
Navigating Borderless Networks and Data Security with Yasir Ali


About This Episode

This week, we revisit a conversation with Yasir Ali, CEO of Polymer, in which we dive into the nuances of modern data security. As networks become increasingly borderless, the challenges for data security are escalating.

We'll explore crucial technologies like Data Security Posture Management (DSPM) and Data Loss Prevention (DLP), and discuss the importance of reducing risk profiles and managing access control effectively.


      Rachael Lyon:
      Hello, everyone. Welcome to this week's episode of To the Point podcast. I'm Rachael Lyon here with my cohost, Vince Spina. Vince, welcome to the podcast after a little hiatus. Yeah.

      Vince Spina:
      You're ready

      Rachael Lyon:
      for some fun?

      Vince Spina:
      I am. I'm very excited about this. Thanks for, thanks for letting me be, in the chair next to you.

      Rachael Lyon:
      Absolutely. Alright. So I I'm so excited. Your first guest is gonna be Yasir Ali. He is the founder and CEO of Polymer, which is no code DLP for SaaS applications. But, really, Yasir, you are a man that wears many hats, and I'd love for you to share a little bit more about your background with our with our listeners.

      Yasir Ali:
      Sure thing. So, yes, we are a data security platform for the modern business, application stack, hosted on the cloud, SaaS and AI basically. My background, I'm a developer by training, focusing on data. So, training in building mortgage models first, training those models to, arbitrage the market, actually, based on those analysis. At hedge funds and various investment banks for a few years.

      Rachael Lyon:
      Wow.

      Yasir Ali:
      And started a consulting business, after the financial crisis focusing on data governance, data privacy, intersection of technology, and, privacy and just, kind of like the security aspect of things, at large investment banks. And that kind of got me into this space more directly And we started this company, me and Usman, in 2020, focusing on data security geared towards kind of the CISO, ICP.

      Rachael Lyon:
      Nice. Wow. That's so you kinda touched on my my very first question because we're always so fascinated here on the podcast. It's like the road to cybersecurity for many can be a winding path. I mean, we've had someone who was, like, medieval studies PhD and somehow a CSO. Right? You know what I mean? So just kinda fascinated. Like, how did, you know, young Yasir, when you're starting out, I mean, how did you find your way on this pathway to to being a developer and then ultimately to where you are today?

      Yasir Ali:
      You know, I think, people have a tendency of, like, backfilling the story of their lives in terms of it's all planned. Reality is a lot of these things just happen, right place, right time or wrong place, right time, whatever you wanna call it. And I would say that, you know, the recent kind of with the product launch, which we we did in 2020, which led to Polymer kind of getting started, focus was just understanding the air force. That was a construct which comes from the world of IT. Development. What information do I have? Where is it stored? And how is it moving around in my environment? And that was the initial thesis of the of the product. And we kind of, like, stumbled upon this data loss prevention use case specifically based on what we heard in the market when we first, unveil the product in in an MVP basis. And so it was kind of happenstance kind of by luck, by chance.

      Yasir Ali:
      I've never been, in security per se specifically. So I'm a newbie. I'm still learning. And, yeah, it's it's it's been fun.

      Rachael Lyon:
      I bet. I I love it. What I love about cybersecurity is there's always that opportunity to find that thing that's not being addressed. Right? And if you have the the resources, the knowledge, the wherewithal, you know, you could take a, you know, you could go address that for people and and really make a difference in in businesses and people's lives. It's just why cybersecurity is so much fun. But as I as I digress, with cybersecurity being such an interesting dynamic industry, like, what trends are you most excited about as you look ahead? Like, what's gonna have the greatest impact on the industry as we look to 2025?

      Yasir Ali:
      I mean, I'm biased here, obviously.

      Yasir Ali:
      It's with data.

