1000 or G2000 company who we serve. But us as a company, we look at security a little differently, right? So, really, depending on the maturity, the internal process might look a little different as well. Where you will have to contribute from a CFO standpoint, like what are you seeing? What are the vulnerabilities you're seeing? And how I think about as a finance leader is everything you

(20:03):
touch is extremely sensitive. So if you think about the finance org, we have access to all the customer data. We have access to all employee data, we have access to our financial data, right? So there's nothing that we don't touch that is highly sensitive. So, how are we taking responsibility today as a team and working alongside our CIO or CISO to be able to protect our

(20:25):
architecture is going to be extremely important, right? So there is a sense of responsibility that comes with that power to access these data. So I think that's extremely important to understand. So that's where I come in from a spokesperson standpoint on why security is important internally. Now, from a go-to-market standpoint, I think it's

(20:45):
more of a stakeholdership rather than telling them like, okay, this is how the go-to-market strategy should look like. It's more of a how do we message as a financier? How do we message that resonates with the other finance leaders in the community? Because finance CFO, finance leaders are a critical part of a buying committee, if you think about it, right? So are they aware of the problem on why they should buy a

(21:09):
security solution? So, how are you making them aware of the problem that should resonate with them technically, right? Like because they have access to all these data at a highly regulated, sensitive kind of uh industry, they should be able to articulate why security products should be structured in a certain way and why they should partner with the CISO

(21:32):
org.

Rajiv Parikh (21:33):
So to prevent the churn and implementation debt caused by many AI pilots, some of which are going or reset or whatever, what's your break glass finance mandate that you would set for the go-to-market team to ensure that their AI-first marketing promises are backed by scalable, governed, and production ready product, guaranteeing minimum time to value for the customer?

Chithra Rajagopalan (21:53):
Absolutely. So, us as a company, we have invested quite a bit in our TAM organization, technical account management, right? So, how going back to the discovery of pain points, that's where you'll find the outcomes you want to drive. Are you able to identify? Is your team able to sit down, have a good discovery call, and identify what is the pain point that your customer has that we

(22:15):
need to check off as part of the implementation? Of course, there is plug and play kind of models, and that should work. But at the same time, if you want to have consistent adoption of your product, you need to be able to deliver it that outcome. And sometimes it's not as simple as putting it into one of the abbreviation, right? Or SSPM or ITDR. Like you really need to know what the pain point is and kind

(22:37):
of like provide them guidance on what the solution might look like. We have customers who come to us, oh yeah, we just need posture configuration. But as we talk to them, oh, they're like, oh no, I need threat detection as well. I need browser extension too. I have shadow AI problem and phishing problem. So we kind of end up discovering a lot more, which is extremely critical, right? So then really tying back to the outcomes and really tying

(22:58):
back to what a CISO's goal is, what is that they are reporting on? What is important to them is extremely critical to understand. So I would say that is kind of the break glass, I would say expectation I would set. Like having that discovery call with the prospect is more precious than anything.

Rajiv Parikh (23:16):
That's awesome. So, Vamshi, this leads right to the next one. So, in a market saturated by expensive security platforms, what's the single most counterintuitive element of pricing or packaging? So it could be related to usage, scope, outcome that you would recommend today to compel a buyer to recognize platform value and move beyond the perception of security solely as a necessary cost center?

Vamshi Sriperumbudur (23:36):
I'd say give it away, you know, trial. And by that I mean free trial for a couple of weeks for a month for a scope of capabilities, freemium free trial. Free trial tends to work really well because they have the full capabilities for a short period of time.

Rajiv Parikh (23:49):
So this is a PLG motion.

Vamshi Sriperumbudur (23:51):
Exactly.

Rajiv Parikh (23:52):
Even further, like my friend Bill Mesaidos, who's been on the show, right? He's like, you have to let people try it first.

Chithra Rajagopalan (23:57):
I mean, even if it's not PLG, it's still like you're giving them early access, a free access, right? We you don't have to have it as a PLG, but you can still have a freemium model where, I mean, even if we think about our own buying behavior, we want to do POVs and freemiums, right? Before we commit to something.

Rajiv Parikh (24:14):
So you would say, Vamshi, go out, let them try it first.

Vamshi Sriperumbudur (24:17):
Yeah, unleash it, right? I think uh when you have, you know, whether you are a best-of-breed technology security provider, startup, or a large organization, Palo Alto Networks, etc., right? I think PLG motion has a lot of power, product-led growth, free trial is definitely an avenue of doing this. And but there are some critical factors, and I'll provide an example as well, Rajiv.

(24:37):
So friction-free sign up is absolutely important. When someone's signing up, you know, just take the friction out of the system, make it really easy for them. No credit card, no need for three days for someone, some team in the back end to approve that you actually have the access to the system, etc. Right. So that's number one. And the trial can be defined in a number of ways.

(24:59):
It could be a sandbox environment where you're just actually entering in to play with the product with some test information, some demo information, et cetera. It could simply be a product tour in some cases. This is a real product, but set up in an environment with some guardrails.

Rajiv Parikh (25:15):
Right. Because sometimes it's getting into their environment, right? It's not just an overview or not a defense layer. It's actually inside their system. So you can't necessarily give them a free trial without impacting things dramatically.

