
April 30, 2025 22 mins


Jo Peterson, cloud and security thought leader and VP of Cloud and Security at Clarify360 joins Leonard Lee of neXt Curve to exchange notes on what they thought were highlights and key takes from RSAC Conference 2025 which took place at the Moscone Center in San Francisco. They also discuss the newly published "The State of SaaS Security: Trends & Insights for 2025-2026" report by The Cloud Security Alliance.

Jo and Leonard hit on the following topics:

➡️ What is on Jo's mind from RSAC 2025 (2:34)
➡️ The specter of shadow AI (5:05)
➡️ The Cloud Alliance SaaS Security Report 2025 (5:24)
➡️ Shadow AI and shadow IT are related (9:02)
➡️ Agentic AI is not your daddy's minivan AI (10:50)
➡️ What is your security posture? DSPM + AI-SPM (15:27)
➡️ Letter to the Board: Give your CISOs more money! (17:39)
➡️ Cyber risk and attacks get more sophisticated with AI (21:04)

Connect with Jo on LinkedIn at www.linkedin.com/in/jopeterson1

Please subscribe to our podcast which will be featured on the neXt Curve YouTube Channel. Check out the audio version on BuzzSprout - https://nextcurvepodcast.buzzsprout.com - or find us on your favorite Podcast platform.

Also, subscribe to the neXt Curve research portal at www.next-curve.com for the tech and industry insights that matter.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Leonard Lee (00:09):
Hey everyone, this is Leonard Lee, executive
analyst at neXt Curve, and welcome to this episode of the
Rethink Podcast, live here from the Palace Hotel in San
Francisco, and I'm here for RSAC 2025, which is, I think, the
premier
cybersecurity conference in all of the Telemundo or the El

(00:32):
Mundo, right?
And I'm here with a very good friend of mine, Jo Peterson, of
Clarify360.
And you know what?
It's really amazing to have you on and to be here
with you in San Francisco for this event.
How are you?

Jo Peterson (00:48):
I'm doing great.
Thank you so much for having me.
Guys,
you can't see this place, this Palace Hotel, but it is
gorgeous.
There's these, it's like this architectural turn of the 19th
or 20th century. Yeah.
Situation with these gorgeous
domed, glassed ceilings. Uh-huh. If you can check it out.

Leonard Lee (01:09):
Before we get started, remember to like,
share, comment on this episode.
Also subscribe to the neXt Curve Rethink podcast on BuzzSprout as well
as on YouTube.
Also, just before we start, a disclaimer: all the views and
comments by my
guests are entirely their own and don't reflect those of neXt
Curve or myself.
And we do this because we want to keep an open forum,

(01:32):
allow my guests to say their piece and foster an open
conversation around technology and some of the leading trends
that matter,
especially in this really important industry called
cybersecurity, which looks like it's getting really, really hot
this year.
I mean, it's a hot topic and we have a lot of stuff going on, AI,

(01:54):
SaaS apparently, which we'll talk about in a moment.
But yeah.
Before we get started, everybody wants to know, Jo,
what have been some of your key takeaways from the event so far,
and the engagements that you've had with vendors and end users,
practitioners, et cetera?

Jo Peterson (02:10):
Yeah, so the event has been really well attended.
I heard that there are about 30,000 people here at RSA, don't
know yet, but 44.
44.
Oh, man.
Okay.
All right.
Much bigger than I thought.
Yeah.
The thing with RSA is if you've ever visited.
We were chatting about this a little bit earlier.

(02:32):
Everything used to happen just at Moscone and the buildings
around Moscone, and what's happened over the last few
years, I'd say since post Covid, things have become even more
decentralized.
So maybe you don't see all the people all in one place all at
one time, kind of a thing, because they're here and there
at the different buildings that
surround, let's say, the 10 blocks around Moscone, right?

(02:57):
So, but great activity here.
I think that last year was RSA training wheels, I mean, sorry,
AI training wheels at RSA, AI training wheels at RSA, people.
We weren't seeing the plethora of use cases yet.
We weren't seeing

(03:17):
some of it in the field and in practice, and now we are, we're
seeing generative AI being put in place.
I don't know, depends on who you ask and what resource you look
at, right?
But generative AI is something that's being used across
enterprise.
Mm-hmm.
Now the next trend is agentic AI.