      Yasir Ali:
      Data is the frontier that has been unsolved in cybersecurity, partly because it's been a mind the gap. Who owns it? Who who manages it? We used to we went through a trend in the last decade of chief data officers getting hired in large organizations, like, we're gonna make it into a data bay data specific, kind of, like, a department focusing on data. They'll be your data czars. And that kind of failed in many ways because you could come up with the best sort of controls on a spreadsheet, but day 1 of them going live, they go stale unless someone is absolutely, like, managing it kind of on a manual basis. And then we've kind of like now in the in the interesting space where data is back in vogue. And this like stepping back in the last 30 years, why data has been unsolved is partly because the old, data kind of control product was DLP sitting at your firewall at the email junction. Mhmm. Emails was being transacted but monitored and you might get an alert saying, you cannot send this because this attachment contains, I mean, I used to be at various banks of Forcepoint where you'd send me an email, a semantic word with a k.

      Yasir Ali:
      You can't send this because there's some errors found in this Excel file containing sensitive data. And once things move to the cloud, obviously, the endpoints have dramatically expanded. It's no longer just an email. It's no longer just an attachment that's being sent. I can send a link. I can write a chat. I can write a ticket. I can upload, download, take pictures, so and so forth.

      Yasir Ali:
      So and the buyers though in in general, the security officers of folks who have been to cybersecurity for the past 10, 20 years, they bought CASB in the past line, they bought DLP. And it's been one of those for at least for financial services check the box exercise and move on. We're not going to measure the efficacy of it but that's going to be changing very rapidly with the adoption of AI obviously. It all comes down to when you look at the NIST AI risks, OWASP, top 10, LLM risks. Data is like 50% or 60% of those items basically is where things are being identified to be in. It's it's very, like, just, like, forget all the technical mumbo jumbo here, but when you think about, like, AI models, what data is doing in, who has access to it, who has access to the output, what could be put in by the prompt.

      Rachael Lyon:
      Right.

      Yasir Ali:
      It's all data related.

      Rachael Lyon:
      Right.

      Yasir Ali:
      And right now, the maturity in our market, in general, is still pretty, like, very low on the curve. Most organizations do not understand what data they contain and where it is. Let alone, figuring out who should have access to it and how is it being transacted internally or externally.

      Vince Spina:
      Yeah. Yeah, Yasir. I'll I'll jump in there. First of all, you made me smile when you said mind the gap. I know, I know you're from New York, but, kinda threw that British London tube, reference in there. And it's kinda funny because, here at Forcepoint, we we have turned our road map into the London tube. And at the end of the, the last stop is a full solution, but along the way, you know, there's there's various components that are being built out, and, we use that term quite a bit, mind the gap. Like That's hilarious.

      Vince Spina:
      You know, couple couple interdependencies along the way. So, I'm gonna steal that one. That that was, pretty good. You're talking about data. And listen, you're speaking our language. That's certainly, kind of the way we look at it. It's all about the data. That is, you know, today's oil, if you will.

      Vince Spina:
      And what comes out of that, you know, and and you spoke about AI and that that's probably the biggest thing that's on CSOs and CIOs mind today. And some of it is positive and some of it quite frankly scares the heck out of them. But what that gets to now is you've got data, you gotta know where it is, all that. But, you know, how do you govern that? And especially, how do you govern data in kind of this, this new AI world? You know, this 20 year old new AI world, if you will. But, just wanted to get your, perspective on what you think the key principles, an organization should prioritize, when establishing an AI data governance framework.

       

      [8:40] Master Data Management: Its History and Process

      Yasir Ali:
      Yeah. I've been advising our customers and and just in general, for me, the best, kind of the recipe roadmap or the framework is, looking at what master data management has been over the years. Like, master data management is a process, that's been around for 15, 20 years, IBM and a lot of old organizations still do it. It's a big part of a lot of heavily governed organizations like health care, financial services, government, having those controls at least on paper, has always been around and let's just dive into what is a master data management program. What does that look like? So I'm a I'm an organization. I wanna, have some sense of access to information and how do I build it up. So first thing I'm gonna do is I'm gonna scan my database environment, look for the column names, maybe do some random sampling of the of the values themselves and see what do these columns contain. And organizations that have been around for 20, 30, 40, or more, what you notice is there's, there's no standardization.