Vamshi Sriperumbudur (25:28):
Without some checks and balances.
So I think the whole notion of free trial or a product-led
growth is to get to the aha moment.
What is that aha moment?
And I'll again provide the example, but in security, it's
the aha moment is about visualization.
You can quickly show a visual.
And it could be different things for different technology
products, but in the context of AI security, visualize what

(25:50):
is shadow AI, what is actually provisioned, so on and so
forth.
So get to that ASAP, right?
So for you to get to that, then you obviously need to make it
easy to sign up and then show it on a sandbox data or a demo
data.
Now, then you can say, hey, you know what?
The prospect has experienced the product, click through uh,
you know, my storyline or WalkMe demo or click through

(26:14):
my actual product with some help on it.
Then you have a product qualified lead.
At this point, the sales team can pick up the phone and say,
Hey, you know, it seems like you had a chance to review our
product, its UI, its capability, et cetera.
Can we set up some time to walk through a demo?
Or, you know, I think as Chithra mentioned, uh, have a
proof of value, proof of concept set up.

(26:34):
Because for you to do that, you need to get into their
environment.
And Rajiv, you also mentioned, right?
So you need to have their API key, you need to have their
cloud environment, whatever other credentials that are
needed for this, your AI security product to get into
your customer prospect's environment and do that scanning
and show not a visual of a sandbox information, but the
actual information.

(26:54):
Of course, once you show the visual, then there is uh, you
know, setting up policies, et cetera.

Rajiv Parikh (26:59):
Yeah, so you may have a situation where, on one
case, you can let them just completely try a solution,
right?
And showing the defense and give them a report of how it
worked and how it was better than something else.
In another case where it's more difficult to change elements in
their environment or may not want to touch production data,
you have a sandbox of outside data or dummy data.
Then maybe the next step you have is where you actually say,

(27:22):
Well, let me have a subset of your environment or subset of
data, and then they can try it there, right?
So you're segmenting it, like you said, like this is your
product qualified lead.
Knowing you, you've thought of multiple segments of it so that
when you go back to the CRO or going back to your, you know,
any of the whole team, you're showing them how people are
getting through to justify investments.

Vamshi Sriperumbudur (27:41):
Exactly.
And it is end of the day, the customers don't care whether
you're sales, marketing, finance, what have you.
They are like, okay, you're Palo Alto Networks, you're this
company, et cetera, right?
So they are interfacing with the organization, your brand.
So you want to have in the back end, of course, from your
go-to-market team perspective, technology, you want to have a
seamless handoff from the product and the marketing guys,

(28:03):
working obviously with the rest of the go-to-market team, but
seamlessly capturing the customer's interest in a
product, the product tool, the sandbox environment to a product
qualified lead where the BDR, the sales team picks it up and
then goes into a POC, et cetera.
But it has to be seamless.
And they know the journey, the buyer's journey, PLG journey, is

(28:24):
seamless from a customer or prospect standpoint.
So it does require a tight cycle between product marketing,
sales, sometimes additional organizations involved.
I think you also mentioned another part where your aha
moment is not a product tour, but the aha moment could be a
report, an audit report.
So I'll give you an example.
I was a CMO at Qualys.

(28:50):
One of the things that we did was so it's about attack
surface.
We talked about attack surface.
So there is a couple of products that we have,
portfolios that we have called attack surface management in the
category of external attack surface management, internal, et
cetera.
So we can actually do a little bit of a report on the prospects
based on whatever is publicly available and show that report.
And that audit report is like an eye-opener.
(29:13):
And the two things that I want to mention, and just in the
whole context of PLG.
One is the person who is reporting, receiving this report
from us, the technology vendor, security tech vendor, can
actually internally distribute and get an idea.
And then the other portion of it is use that to engage in a
conversation.
Now that conversation can lead to a lot of additional steps, a

(29:34):
POC, what have you, right?
That is that artifact.
In case of purely PLG, also, right?
When I am a security engineer, I'm a network engineer,
DevSecOps persona, a number of these personas within the buyer
group, if you will, for security.
When I have played with your product on a sandbox
environment, now I want to put in my credentials for you to

(29:55):
scan in my environment.
It's not my decision alone.
Now I need to get on a device.
I have a sec ops person.
I need to get my security engineer.
I need to get my admin.
Us, we need to discuss and say, okay, let's bring this in and
then play.
So it's not just a one-person decision when you're playing
with it.

Rajiv Parikh (30:11):
It's a buying group decision, right?
And Chithra talked about it earlier, right?
The CFO is part of the buying group, right?
There's a huge buying group decision.
So when you're thinking about that buying group and putting it
together, are you mapping that out from the beginning?
Like here's what it's likely to be, and then experimenting on
it.
Is that how you think about it?

Vamshi Sriperumbudur (30:29):
Yes, 100%.
100%.
Because I think we can talk about buying group in a purely
from a demand generation perspective.
But here we're talking about mid-funnel to bottom funnel
customer touching the product.
And you know, you're literally solving the problem or the
sampling them on how the problem can be solved.
Absolutely important in terms of who you want to be playing

(30:50):
with the product.

Rajiv Parikh (30:51):
So maybe you say there's like minimum viable
persona segmentation.
You've done this for multiple firms as a CMO, right?
Multiple security firms.
How do you think about that?
Right.
You're doing it from a go-to-market point of view, and
then you're going from an after-implementation point of
view because you also want cross-sell upsell.
So take me through it, help me understand it.

Vamshi Sriperumbudur (31:09):
Oh gosh.
So this is an exciting point.

