Roy Akerman 00:00
Sree has spent his career building and leading cybersecurity programs at some of the most demanding organizations out there, including Warner Brothers, Capital One, and more. Today, as VP of Cybersecurity at Interactive Brokers, he’s focused on securing systems where speed, scale, and risks all collide.
Sreenarayan Ashokkumar 00:16
A lot of identity designing, and imagine the number of systems a Fortune 500 organization has one of the colleagues I called from a Fortune 10 bank told me that they put Mythos connectivity into a terminal inside a Linux kernel and the system was fully patched and the model kept pushing itself and broke out of it. So let’s get real, and this is the threat we are facing. The era of less technical leaders is gone.
Rob Ainscough 00:41
Sree brings a very practical perspective shaped by years in the field, from threat modeling and red teaming to building global teams and governance frameworks. In this episode, we talk about how new technologies like AI and mythos are breaking the traditional model, and what it means to secure increasingly complex environments in this agentic era.
Sreenarayan Ashokkumar 00:59
This battle cannot be fought alone. We are entering a new foundational model era. The threat landscapes are changing, and with AI coming in, speed has power.
Roy Akerman 01:10
Identity isn’t just an operational problem, it’s a security one, and most teams are figuring out in real time.
Rob Ainscough 01:16
This is Identity Decoded, the podcast where we reverse engineer the meaning of identity security, sharing candid conversations about the people building, fixing, and rethinking identity security from the inside.
Roy Akerman 01:29
I’m Roy Ackerman,
Rob Ainscough 01:29
and I’m Rob Ainscough.
Roy Akerman 01:31
Let’s dive in.
Rob Ainscough 01:32
Let’s do it.
Rob Ainscough 01:38
Welcome, Sri.
Sreenarayan Ashokkumar 01:40
Thank you for inviting me. I’m excited to have a fruitful discussion around cybersecurity and how identity plays a role.
Roy Akerman 01:47
Your record speaks for itself, right? You’ve been in so many important places in the important times, right, from recording studios to some financial, big financial institutes up until that moment that you’re in one of the largest companies that run financial transactions. Would you mind to walk us a little bit through your journey?
Sreenarayan Ashokkumar 02:10
I think it was just luck that favored me being in these places. Many instances of luck. I’m always looking for the next challenge as I evolved my career all the way from a startup to cybersecurity, I tried to pick up the next challenge that will help me grow. We are entering a new foundational model era with my thoughts coming in, and the threat landscapes are changing, and with high frequency trading and interactive brokers itself, it’s a new business area for me, and with AI coming in, speed as power. How do you defend it is going to be key, especially with identity.
Roy Akerman 02:51
One of the things that’s really interesting about your approach is that across the years, although your, your grew with again the level and seniority, we’re still very technical in like building solutions, and not just employing solutions, not to mention inventing solutions as well. Is that right? You’re still like kind of like hands on with big teams.
Sreenarayan Ashokkumar 03:14
I strongly believe that’s one hot too that people don’t understand, where leaders go wrong. I think the era of less technical leaders is gone, if especially in tech organizations, there’s no more. You’re not looking for a GRC CSO, you’re not looking for a board CISO, you’re looking for somebody who is first technical and then you have those skills on top. That’s the new mindset that that this leadership is demanding. These roles are demanding nowadays. I quote, call it product first CSOs, is what the roles demand, because if you don’t understand the business and you don’t understand how to make tech work in the business, you don’t get features out to customers in time, and Cyber’s role is no longer a check in the box or saying no, it’s figuring out how do we enable these features to the customers.
Rob Ainscough 04:08
I think it has changed so much over the past few years in terms of the demands on the CSO and what it takes to be successful in that role, because as you say, it’s that ability to understand and empathize with the business, the ability to enable it, and the ability to explain these really difficult, complex technical things, whether they be attack paths or whether they be controls, in a way that means something to someone who CFOs who mainly worry about finances or CEOs worrying about the business or marketing leaders or whoever it is, right? It’s not their natural territory, and it’s so important that we can bridge that gap at the senior level.