(03:38):
Yeah.
Right.
So we're hearing lots of conversations about
how to protect agentic AI, because agentic AI brings on its
own set of challenges and complexity that we didn't see
in generative AI.
So that's been a big conversation that's happening

(03:59):
here.

Leonard Lee (04:00):
Yeah, a really big conversation.
And then, with cybersecurity, there's always a light side and
a dark side, right?
Mm-hmm.
It's like watching Star Wars, there's the dark side of the
force and the
light side of the force.
And one of the things that I heard quite often, actually ever
since I stepped on the floor of the Moscone, was shadow AI.

(04:24):
So the growing challenge and problems with shadow AI, and
we're gonna talk about something a little bit similar
to that, regarding SaaS, right?
Mm-hmm.
So, I know that you wanted to talk about this study that was
published by the Cloud Security Alliance.
So why don't you tell the audience a little bit about that
and then maybe we can just talk about

(04:45):
that and what sort of bearing it has in the cybersecurity
conversation going into this year, because obviously the
timing was interesting, right?

Jo Peterson (04:56):
Right.
I think that the findings were very interesting.
Some of the findings were sort of expected.
So the Cloud Security Alliance published the State of SaaS
Security report 2025
on April 21st.
I think they wanted it to be a little bit of a topic of
conversation here at RSA.
Right?
I think they wanted folks like us to sort of talk about it and

(05:19):
bubble it up because they spent a long time getting it ready.
If you look at SaaS, it makes up a significant portion of IT
budgets,
right?
The latest findings from Gartner is that it
represents 41% of total public cloud investment in 2025, right?
And that's a shift for many organizations, especially those

(05:42):
like when we were coming up, that were highly infrastructure
based, physical equipment, infrastructure based, that had
life cycles, investment cycles.
It was a capital expense.
It was a three to five year window.
Yeah.
And that's changed.
More and more of the IT budgets are moving towards SaaS of some

(06:03):
sort.
Yeah.
And if you think about that in a lot of different ways, first of
all, your browser is your new edge.
Think about that.
Right?

Leonard Lee (06:12):
Yeah.
You know, that's very light.
It's, it's your new edge.
Not quite zero footprint, but yeah.
Right.

Jo Peterson (06:18):
It's, forget the old topologies of hub and spoke.
Those are gone.
And think about, and then everybody, we all went remote
work during the pandemic.
Yeah.
So
that edge worker became, but now as we move towards more and
more SaaS in our budgets, now the, the browser has become the

(06:38):
edge.
Right?
Right.
So if you think about that, and so if you think about some of
the, some of the work that came out of this study around
spending, cloud spending in 2025 represented the large and SaaS
in the cloud market represented 300 billion.
Like that's a lot of money.
That's
a lot of dero,
I agree.
And SaaS is becoming the preferred method of purchasing

(07:02):
software.
Mm-hmm.
And deploying software, and you've got these
shifting patterns that are occurring.
It's not just IT that is buying this anymore.
It's other business units that are buying it.
So I think that there's some patterns that are emerging and I
think that there were some goals of the study that came out as
well.

Leonard Lee (07:21):
Yeah.
And I think the
SaaS trend actually has been in play for quite some time.
I think, going back to my prior comment about shadow AI, right?
We had the problem with shadow IT, and in a way, SaaS became
part of that dynamic.
And so what I thought was really interesting about the paper is

(07:41):
speaking to something that we'll probably be concerned about next
year, which is shadow
AI for sure, which will take its form in a number of different
ways, not just from a, you know, it'll, there'll be an
infrastructure aspect of it because there's now a lot of,
let's say, GPU-as-a-service type players out there.
Anyone, one, like a department can just go out and provision

(08:04):
of their own instances of like a GB300 NVL72, that's an Nvidia,
like, big supercomputing thing if you don't know what that is.
So, from there all the way up, right?
Because you have the AI platforms and then now you have
these folks that are creating all these chat bots and
applications.
Yeah.
And so, I think you're, what we saw with the cloud and are

(08:28):
continuing to see with the cloud is probably going to translate
or it's just gonna morph or extend further out as we have
this AI agent AI layer,
maybe in next year, because that, it's all interrelated,
right?