Rajiv Parikh (31:11):
But not a half an hour discussion.

Vamshi Sriperumbudur (31:13):
Do it in like two minutes.
Two minutes.
It's ICP, two words, ICP and persona.
So again, working with finance and sales, et cetera, right?
Go-to-market peers, you know, making sure that I have the
right accounts that I'm going after, my team, right?
Intent signals from 6sense, Demandbase, engagement signals,
competitive signals from organizations like edues.
I'm talking about enterprise sales motion.

(31:34):
Once I have that, then I've got 5,000 prospects that I'm going
after.
That's my target account list.
Because I've done all the filtering, geography, right
intent, right engagement, what have you.
Then I need to make sure we talk about buyer group.
I have the right buyer groups.
Because if you think about buyer groups, you've got, I
mean, MEDDIC methodology.
There's so many sales methodologies, and marketing
needs to meet them where they are, right?
So there is in Challenger, et cetera.

Rajiv Parikh (31:55):
There's a million sales methodologies, but in
general, you're looking at stages of how you buy proof
points.

Vamshi Sriperumbudur (32:01):
Correct.
And then within buyer persona, particularly buyer groups, there
is something called an economic buyer.
This is the person who's responsible for signing the
check.
But then they are not, they don't use the product.
A CISO doesn't use the product every day.
CIO doesn't use the product every day.
Typically, it's used by a practitioner.
So these are influencers, the security engineers, et cetera.
And then there's some folks who actually are gatekeepers and

(32:23):
call them gatekeepers.
It's not, it's a harsh word, but you got to make sure that
they're happy.
The procurement team, the finance team at our customer
sides, right?
Making sure you're in the Gartner MQ leadership, making
sure you're able to price it right, making sure there's a
number of other things that they care about.
You're in the approved vendor, so on and so forth, right?
So these are different personas.
So when you qualify a lead in throwing it over the fence to

(32:45):
sales, that's not enough.
You need to make sure that your minimally two or three of your
buyer group of handful of buyer different personas are met so
that the sales can now not only set up a meeting, but have
advanced conversation to a POC, then to a court, and then
getting it further, right?
So to me, that is the critical aspect of an enterprise sale.
Treat your customer just like you have sales and marketing,

(33:07):
treat them as a group and then work through those buying
motions that way.

Chithra Rajagopalan (33:12):
And one thing I would call out on that
is like think about your practitioner versus your EV,
right?
If they are not aligned, that's when your product is not
adopted.
So this is why post-sales also comes into play.
But at the same time, the alignment, your sales team along
with your marketing team, should be able to make sure,
kind of like, how do we get those early signals of that

(33:34):
alignment within that core?
Because for a large company, like if practitioner or
whoever's doing the implementation comes like, I
don't have time for this, I don't have resources for this.
So then you have a product that's sitting that's not giving
any value to the customer.
And when it comes to renewal, it's a very difficult
conversation, right?
This is why understanding your persona at which you're and the
buying committee, having a real understanding of who you're

(33:55):
selling to and what you're selling is going to be extremely
important.

Rajiv Parikh (33:59):
From a financial perspective or just as part of
the senior group at the company, are you guys tracking to that
to see that, well, when I make that deal, you know, everyone
wants to celebrate making the deal, right?
But that really the deal is about the satisfaction,
cross-sell, upsell growth.
Are you looking at those factors too, helping your
go-to-markets team with that information?

Chithra Rajagopalan (34:18):
100%.
That's where the post-sales metrics and how we are thinking
about what are they touching?
What in the product are they finding helpful?
Like who are the admins that are logging in?
Like how much is the usage and adoptability happening?
Like the outcomes that we discovered or aligned to during
the selling process, are they getting checked off?
Is QBR happening?

(34:39):
So there is a whole another element and world that needs to
function.

Rajiv Parikh (34:43):
Do you have like a general number or rule of
thumb?

Chithra Rajagopalan (34:46):
Like if they don't do this, I would say
that's very, very business specific, but I would say, like
in general, like if you think about like, are the right people
logging in?
Like how many times are they coming in?
And what are they looking at?
Are they adopting or are they exploring areas that they said
that were important?
If you're not, how do we guide them?

Rajiv Parikh (35:06):
That could be your customer at risk, right?
So it's a part of the overall assessment.
Yeah.

Chithra Rajagopalan (35:10):
Exactly.
That's ultimately defining what the health of that customer is,
which then gives you early indication of whether there's a
churn risk or not.
Or maybe at the end of the day, this is where a TAM
organization would add so much value because maybe they
discover new things, which becomes an upsell opportunity.
So how are they transferring that information back to the
sales organization and the reps to be able to kind of have that

(35:31):
seamless conversation with the customer?

Rajiv Parikh (35:33):
And you've done some pretty big fundraising
rounds.
When you do the later stage rounds, do the investors demand
that data?

Chithra Rajagopalan (35:39):
Not in that sense, because if you think
about your NRR and GRR, ultimately that's what cries the
most, right?
Like if you're not able to show a NRR percentage going up.

Rajiv Parikh (35:48):
Net retention revenue, gross retention
revenue.

Chithra Rajagopalan (35:51):
Yes.
So that is a huge indicator.
And that married along with the gross margin percentage should
be able to tell you in what healthy way you're able to kind
of look at the magic number, look at like the retention, look
at churn.
Like it gives you very early signals of how light your
product is, how sticky your product is.