      Yasir Ali:
      It's been so many different iterations of teams that have worked on data, assets or data infrastructure over time. Just getting a sense of where things are or what is inside different kind of your your block stores, your databases, your file storage. That alone is a challenge which hard to grapple around. So what we did when we were starting to prioritize from a master data management perspective was, okay, what is the biggest bang for the buck, the 80 20 rule? Databases, transaction databases, and what help me also do is if I'm able to get the sense of what my transaction which is affecting my front office on a day to day basis right now, not the legacy of what's happened in 10 years that can also help me build a data analytics layer, you know, a data warehouse. That was a one of the reasons why master data management was around. I wanna think about what do I have stored in this data lake? I'm gonna abstract out raw database environments, raw infrastructure environments. Put it all in no matter it's a mainframe, it's a database, DB2, Sybase, Oracle, whatever. Throw all the data in one common format, text files, or whatever it is in a lake.

      Yasir Ali:
      It could be S3. It could be, anything really. And, Hadoop clusters, so on and so forth. And from there on, I'm gonna create a set of ETLs that's gonna run end of day throughout the day and be able to create some warehouses which are much faster transactions to come in. Obviously, with Snowflake coming in, some of these things kinda started evolving where leave the data where it is. We're gonna put in the warehouse right where it is on top of it, and we'll also, by the way, classify the information for you all in one shot. Just start using us as a managed service as a database, and Snowflake did pretty well doing just that. So when you kind of, like, learn those kind of, like, thing in in master data management, many organizations, the first step they were doing, and they never got to the data warehouse end state.

      Yasir Ali:
      They're still in this journey of understanding what is where. And usually, you would then use a governance tool like a BigID, maybe a Securiti.ai. You might use a data classification product like an Alation, or other kind of products out there. Databases themselves have, classification tools, discovery tools out there, sniffers, and so and so forth. And you basically then put this in this notified spreadsheet. At this column. This is, considered to be sensitive or not. Yes or no.

      Yasir Ali:
      At some sense of the values, maybe not. And these people should have access to it or they should be this change management process around this set of data assets. And what what failed in those kind of master data management from an operational long term perspective was I put the spreadsheet out, I stored the spreadsheet in a in a in a, let's say, application or or whatever Excel sheet and day 2 as the new databases got formed, new data started coming in, this information set got stale and operationally it was very hard to keep up with the realities of the business which kept evolving all the time and dropping tables and creating new environments, moving to the cloud which is still ongoing for a lot. That is basically, was one of the reasons why it kept getting stale. So when you think about the data kind of moving around in the large organization, then AI is no different from a master data management kind of problems or a set of issues that we ran into why master data management fails. And AI is the same way. You're looking at what assets do I have? What should I be putting in my LLM model? I need to understand that. And number 1, and lot of organizations what they're doing is and I can go into deep end with this very quickly, but let me just, like, not do that just yet.

      Yasir Ali:
      But and then the other aspect of this is who's asking for information, who's putting more information in at the problem. And if it's a third party service like OpenAI, ChatGPT, Copilot, whatever, then there's obviously ex recreation events and stuff assuming it's all you trust the service. Even then there's a risk of stuff coming out, hallucinations, and and also so there's one aspect of it, which is the data that goes in the input and the other one is the output, which is very dependent on who's asking the question. So when you think about, your I'm you think about your ED, your role, your roles in organization, your groups within organization. That we feel is the one of the, highways to be able to kind of solve this problem a little bit scalably and sustainably.

      Vince Spina:
      Yeah. Yes, sir. So, couple of things. What I got out of that was, first of all, you referenced databases all the way back to the nineties, so you've been there. When you brought up, Sybase, I go, oh my gosh. I remember that. And then you brought it on a way to Sybase. Yeah.

      Vince Spina:
      Yeah. Absolutely. And then, you know, all the way to Snowflake and AI. Listen, here's here's kinda what I heard when, you know, when I'm thinking of the principles and you were kinda taking us through where this thing started, where it's at. I'm hearing, principles like transparency, accountability, fairness. Quite frankly, what what we really didn't talk about there which, you know, if you got any opinions on, you hear a lot around AI systems and the ethical considerations and the, the biases that, you know, can be, implemented if if done incorrectly. Any any thoughts on that?

      Yasir Ali:
      I I look at the AI journey as a Maslow's law of hierarchy. The stuff you're bringing on is much higher on the pyramid. Folks are still at the bottom of, like, how the hell do I even make AI useful for me?

