Did you know that 75% to 85% of your mission-critical applications are now SaaS? Despite this massive shift, most employees access sensitive corporate data using consumer browsers that were built to deliver ads and monetize users. In this episode, Ashish sits down with Michael Leland from Island to discuss the rise of the true Enterprise Browser. Michael explains why simply putting an enterprise management layer over Chrome or Edge isn't enough, as they fail to handle critical requirements like multi-tenancy (e.g., separating personal vs. corporate Gemini instances) and identity-driven access. We explore the massive tech debt caused by legacy Secure Web Gateways (SWG) and atomic Data Loss Prevention (DLP) rules, and how creating an "application boundary" helped one customer reduce their 12,000 DLP rules down to just 200. The conversation also dives into the explosion of Shadow AI, how AI agents are moving from the web to the desktop CLI (like Claude Code), and why security teams must evaluate prompt injection risks at the client side rather than relying on backhaul proxies.
Questions asked:
00:00 Introduction
02:50 Who is Michael Leland? (Island, SentinelOne, McAfee)
04:00 Why Consumer Browsers Are Dangerous for the Enterprise
04:40 Island's Chromium Fork: Removing 40% of the Code
05:40 The AI Shift: From Web Apps to Desktop CLI Agents
07:00 Consolidating the Control Plane: The Problem with SWGs and EDRs
09:00 Chrome Enterprise vs. True Enterprise Browsers
10:20 The Multi-Tenancy Challenge with AI (Corporate vs. Personal)
15:50 Why Legacy DLP Fails: Replacing 12,000 Rules with 200
16:50 The "Say Yes" Use Case: Safely Enabling AI
17:40 Shadow AI Discovery: From 7 Approved Tools to 243
23:20 Building the ROI Business Case for the Board
24:30 The Rise of the Chief AI Officer
26:50 Fun Questions: Cycling, Regular Expressions, and Crocodile Tasting
Michael Leland: [00:00:00] 75 and 85% of mission critical applications are now SaaS. Yes. So you're now using a browser to access all your business application sensitive data, intellectual property, but you're doing it in a consumer browser. It was built to monetize you, to deliver ads, to track ads. Of all the CVEs and zero days that have been announced against Chromium in the last 18 months.
I have customers that they had 12,000 atomic DLP rules. They told me coming in that they had seven approved AI products. We deployed the browser, 243 products. Wow. Is what we discovered. IT and security have long been the department of no.
Ashish Rajan: Yeah.
Michael Leland: Right. No, you can't because I won't have visibility. Yeah. No you can't.
'Cause I don't have governance or compensating control. That's how some customers are addressing AI. They say no until a certain line of business comes in and says, okay, fine, we'll poke that in and it's becoming Swiss cheese again. 'Cause you can't protect what you don't understand.
Ashish Rajan: If agentic browsers. LLM running through APIs or CLI for that matter, is of concern to you.
You probably have also heard of terms like enterprise browser is a way to go down this path. Now most people will tell you you probably need an [00:01:00] LLM firewall, enterprise browser security, or even an endpoint combination as well may, perhaps even a combination of all these three. Fortunately I had a conversation with Michael Leland from Island where we spoke about some of these changes that have come through.
For example, SaaS with AI these days is not just your. Gmail that you use for work, but Gmail that you use personally as well, to be able to separate that AI agents are running not just on your browser as a agent capability, but they're also running on your CLI. How should people working in cybersecurity approach this evolving world of how AI agents are creating almost an ecosystem in your entire IT environment, not just from the browser, but all the way into the CLI as well?
Another thing that I learned from my conversation with Michael was about the browser itself. How in the past I normally used to rely on the fact that because I already have subscription to Microsoft or Google, my browser security components are covered. Turns out Chromium, the engine behind most of the popular modern browsers, has been compromised multiple times in the past and may get compromised in the future as well. And looking into the browser may [00:02:00] only be looking at one of the challenges that AI may be bringing into your IT environment. I spoke about all of this and a lot more with Michael in my conversation at RSA.
If you know someone who's working on browser security or in general how to secure how AI agents work in an ecosystem that today consisting of CLI browsers and perhaps APIs as well. Definitely share this episode with them and if you're here for a second and third time and have been finding episodes of the podcast valuable, I would really appreciate if you take a quick second to hit the subscribe, a follow button, no matter which platform you listen or watch this podcast episode on.