Rajiv Parikh (36:09):
That's what really matters.
So now I'm gonna have us jump into opinions about security.
So for this segment, we're diving into the turbulent world
of security services where the stakes are measured in billions
and threats are evolving by the minute.
For global enterprises, digital security is no longer a
checklist item.
It's a core competitive battleground.
But how are we spending those massive security budgets?
Are we winning the war or just investing in an illusion of

(36:31):
safety?
So we've compiled some controversial opinions that
challenge the industry's biggest sacred cows.
So here we go.
I'm gonna ask the question and just give me a quick response to
it.
Okay, so we're gonna talk about zero trust, right?
Zero trust is the notion that you are taking everything from
the point of view that it has been hacked.
Not just could be hacked, it has been hacked.
The ideology of zero trust is a fiscally irresponsible fantasy

(36:55):
for global enterprises.
The cost of implementing and rigorously maintaining universal
authentication and micro-segmentation across legacy
systems, vast global networks, and a diverse vendor ecosystem
will always exceed the economic benefit of minor risk reduction.

Chithra Rajagopalan (37:11):
I think for me, like when I think about
zero trust, it's for many organizations, zero trust does
make sense if it's done well or phased properly or have like
measurable outcomes for kind of like aligning back to the
business risk, right?
But zero trust, depending on it really depends on the
organization size and the complexity of what you're
dealing with.
So attackers are no longer like breaking in, they're logging

(37:33):
in.
And once inside, they're blending in, right?
So traditional identity tools built on on-prem, like they
can't detect like SaaS-native threats, like token theft or
third-party integrations, malicious third-party integration,
or even like token hijacks or session hijacks.
So even zero trust models will fall short when attackers use

(37:54):
valid credentials or like bypass MFA.
So it's just one part of the solution.
Just because you have zero trust, that doesn't mean your
entire surface area, kind of like the attack surface area, is
now secure.
So I would say like it's just a part of the problem, not the
entire problem.

Rajiv Parikh (38:11):
Okay, so you're not just saying that zero trust
or nothing, it may not even be about zero trust.
Yes, exactly.

Vamshi Sriperumbudur (38:17):
Great answer.
Vamshi.
I think for large enterprises, zero trust is an absolute must
framework.
Define it right, right?
Zero trust.
By nature, basically, you don't trust anything, anybody.
So you, in case of secure access services, you're not
trusting the user who got access to your application today is
actually going to have the same access tomorrow, or the act, the
amount of access he or she or they have will change over time,

(38:39):
right?
So you're continuously checking trust.
Uh, that's in the access aspect.
In terms of uh identity, that's in yet another zero trust,
network, zero trust, data, zero trust, access to data.
And now I know Chithra talked about this as well, which with
agents now there is so much emphasis on zero trust before
somebody gets into your network, right?

(39:00):
Into your system, into your periphery.
But once they are in, there is a lot of lateral movement that's
very dangerous, right?
So, how do you contain, let's say, if there is a breach?
And in the world of agents, agents talking to agents, this
is absolutely new world that we are stepping into.
And zero trust principle is absolutely important in terms of
your agent having access to another agent and that all the

(39:22):
integration happening, and these are non-human identities.
How do you manage that?
So, having a framework of hey, zero trust, then apply to
various points of data, network, agents, AI agents, that is
absolutely required.

Rajiv Parikh (39:34):
Great.
Thank you for that.
Next question: Mandatory breach disclosure laws are a greater
threat to a company's financial stability than the breach
itself.
These regulations force companies to prematurely reveal
vulnerabilities and competitive information to rivals, making
the legal and PR fallout the primary motivation for hiding
attacks.

Vamshi Sriperumbudur (39:53):
Vamshi, you want to take a shot at it?
I'm very much in support of breach disclosures.
This is absolutely important.
It's not about the technology vendor anymore.
It's not about the customer of the company that has a
breach anymore.
It's about their customers, it's about their partners, it's
about consumers.
This is absolutely important to not only report it so that
while you, who is a factor, is taking care of what needs to be

(40:16):
done, the customers, the partners, the consumers are also
doing what they can.
This is sharing information absolutely required in my
opinion.
Chithra, you're willing to take the stock yet?

Chithra Rajagopalan (40:26):
Absolutely.
So I think I'm totally aligned with what Vamshi said.
There should be an incentivization for improving
security investment.
So and I'm gonna take it up one more level and challenge that
there is also a vendor responsibility aspect to this.
So as vendors and consumers, we need to up our standards on
what security standards should be, right?
So today, if you think about vendors out there, security or

(40:49):
not, right?
Like the settings and permissions are so different,
app to app.
Like it's so hard to make it consistent from a risk
management standpoint.
Even API configurations and access to APIs, right?
And that'll worsen the posture, not having proper logs or like
not being able to really investigate threat and response.
So this is a collective effort.
And to Vamshi's point, it's like the customers, it's about

(41:11):
the partners, it's about the vendors.
So it's about like us coming together.
And given the AI situation in this, like the problem area is a
lot more amplified.
So I think us as an industry, I think we should all come
together.
Our security leaders should all come together and have an
understanding, even with the vendors, to have like a baseline
expectation.
This will help security vendors like us, like Palo Alto or

(41:35):
Obsidian, really provide maximum value to the customer
environment.
So I feel like this is a joint responsibility where it's not
about the disclosure, it's about how are we taking the
information we need to come together and kind of like help
elevate our standards.