      Rachael Lyon:
      Right. Right.

      Yasir Ali:
      Just a simple let me connect my ticketing system and have my customers, get to answers faster than having a help desk person in the middle. So on that front, I would say, yes, hallucination buys you, but we just are not focused on that because I think that's a good quality problem to have once the system is ready. We're still in this early phase of, like, what is the system? And I'm seeing CISO struggle with we're gonna basically look at it from a perspective of classified information and start tagging information. And when the AI model gets built internally, we'll at least have a starting point. I feel that that is good, but that provide them from a security perspective, from a technology perspective because I built these models in the past when you start hiding stuff that goes in the model based on columns or values or sensitivity, you start creating holes in the model which can reduce the actual output and efficacy of the model itself downstate for the users. So it's a very risky part of trying to, like, limit information. You might just have a chat box exercise. Yeah.

      Yasir Ali:
      We got the AI tool ready, chatbot, but it's not gonna have much value. Our what we're trying to, like, kind of conceptualize in the market and and have kind of working towards this. Can we do this at runtime? So everything in the model, but at runtime, have the guardrails to allow certain information to be accessed by an individual depending on where this individual comes from. Certain teams in in the organization should have more access to information versus others and all that to be done, in at run time at the prompt level rather than having to kind of worry about this whole journey, which could take you 10 years to get there is still not

      Vince Spina:
      good. Interesting. Rachael, jump in.

      Rachael Lyon:
      Well, you know, I'm always kind of, I think you're right. I mean, it so many are at the beginning of this journey and just trying to wrap their arms around what can we even do with this. It's it's almost this this monolithic being, and, you know, how do you tame the beast? You know, and then and I I can't I don't think we can have a podcast without talking about 0 trust, you know, and and how how strong data governance can can support the principles of 0 trust, and what challenges do organizations face in in aligning that. Right? And you talk about permissions and and other things. Can you expand a little bit on that?

      Yasir Ali:
      Yeah. So the the the framework when organizations think about when you get onboarded as a as an employee, you assigned a group. You assigned access to certain databases, certain folders, certain kind of applications, certain kind of, like, your email groups and so on and so forth. That's a classic. I'm a new employee. I'm I belong in this group, and that's kind of where my my access is. We have not evolved as an industry or just in general in terms of looking at not, from the channel perspective where the data is coming from or or what information I should have access to. It's more still on a fixed asset basis, like, what access do I have? We feel that the the time has come now where access should be I'm should be driven by what the business context is in the information wherever that's coming from.

       

      [19:17] Data Security Must Adapt to Cloud Technology

      Yasir Ali:
      And that's for data security to work, that is table stakes going forward because cloud has introduced so many different ways of data coming into me, that IAM rules, which static rules for access to information, access to areas of information, they are not as, resilient. They are not as, scalable, and they frankly do not work. Why do you have so many breaches with so much access going in with one person coming in, hijacking someone's wrong MFA or or using that persona to access your Slack, get the credentials from there, and you log in to your database? Why is that happening? Because of we're not being, cognizant of the information that is being accessed, at a user level no matter where it's found. So I think there is a from a zero trust perspective, we need to kind of start going beyond just looking at these fixed assets, but looking at the information that's flowing in and making some determination. Is this person having access to this information in this time frame, in this bandwidth, in this scale? Is that real or not? Or is it should we should we have some restriction in that?

      Rachael Lyon:
      Yeah. That's a really good point. And it's I love the lead in too because my other favorite topic is insider risk. You know, and and it seems like AI is kind of the boogeyman, right, on kind of how do you get in and out. And so I'd be kinda interested in your perspective, you know, how are insiders, right, using AI to orchestrate attacks from within, and and how can organizations kind of anticipate where these attacks are gonna originate, and how do you mitigate them?

      Yasir Ali:
      That's a that's a pretty loaded question. I mean, I I I probably don't have, like, a very good answer for it, but Right. It's it's an evolving area. We're on one side of the equation. Yes. You know, writing code has become much easier. Some I I, like, I do a lot of, like, just, like, playing around with ChatGPT, like, ask it to write a script on Python to do x y z. So So it becomes so much easier to write actually injections, whenever you're sitting with the browser.

