Rajan Kapoor: [00:00:00] With the co-pilots, they're going to go and look at all the data your employees have access to. Yeah. And answer questions based on that data. So if you ask like a question like, Hey, what does my chief people officer make? And it's in the spreadsheet, the co-pilot's gonna see that, see that you have access to it and bring it back for you.

Ashish Rajan: If you just focus on email security, just looking at half the problem, not the full,

Rajan Kapoor: yeah. I wouldn't even say half, right? Yeah. You're leaving out like what's in drive? Right? Yeah. Uh, what's happening with your accounts? That's why we've moved from calling it email security to just workspace security. We've been doing email security the same way for like 30 years.

We've always thought about pre-breach. Yeah. With email, we have never really addressed post-breach. You have to protect the data that's at rest in that mailbox. So you don't need to necessarily catch the data in transit anymore. Yeah. You can just go look at it where it's at. Rest. How can CISOs separate noise from the signal?

Don't just. Replace like your email gateway with another email gateway. Go and look. Start to think about post breach protection.

Ashish Rajan: If you have been looking at email security, trying to solve that with ai, you're probably seeing only half the picture. I had a great conversation with Raj Kapur, who's a field CSO for material security, about how [00:01:00] much email security has changed in 2025.

Thanks to ai, so many connecting parts like your shared storage. Things that are supposed to be just productivity applications. The whole workspace has evolved into interconnected with email, so email security has come a long way and perhaps. If we just focus on email security, this could be only looking at half the picture.

So if you're someone who's working on the email security uplift and what would that look like from an AI perspective, definitely check out this conversation with Rajan and do share it with other people who are trying to understand this particular problem as well. If you are here for a second or third time, I really appreciate a support on hitting the Subscribe button.

Follow button on Apple Spotify. If that's why you're listening to this episode. Or subscribe and follow on the LinkedIn and YouTube channels if that's for you watching this video. I really appreciate you taking the quick second to check out that you have followed us, so it means a lot of for that you're supporting the work we do.

I hope you enjoy episode with Rajan and I'll talk to you soon. Hello, Mike, another episode of Cloud Security Podcast. Of course, Rajan with me. Hey man, thanks for coming on the show.

Rajan Kapoor: Yeah, for sure. Thanks for having me.

Ashish Rajan: [00:02:00] Maybe to set the context, could you share a bit about yourself, what your proffesional background is?

Rajan Kapoor: For sure. I'm the, uh, field CISO at material security. But basically means I'm like the customer in residence. If I didn't. Work at material, I'd be a customer. Um, my background is IT and security for 20 plus years. I'm old, uh, and, um, uh, I was most recently a director of security at Dropbox and, um, have just kind of been in the industry for a little while and, uh, yeah, I came, followed my passion and doing something for the security community now.

Ashish Rajan: Uh, and one of the questions I've been asking people, uh, at Black Count has been, obviously now you focus on email security quite a bit. And what is your definition of email security? At least a 20, 25 version.

Rajan Kapoor: Yeah, so we've been doing email security the same way for like 30 years. And if you think back to Postini, which was a service that Google acquired year, yeah.

Two decades ago. At this point, we haven't really changed much with our approach to it, right? It's like, try, try and stop the bad things from coming into the mailbox and then you know, if a user sees something, let them report it and get it outta the mailbox, right? But we haven't really thought about what's inside the [00:03:00] mailbox already and how to protect that.

So today, um, in my view, uh, in Material's view email security is not just stopping bad things from getting in, but it's protecting what's already inside that mailbox in case there is a breach or in case there is something bad that's happening with an account.

Ashish Rajan: Alright. Actually, and to your point, it's a much more broader problem though.

Rajan Kapoor: It, yeah. We've always thought about pre breach. Yeah. With email, we have never really addressed a post breach. And, uh, and so, to properly address post-breach, you have to protect the data that's at rest in that mailbox.

Ashish Rajan: I, I love that. Oh, well, would you say, would it be different between, say a, uh, an ISV or an enterprise how different is it between them as well?

Just email security?

Rajan Kapoor: Yeah. I think that if I understand your question correctly, you know, like, like I, I think that like. It really doesn't matter, right? Like, everyone has a mailbox, right? Yep. Everyone's using email. It's how you collaborate externally. It's how you collaborate with your partners and you have to still protect, protect those mailboxes from the bad stuff, but.