Rajiv Parikh (41:50):
It's not a competitive thing where you're
like celebrating that one of your competitors, you know, got
hacked or one of your competitors' products got
hacked.
It's about this is an industry problem.

Chithra Rajagopalan (41:59):
And shame on us, right?
If you're not able to figure it out, because it's not like
attackers are gonna go back.
They're gonna get more and more intelligent.
They're gonna come up with creative things to, you know,
like have a breach.
So, how are we elevating ourselves is the biggest
question.

Rajiv Parikh (42:14):
Great one.
Okay.
Next one.
Global enterprises are overcomplying with redundant
country-specific regulations like GDPR, CCPA, CPRA.
These excessive regulatory burdens consume so much budget
and development time that it stifles true digital innovation
and makes the business slower than its less regulated

(42:36):
competitors.

Chithra Rajagopalan (42:37):
If you think about like breaches,
right, like breaches always follow data and regulations
always follow a breach.
So technically it's inevitable, detail, that our data exposure
will get tricky.
So, yes, compliance might be expensive, but it's also forcing
us to modernize our data management, right?
Or improve transparency, buildcustomer trust.

(42:59):
So these are like prerequisites for a long-term investment and
innovation.
So the goal here is to optimize compliance, not resist it.
Like use it to scale your technology landscape, especially
like when we deal with our customers who are like from
highly regulated industries like finance or healthcare.
It's actually a necessity, not a burden.
So if you think about non-compliance risk, like fine

(43:20):
lawsuit or reputational, it's actually far more risk uh
expensive.
So treat this compliance efficiency or requirement as a
competitive advantage.

Rajiv Parikh (43:28):
You don't see it as a patchwork.
One country is this, another region is this, one state is
this.

Chithra Rajagopalan (43:33):
Yeah, because at the end of
the day, like this is an evolving space, right?
Like, and how you kind of like go to market is also going to be
challenged.
And how you're kind of like what kind of data you're dealing
with, who's consuming the data, what kind of data are you
extracting will be different.
But of course, at the same time, you want to have like a
standardization of these things.
But what I'm trying to say is like as we kind of like evolve

(43:56):
in the space, you will see a lot of curveballs being thrown at
you, whether it's from a regulatory standpoint.
But how are you using that as a competitive advantage is
probably the question I would ask.
Because at the end of the day, that's how you're building
customer trust, whether you like it or not.

Rajiv Parikh (44:10):
So, Vamshi, does this help you make better
product?

Vamshi Sriperumbudur (44:14):
So I think it does, because I think end of
the day, CISOs at the world's largest organizations, CIOs,
right?
They want to go above and beyond CCPA, GDPR, data
sovereignty requirements.
There's so much about compliance.
Because I think those are table stakes.
The moment something becomes a compliance, it's happening
everywhere.
And you want to, you know, curb that issue in a tech, you know,

(44:34):
a particular region, et cetera, right?
In a particular industry segment, SOCs and Sarbins, I
don't come GLBA, et cetera, right?
In financial industry, et cetera.
So that's to me, these compliances are table stakes.
CISOs and CIOs aim for something higher than that in
terms of having security, et cetera.
So that is absolutely important.

Rajiv Parikh (44:51):
Then the benefit in yours goes to the companies
that have real money, just you know, have significant money to
spend, can afford it.
What about the startup ecosystem?
Like it's no fun getting one of those FedExes from an attorney
making up a case about someone that you know you're supposedly
stealing information from.

Vamshi Sriperumbudur (45:08):
So it depends, right?
To me, it's about who are you serving.
You may be a startup, but if you're serving the world's
largest organizations, Fortune uh 500, Global 2000, what have
you.
They have offices globally, presumably.
Most organizations do, right?
Retail, healthcare, or what have you, utilities, financial
services, more so.
Then you need to comply with what they will comply with.

(45:29):
So that's kind of what it comes down to.

Rajiv Parikh (45:31):
Because it's global, you have to nail it.

Chithra Rajagopalan (45:33):
So we are a great example of that, Rajiv,
right?
Like our core ICP, our bread and butter is F1000, G2000
customers, right?
And we are a startup ourselves, but then we are like kind of a
mid-sized company, I would say.
But we have to be extremely strict about how we think about
compliance to be able to serve our customers who are in highly
regulated industries.

(45:53):
So we don't take that lightly.
So for us, that is a pride for us that we are compliant and we
are able to give the maximum trusted experience for our
customers.

Rajiv Parikh (46:02):
That's great.
And I'll say that I was using it to push you guys, but even
for a company of my size, we are signing up for all the
appropriate certifications, whether it's ISO 27001 or SOC 2
or for the medical industry, HIPAA, because you want to make
sure that your clients are whatever we're building for them
as well secure.
So let me go to the next one.
Here's an interesting point: internal corporate security

(46:23):
teams are structurally incapable of keeping up with global
threats.
For any enterprise over a billion dollars in revenue, the
only viable and responsible model is to fully outsource 90%
of detection and response to managed security service
providers or MSSPs.

Chithra Rajagopalan (46:39):
Yes, of outsourcing detection response
to MSSP.
Yeah, financially efficient, operationally pragmatic.
But I don't think 90% of outsourcing really seems
responsible, in my opinion.
I think cybersecurity is a core enterprise risk.
It's not an IT function.
It's not like, oh, okay, this is my problem.