We are on all podcast platforms, including Apple, Spotify, YouTube, and LinkedIn. It only takes you a second. It does not cost anything, but it helps us reach more people. So thank you so much for all the support. This conversation was recorded at RSA. I also wanted to say thank you to everyone who came up to us and said hello at RSA, made us feel so loved for the work we do here. Thank you so much for all the love and support. I hope you enjoy the episode with Michael and I'll talk to you soon. Please. Hello and welcome to another episode of Cloud Security Podcast, I've got Michael with me. Thanks for coming on the show and
Michael Leland: thanks for having me, Ashish,
Ashish Rajan: and [00:03:00] maybe we set things off.
Could you share a bit about yourself what your background in cybersecurity so people have some context as well?
Michael Leland: Sure. So I joined Island about two years ago.
Prior to this, I was chief evangelist and strategy officer at SentinelOne. So I've been on the EDR side, SecOps.
Ashish Rajan: Yep.
Michael Leland: Prior to that, I was co-founder and CTO of NitroSecurity before we got acquired by McAfee in 2011.
Ashish Rajan: Mm-hmm.
Michael Leland: But it goes back as far as the early nineties with a company called Cabletron Systems.
Ashish Rajan: Okay.
Michael Leland: So, uh, networking, network security, cybersecurity, security operations, and now executive.
Ashish Rajan: Oh, wow. Okay. So you've kind of seen the plethora, so probably maybe this is. Good for the topic as well because we were gonna talk about browser security, but a lot of people, and I will include myself in there before we had the conversation, where this is the skepticism, is that browser is a solved problem.
Like I have done IE Edge, Firefox, like name, the name, the browser you can think of, like why is browser security now kind of coming back as if it's gonna come back again. I guess what, why is there a need for that now and what before that, what was missing?
Michael Leland: Yeah. So it's not what was missing it's what was [00:04:00] there that we didn't want, right?
So think of it this way, if you believe, and most organizations tell you between 75 and 85% of mission critical applications are now SaaS, right? Yes. So you're now using a browser to access all your business application sensitive data, intellectual property. But you're doing it in a consumer browser.
Ashish Rajan: Mm.
Michael Leland: Right. Which there's nothing wrong with the consumer browser for doing consumer activities, but just know that consumer browser was built to monetize you. Yeah. It's it to deliver ads. To track ads. So we looked at the consumer browser architecture about six years ago and said if the enterprise were adopting an enterprise application delivery suite, shouldn't they be using an application that was built secure by design and enterprise grade?
Now we started from the same foundation everybody else did, Chromium, right? Yeah, yeah. It's the, we stood on the shoulder of giants.
Ashish Rajan: Yeah.
Michael Leland: But when we looked at the code base of Chromium, about 35 million lines of code, we decided that about 40% of that code was consumer.
And so we ripped that out when we forked Chromium and decided the first thing we needed to do was harden the underlying platform of Chromium.
Ashish Rajan: Right.
Michael Leland: So we built an entire enterprise fork of [00:05:00] Chromium. And the first thing we did, and what we continue to do, is harden the browser itself, and the most important thing about that is the results of us hardening over the last five years meant that of all the CVEs and zero days that have been announced against Chromium in the last 18 months, Island is already immune to about 80% of that. Right. So we don't have to manage the attack surface anymore because we started out by managing it.
Ashish Rajan: Oh, but why is it AI that's driving it more? 'Cause to your point, I understand the fact that Chromium is a known browser ecosystem engine, whatever you can call it. But is it more AI adoption that's driving the, by the rising of the conversation for browser security? Now, again,
Michael Leland: yes and no.
Ashish Rajan: Okay.
Michael Leland: The original driving force was SaaS.
The original driving force was, most of my work I'm doing sitting inside of a, a terminal, a web browser.
Ashish Rajan: Right, right.
Michael Leland: Okay. And if you think about it, we've gone, this pendulum has been swinging from centralized to decentralized computing. And so decentralization like a SaaS application means that all of our workstations are now the desktop, right?
Yeah. And the browser is the new desktop. It's what we're using to get [00:06:00] access to our applications. We joked earlier about. Is it the new operating system?
Ashish Rajan: Yeah, yeah, yeah, yeah.
Michael Leland: Yes and no as well. The more applications that are now rendered through the browser means that we have a, we can funnel our attention to addressing the attack surface, the data protection around that surface, but where most other applications went from thick apps.
To SaaS.