Everyone's got super sensitive content in that mailbox. You [00:04:00] think about your own mailbox. Yeah. Right. Like what's in there. Even your personal mailbox. Right? Yeah. Yeah. Like it's a lot of stuff that you really don't want someone to get access to if they shouldn't have access to it. Yeah. Right. Apparently Google does.

Ashish Rajan: Yeah, exactly right. We'll trust them. Yeah. Leave my, I extend my trust boundary to Google. Exactly. Exactly.

Rajan Kapoor: Yeah. Um, and so it, it really doesn't matter what type of organization you are or who you're protecting, they're going to have a mailbox and there's gonna be something sensitive in there.

Ashish Rajan: Yeah. So Google Workspace, even though I joke about it what kinda security challenges does that bring into this email conversation to you, to your point these days, email is just not, Hey, yes, we were talking about pre breach or not post breach, uh, but email itself is quite complex these days. Uh, and specifically Google Workspace.

Why is that? What kind of challenges is it? Is it producing for people?

Rajan Kapoor: Yeah, so this gets into a broader conversation about Google Workspace. So email is just a piece of the pie here, right?

Ashish Rajan: Yeah, yeah, yeah.

Rajan Kapoor: There is a need for broader workspace security that you know, if you think about how people protect Google Workspace today, they have, um, [00:05:00] an email threat detection uh, service.

They'll have a DLP service, they'll have a posture management service. They have all these different services that they're, you know, that they're lack, uh, you know, bolting onto Google Workspace and they're still writing their own detections. They're pipe pumping stuff into a sim and they're writing their own detections and they're trying to really wrap their arms around Google, uh, workspace security.

The reason for that is Google doesn't offer much out of the box. You know, like if you look at the ui, yeah. There's really very limited options for building detection, uh, rules, and then responding to those detection rules. And so what's happening today with Google Workspace, or at least what we're trying to do, is you think about, um, the EDR space.

Yeah. And you think about what CrowdStrike did for like endpoint detection and response. You know, you take a bunch of different apps that you're running on your endpoint, you have a bunch of custom detections that you've written yourselves. Um, stop doing that. Just collapse it all down into one platform.

And so email is very, very much a part of that, but it's not your entire workspace security posture, right? Like you need much more to protect workspace.

Ashish Rajan: So actually to your point, if you [00:06:00] just focus on email security, just looking at half the, like half the problem, not the full problem. Yeah.

I wouldn't

Rajan Kapoor: even say half, right? Yeah. You're leaving out like what's in drive, right? Yeah. Uh, what's happening with your accounts? Is your posture where it should be? Are you seeing something suspicious happening? You seeing a suspicious login from a known network that you know the North Koreans use, right?

Like,

Ashish Rajan: yeah.

Rajan Kapoor: Really? Like unless you start to consume Google's APIs yourself. You're not gonna get that visibility and you're not gonna be able to like, detect and respond to it. And, you know, if you're an organization, you shouldn't have to consume Google's APIs to like protect workspace, you know, let us do that for you.

Ashish Rajan: Is that is that similar challenges in Microsoft 3 5, 3 6, 5 as well?

Rajan Kapoor: It's similar. Microsoft definitely has more tooling, uh, and more, more check boxes. Yeah. Levers. The challenge with Microsoft though is you know, in 2023, they had a number of breaches directly against their own infrastructure.

Ashish Rajan: Yeah.

Rajan Kapoor: So even if you had done everything right you know, with, with your, your Microsoft tenant, your M 365 tenant. They're coming through the back door.

Ashish Rajan: Yeah.

Rajan Kapoor: And detecting that and, and seeing that. And actually, you know, when the, when the state department was, uh, [00:07:00] breached, they had a canary set up, and that's what tri, that's what, uh, basically tipped them off as something bad was happening.

But doing that is, it's a lot of work. Yeah. Right. Yeah. So it's a similar thing. You know, the, the, I think the, the problem set is slightly different with the two the two environments. But it's something that you really shouldn't have to worry about as a security team. Just have something to do before you.

Ashish Rajan: Yeah. And do you find that. I mean, maybe, um, just a different question as well then. 'cause are people even aware? 'cause I feel and maybe I'm guilty of this as well, in one of the companies that I was CISO for we basically stopped the line for, Hey, I have, I don't know we have an email security solution for each Google.