(47:00):
No, it's an entire company problem.
So it requires an internal oversight or accountability or
governance.
So I think the right approach, I would say, is more of a
co-sourcing, right?
Like if you leverage the MSSPs for like the scale and certain
expertise, but retain like that strategic control or the
compliance ownership and all the high value incident decision

(47:22):
making in-house.
I think this is where different security vendors can also be
extremely helpful in kind of like scaling that model, which
still keeps the core intact.

Vamshi Sriperumbud (47:31):
Interesting.
Vamshi?
Yeah, I know.
I think look, it security takes a village and you can never
have enough because the pace of innovation, AI, we talked about
a lot, AI agents and how adversaries are good.
So whether you're a security, large security vendor, and
you're eating your own dog food, securing your own, you know,
network, data, applications, etc., or you're a large

(47:54):
organization in a highly regulated industry, it does take
a lot of people, process, and technology.
Let's put it this way.
Your internal teams to be upskilled, your security
personnel, all your entire team needs to be upskilled.
Would you suggest a mix, or do you think fully or mix?
It's a good mix.
I wouldn't say what is the right mix because it depends on
the company, depends on the vertical geography, et cetera,

(48:17):
and size of the company, also, right?
But it is something between the CISO and CIO.
And let's put it this way: CISOs, in some cases, their
conversations are board-level topics.
And for that reason, this is like overarching.
It's not just your employees and your partners, it's about
shareholders, everybody, right?

Rajiv Parikh (48:33):
Yeah, and you know, just like anything, like
there's always the legal impact, especially for the largest
companies.
As soon as you know that you are at risk, you are a subject
to lawsuits, right?
And I'm sure that's a method of selling too for security firms.
So this is really helpful.
So, folks, welcome to the Spark Tank.
Today on the Spark Tank, we are joined by two leaders who excel
at maximizing scale, value, and strategic impact.

(48:55):
Vamshi Sriperumbudur, global CMO for Prisma SASE at Palo Alto
Networks, and Chithra Rajagopalan, head of finance at
Obsidian Security.
But for now, we're setting aside enterprise security and
financial resilience to explore the wild side of disruption.
Hilarious hacks.
We're not talking about productivity tips, we're talking
about the brilliant, ridiculous, or sometimes just

(49:17):
plain absurd things that computer hackers have done,
often with a sense of humor.
So here's the deal.
I'm gonna read you three statements.
Two of them are absolutely true and functional.
One is a complete fabrication designed to sound just plausible
enough to make you doubt your own common sense.
So the way the game goes is I'll count down three, two, one,
and you both reveal your answers simultaneously.

(49:39):
So are you ready to separate genius hack from absolute fluff?

Chithra Rajagopalan (49:42):
Yep.
Ready.

Rajiv Parikh (49:44):
All right, good, good.
Here's number one.
This is the game.
We're gonna see who can win this, who can find the lie.
Question one.
In 2021, students in Cook County, Illinois hacked every
classroom projector and public address system to orchestrate a
school-wide Rickroll with hundreds of screens playing
Never Gonna Give You Up in perfect sync.
That's number one.

(50:05):
Number two, a clever prankster once changed all the road sign
traffic alerts in New York City to display the message caution
penguins crossing for an entire afternoon during rush hour.
And number three, a hacker compromised the printers of
150,000 businesses worldwide, causing them all to print out,

(50:25):
for the love of God, please close this port with a little
robot cartoon as a warning.
All right.
So first is the never gonna give you up.
Next is the penguins crossing, and third is the printer one.
Ready?
Three, two, one.
All right.
Vamshi's two, Chithra's three.

Chithra Rajagopalan (50:46):
Yes.

Rajiv Parikh (50:47):
Okay, so this one is two is false.
While the road sign hacks have occurred, usually a warning
about zombies or raptors, penguins crossing signs weren't
reported in New York City.

Chithra Rajagopalan (51:00):
So it's close.
I heard about the news about road signs being hacked.
It's happened.
Not for penguins.
Technicality.

Rajiv Parikh (51:09):
Technicality.
This is the game.

Vamshi Sriperumbudur (51:11):
Yeah, with the gut, which one has the
threat analysis, which one has the most impact?

Chithra Rajagopalan (51:15):
But it has happened.
Yeah, I remember reading about this.

Rajiv Parikh (51:18):
It's definitely happened.
So number one is true.
Four students exploited weak default passwords across the
school's tech systems, pranking thousands of classmates and
teachers, then responsibly reporting their findings in a
26-page security memo.
And number three, a hacker that's also true, sent out
custom funny warnings by accessing exposed internet

(51:38):
connected printers starting in 2017, reminding owners in a
cheeky way about cybersecurity flaws.
So these are all off the wall.
I don't get them right.
So that's why I don't play anymore.
So, okay, question number two.
Number one, a notorious prank group once locked users out of
their computers unless they beat the game Tetris in under one
minute.
Those that failed had the desktop automatically filled

(52:02):
with quote 404 cat videos not found.
Number two, in 2011, British cyber agents replaced Al-Qaeda
bomb-making manuals online with a recipe for mojito cupcakes in
an op called Operation Cupcake.
And number three, hackers exposed a flaw in Lenovo's
website, redirecting visitors to a prank page full of bored

(52:25):
teenagers and High School Musical songs to shame the
company's bad software.
Okay, so one is the Tetris game in one minute.
Number two is mojito cupcakes, number three is the Lenovo flaw.
Ready?
Three, two, one.
You both selected two, and it is not the cupcakes.