      Yasir Ali:
      So it's that superpower obviously can be misused. But in general, I think insider threat, just as a macro way, you have to not trust identity or identity is not fixed.

      Rachael Lyon:
      Right.

      Yasir Ali:
      So we need to be somewhat more cognizant and look for anomalies of usage, and how the person is behaving, you know, on a given day within the environment. And and we the day has come. The time has come, especially with AI, where that is gonna become more and more relevant.

      Rachael Lyon:
      Yeah. Agreed. It's, it's funny that you just as a quick sidebar, on kind of manipulating the system, we did have a developer here just for funsies on a weekend. He wanted to see if he could get ChatGPT to help him write a zero day, you know, malware, and it did. You know, you're just gonna change up your prompts. And and so there's so and it's human nature you wanna do that. You can't help it. You just can't help it.

      Rachael Lyon:
      But, I mean, it's it's how do you put the brakes on that? Because you do wanna test the system and and what are the limits of the system and what we could actually do with it for positive things. But also then how do you on the flip side, you know, better better mitigate that from happening in in the wrong way? And I don't I don't know if there's a clear answer on that just yet.

      Yasir Ali:
      And when you look at, like, the CVEs and vulnerabilities that do get published on a daily basis, their AI obviously I've seen this already, being used in terms of, like, processing large amounts of unprocessed data to, like, see, okay, what am I at risk for based on my environment, based on the CVEs that have got published, yesterday or something. So there's definitely a lot of good that's coming in from processing semi structured and structural, unstructured datasets. In general, though, my experience, at least with ChatGPT, the structured dataset analysis is still lacking. Like, that is an area where we still have to kinda write the Python script to do the work. GPT cannot just merge columns and crosspose properly.

      Rachael Lyon:
      Vince, this is a really great setup for you on the next question. Right? So what do we need? We need visibility and control. Right? And what's a good way to do that today? DSPM?

      Vince Spina:
      Well, I mean, listen. We're we're a little biased. Oh, by the way, yeah. So this is my first podcast, and I was told I can't, I gotta take, you know, my my current, company's, hat off and and try to be unbiased. But, somewhat hard to do. But we think, you know, it's about discovering, classifying, monitoring, you know, all those kind of things. And to us, it's, and I I loved earlier in the podcast, you said, hey, you know, data is back in vogue. And because data is in vogue, data protection is also in vogue.

      Vince Spina:
      And we do believe, you know, the componentry is, to have a really strong, data security posture model along with a really strong, data protection, solution and couple those together to have the whole, you know, data protection, 365, view, you know, solution for our customers. But, you know, as our esteemed guest here, you know, what's your thoughts, in the world of DSPM? First of all, for our audience, not to put you on the spot but if you had to define DSPM, what

      Rachael Lyon:
      Yeah.

      Vince Spina:
      What does that mean to you? And then, you know, what does it entail and, you know, what's the good and the, and the heart about it, I guess? That's a lot. So

      Rachael Lyon:
      It's a lot. It's a big question.

      Vince Spina:
      Take your time.

      Yasir Ali:
      I think if you ask, like, in a room full of, like, 10 people what DSPM means, like, industry experts, like, you'll get at least 5 different answers.

      Vince Spina:
      100%.

       

      [25:07] Holistic Data Protection Solution for Sustainable Security

      Yasir Ali:
      What you're seeing about, like, in terms of the the basic pieces of data protection kind of holistic solution, I 100% agree. So when we are thinking about data security, which is sustainable, we use the word sustainability a lot because, data security by itself is a noisy problem. Even if you get to 95, 99, 90 whatever percentage of accuracy, whatever that means, That's also a moving target in terms of what does accuracy mean, or false positive mean. Observability is number 1, obviously, like being somewhat like accurate in terms of observability of what data at rest and data at motion. That's step 1. Without that, you you can't govern, protect what you don't know. And number 2 is essentially around, protection as you as you said. That's like data loss prevention aspect like that is like can we create guardrails, optionally, for teams to be able to do stuff in line, for the business without creating too much friction in the business platforms.