Ashish Rajan: Yeah.
Michael Leland: AI is the first one that I've seen in less than 12 months go from predominantly web based to desktop. Claude Code, Gemini CLI.
Ashish Rajan: Yeah.
Michael Leland: Right. Yeah. All of these tools are now agentic based. Mm-hmm. And those agents want access to your desktop as well.
Ashish Rajan: Yeah, and I guess, but to your point, because the way people look that at I, and a lot of people already have control planes on.
The network side, the identity side. I'm just gonna brand like, oh, there's EDR, XDR. You can keep listing out all the things that we've been already doing and which is kind of where a lot of the assumption for, Hey, isn't browser like the solved problem? 'Cause I have all these layers of defense. Yep. For lack of a better word.
Are they blinded by or are they blind spots? These, is that why
Michael Leland: So blind [00:07:00] spots, yes. But more importantly, they've amassed a huge amount of tech debt. They chose their EDR vendor five years ago. They chose their SWG vendor six years ago. The SASE architecture hasn't changed evolutionally in a decade, right?
Ashish Rajan: Yeah.
Michael Leland: So the challenge they have is they've now got too many control planes. They've got a data plane, a control plane, and the protection side of things is now spread out across multiple consoles.
And I can tell you, the human brain doesn't multitask. It does one task until it puts that task aside.
It picks up another task. Think about the, the day in the life of a SOC analyst.
Ashish Rajan: Yeah,
Michael Leland: Right? A practitioner who's sitting there trying to bounce back and forth between: Is this a DLP policy to worry about? Is it an EDR policy? Do I have to go to my SWG console?
And so trying to manage all of those different control planes does create gaps.
It also creates cost and complexity. Right? So our goal was to minimize that, to reduce cost and complexity, to drive as many capabilities into a single control plane as possible.
Ashish Rajan: Yeah.
Michael Leland: Not to say you adopt the entire platform day one.
Ashish Rajan: Yeah.
Michael Leland: Um, but. We started with a browser, we added the extension, we added the [00:08:00] desktop component that allows us to create this application boundary for not only web apps, but also thick apps.
Ashish Rajan: Yeah, yeah, yeah.
Michael Leland: And then we started looking at the adjacencies that made sense to our customers.
Ashish Rajan: Hmm.
Michael Leland: We know they need a SASE, they need a ZTNA solution. Mm-hmm. So we architected that. We know they need digital employee experience 'cause they need to track application performance metrics.
But because we have a presence on the device, not just in the browser, but. At the kernel level.
Ashish Rajan: Yeah.
Michael Leland: We get to see not just application metrics, but local device resource information. So if you're troubleshooting what root cause of a performance problem might be.
Ashish Rajan: Yeah.
Michael Leland: It's not always the application team that has to solve a performance problem.
Sometimes it's the network team. Sometimes it's the end user compute team. Yeah. Sometimes the answer. Is that Dawn needs to move closer to her wifi hotspot, right? Yeah. And so the ability to, to pull both sets of that telemetry together yeah. Gives you phenomenal high fidelity information to actually make the right decision earlier.
Ashish Rajan: A lot of people may also, and I've been victim to this in the past as well, where a lot of traditional browsers also have, for lack of a better word, built-in security [00:09:00] policy, whatever you wanna call it. What would an enterprise browser do in addition that a traditional policy driven browser that I'm controlling with my Microsoft whatever, or Google whatever is gonna miss.
Michael Leland: So that's a really good point. Enterprise versions of other consumer browsers and I would say Google Chrome Enterprise, Microsoft Edge for Business. These aren't enterprise-grade browsers. It's an enterprise management layer on top of a consumer browser. Right. Oh, interesting. They didn't fork, they didn't rearchitect Chromium, which means their attack surface is still just as large as the one that my 90-year-old grandmother installed off.
Yeah. Her download. So the most important thing though is they miss identity and tenancy. So you authenticate into an enterprise browser, uh, with your existing IdP credentials.
And it's through that authentication. That we drive identity driven least privilege access, which is the first principle tenet of zero trust.
Ashish Rajan: Yeah.
Michael Leland: But then we also look at not just who you are, we look at the device posture of your [00:10:00] platform. Is your disk encryption turned on? Is your screensaver turned on, firewall, locks? Like all of those things?
Ashish Rajan: Yeah. Yeah.
Michael Leland: And the most important thing is that. The verdict from that device posture assessment, which we perform every 60 seconds.