Um, we were primarily a cloud shop, Amazon, like the kind of, uh, scale up companies you can imagine. And we obviously just relied on Google Basics at that point in time and to, 'cause it will get an alert 'cause they try and sell you the whole Google advanced feature, right? Able advanced security, whatever.

I wonder, what's the misconception most people have about security across your Google Workspace and Microsoft Office, office three five, as you mentioned, because this is a [00:08:00] SharePoint vulnerability going around as well at the moment.

Rajan Kapoor: That's right. Yeah. Yeah. Mic, the Microsoft environment is, I, I think, a little bit more complex because you have a lot of enterprises who have legacy tech.

They have like on-prem and they have cloud and wrapping your arms around that is, uh, you know, I, I don't envy the security teams that are in that position. Right. Google shops. Are typically younger companies who are cloud native.

Ashish Rajan: Yeah.

Rajan Kapoor: So they, you know, they started a company, we, we joke at Material that, um, you're not really a company until you have your first Google workspace.

Yeah. Fred, right. And, um, and so you start, you know, you start small. Yeah. Um, it's probably a CEO or you know, another co-founder who's. Running that tenant, then you hire someone who's going to like, you know, start to manage it for you. Maybe an IT person or a security person, or both actually. Yeah. And uh, and so with Microsoft you have like this legacy um, uh, debt.

That companies are, are, are working to pay off with Google, what you have is just this thing was just like thrown up and no one ever really paid attention to like, are the right things done from a security perspective. And over time, like [00:09:00] something can fall through the cracks. Mm-hmm. Right? Um, and, and you realize one day that, oh, we had this like app oh, often to like the CEO's account that he did himself five years ago and that app just got popped and his account just got popped.

Right? Like that's the type of stuff you see with, with Google environments, with Microsoft, it's. We have on-prem SharePoint and there's an, you know, an 0 day vulnerability and it's going around, you know? Yeah, yeah. Uh, so I think the, the, it's still a cybersecurity challenge, but the types of challenges are very different between the two environments.

Ashish Rajan: And I guess to your point should we approach to email security? We kind of spoke about the broader landscape. Feels like way you're going with this is that you need a lot more context instead of just focusing on your DLP quote unquote for your email. Yeah. You need a lot more context around it.

Rajan Kapoor: Yeah. There's, uh, you need, you need context. You need to understand what's happening with that email. Right. You know, you like, um, do you see a, you know, so the first problem is getting visibility, right? Mm-hmm. Like even seeing what's inside a mailbox has historically been a very hard problem. Yeah. Um.

Email security services focused on in transit. So if it was going in and out of your [00:10:00] organization, you would see it. If it's going within your organization until very recently, you wouldn't really see it. Right. If it was going from one of your employees to another employee. And that's, for companies that are email centric, there's a lot of data that's going between employees.

Right. So once you get that visibility, then it's classifying it, right. And understanding what's in that mailbox, right? And then it's like, okay, now we've found it and now we know it's in there. Um, where is it going? Is someone forwarding, you know, sensitive data to their personal account? Mm-hmm. Is someone forwarding sensitive data to like, you know, a competitor?

Mm-hmm. Um, is you know, is it being used in ways that it shouldn't be used as being accessed in ways that it shouldn't be accessed? Do you have a sales person? I always pick on sales team. Sorry, sorry Kevin, if you're out there. Um, but, uh, uh, you know, if the, uh. Is there a salesperson who just put in their two weeks notice and is all of a sudden accessing a whole bunch of contracts?

Ashish Rajan: Yeah.

Rajan Kapoor: That's in their mailbox and taking it out the door with them. And then finally, if someone gets into that mailbox, who doesn't belong there?

Ashish Rajan: Yeah.

Rajan Kapoor: They have unfettered access to everything, right? Like there's [00:11:00] no, like per email like security, uh, that, that stops someone who gets access to an account from just.

Exfil trading everything, right?

Ashish Rajan: Yeah. Yeah.

Rajan Kapoor: Um, and so we looked at each one of those like, areas of email security and tried to rethink like how to, how to approach it. But really you need to understand what's in there, what's happening with it, and protect it because it's,

Ashish Rajan: it's not just your email anymore.

You have drives, you have chat bots and copilots and Yeah, that's right. Everything else that's going around as well.

Rajan Kapoor: Yeah. And, and that's exactly it. It goes back to what we were talking about earlier. Email is just one piece of this pie, right? Yeah. Like one size is pie. It's um. Then you start thinking about drive.