      Yasir Ali:
      How can DLP be somewhat more ingrained in the business purpose? That's how we have to think about that a lot, because of we're we're we're sticking in the business application or the SaaS application stack. So for us being able to isolate incidences within Slack and manage them there where it's it's fully kind of, you don't have to come out of Slack to do something with it. So that's, like one example of that for you. So that's number 2. And the 3rd piece of this tool is human risk management, obviously. 80%, I would say there's a couple of stats which we and I'm sure you guys will somewhat agree. 80% of the violation, 85% of the violations in a large set of environment from a data security side we see is just like, sloppy behavior. Folks are like

      Vince Spina:
      Just mistakes. Yeah. Mistakes. Good people.

      Yasir Ali:
      Exactly. Yeah. So just in terms of, like, workflows and mechanisms to remind the users, hey, it could be better way. The I hate to use the word, but big brother watching, does help. We've seen repeated incidences if you do a nudge within 30 minutes or 15 minutes of an event happening to the user, go down by repeat offenses go down by that user by 40, 50% within days for similar kinds of instances at least. So it does have an effect. And the other stat is 8% of your employees will be responsible for, like, 90% of your violation traffic. Just by nature of their job, you know, the project manager or controller, whatever it might be.

      Yasir Ali:
      So it's it's a it's a long tail, but then the 10% is the real risk you still need to watch out for.

      Vince Spina:
      Right.

      Yasir Ali:
      And so that obviously, you know, understanding kind of what your normal flow business is that takes what's that kind of, understood looking for anomalies in terms of what kind of breaks the model. There you don't analyze the user. You want to basically just tell the CISO that, hey, this could be something going wrong here. So we feel that those three components kind of provide, a full maturity cycle depending on wherever you are in the maturity of your data governance in your organization. You can maybe stop with observability first. As you get more mature, maybe you'd just turn on the nudges of human risk management piece second. And then thirdly, DLP controls can be put in place selectively and then over time could be more autonomous and that has helped, CSOs and security teams in general get around that whole thing. I'm gonna install the system that's gonna break the business flow.

      Yasir Ali:
      I'm gonna get screamed at. I'm gonna switch it off again, and then this will be a tool that just sits collecting dust and checking our box. By kind of, like, providing value and and helping organization mature step by step, that I feel is very important because operationally, security needs to have the best in terms of like, as an organization, are you mature enough to even handle these kind of controls?

      Rachael Lyon:
      Right. That's a great great question. Because right now, I mean, would you say, like, DSPM is kinda like the new and shiny thing, kid on the block, and, you know, kind of what's next as we further wrap our arms around this kind of AI monster. Is it tamable? You know?

      Yasir Ali:
      Yeah. I I my personal perspective on DSPM, I'm just gonna answer that question more directly is, it's a Gartner category which is developed for DLP products in general with some, shiny things on top of it, but people are taking different approaches. Yeah. So it's it's a wild west and no two DSPM tools will look alike. So it's it's good interesting for the buyers. They can explore and and learn and see what fits them.

      Rachael Lyon:
      Exactly.

      Vince Spina:
      I was gonna I was gonna ask you, Yasir. So you get to talk to a lot of, senior people. I have the privilege of doing the same. I wanted to get a a sense of you threw some, numbers out there. When you talk to CSOs or CIOs and they're and they're honest, what percentage, do you feel they come back and feel like they really have a handle on what data they have, what, you know, what work stores it's in, data stores, and which ones are just, you know, scared to death? Because I'll I'll tell you, DSPM is a very hot topic, in our world mostly because they're really trying to get their arms around, where is my data? What is that data? Start to classify that data and then be able to take action based on, you know, those that classification and the the users, try to utilize that data. But in your world, what what do you see? Like, you know, what what percentage of your customers like, yeah, we got a pretty good handle, on on our data.

      Yasir Ali:
      Yeah. I would say, like, 5 less than 10%.

      Vince Spina:
      Okay. Good. That's it's safe.

      Yasir Ali:
      Yeah. Very, very, very little. But to your point of 3 years ago, 3, 4 years ago, when you started the company, folks were like, it's all encrypted traffic. Get the hell out of here. Problem statement now has become in the last 20 months or so, I would say, post Uber breach that happened, like, Grand Theft Auto that happened through Slack was one of the channels, which was in November 2021 or something or 2022. That's kind of where we saw a big shift. Okay. Understanding where information is and guess what? SaaS is everywhere in my organization now.