Roy Akerman 04:52
Yeah, I totally agree. I just can imagine, like, how challenging is it to protect transactions? Actions like billions of them that needs to, you know, be made in a fraction of a second, and make sure that the security layer is 100% there, but not disrupting anything. So I totally bought into that notion that, you know, leaders should be super technical. Would you mind that I poke around about a thing that kind of like held us from meeting on time a couple of times, which was the mythus, let’s call it like almost released of the Mythos by Anthropic. So we were supposed to meet a couple of times, and then you’ve been called to the CEO, or like you’ve called into the CEO in order to discuss the implication of a potential near future release of a new AI model by Anthropic. Can you tell us a little bit about that, and why it kept you busy?
Sreenarayan Ashokkumar 05:43
I think everybody is thinking about this right now. Everybody that’s listening to the podcast, how are in some or the other stage of this mythos discovery slash action journey? And I am in the same boat. Every org is wondering if the threat is real. You’re calling your colleagues across the industry. I was doing the same. There was a lot of speculation through news that was keeping people up at night, including tech leaders, executives. I’m sure you’re facing that as well as the listener. You both were also facing that in your organization. Is this threat real? And your customers are calling in and asking you, how are you preparing similar fork, right? And that’s one of the key things that kept delaying me, because I was trying to figure this information out to give my technology team comfort. Then the steps I was taking that others should also be taking is, you should talk to a known contact who has already got an exposure. There are 40 to 50 banks and critical infrastructure organizations that have access. Read articles that are published from trusted CSOs, like JP Morgan published one recently, Anthropic published one. So, first steps to take is understand if the threat is real and how everybody’s preparing from the executive perspective, it’s very important to take understand that no matter what strategy you come up with, you need time commitment from tech partners. This battle cannot be fought alone. A threat like this, or when you have a breach like any other organization faces, you need to have your technology partners, your C level, so you should put a crisp presentation, send it to the CEO explaining what the information you got, and if the threat is real, and how are you preparing your 30 60 90 day plan. I was on a podcast from CISO from Palo, who said six months is giving it six months, three to six months, tops for the entire industry to prepare, right? So you go pillar by pillar and build the confidence.
Roy Akerman 07:47
I just want to say that, so there was an earthquake, right, for our audience that are still catching up. So we’re speaking about anthropic, speaking with the world, and telling that they built a model, or that they were about to release a model that was so powerful that in the testing phase the researchers actually tasked this model with some security like penetration testing or like hacking assignments and released a little bit of the guardrails and the controls around this model and by the end of the day this model could have come with, or actually came with, so many zero day vulnerabilities and exploits on the most protected or untapped environment from Linux systems to others, and all of those were verified, or most of them were verified by others. So, the concern business leaders and tech leaders is that once this model will find itself in the hands of the wrong people, we’re all like been a jeopardy.
Rob Ainscough 08:46
I think there’s a couple of things that spring to mind. Mythos is just the, it’s just the warning flare for the industry of what’s to come, right? It’s just the signal of the direction of travel of this thing, and I think coming back to what you were saying, Sri, I think the important thing for me is preparing for this thing, right, this unknown, really, in terms of what that means for our environments, that needs commitment, it needs business buy-in, as you say, but importantly, it’s a team sport, right, that doesn’t just sit with the cybersecurity team, it’s not all sitting within that team in terms of responsibility to fix that thing. It’s a team sport, it’s for everyone to take action, because there I think so many uncertainties, but one thing I think is clear is a mythos level model is likely to get in the hands of attackers and adversaries quicker than equivalent capabilities for defenders, and there’s going to be a gap there, and we need to fill that gap with urgencies.
Roy Akerman 10:13
I’m with you. I think that it will be very interesting to like run this through a two-step journey.
Sreenarayan Ashokkumar 10:40
I want to share an example. I think that’ll get us kick started in this. Yeah, so one of the colleagues I called from a Fortune 10 bank told me that they put Mythos connectivity into a terminal inside Linux kernel, and the system was fully patched. It has all security agents installed, and they basically told it the IP addresses inside and outside and let it free and the model kept pushing itself and broke out of it and there was no CVS, nothing there that was because it basically created a live exploit and broke out of it through the hypervisor, so let’s get real, and this is the threat we are facing. It’s very, very important to understand. It had nothing. It broke through the agents, through the protections, through containment to the hypervisor, and out.