Jo Peterson (08:41):
Right.
So one of the things to think about, and we did learn lessons
from the cloud, right?
When I started architecting cloud environments in 2009,
security was an afterthought.
Yeah,
security was bolted on at the end of the process. Now
we think about designing those environments with security at
the forefront.
Yeah.

(09:02):
The thing that's different, there's some, a
number of things that are different about AI. Agentic AI,
first of all, is not your dad's minivan of an LLM.
It is smarter.
It makes decisions on its own, and it thinks without human
intervention, which can be good or it could be bad.

(09:23):
Now let's extrapolate with that a minute, what we learned about
during cloud was identity management.
That was one of the lessons we learned from cloud.
Let's remember math in school where we would put an exponent
on something and it would generally just make it bigger.
That's what's happening with AI.
(09:44):
If you think of it in that terms, that exponent level,
because you're not just worried about human identities anymore.
You're worried about machine identities.
Yes.
Yes.
So that becomes a different thing, managing those
identities.
Managing the life cycle of those identities.
That's another problem.

(10:04):
Yeah.
And you know, if you start to think about that as
an emerging threat vector, that becomes its own set of problems.
Do we have the tools today to manage that?
Well, we're getting there, but it's changing.

Leonard Lee (10:19):
Yeah,

Jo Peterson (10:20):
Right?
It's changing.

Leonard Lee (10:21):
Yeah.
And it's interesting that you brought up the management of
identities,
especially non-human identities.
I was just in a session, it was a gentleman from Exa, Exabeam,
that's the name of the company.
And he was talking about, oh, no, no, uh, he wasn't from
Exabeam, he was from some other company, anyways, his point was,

(10:43):
he was, his point was 40% of the identities within most
organizations or average organization,
it is non-human.

Jo Peterson (10:53):
Right?

Leonard Lee (10:54):
And a lot of these get accumulated.
They're not lifecycle managed.
It's difficult to lifecycle manage.
It's hard to trace, okay, what sort of application dependencies
do these identities have?
Do you just erase or delete that identity?
Will it impact an integrated system?
So,
yeah, it's a growing problem, but then now you stick agentic

(11:18):
stuff on top of it, right?
This notion that there are gonna be billions of agents out there,
or maybe for an enterprise organization might have
thousands of these things.
How do you manage those identities?
How do you manage those non-human identities that are
going to interface with now
other human identities, and so there's a whole can of worms

(11:41):
that are being opened up and there really isn't an answer
right now.
No.
'Cause I think the question about how do we manage all this
agentic stuff is going to be increasing area of focus and
exploration.
And I emphasize exploration because no one's actually come
up with a solid solution or a standard for doing this stuff.

(12:03):
But, going back to SaaS, I think this is just going to complicate
things more in terms of, um, the need to focus on SaaS security.
'Cause I know one of the things that you had brought up in a
conversation we had before was
the need to secure APIs, right?
Yeah.
And these, these software SaaS offerings are becoming more

(12:25):
agentic, right?
You have Salesforce, you have ServiceNow, both who are
famously in the forefront, if you will, of this quote unquote
agentic AI movement.
What are your thoughts?

Jo Peterson (12:38):
No, totally.
I think that, there's this popular app.
I saw a commercial for it and I thought it was really cool.
The tool is called Rocket Money, and basically it finds all the
subscriptions on your phone.
Oh, that you have, right.
And I'm like, wow.
That'd be really cool if we had that for organizations.
'Cause I can't tell you how many times I go in and I'm like, oh,
(13:00):
she show me all your apps.
And they're like, well, okay, here's what we got.
And then we do a little fiddling around and we find out,
oh, you got a lot more than that.
Right, and my point that I'm trying to make is accounting for
SaaS inventory is tough, visibility into that SaaS

(13:21):
inventory.
Do you know what your organization owns?
Yeah.
If you don't know what your organization owns, my
question to you is this, how are you going to secure it?