      Yasir Ali:
      Cloud is everywhere.

      Rachael Lyon:
      Yeah.

      Yasir Ali:
      I need to get a handle on it and, it's it's more around, like, like, is it number 2, number 3 priority item for me or, like, I need to buy something now right away? So it's, I think we're seeing a big swell change in the market as we see in the M and A space also a lot of DSPM companies got, taken out in the last few months. That is marker on how hard the space is becoming.

      Vince Spina:
      Yeah. I I just was gonna add, you you kinda told us a little bit about your journey and how you got here and, I know you've been in the business a while, like you said, you're still learning. We're all learning like this thing. Every time we get the answers to the test, they change the questions on us. Right? And this thing is moving. I come from a network background, and now in the cyber world. And in my days, it was all about just building a moat. It was all about perimeter security.

      Vince Spina:
      And your and, you know, your network, you knew your network. Today, networks are borderless. It's everywhere and anywhere. And, you know, some of the things that, you're talking about, man, the challenges have gone through the roof. So it takes, you know, some of these, technologies like DSPM, like DLP, to because you're not gonna control that data. What you what you can do is find it, classify it. I guess you can control it. But you gotta get your arms around it because, there are no more walls to, to organizations today.

      Vince Spina:
      Right?

      Yasir Ali:
      Yeah. And you one thing that I kind of, like, talk about is this this idea of, it used to be at least, I think it's changing now rapidly from, from a buyer's perspective, from cybersecurity specifically, it's a it's not a 0 or 1 problem. I'm protected, I'm not protected. There is a, a whole spectrum from between 0 and 1. And it's it's about, like, reducing your risk profile overall. Like, when you think about, like, a trading book, it's about hedging your book. I'm gonna buy some puts to hedge my long position on S and P, for example. And when you think about DSPM in general or data security kind of, like, more broadly, it's what you're doing by observability by putting these controls in, but maybe, restricting access to certain pieces of information.

      Yasir Ali:
      You are reducing your overall risk profile. If something does happen, the severity of that incident is going to get reduced.

      Rachael Lyon:
      Right.

       

      [34:14] Concerns about Data Security and Cybersecurity Spending

      Yasir Ali:
      And I think that is something which I still feel is lacking in the market, but that's not being, talked quantitatively. Hey. If my, like, SAC environment is controlled or my my my Azure cloud and who has access to it, what information, some basic controls. You might there could be a game changer in terms of what your, liability could be if something does happen. So folks need to think about this not as, like, okay, unprotected or not. Like, this is, like like, data ultimately is what the out output is of any hack, any breach, and what you're getting on the hook for. So I just wanna understand why I mean, any amount of money you spend on it is, like, not enough to be honest from a cybersecurity side.

      Vince Spina:
      Yeah. You're hitting on something in there. Oh, where did I wanna go? When you're talking about, you know, it's not about ones and zeros. It's not on and off. It's not black, white. It's it's gray. And, you know, we do a lot of assessments for our customers, who really wanna understand kinda where their data is and and what it looks like. What we find probably the number one surprise for most of our customers is over privileged users.

      Vince Spina:
      Users who have too much access to data that they probably shouldn't have. Like, are you saying that in the market as well? Because, you know, that talks to, when you're talking about assessing risk, it isn't there's no risk. There's full risk. It's somewhere in the middle. We're finding, you know, most of the times, it's just, you know, people that can get to, you know, content and data that they probably in their role shouldn't have access to. Seeing the same thing?

      Yasir Ali:
      100%. I think I think organizations kind of move to the Cloud. They started adopting SaaS, and now we are kind of going to the maturity cycle of, like, okay. Let's start to create some guardrails. Historically, it was difficult. And when you look at, like, governance models like C1 and C2.0, like, even the new version, whatever that is now, some of the other kind of frameworks out there, GLBA, all that. They're very specific guidelines around access to information. So you need to kinda come down to the atomic level of understanding the data.