What's in drive? How is it being shared? Is there payroll data in a Google um, sheet that it has a public link attached to it? And what's interesting with, you know, you're talking about copilots, right? Yeah. A lot of, until up till now, companies have not really focused on like drive sharing.

It's been a very hard problem. Oh. And like, you know, an employee can just throw some data in a, in a file. Yeah. And just share it the way they want to. Yeah. Right. With the copilots, they're going to go and look at all the [00:12:00] data your employees have access to. Yeah. And answer questions based on that data.

So if someone in the hr department. Incorrectly shared payroll data. Not with a public link, but just with an internal link, right? Yeah. The co-pilot's not gonna know that. Like your employee, it's not

Ashish Rajan: supposed to know that. Yeah.

Rajan Kapoor: And so if you ask like a question like, Hey, what does my chief people officer make?

And it's in the spreadsheet. The co-pilot's gonna see that, see that you have access to it and bring it back for you.

Ashish Rajan: Yeah.

Rajan Kapoor: Right. So now it, it's very similar that you have to get the visibility. What's in those files? Um, classify the data that's in there.

Ashish Rajan: Yeah.

Rajan Kapoor: And then understand how it's being shared.

And then take actions to prevent, sharing that could lead to bad outcomes. Like I just, I just, uh, laid out there.

Ashish Rajan: Yeah. I think a lot of people kind of always, it's funny, I think, um, before I became a CISO my naive understanding of email security used to be is to protect my CEO from, uh, getting scammed or phished or whatever as well.

And I think where you're going with this is like, there's a lot more. I guess tentacle, for lack of a better word, that email has these days that you need to kind of keep an eye out for. [00:13:00] It's not just my I guess it is improvement in phishing scams and all of that. Yeah, because like, I don't get emails from Nigerian Prince anymore saying me gold, but at least that's a good thing.

Uh, that's right. We've made progress. There's some progress, right? Yeah, yeah. There's some progress there in phishing. But I guess the, the true reality is that maybe I'm just looking at the wrong part. I'm just focusing on the wrong problem. Because the way I thought about this, at least traditionally, has been, oh, I'm, my email security is about detecting a malware, uh, in an email or a PDF or whatever.

Or a phishing scam. 'cause you're almost saying that there could be a connection between my Google Drive and the email that I got between them. Uh, was there an incident as well or was there a use case that kind of solidifies this or maybe a customer story around this?

Rajan Kapoor: Yeah. So, yeah, there, there's a story.

Uh, you know, it's, uh, you can see basically what we've seen is you know, email is a vector. Yeah. For attack. It's also a target. But let's focus on as a vector right now. Yeah. Right. So someone gets an email, um, they click a link and they are asked to OAuth you know, [00:14:00] grant an app access to their account by OAuth, right?

Yeah. What they've just done is given an attacker persistent access to their account and depending on the scopes of that OAuth app that they probably have access to a lot of stuff in that account. Right? Yeah. And detecting even that, right, like malicious OAuth app just got installed. Yeah. Is super hard with Google and Microsoft.

You can write a detection, right? You could absolutely write a detection to do it, but like not every security team has the expertise to do that. And even if you have the expertise, if you have threat detection engineers on staff. They should be focusing on like what's important to the company. If you're a, if you're a finance company, like focus on fraud, focus on account takeovers that are draining money from your, um, employees, you know, things like that.

Ashish Rajan: Yeah.

Rajan Kapoor: But then you, so you have the so off app installed.

Ashish Rajan: Yeah.

Rajan Kapoor: And now it's looking, it's, uh, exfiltration of files, you see of emails, and they're just taking everything they can out of there.

Ashish Rajan: Yeah.

Rajan Kapoor: And they'll go, they'll go back and look at it later on. Excuse me. They'll go back and look at it later on.

And, um, getting signal on any of that today is [00:15:00] really hard. And that's why we've moved from calling it email security to just workspace security. Right. It's, uh Oh, okay. Like just it's workspace security and email security is, is one part of it. Right. And you can't think of it as its own thing anymore.

Yeah. Because to your point, it is all interconnected.

Ashish Rajan: Yeah. I think these days. Funny enough, un under the, under the banner of productivity. We have linked all of it together. Uh, and by the way, I'm, I'm not saying it's a bad thing, it just, it's, that's how work is done because you're well able to collaborate and all of that.