Leonard Lee (13:31):
What's the security posture exposure of those
assets?
Right.
I think that's in applications.
Yeah.
Right?
I mean it's like the full stack.
Do you, do you have visibility?
And that's another thing that from last year was a big deal.
Especially with the advent of large language models and
everyone trying to make the push toward enterprise AI, is how do

(13:52):
we deal with the securing of these models in their various
forms of deployment
in a way that's scalable, and that all starts with
understanding, okay, here's our portfolio today.
Do we know what our security posture is for every single
asset, I mean down to data or even keywords, it's like insane,

(14:14):
and so when you look at what the path to readiness, right?
Safe and responsible and reliable AI for your enterprise
look like.
The path to readiness is actually very complex and it's
fraught with risks, and these are things that CISOs as well
as CIOs and vendors need to be conscious of because I think the

(14:38):
industry is still on the back foot.
You know, they're not, they're still trying to figure stuff
out, but it's pretty evident when you look at what
constitutes even just one reliable, what you might call
enterprise class
AI application, the requirements are very, very high.

(14:58):
Right, right,

Jo Peterson (15:00):
They are.
And so a couple things, and maybe people realize this and
maybe they don't.
Um, and this is a shout out to all my CISOs 'cause I'm always
sitting in the CISO corner vote.
Yeah.
Boards, give your CISOs more money.
That's the front end of the message.
People don't realize
that the average organization, depending upon the vertical, now,

(15:22):
the highly regulated verticals spend more, but the average
company spends between five and 12% of their IT budget on
security.
That's small if you think about it.
Yeah.
Right.
And when you think about particularly the highly
regulated ones that have
so much to make sure that they're in compliance with and

(15:44):
ready for to keep the business moving forward and going.
So boards, give your CISOs more money, um,

Leonard Lee (15:52):
Because, yeah, less pressure.
Less pressure.
Less pressure.

Jo Peterson (15:54):
Because

Leonard Lee (15:55):
That's the other thing we hear about, board
pressure.

Jo Peterson (15:57):
But security is no longer one of those
things that's an afterthought.
It is integral to your business.
It's integral to your business's reputation.
Yes.
Consumers are so much more aware today than they
were five or even 10 years ago, right?
Consumers, I think, care what you're doing with their data.

(16:21):
They care
how secure you are.
They care about those things.

Leonard Lee (16:25):
Yeah.
And because it is all about trust.
This morning I got an email.
It turns out it was a phishing email.
And it was the most authentic looking phishing email, with a
contract.
And I'm not gonna name the name of the company that it
referenced 'cause I don't wanna, I don't want to you
Yeah.
Bottom line is this.
Happened to anybody.

(16:45):
Lawyer had her email account hacked and. Ah yes.
And then the hacker basically broadcasted thousands of emails
using her email account and basically soliciting payment.
Okay.
And a phishing attack and her office received because it was

(17:09):
so legitimate looking.
Yeah, I actually almost clicked on it.
Oh, that's how good it was.
That office that morning received thousands of phone
calls so that I felt so bad for the receptionist.
I told her, you know what, I'm gonna get off the phone right
now
so that you can handle the other calls.
And she said, thank you.

(17:29):
Yeah.
And I empathized with her.
But think about that.
I mean, I call that a physical DDoS attack.
I mean, it's, you are flooding that office.
You're not wrong. With a bunch of calls.
You're not wrong.
And then bogging that business down.
I mean, and that's like real impact.
That can be completely disruptive to your business and
also the reputation.

(17:49):
You gotta wonder, you know, how trustworthy are their IT
systems,

Jo Peterson (17:54):
I mean, it can happen to anybody.

Leonard Lee (17:55):
Yeah, it can happen to anybody.