      Yasir Ali:
      So to your point, 100%. And it's become it's it's it's no longer when you I'm sure I'll put the question back to you. Like, when you replay back the results of your assessment, it's becoming less and less surprising for folks. Like, oh, I didn't know this was there. Yeah. Okay. Fine. We need to do something.

      Yasir Ali:
      But, like, I think people are kinda understanding that they have that already. Like, used to be a surprise to a lot of folks in post assessment. I don't know what you're saying.

      Vince Spina:
      No. You know what? We're we're finding, inside of, you know, security organizations, we're actually giving them, the opportunity to be the champion, into their business leaders by, you know, by some of these technologies that we're talking about today, DSPM, etcetera, and really understanding kind of where your data is, how it's classified, who can get to it, putting that in a beautiful report form so that that security person who used to be the department of no or perceived as the department of no Yeah. Is now is being looked at as an enabler and and more often getting, you know, a chair at the big table, because they're enabler to the business. And at the end of the day, it's all about, you know, the business. Right? And And

      Yasir Ali:
      and that person should be, like, get get a much more elevated position if you're understanding the data because that could supercharge your reaction. That is like like even if you look at it from not like a cost center, from a revenue generation or a innovation perspective, understanding your data not only can help you protect it, but also help you, go faster on your AI journey.

      Vince Spina:
      Absolutely. Rich, I wanna be, I'm looking at time, and I I wanna turn it over to my, esteemed partner here.

      Rachael Lyon:
      I know. We are coming up on time. So I do have, like, a a final fun question maybe, hopefully, Yasir. We always like to ask folks kind of in the grand scheme of cybersecurity, what still keeps you up at night if anything? I I mean, are we just exhausted? And is that nothing keeps you up at night anymore? Or is there anything that's still out there that you're like, man, we really gotta get a handle on that?

      Yasir Ali:
      I mean, it's it's it's like it's it every year, every month, there's the the the scale, the the the intensity, the frequency of events, breaches, it's it's scary, to be honest. Like, so obviously, you're constantly looking behind your shoulder. Like, have I done all the controls necessary and my clients have done all the controls necessary that, at least we we're not responsible for it. So, like, I think that is obviously any product company, any product, CEO probably stays up at night because of that because, you know, you still have that I would, percentage risk at at anyone who's online at this point. So it's definitely scary, but, what's what's interesting obviously is that AI is bringing in more thinking around, like, security being an enabler, which we were just discussing. So it's very exciting times, I think, for security professionals in general, where AI can be enabler for their jobs and their jobs can be enabler for the AI journey of the organization itself. So it's it's pretty exciting times actually. We see a world merging between CIOs, CTOs, and CISOs. To a certain degree, there's some overlap coming less and less of that gap, we discussed earlier.

      Rachael Lyon:
      Yeah. No. It is exciting. It's, it's almost what is it? Like, like phase 4, the industrial revolution or something like that where you have these Yeah. Kind of magnificent earthquake moments, and it's we're just at the beginning of that journey. So I think if we were to connect in a year, revisit the podcast, I think it was gonna be a very different landscape and a very different conversation in in some ways. So Yasir Ali, you know, founder and CEO of Polymer, thank you. Thank you.

      Rachael Lyon:
      Thank you for joining us today on the podcast. It's been a really insightful conversation.

      Yasir Ali:
      Thanks for having me, Jason. Vince, this is amazing. Yeah. Awesome.

      Rachael Lyon:
      Awesome. And to all of our listeners out there, what do we do, Vince? You gotta smash the subscription button. Smash, smash, smash. Yes. And you get a fresh episode directly in your inbox every single Tuesday. So until next time, everybody. Be safe. Thanks for joining us on the To the Point cybersecurity podcast brought to you by Forcepoint.

       

      About Our Guest

      Yasir Ali, Founder & CEO, Polymer

      Yasir is the founder of Dvega, an Enterprise Data & Technology strategy consulting firm as well as a developer for credit sensitive analytics for Bear Stearns Mortgage trading desk. He brings his experience with cloud-migrations, high-speed trading system deployments and compliance software development to Polymer. He is also the founder of PolymerHQ, a No Code Data Loss Prevention for 3rd Party SaaS Platforms to limit sensitive data exposure via autonomous remediation, redaction and insider threat monitoring.