Roy Akerman 11:31
So, first broken part is that the assumption that even with a zero day will be able to either patch on time, okay? And that’s the, that’s the near real time play that we have. Something else is happening. Would it be valid to assume that a breach will happen soon, and then be a like build ourselves to respond fast, or like how do we mitigate that thing?
Sreenarayan Ashokkumar 11:57
My thoughts on this is layer defense. It’s not, it’s no longer going to be one defense versus another. It’s going to be multi-layer defense. The story of CVE converting to a KM, which is exploit, and you’re waiting for the exploit to come in, is gone, right? Any CV can get exploited real time now with the agent figuring out how to exploit it, so if you look at if I were to tell somebody or recommend somebody a strategy, I would say start with the three pillars: data security, exposure management, and identity. So let’s figure out how you’re going to secure your data in case something does get in and they’re trying to pull it out, going out and then outside in secure your exposure and figure out what exposures you have, which are easy low hanging fruits. Let’s start with those, but even low risk, couple of low risks can be chained. That’s what this model is has speciality in. It can chain multiple low risks to get in, and the third one is identity. Make sure you are access controlling, you’re authorizing, and you’re logging all identities, be it system or user, so then you can trace, or you get monitored and alerted when the scope is broken.
Rob Ainscough 13:11
I’m interested in kind of notion of exposure management and vulnerability management, you know, different people think of it different ways and call it different things, but my experience of that in industry was, you know, and this is way before this, right? It was a struggle to any, in any way, keep up with the stream of unpatched vulnerabilities that you have across your organization, right? You’re as soon as you patch them, there’s so many coming up, you’re just keeping your head above water in terms of the overall level of vulnerabilities you’re running, so it was already like a challenged model, but now we’re taking that to the step where you say, hey, you’re much more likely to get hit by something that hasn’t even been listed, it’s zero day, it’s never been recorded, it’s never been spotted, so we’re coming up against this challenge. I’m saying, should we place any reliance on things like exposure management, vulnerability management in this thing? Right, you mentioned it as one of your kind of key pillars, but isn’t the safest assumption like anything I’m running is exposed, whether I know it or not?
Roy Akerman 14:19
Maybe I’ll try to gamify this a little bit. Okay, so let’s assume that I’m the agent, and I just found this Linux box, and I’m in. I found this amazing zero day, and I got in, and now I secure the channel out, and I’m starting my operations of taking over your organization. How do we humans play right with the other technologies that we have in order to win? I would say that now we had privilege management world, but now we have an assumption that in every given moment we’ll have a highly privileged identity pwned or a highly privileged presence. Of a malicious actor inside of our organization. Okay, and the only way that we can understand how to play against it, it try to a, understand what’s the next move is going to be, and b, track all the moves, so like you said, SSH and SMBs, and like trying to get a route to the cloud, and persistency, all the kill chain, but right now on steroids, we’ll need to be able to to predict it, to detect, and then we’ll need to play the game. I believe that the game is an IAM game. The game is, how do you allow paths that you know that you can control and secure, and make this agent prioritize or think that these are the most useful paths, you know. Sometimes we can even trick the agent, but you need to make sure that these are the ones that you have security controls or filters or something that may slow it down, not just like a binary blockage. By the end of the day, I mean, you know, everybody will say bring an agent to fight the agent, right? We’re not there yet. I think we need to be there.
Sreenarayan Ashokkumar 16:02
How do you see this space evolving from a response perspective? Do you see automation kicking in? Do you see AI agents coming in? Your, how do you do that with trust, without disrupting the business?