Yeah. 'cause security drifts. The verdict from that can drive a dynamic policy. So identity is the first piece. Next is device posture then is network location. Mm-hmm. Are you physically on the corporate network or are you coming in from a Starbucks wifi hotspot.
And last is geography, right? Because your policy when you're sitting here in the states, might be very different than the policy you have when you travel over to Germany.
One, how you enforce it is different. Two, the GDPR requirements of the governance layer mean that we have to capture different PII or, or, or anonymize it in different ways.
Ashish Rajan: Yeah,
Michael Leland: So those four things drive kind of this very discrete policy, but tenancy is probably the most important thing that those platforms can't always get right.
If I've got two tabs open, they both say gemini.google.com. One I'm logged into my corporate Gemini tenant, one I'm logged into my personal Gemini tenant. Yeah. I can't use standard SWG, secure web gateway, [00:11:00] to identify the distinction between the two. Mm-hmm. It's a URL filter. I need to say yes to corporate and maybe to personal.
Ashish Rajan: Yeah, yeah.
Michael Leland: Um, because I can have two very distinct data policies. Yes. You're allowed to upload data into the corporate tenant that has PII.
Ashish Rajan: Yeah.
Michael Leland: But if you try uploading business data into your personal tenant, I need to stop that. And the most important thing is that has to happen as close to the end user as possible. By the time it's hit the SASE,
Ashish Rajan: yeah,
Michael Leland: it's too far. AI is probably the most interesting example of why this is important. If I'm just going to a website, right? Yeah. I can probably rely on a PoP or a proxy to filter that.
Ashish Rajan: Yeah.
Michael Leland: AI has to understand intent. Right. I'm the user interacting with an application.
It has to know what other tabs I have open if I'm expecting it to summarize that and build a just in time rag.
Ashish Rajan: Yeah.
Michael Leland: Uh, if I'm doing prompt injection or if I'm, if I wanna identify indirect prompt injection
Ashish Rajan: mm-hmm.
Michael Leland: That happens at the client side.
Ashish Rajan: Um,
Michael Leland: if, if I wait till it's already left my network and gone upstream to, to be evaluated, it's too far. Right. Right. So AI is driving that [00:12:00] policy requirement? Yeah.
Closer and closer. We do policy evaluation enforcement. At the device.
Ashish Rajan: And would, but what about, so obviously there's a, there's a tussle in, so in a lot of organizations, whether it's regulated or enterprises, a lot of people have kind of gone, taken the verbal approach. There's two sides to it. One is a, we are completely stopping the use of AI.
On the other extreme, we're like, you know, we are accepting that's. Go full speed in and see where where we land. Yep. For CSOs, we're just trying to kind of find the middle ground for, I'm just trying to prevent a, I don't know a non-normal employee, unharmed, UN employee, unharmful employee. Just copy pasting information that may be sensitive into whatever AI systems.
If that is a basic problem that I'm trying to go ahead with is browser right. Approach. 'cause to your point you mentioned ion, which is happening on the endpoint. Are those controls also 'cause there's like the whole CLI usage. The ID usage, the browser usage, and multitudes of ways people can copy with information into that.
Michael Leland: Yep.
Ashish Rajan: Is that still something that works with browser security as well as an enterprise browser?
Michael Leland: It does. So I mentioned, [00:13:00] six years ago we built a browser.
Ashish Rajan: Yeah.
Michael Leland: A year after that we built an extension that you can install into your existing browser.
Right. So maybe you have a religious attachment to Chrome or Edge or Safari or Firefox.
So we wanted to extend the same capabilities in our full browser into those other browser modalities.
Ashish Rajan: Right
Michael Leland: now, you can't offer all the same capabilities because there are certain APIs that Chromium doesn't expose.
So all of the stuff that we did to harden Chromium, yeah, doesn't exist when we're just an extension bolted onto another browser.
And then the third thing we did is we expanded ad into desktop. And so people think of us as the browser company. But we're also the extension company. We're also the data protection for the endpoint company now.
Ashish Rajan: Yeah.
Michael Leland: Our platform has kind of expanded to take what we originally built, which we called a data boundary.
And a data boundary can be thought of as. A secure enclave mm-hmm. Inside of which you programmatically defined by policy, what applications you trust.
And by the nature of them living inside that boundary, it's got a moat around it. Yeah. We can govern what and how data can move out of it. And that's data movement that could be intentional or unintentional.