Right. I think it's just more the fact that now you just opened up yourself to. Potentially a bigger threat risk for lack of a better word but in the sense that it cannot be managed, it can be managed. It just being aware of the fact that, hey, now you have, uh, probably just cared about email security now has to care about your Gmail, Google Drive, your chat window chat history.

Prompt injection inside a email, right? I don't know. Right. Are there actually any AI kind of threats actually impacting ai uh, email security outta curiosity?

Rajan Kapoor: There's been a couple of proof of [00:16:00] concepts that I've seen. I haven't seen anything in the wild yet, but yeah, definitely like, you know, um, AI prompt injection is, uh, is, is starting to become interesting to people.

But I think not many people are using AI to manage their mailboxes just yet, but it will happen. Okay. Right. It'll start to grow. I think what's more concerning are those copilots that we were talking about earlier, right?

Ashish Rajan: Because they have, have access to your shared drive and Google Drive, whatever.

Yep. And, but 'cause I mean, to your point, it's almost like people would always, okay, who's looking after this? 'cause I feel like, because. Email security was traditionally like an it or corporate IT thing. Right? Right. And we are not talking in terms of shared drives Yeah. Google Workspace.

Rajan Kapoor: Yep.

Ashish Rajan: How, how should a CISO approach, uh, email security conversation now?

'cause I mean, obviously we did an updated, updated definition of what 2025 email security is. Yeah. So how should someone in a decision making position today, perhaps leading a corporate IT world or has it corporate security as part of their remit within as a ciso. How should they be looking at this?[00:17:00]

Space though.

Rajan Kapoor: Yeah, that's a good, that's a very, uh, complex question. Yeah. I could spend, I could spend an entire podcast just talking about that. I have some thoughts here. It's interesting. We've seen an evolution where, um, security used to report to it. Yeah. Uh, like a decade or so ago, and then the two teams got split off and maybe you had a CTO that both teams reported to.

Yeah. But it became their own domains. Yeah. What didn't change is the require requirement for like strong collaboration between IT and security, because security can put the controls in place. Yeah. But when it comes down to doing like the day-to-day operations of maintaining the controls or responding to them, very often you see like an IT team.

Yeah. Doing that. Yeah. I think that there's no one organization that. Owns this today, they'll own different parts of the the problem.

Ashish Rajan: Yeah.

Rajan Kapoor: And that's why, like, putting in place tools that make it easier for the teams to collaborate with each other is important. Yeah. So, and I'll give you an example of that.

If you have a bunch of, detections that you've, your security team has written that's, you know, firing to your sim and then, um, or, uh, you know, loading off of your sim and then they, they fire off a Jira ticket [00:18:00] or some other like, support ticket for the IT team. Yeah.

Ashish Rajan: Yeah.

Rajan Kapoor: You're splitting your team between all of these different tools and like the IT team doesn't really understand the detections, they can't go and like get more information from the detection itself.

They have to go look at your now and like do some investigations themselves. Or you have like a security analyst doing investigations, handing stuff over to the IT team. Um, because the IT team very often are the ones who go and then interact with the end user. They're the ones who have like the right scopes into, Google Workspace or, or Microsoft 365 to take action.

And. And so you end up, you, you slow down to teams, number one, which is not great when there's something bad happening. You have them jumping between tools, which means con, like a a a signal could get lost.

Ashish Rajan: Yeah.

Rajan Kapoor: Like, going back to the example I gave earlier, they might see like a whole bunch of data leaving their org.

Maybe there's a detection for that. They might miss the fact that an OAuth app got installed.

Ashish Rajan: Mm.

Rajan Kapoor: Right. Because they're working through different tools. They're not, they don't have this one pane of glass that they can see everything in.

Ashish Rajan: Yeah.

Rajan Kapoor: So you have multiple teams, multiple tools. It's gonna be a bad time.

Mm-hmm. Um, and so to, you know, to your point of like how [00:19:00] to think about this as a ciso. It's really how do we re re reduce the friction between these two teams working together? Okay. And the way you do that is reducing the complexity, right? Reducing the number of tools, reducing like the manual work that you're doing to Yeah.

To get your coverage.

Ashish Rajan: I is CASB playing a role in this as well, like the cas CASB and 'cause I feel like a lot of people went down the path of saying, Hey, I've got my SIEM for email security. Like the, someone exploring data. Yeah. CASB was also another component, so. Is, is that also playing a role here in terms of the traditional version of it is not looking into all of this, at least from my understanding.