Rob Ainscough 16:15
I think the first thing to say is, you know, probably the best answer we’ve got today to that kind of problem is applying controls by policy at the point of authentication, right through identity. Now, the challenge with that is, as you said, like it’s handcrafted, right, it’s understood through behavior and telemetry, great, but it’s then handcrafted and getting to coverage and covering what you need to cover with that approach is very, very challenging, and I think for sure AI has got a role to play in helping us define our defenses and defenses structure through identity and apply those policies much more dynamically than we have in the past with static rule sets and static policies, which has probably been like kind of the gold standard up till now.
Roy Akerman 17:05
Yeah, I’m about to bounce this question to you in a second, so be ready, because you are actually one of the biggest organizations to recover from a big attack, right? And we just spoke about the like numerous projects that you needed to run there. I can say that I think that our controls should be much smarter. You probably need to reinvent control points to make sure that that fast-paced stream of AI behavior will not be just able to monitor, and when I’m saying monitor is like monitoring the reasoning of an agent, monitoring the memory of an agent, monitoring the agent to aid, like agent communication, but by the end of the day, we don’t want to monitor for just know what’s going on. We want to monitor to have a security instinct. What were you trying to achieve, and how did you do that when you’ve brought into one of the other organizations that you’ve actually led security with after, like, a major cyber attack, and a major cyber breach happened, and then how does it change if it’s an AI agent that is doing this, or it’s somebody who just abused a key?
Sreenarayan Ashokkumar 18:12
If you’re in the fortune on five hundreds or hundreds, and then you do face a major high impact breach, right? The biggest thing that happens is chaos. Regulators come in everywhere, start knocking, customers start panicking. Your incident response procedure is your best friend, and you need to make sure you’re working with the triple digit organizations and gain as much help as you can. Sometimes you might be in a position today in the industry where you don’t even have a big team, so you need to figure out that plan. All your tech partners and execs are looking at you for responses, so it’s a very difficult position to be in and figure out how to solve for it. So the way I would recommend you doing this is you identify, you define first how you want to tackle the regulatory problem and external problem first, so give your customers some comfort first, immediately, and then you go to the regulators and start handling them with a special high focus team. After that, you go inside to your tech stakeholders and you define 100 to 1000 initiatives to secure your ecosystem that will give your board and the tech leaders the confidence they need as your partners to vest in you and trust your program, and then you build a delivery shop that helps you prioritize. Right, if I see a similar scenario happening today with AI. It, I don’t know how many doors I need to lock, you know. Even without AI, there are so many doors that need to lock. Low priorities suddenly start becoming medium priorities. Medium priorities become high, high become critical. There’s a lot more. Going back to the fundamentals, every time you enter and exit an employee, have a very, very solid foundational life cycle, and that’ll, that’ll take care of that. The first initiative, the next one is going to be analyzing all identities for the right segmented access. You cannot have an open star policy, right? That’s just going to invite trouble. You will not even know which role they assumed. I want to bring back to the response. Right, how do you contain and what do you contain? I feel if the same scenario happens today, like you pointed out, I don’t think we have that much time, right? If you look at some famous banks that have been breached, there have been continuous breaches for the same bank again and again every three months. These were attackers who had time, now they have agents, now they have models that can penetrate deeper. So now imagine how much more ammo they have, and exponentially they’re going to come after you. So those months are going to become hours or days, right? So this is where Roy, like you’re pointing out, the response options are very limited. I don’t have – I don’t know if there is a single identity tool or a response mechanism that can contain an identity spot or kill it or respond it immediately by naturally detecting, even if I have a SOC automation for detecting something that connects and sends a signal to a containment tool, can the identity be contained? We can kill it, but can we contain it? And is that the right decision?
Rob Ainscough 21:33
That’s something I think about a lot, and have done for a number of years, and I think we’re starting to get there in terms of the technology behind this, but I started to think of identity as almost either mainly as a drawbridge that you could draw up in times of stress, right, and you could draw it all the way up, or you could draw it part of the way up, and your operating mode that you could describe to your business as you go through these levels of raising the drawbridge are different, but you can explain them right, and you’ll say right at, you know, our normal operating is this this constraint will be introduced if we start to see this stress in the environment, right? These signals, wherever they’re coming from, right, network endpoint identity itself, it doesn’t matter, but that drawbridge we may get to a point where we’ll automatically start raising it because we don’t have the time to do anything different and we want to take less and less risk with this thing and be more and more impose more and more costs on our business as we raise that draw bridge but ideally we get to a place where that draw bridge is available everywhere we need it and ultimately we get to a place where it applies automatically, right? So we don’t have to make a human decision in the loop to raise that drawbridge, and I know it’s a very conceptual way to think about it, but that’s for me the most urgent problem in identity.