Right. And [00:14:00] all of those techniques are called the last mile: cut, copy, paste, file, print, save, inspect, screen share, screenshot protection, all of those things.
Ashish Rajan: Yeah.
Michael Leland: Is how data could move out.
Ashish Rajan: Yeah.
Michael Leland: But customers kept saying, we love what you're doing for us inside the browser. I've got a long tail of thick applications that live outside the browser.
Yeah,
Ashish Rajan: yeah.
Michael Leland: And really what they meant is Excel.exe, Outlook.exe.
Ashish Rajan: Yeah.
Michael Leland: And so they said, can you provide that same level of visibility, governance, and last mile control to those? Yeah. We said. Yeah, we can, we have a, an ex a background service that lives at the kernel level. Uh, we have integrations with the Microsoft Suite and others, so we, we could easily do that.
But it gets really interesting with AI because one, there's AI browsers now, right? Yeah. Atlas, Comet, you name it.
Ashish Rajan: Yeah.
Michael Leland: They're, by the way, they're Chromium products. Oh, right. Which our extension lives natively inside of those. But to your point, Chrome or uh, uh, Claude Code, Claude CLI, these are now terminal level applications.
Ashish Rajan: Yeah.
Michael Leland: So the concept of the network, uh, or the Island desktop
extends to any file action, any network action, uh, any [00:15:00] service level action that takes place at the desktop. Yeah. That includes applications and command line.
Ashish Rajan: Mm-hmm.
Michael Leland: So we. Have visibility and protection now across the entire suite of AI deployments, whether it's browser based, desktop application based, or terminal based.
Ashish Rajan: Actually, that's an interesting point because I, when you mentioned Outlook, I'm thinking, isn't that what DLP normally does as well? 'Cause that, that's now where coming into, like I'm again putting my CISO hat on. We are kind of talking about the fact that, hey, maybe endpoints are maybe missing a point.
Are DLPs also like the traditional ones that we have to use so far? And I say traditional, some pre ai, let's just say. Yeah. Um, the, are they also missing out on these or they don't get the right telemetry to identify this?
Michael Leland: The challenge with. Legacy DLP.
Ashish Rajan: Yeah.
Michael Leland: Is it requires a, a complex policy typically of atomic DLP rules.
Ashish Rajan: Mm-hmm.
Michael Leland: This, yes. That, no. Very hard rule. I have customers that before they deployed Island, they had 12,000 atomic DLP rules. Ask any DLP practitioner.
Ashish Rajan: Yeah.
Michael Leland: And they'll tell you the [00:16:00] hardest. Most complicated and stubborn product to deploy and maintain is DLP. You're constantly playing whack-a-mole or building these very finite policies for a specific use case.
You mentioned outlook. Can you download files from Outlook that are attached? Can you attach files into outbound emails? Every atomic rule you create creates more tech debt to have to worry about later on.
Ashish Rajan: Yeah.
Michael Leland: Alternatively, if you architected a system that has a application boundary. And Outlook lives inside it.
Ashish Rajan: Mm-hmm.
Michael Leland: Then by nature of the fact that you've governed what data can come and go through that boundary, you now have inherent protection for all of the applications. Mm-hmm. That customer that had 12,000 atomic DLP rules now has 200 because DLP has shifted in the way it can be enforced.
Ashish Rajan: Yeah.
Michael Leland: We've tried to modernize as much as possible and we address any number of primary use cases, but the one I love the most is called the Say Yes use case.
Ashish Rajan: Okay.
Michael Leland: Right. IT and security have long been the department of no. Right. No, you can't because I won't have visibility. No, you can't. 'cause I don't have [00:17:00] governance or compensating controls.
Ashish Rajan: Yeah.
Michael Leland: And so it was always a, a binary yes or no decision. And today it's like, uh, you can say yes to safely adopting AI.
Ashish Rajan: Yeah.
Michael Leland: Knowing that you can govern and put guardrails around how users are allowed to interact with AI, uh, you can reduce the risk of indirect prompt injection. But most importantly, you can actually give optionality to different stakeholders.
Coders wanna use Anthropic. Yeah. Your legal team wants to use Harvey. General purpose. Yep. Probably Gemini fine. You know, the little two five mini whatever. Yeah.
Ashish Rajan: Yeah.
Michael Leland: You also think about the cost model of AI.