Jo Peterson (17:57):
You know, that, these bad guys with the help of
AI
are not going to your endpoints anymore because the endpoints
are locked down.
Right?
Companies have done a good job, so they're doing things like
voice phishing or they're getting into systems, and then
moving laterally
that are not traditional endpoints, which we've all tried
(18:19):
to do a good job in lockdown.
So it's happening.
And the thing with AI is we're just gonna have to move faster
than the bad guys do.
Or hope that we move faster than the bad guys do.
But this SaaS report was very eye-opening and very interesting
for a lot of reasons.
Because to me, it went beyond security and it really talked
(18:40):
about what was happening in the landscape.
Who was buying, what the problems were, like visibility,
what the problems were with inventory, what the problems
were with machine identities.
It talked about a lot of the things that are, to me, very
tangential to not just SaaS, but to the AI challenges that we're
(19:03):
gonna see coming up.

Leonard Lee (19:04):
Yeah.
And the other key word, oversharing.
The problem with oversharing, that's inherent with shadow
anything related to IT or AI or any of these information related
technologies.
And so, the industry has its work cut out for it.
And, you know, I think there has to be a fine balance between
(19:25):
best practices and hygienic practices on the
side of the enterprise.
And then for the vendors to be able to bring responsible AI,
thoughtfully designed AI that's actually going to help address
the problems rather than create new threat vectors
for
their customers.
And I think those are things that we as analysts need to
(19:46):
help the industry on both sides, right?
The end user side and the vendor side to bring those
capabilities.
Because one of the scariest slides that keeps getting put up
there is how quickly the cyber criminal economy is growing.
It's at $10 billion a year.
It's the third largest economy in the world.
Growing at the fastest rate.
(20:06):
And I think that's an underestimation.
'Cause I don't know where they come up with these numbers.
We know the GDP of the US and the China and the EU, but how do
they figure out the
size of the cyber criminal economy?
I don't know, but it's undoubtedly very large and
apparently growing very, very fast.

Jo Peterson (20:25):
Yeah, and part of it is just the ease of
acquisition, you know, back in the day.
A script kiddie used to have to at least know how to code. Kiddie
does not need to know how to code today.
They can just buy a prepackaged anything.
Yep.
Phishing software, whatever it is they want and just go for it.
Template.
Done.

(20:45):
Yeah.
So with that.
Are we
done?
I don't know, maybe.

Leonard Lee (20:49):
Oh my gosh.
It is so wonderful to have you on.

Jo Peterson (20:51):
Love that.

Leonard Lee (20:52):
Just start a podcast around cloud and
security

Jo Peterson (20:55):
Alright.

Leonard Lee (20:55):
Thank you.
Thank you so much for your hospitality
and inviting me here.
I haven't been here before.
It's like, it's

Jo Peterson (21:01):
Gorgeous, right?
Yeah.

Leonard Lee (21:02):
Yeah.
And so, for those of you who tuned in and made it this far,
thank you.
Hope you found the podcast entertaining and informative, and
all of you should follow Jo.
She's wonderful.
She's my mentor.

Jo Peterson (21:16):
Oh, man.
That's a lot of weight.
Well, thank you for having me on the show.

Leonard Lee (21:20):
Absolutely.
And why don't you tell our audience how they can get in
touch with you, a little bit about your firm and then the
kind of research that you focus on so they can give you a call.

Jo Peterson (21:30):
Oh, that'd be great.
So, as Leonard said, I'm Jo Peterson.
You can find me on LinkedIn.
I'm always posting on LinkedIn.
There's some crazy cat videos that I post with, with
when,
when I try to tell a cybersecurity or AI security
story, I'm easily amused, so I hope you find them amusing too.
I'm on Twitter at, uh, love Cats, right?

(21:52):
Yeah.
I'm on Twitter at Clear Tech Research. I'm an engineer by
trade, and so what I bring to the table is I bring that end
user's point of view when they're looking at technology.
My areas of focus are cloud, cloud security, and AI
security.

Leonard Lee (22:10):
Yeah, I see.
Yeah.
She is one of those folks that you need to follow, so, yes.
Remember to like, share and subscribe to neXt Curve research
portal at www.next-curve.com for the tech and industry insights that
matter.
Live here from RSAC 2025.

(22:33):
We'll see you next time.