Sreenarayan Ashokkumar 22:56
How do you see that drawbridge working? Like, have you, can you educate us on what are the different options and angles of drawbridge today, or do you see in future?
Rob Ainscough 23:07
Yeah, exactly. So, so, like, I’ll give you some really simple examples, which aren’t based in anything, they’re, you know, just simple examples, but you have lower trust in your third parties and third party identity than you do employee identity kind of by default, right? You can, you can do things to raise that level of trust, but you’re always a little bit off in terms of third parties, and we know that’s a common route, but maybe at that first level of drawbacks we say, okay, well, we’re not going to allow third parties to authenticate for this point in time, maybe that’s not where you start, but maybe that’s where you start to get to, because you’re reducing and reducing that capability of these risks to be brought into your environment. If you’re in that position of uncertainty, now that’s quite a big thing, right? But reducing it down, so if you saw anomalous usage of a non-human account, I’m just not gonna allow it. For example, right? Maybe normally I’d tell the SOC, but under this level of stress, I’m not gonna do that. I’m just gonna say no, that’s not gonna happen.
Roy Akerman 24:13
I think this is this is the point that we’re keep speaking with our guest on where security and access are converging, right? Right, that this is the reality that we’re having there.
Sreenarayan Ashokkumar 24:23
I like the analogy you made. Now, if you, if you let’s go back in time to 2015 when cloud became a boom, right? We tried to retrofit all data center tools to the cloud, right, but we could never pull the misconfigurations out on time, we could never secure it the right way, right. And then came the CSPMS and the CNAPS of the world, right. I feel identity will need its own space now, like identity security posture management that gives you visibility, prevention, and also automated fine tuning, so it can. Respond back as soon as it detects something.
Rob Ainscough 25:02
Identity needs to have its cloud moment, is what you’re saying. It needs to change. What would you say, Sri, in terms of, you know, people listen to this, they come in Monday morning, what they’re gonna do differently? What do you think they should or think about differently? What can they take away from this and really apply to their jobs?
Sreenarayan Ashokkumar 25:20
I like one thought that you captured, which was around having different response styles. That was a key one educational exercise, breaking the status quo that we’re used to, because I can say, okay, activity logging for identity is key, identity segmentation, but that they have heard identity response, which is like a kill switch, right, but having a fine-tuned window policies for different types of identities, and how do you want to respond to it, depending on what access? Is it a SaaS system versus the internal admin system versus an application or a system account? Having different policies is a big one, I think you should take back as a listener, consciously think about it, because that will help you bring the right response versus disrupting the business all the time, and that will also give an opportunity, maybe it can be dynamically designed using AI, right, maybe the model can design it, you give it guardrails and let it design for you. Let’s build the drawbridge is one big takeaway that I would ask everybody to think through in the loop.
Rob Ainscough 26:28
I agree, and I think it’s about being prepared to fail, right? Not the most optimistic thought, right, but I think an important part, you know, we’ve seen over the last couple of years in, in cyber more generally, a real focus on resilience, on assuming the worst, and what’s going to happen to how we’re going to respond, how we’re going to recover.
Sreenarayan Ashokkumar 26:50
And do have one tip I can leave with, so we can all.. I would recommend all the listeners to build a testing arsenal, so they’re pressure testing themselves using existing models today that they have access to, even Opus, or the big difference between Opus to Mythios is Mythios keeps pushing itself, so your human in the loops can push Opus to the next journey too, and it does uncover systems.