Rajan Kapoor: Yeah. So what's in, I'm seeing, I've been having a lot of conversations. We're here at Black Hat and I've been having a lot of conversations with, um, CISOs and CASB has a role to play, you know, or like the, you know, the, the network based security controls have a, have a role to play. But what's interesting is I'm seeing.

One of the reasons we're able to do what we can do is because APIs exist today. Yeah. Right. Every mailbox has an API, every account has an API, um, Google Drive has an API. And so you don't need [00:20:00] to necessarily catch the traffic in transit, right. Or the data in transit anymore. Or you can just go look at it where it's at rest.

Right. When, when we moved to SaaS as a security industry, we lost control of the infrastructure. And that was good because we don't have to like, maintain infrastructure anymore and, and patch stuff. But it's, it was bad because we lost access to the data at rest and we're finally getting access back to that data at rest.

Yeah. And so like the CASBs of the world, I think were, came into play because we didn't have access to that data when it was just at rest. Right. We had to catch it in transit and we had to see what was happening to Oh,

Ashish Rajan: right, okay.

Rajan Kapoor: And then there was also, you know, CASBs also tell you, you know, can enforce DLP rules and things like that.

So there's definitely a role for them. But I think right now what I'm seeing, the trend that I'm seeing is a focus on the endpoint and a focus on the browser, and then a focus on, um, API based security tools.

Ashish Rajan: Oh, right, okay. API based security tools, browser and the endpoint.

Rajan Kapoor: And that's where like security teams are going to start get, like they're putting.

Tooling in place to [00:21:00] get visibility into each one of those areas. Because if you think about, okay, endpoint's your laptop, right?

Ashish Rajan: Yep, yep, yep.

Rajan Kapoor: Malware's on there. Something weird is happening on there. You wanna know, right? Yeah. CrowdStrike has, you know, and their, you know, their cohort of, uh, app of um, competitors have like solved that problem, right?

The browser stuff is just starting to get solved, right? Because you think about like the, the browser basically is like another version of an endpoint, right? Everything you do. Through a browser today. Yeah, and so getting like better telemetry there, getting better controls, I'm definitely seeing a lot of customers talking about going in that direction.

And then, and a lot of CISOs. And then finally this idea of API based security is very, very, very nascent. And I am seeing CISOs just starting to wrap their head heads around the fact that, oh, like tools, like material that can now give me access to the data at rest again. Can give me a completely different way of protecting my data and getting visibility into it that I've lost for like 20 years, and now it's back again.

Ashish Rajan: And to your point, it's back because now we have SharePoint, Google Drive, all that interconnected to my email. So I actually can go [00:22:00] back into the data points before. Yeah.

Rajan Kapoor: And, and not even into just like, they're just accounts, right? Like if, like we have to pivot from thinking about like the mailbox to thinking about like the account, right?

Yeah. So like Rajan at material security is a mailbox, right? But then in my account has also drive, it has, you know, MFA settings. Yeah, it has. All right. So there's an API for like almost every single aspect of the account, right? And you can go and start to consume that. What we do is we take in your settings, we take in your content, right?

And we take in your logging and that's all you need to understand what's happening with an account very broadly, right? So we do that. We just, um, and, and, yeah. So, it's, it is very, you know, I I, you know, I know we're talking about email security, but it really is just this like very like, like edge of like protecting the entire count.

Yeah. And, um, and the CISOs I think are starting to realize that they can. They need to think beyond email security and think about the broader like workspace environment. It's a holistic picture

Ashish Rajan: then.

Rajan Kapoor: Yeah. A very, exactly. A more holistic picture and a more holistic like view of, of the account.

Ashish Rajan: So I guess what should CISOs be looking out for?

'Cause I, I almost feel that there is a version where [00:23:00] you would have people who would. Obviously would wanna separate the noise from signal. Mm-hmm. Um, and based on what you're seeing, what and brow, I concur on the browser security part as well, the API security part as well. It, the world is evolving, uh, whether it's ai, not ai, it's, it's evolving.

How can CISOs separate noise from the signal when they're making like everyone has an email security solution today. Yeah. So it's like, so. What if they're thinking of an uplift for whatever the new AI threat or whatever threat may be, how can we separate the signal from the noise, uh, based on what you're seeing?