(52:50):
That is true.

Chithra Rajagopalan (52:51):
What?

Rajiv Parikh (52:52):
Okay, what did we what was it?
MI6 waged a bake-off against terrorists by swapping bomb
instructions for cupcake recipes.
Crazy.
A playful win for British intelligence.

Vamshi Sriperumbudur (53:03):
Hmm.
Interesting.

Rajiv Parikh (53:04):
Crazy can be true.
And number three is also true.
The Lizard Squad hacked Lenovo's domain to show humorous
images and silly music, targeted its controversial ad
software, Superfish.
And number one is false.
There's no verified ransomware requiring Tetris speedruns.
But you know, a cat video would be funnier than most malware.

Vamshi Sriperumbudur (53:25):
I was thinking maybe it's a
possibility because Yeah, exactly.

Chithra Rajagopalan (53:28):
It seems pretty doable thing.

Vamshi Sriperumbudur (53:30):
Yeah, when you lock a computer, how would
you play Tetris unless it's a screensaver game?
Which I mean, I don't think it's possible.

Rajiv Parikh (53:37):
So I kind of like that one.
So maybe somebody will let them down.
But it would she would really freak me out.
Okay, here's question number three.
So far, Vamshi's in the lead by one.
And I think this could be the last answer.
So what I'm gonna do is whoever gets this one gets two points.
So Chithra, if you happen to get this and Vamshi doesn't get
it, you have a chance to win it all.
So here we are.

(53:58):
Number one, a British prankster hacked a smart billboard in
London to display free kittens at 2 p.m.
every hour, causing dozens of hopeful animal lovers to descend
on Piccadilly Circus.
Number two, the pizza hacking gang breached Domino's UK
servers and replaced all menu photos with real images of

(54:20):
pineapple on pizza, sparking outrage that reached parliament.
And number three, security researchers implanted a
Wi-Fi-enabled USB device called Peg Leg into their own leg so
they could literally smuggle data under their skin across
national borders.
Okay, so it's either the free kittens at two in London, the

(54:43):
pizza hacking gang, pineapple on pizza, or number three
implanting USB devices into your own leg.
Ready?
Three, two, one.

Chithra Rajagopalan (54:57):
Three?
Uh why?
The first two definitely feels doable.
Doable?
Yeah, no, three seems USB device.

Vamshi Sriperumbudur (55:08):
Yeah, you can like peg leg a USB device.
I mean, I haven't seen a USB device.

Chithra Rajagopalan (55:12):
Why a USB device?

Vamshi Sriperumbudur (55:14):
I haven't seen one in ten years.

Chithra Rajagopalan (55:16):
So yeah, exactly.

Rajiv Parikh (55:17):
Well, the answer was the false one was number
two.
Oh, that's crazy.
Oh my god.
Pineapple on pizza.
Oh no.
Pineapple pizza.
While menu hacks are real and pineapple pizza is
controversial, there's no record of Parliament weighing in on
hacked Domino's images.
So menu hacks are real.
The peg leg one.
So this is the peg leg implant created by biohackers.

(55:41):
They could store Wi-Fi data and was surgically embedded,
pushing the boundaries of personal gadget security.
And even I asked about it.
Was this embedded?
Was it on the skin?
The biohacker was named Rich Lee, and he aimed to show that
data storage and transmission devices could be hidden within
the body for privacy, personal security, and a sheer
demonstration of what was technologically possible.

(56:02):
It sounds crazy and it's true.

Vamshi Sriperumbudur (56:05):
Yeah.
Imagine if humans can do that, what can agents do?

Rajiv Parikh (56:10):
Pretty good.
So great job, guys.
This was a tough game, but I hope you had fun.
And Vamshi, you can walk away and say you got the win, and I'm
sure it's your thrill will make you buy the next drink.

Vamshi Sriperumbudur (56:20):
Let's put it this way if you're in
security business, you're winning for your customers.
You're winning.

Chithra Rajagopalan (56:26):
Exactly.
Our product team is like frantically taking notes right
now.

Rajiv Parikh (56:30):
All right, let's talk about some great personal
things for both of you.
So I'm just gonna go back and forth and ask you just a quick
question and come out with just whatever comes off the top of
your head.
Vamshi, what's something you're surprisingly good at that
has nothing to do with your career?
And how'd you discover this hidden talent?

Vamshi Sriperumbudur (56:46):
Oh wow.
So let's say my ability to DVR in a conversation.
So sometimes I may have not paid attention and sometimes it
helps in a social setting.

Rajiv Parikh (56:59):
That's your hidden talent?
Yes.
You must spook your wife, right?

Vamshi Sriperumbudur (57:02):
With that, doesn't work 100% of the time,
but it gets me out once in a while.
Yeah.

Rajiv Parikh (57:10):
That is a hidden talent because I'm totally tuned
out when I'm tuned out.
Okay, Chithra.
If you had to choose a theme song that plays every time you
walk into a room, what would it be and what energy are you
trying to bring?

Chithra Rajagopalan (57:20):
Okay, so I love songs.
I'm from South India.
So there is this random rap artist, very like
underappreciated, I feel.
So he has a song called Tamburadi.
It literally means queen.
So I totally walk into rooms with that playing in the
background.

Rajiv Parikh (57:35):
Oh, I like that.
Vamshi, what's a time when someone showed up for you in a
way that completely changed how you think about showing up for
others?