Roy Akerman 27:16
It’s important, one, so around Opus or Sunette, or any other model, not necessarily Anthropic, the headlines, right, but run them against your own system. Make an AI pen test on yourself continuously, and then discover those access paths and those chain trusts that can be abused before another model will aim at you and try to do that. We’re almost coming to an end, and we have a tradition over here in the show to run some rapid fire, calling it,
Rob Ainscough 27:47
Yeah, rapid fire, quick fire questions,
Roy Akerman 27:49
Yeah. And Rob is really good in that, so I’ll hand it into him.
Rob Ainscough 27:53
Nicely done. All right, so we’re gonna, we’re gonna fire through these. So, first one, what’s one identity myth? An identity myth.
Rob Ainscough 28:03
Oh, there’s the tough one. So, I feel the biggest myth that everybody on the street believes is MFA will solve world hunger. It’s not right, even if you’re using, like, if you as a listener are using Face ID right now, it’s unlocking your password. It’s not unlocking the pass key unless you opt for it.
Rob Ainscough 28:23
Next one for us, what is one thing that leaders get wrong?
Sreenarayan Ashokkumar 28:27
They don’t think about the breadth, and they’re less technical. I think this goes back to how I started the podcast. We have more GRC and board leaders, and the other tech, other leaders on the table are becoming tech smart. Let’s go back, let’s go back in time, right?
Roy Akerman 28:47
Yeah,
Sreenarayan Ashokkumar 28:48
Everybody was learning high-level languages in 1990s Now everybody’s learning AI, they know how to use, how to build products, but the fundamentals of systems will stay right. If you don’t, as a leader, can talk that language, how will you secure stuff that a product officer is experimenting and prototyping on?
Rob Ainscough 29:04
So, the next one, one hard truth. What’s one hard truth?
Sreenarayan Ashokkumar 29:08
I would, I would go back to the previous answer. History repeats itself. Build a parity between how programmers went from low level language to high level, and everyone started building tools. If you remember, 80s and 90s games started coming up, software started coming up. Everybody started building tools, but before that, only the microprocessor engineers were building instructions, right? They were building the calculators, they were building like room-sized computers. So I think history repeats itself. So if I were the listener, I would go back in time, and then just understand what happened in the 90s when high-level language became popular, and everybody started developing.
Roy Akerman 29:51
So, one last question that is really interesting, what term or trend do you think that is overhyped?
Sreenarayan Ashokkumar 29:57
I strongly believe this, that AI can solve world hunger. It cannot. People strongly believe that it can. I use the fundamental, and I teach my leaders the same thing. I tell them, they ask me, How can I use AI? Can I use AI to solve this complex problem? And I tell them, No. I would respectfully tell them, think about if you had access to 100 interns with their skill levels, what would you plug them into solving for you? That’s what you can solve with AI models today.
Roy Akerman 30:29
Yeah, so you’re basically not waving a white flag against AI. You still say that there’s some human power to do things that AI cannot, and that there are some limitations, and yeah, we need to stop the grieve and actually maybe brain vent ourselves a little bit.
Rob Ainscough 30:45
We’ll have to have you back on in a year and see where it got to, yeah,
Roy Akerman 30:49
Yeah, it was a pleasure. I think that, you know, it takes a lot of courage to touch those points that everything breaks and like needs to be reinvented, you know, and it’s kind of like leads everybody to some fear and concerns, but I really believe that this day in the CEO office in those discussions are actually leading to some interesting place in our times that we’re gonna probably win. It’s not the Terminator area yet, and with that, I want to really thank you for dedicating the time, I know that you’re super busy. Thanks so much for winning us a little bit more smart. And with that, have a great day.
Sreenarayan Ashokkumar 31:29
I really appreciate the chance and to share the table with R and R identity.
Roy Akerman 31:36
We rebrand now.
Rob Ainscough 31:37
Thanks for that, Sree. Appreciate it. That’s it for this episode of Identity Decoded.
Roy Akerman 31:43
If this conversation changed anything that you thought about identity security, share it with someone who’s working through the same challenges, and don’t forget to follow the show,
Rob Ainscough 31:50
So you don’t miss what’s next.