Rajan Kapoor: Yeah, that's a, that's always been a difficult, uh, thing in, in the security industry specifically. Yeah. There's always a lot of, um, there's a lot of solutions out there that claim to do things that then you put them in place and when they're actually deployed, you're like, okay, this isn't what, what I was expecting.

Um. I, I think honestly, the easiest way to separate a signal from a noise is talk to your peers. See what they're using. Right? Yeah. There's always been a source of great information in the security industry. In fact, I, like when I, when I was a buyer, I wouldn't [00:24:00] buy a thing without talking to one of my friends and finding someone who had used it first.

Yeah. And then the second is like, really start to think about the problem set differently. Give it away from just, email, for example, whatever you're thinking of, like whatever domain you're thinking of. Think about it differently and then restructure your proof of concepts with your, uh, vendors.

Yeah. To not just look for tra traditional security controls anymore. Look for the newer stuff. Look for stuff that actually, you know, don't just replace like your email gateway with another email gateway. Yeah. Right. Like, go and look. Start to think about post breach protection. Start to think about if you're thinking about browsers, think about like DLP and the browser itself, right?

And like con controlling data in and out of that browser. Um. Just, yeah, start to think about the problems differently and then make sure that the way you're testing the application is, it covers all of that. Right.

Ashish Rajan: Sure. Fair. Uh, I mean, those, those are the technical questions. I've got three fun questions for you as well.

Let's do

Rajan Kapoor: it.

Ashish Rajan: All right. Uh, first one being, where do you spend most time on when you're trying, not trying to solve the email security problems of the world?

Rajan Kapoor: My coworkers are so tired of hearing about this. Oh. I, um, [00:25:00] during the pandemic, I went down a very deep rabbit hole for automating my home. Okay. And I just like to, I just tinker and automate and like, I love to I love my environment to respond to me.

Oh yeah. And, uh, me not to have to respond to my environment. So I don't wanna touch a light switch. If, um, if I'm going to the bathroom in the middle of the night, I want the lights to just come on a little bit, you know, and like, and if it's the middle of the day, I want them to come on all the way. Right.

So I just spend a lot of time

Ashish Rajan: automating my home. Wait, so, uh, are you also someone who's basically replaced your front, the key lock into like, one of those, like a smart lock? Yeah. Yeah, yeah. Yeah. Is that a fingerprint or one of those ones?

Rajan Kapoor: No, it's just, I, I mean we're a def go. It's about to be Defcon, so I don't wanna give too much information.

Yeah, yeah, yeah, yeah. Fair. It's a, it's a smart lock for sure. Yeah, because I,

Ashish Rajan: I find like, and maybe this, the reason I said that is because I. In my previous home I had one of those, and I, my wife and I would always have this challenge of, should we still carry a key in case the battery dies? Yep,

Rajan Kapoor: yep, yep.

Ashish Rajan: Always carry a key in

Rajan Kapoor: case the battery dies. That's, you know, you need to like always have like a manual like backup, right? Yeah. But, but it is, yes. My phone, right as I walk up, it detects my phone, unlocks the door, and I, and I walk in. Oh. You know, because I, I

Ashish Rajan: feel like [00:26:00] people can do that with their cars and stuff as well.

Like he's starting to get there. Yeah. It's uh, yeah. I think a friend of mine, he's CISO as well. I think the way it works for him is the moment his car drives into the driveway. Lights turn on. Yep, exactly. Music turns on. I'm like, holy shit man. Love. How far have you gone? Love it. It is great. He said, no, I like a certain environment when I walk into my house.

Am I okay? Yeah, yeah, yeah. Fair. Yeah,

Rajan Kapoor: it's great. And then, because I have motion sensors everywhere, I don't have to yell at my kids about leaving the lights on. You know? Hate go off automatically. Right. It's great.

Ashish Rajan: Oh, actually, yeah. Fair. Fair. I mean, I was gonna say, yeah, I think there's a lot of people I have that challenge.

They're like, why are you leaving your lights on? And like, oh, okay. Fair. I mean, and uh Oh, okay. And the second question, what is something that you're proud of that is not on your social media? So I don't have social

Rajan Kapoor: media. I have LinkedIn and that's it. Oh, right. I don't have Instagram and uh, and Facebook.

Um, that was intentional. I, something I'm proud of that's not on my social media is a good question. I think just, um, you know, if you look at my, my work history on LinkedIn, like I've had a ton of experience in a bunch of different industries. And I'm proud [00:27:00] of, like, I, I like to take risks.