Vamshi Sriperumbudur (57:44):
I think it's not just someone, it's
almost like everybody.
So I'll just say this.
And Paul Aldener was when I joined.
I ask a question and I get a response within two hours,
sometimes 20 minutes, sometimes immediately.
And I have like very broad-ranging questions.
So to me, I think that speed of response was amazing.
And I really appreciated it.

(58:05):
And I cultivated some of that as well.

Rajiv Parikh (58:07):
That's amazing.
Yeah, that's a super fast responsive in a company.
It's a great way of showing that you care and showing that
it matters.
Okay, Chithra, if you could be guaranteed to be really good at
one thing that you're currently terrible at, what would you
choose?

Chithra Rajagopalan (58:22):
Oh, I love this question.
It would be swimming.
I'm terrible at it.
Yeah, like growing up, the only outdoor activity I did was
shopping.
So I would love to swim.

Rajiv Parikh (58:32):
Pro shopper, not great swimmer, but want to swim.
You know, it's funny.
When I go to India, every pool is max depth four and a half
feet.
Exactly.
So you get the point.
And then when I go to the beach, if there's any hint of
tide, they won't let you go in any any higher than your your
ankles.
So it's ridiculous.

(58:53):
So you're not the only one.
Okay, Vamshi, what's a mistake you made that taught you more
about yourself than any success you ever had?

Vamshi Sriperumbudur (59:02):
I think early on in my career, you know,
in marketing aspect, kind of, you know, the enthusiasm to talk
about us and our offerings was a lot versus kind of doing a
little bit of, and these are the the conversations at a at an
event offline, et cetera, versus talking to the customers,
prospects about, and even partners about what do you do.

(59:26):
And then that actually gives you the information to bridge
versus like, okay, I'm doing this and this is what I do.
Like it doesn't matter.
So value of a conversation is a lot more when you actually
learn about somebody and then be contextual.

Rajiv Parikh (59:39):
Yeah.
Flip the script, right?
You don't need to give everybody the answer.
You need to talk to them first, understand them.
Chithra, if you could give your team, whether it's current,
past, or future, one gift that's not money or time off,
what would it be?

Chithra Rajagopalan (59:53):
I think it would be gift of being resilient
as a human being.
It's a very underappreciated skill, I feel.
Like we're going through so much, whether it's personally or
the world, but being resilient, having a sense of gratitude.
I think that's what I would get.

Rajiv Parikh (01:00:07):
I love that.
That would be an incredible gift.
Thank you both for joining me today.
I think we had a really illuminating discussion about
security and the unique challenges of building security
products and marketing them and getting them to market and
thinking about how you measure the metrics around it.
So I really thank you both because you both have so much
experience in that area and you're hitting it from multiple

(01:00:28):
angles.
So I really appreciate it.

Chithra Rajagopalan (01:00:29):
Thank you very much.
This was great.

Rajiv Parikh (01:00:32):
Yeah, and it's also great to get to know you
guys.
Thank you.
I have about three takeaways from this.
And one is how important security is to what we're doing
and how easy it is in this AI world for security and critical

(01:00:53):
corporate information to be breached or used as a way to
influence us or to drive actions or harm us.
It's surprisingly easier with AI and even more challenging
than before.
So Wolf, I think, did a great job of talking about that.
I think from a go-to-market standpoint, actually made
go-to-market to security easier to understand.

(01:01:14):
A lot of times when you hear about ABM, you talk about lots
of systems and data and technology.
And from their points of view, it's as straightforward as
what's my ideal customer profile?
What do I need to do to approach them, reach them, drive
to them?
And how do I present information that they can see
and touch?
Security in and of itself is hard to see and touch until you

(01:01:35):
get in trouble.
And Vamshi and Chithra talked about how they can make that
understandable by visualizing the product, showing reports, by
securing subsets of their data.
They're just straightforward PLG approaches, product-led
growth approaches that they talked about.
And I think the last part that I took away is that in security

(01:01:55):
and being part of a team that's marking security to companies,
it's important for the group to work together.
So finance and go to market.
Yes, you have to close the deal.
Yes, you have to get the pipeline in.
But your metrics also are about establishing a relationship
that enables your company to your prospects or your customer

(01:02:16):
to succeed.
And so when Chithra talks about metrics around it, she cares
about more than just the sale, but beyond the sale.
And so does Vamshi.
It's really important to be part of that team that works
together on it.
So I took a lot out of it.
And I hope you did as well.
They're both really know the field extremely well.
And that just shows you how critical it is for our economy

(01:02:36):
and how we, especially in this whole world where we're adding
more and more agents.
So I hope you enjoyed it.
And I hope you enjoyed all their personal notes.
They're just really interesting, good people that
have found their way and grown up to be executives and emerging
in top companies.
Thank you for listening.
If you enjoyed the pod, please take a moment to rate it and
comment.
I do actually read all these things and I really care about
what you have to say.

(01:02:57):
You can find us on Apple, Spotify, YouTube, and everywhere
podcasts can be found.
The show is produced by Sindley Parik and Anand Shah,
production assistants by Taryn Talley and edited by Laura
Ballant.
I'm your host, Rajiv Parikh from Position Squared.
We are a top notch growth marketing company based in
Silicon Valley.
Come visit us at position2.com.
This has been an F Funny production.

(01:03:18):
We'll catch you next time.
And remember, folks, be ever curious.

© 2025 iHeartMedia, Inc.