Ashish Rajan: Mm-hmm.

Rajan Kapoor: I'm not someone who just like chose a career and followed it, you know?

And, and I, I am really, um, when I look back on my career, I'm really happy with like the risks that I took that I was willing to like, get outside of my comfort zone and, uh, and do things that maybe someone might the same position wouldn't, wouldn't be comfortable doing.

Ashish Rajan: That's awesome. And uh, final question.

What's your favorite cuisine or restaurant you can share with us? Ah.

Rajan Kapoor: The cheesy answer is, uh, my mom's cooking is my favorite, but, um, make sure she hears the episode there. Um, but I'm, I, I love living in cities because you get to try everything. Yeah. But I'd say right now. Ethiopian food.

Oh, bread and all of that. Yeah. And I'm not usually a vegetarian person. I love vegetarian Ethiopian food. It's really so good. Yeah. Wait, so you

Ashish Rajan: are giving up on DVAs, the chicken DVAs for Yeah, yeah, yeah. 'cause like the, the lentils are good, you know, like, oh, you know, it's

Rajan Kapoor: just so tasty and, um, and I mean, I don't mind the meat, but like, I just sit and really enjoy vegetarian Ethiopian food.

Yeah.

Ashish Rajan: Oh, I kind of agree. I, I feel like I, I've had lentils. I, I [00:28:00] guess I've had the Indian version then theirs is a bit different. Yep. Yeah. And it's very similar, but it is. Yeah. Yeah. It, I don't know how to describe the, it does taste a bit different. Yeah. And, uh, in a, in a good way. And I'm like, so, uh, my wife and I have gotten into Ethiopian, uh, in general bread and all of that.

So you love in ginger bread and all of that? Yeah. Yeah. It's so good. It's

Rajan Kapoor: so tasty. You know, it's, yeah.

Ashish Rajan: I, my, I. I wanna go as far as saying it's even healthy. Yes it

Rajan Kapoor: is. That's the thing.

Ashish Rajan: Like you eat it and the next day you're fine. You know? I feel pretty good. Yeah. You don't feel like you've had a massive meal and you're like, but you

Rajan Kapoor: also don't feel like you missed out.

It's so good. It's so

Ashish Rajan: tasty. Right? That's right. And I think at least for me, what I enjoyed, and I don't know, I don't know if they do it in the city years than. They, if you are a couple or a family, they give you one big play to share. Yep. A

Rajan Kapoor: hundred percent, yes. And my daughters, we'll sit down, we'll get like the meal for four and just like, you know, like you pick away at it.

Really good. Yeah. Yeah. I think I, I,

Ashish Rajan: I, yeah. Again, we can talk about food forever. I'm gonna hold myself there. We can people find more information on material security and connect with you as well.

Rajan Kapoor: Yeah, for sure. Head over to material security. So material security, you'll find us there. We do something very interesting for the security industry.

We actually put our [00:29:00] pricing on our website so you can get an idea. Oh, we transfer it there. Just put it up. Right? Like why? And, um, and we tell you what you get with, you know, we have a couple ways that we bundle this and then me, you can find me on LinkedIn, you can email Rajan at material security. Um, but uh, yeah, don't be shy.

Uh, find

Ashish Rajan: me. I'd love to talk about this stuff. I will put the links in the show. But thanks so much for doing this on the show. Thank you for answering the questions as well. I enjoyed the conversation. Yeah, thank you for having me.

Rajan Kapoor: I really appreciate being here.

Ashish Rajan: No problem. Uh, thank you everyone for tuning in as well.

See you next time. Thank you so much for listening and watching this episode of Cloud Security Podcast. If you've been enjoying content like this, you can find more episodes like these on www.cloudsecuritypodcast.tv. We are also publishing these episodes on social media as well, so you can definitely find these episodes there.

Oh, by the way, just in case there was interest in learning about AI cybersecurity, we also have a sister podcast called AI Cybersecurity Podcast, which may be of interest as well. I'll leave the links in description for you to check them out, and also for our weekly newsletter where we do in-depth analysis of different topics within cloud security, ranging from identity endpoint all.

The way up to what is the CNAPP or whatever, a new acronym that comes out tomorrow. Thank [00:30:00] you so much for supporting, listening and watching. I'll see you next time.

‍