In the past, I think people just kept spinning up a, a lot of AI tools, and so AI sprawl happened
much quicker than I think anybody expected it to.
Ashish Rajan: Yeah.
Michael Leland: Uh, the chaos that was created by shadow AI
Ashish Rajan: mm-hmm.
Michael Leland: Not only created risk, but it also creates this bifurcation of policy.
Ashish Rajan: Yeah.
Michael Leland: Who owns AI policy? Is it the governance team? Is it the IT team? Is it the security team?
And ultimately it's everybody has to work in conjunction to enable the right [00:18:00] user to have access to the right ai.
Ashish Rajan: Hmm.
Michael Leland: The idea of providing that steering methodology, shadow it. It's been a problem for a decade or more. Yeah,
Ashish Rajan: yeah, yeah,
Michael Leland: yeah. Right. Identifying sanctioned versus unsanctioned tools and steering them.
Ashish Rajan: Yeah.
Michael Leland: Shadow AI came outta nowhere. There are customers that I talked to that they told me coming in that they had seven approved AI products.
We deployed the browser.
Ashish Rajan: Yeah.
Michael Leland: Extension 243 products.
Ashish Rajan: Wow.
Michael Leland: Is what we discovered.
Ashish Rajan: That definitely, I mean that's a, that's a growing problem 'cause you almost feel the, the surface area is quite dynamic as well. And maybe that's why, to your point the possibility of instead of waiting till it before it hits the end point, doing it sooner probably makes more sense.
In that case, are we focusing, 'cause uh, obviously the people we at RSA people are getting, being thrown at, hey, focus on, uh, model security, focus on protecting from prompt injection, focus on, like, there, there's, so I focus just on shadow AI, focus just on identity, like in the. Things that you guys notice, there's obviously a MITRE ATT&CK.
I'm curious how many attacks in like say the MITRE, and it [00:19:00] doesn't have to be the different number in the MITRE ATT&CK context. How many of those attacks are usually something that probably originate at a browser or can we stop at a browser and am I looking at the wrong thing if I'm focusing on just model security in this, in today's world,
Michael Leland: I think there's, there are two sides of the same coin.
Model security protects the infrastructure and architecture of your data.
Ashish Rajan: Yeah.
Michael Leland: But the client side security is the one that I think most people are having challenges with. You can probably solve the model security problem with a couple of layered products, but if you think about how the client side is going to, to work, you've gotta think about extension management.
Ashish Rajan: Mm-hmm.
Michael Leland: Because the majority of AI extensions have unknown or potentially malicious, uh, yeah, intentions. Yeah. Whether it's prompt harvesting, some of 'em are installing crypto miners.
So you've got extensions to worry about.
Ashish Rajan: Yeah.
Michael Leland: Uh, you've got AI, uh, applications, thick apps, even the ChatGPT executable.
Then you've got the standard just interacting with AI via generative tools, whether it's Gemini or Copilot or something else. Then you've got the coding side of things with vibe coding tools in the cloud, and then CLI and application on the desktop, like [00:20:00] Claude Code and, and others. So the menagerie of.
Of problems at the client side, I think is a harder one for people to get their hands around than the protecting the LLM side. There are a number of, of great products on that side.
Ashish Rajan: Yeah.
Michael Leland: We are focused primarily on what faces the customer and what helps the, uh, the governance team, uh, really get to their outcomes.
Ashish Rajan: And do you find that because browser usage is, and I think the stats around over 80% of a work is already on a browser. At least unless you're a developer, you're not spending a lot of time, maybe you're still spending as much time on a browser. Is the, if I was trying to build a program for security, say I'm planning for five years is probably a long time now, let's just say six months, maybe 20, 26, let's just say.
Michael Leland: Sure.
Ashish Rajan: For 2026, I'm building a security program. I'm trying to figure out what my capability should be that I focus on. Is a browser a good one to start off with and if they are thinking about that. Is the, what's the uplift like? 'cause to what you were saying earlier, we already have an EDR. We already have all these DLPs and everything else already there.
Is that a good place to start? If it is, what's like the maturity thing that you can go for? Am [00:21:00] I deploying everywhere in one go or what's the, what's the play there?
Michael Leland: So I think. Our strategy is kind of the crawl, walk, run.
Ashish Rajan: Mm-hmm.
Michael Leland: One, you might find a specific use case.
Ashish Rajan: Yeah.
Michael Leland: Right. And that could be a cer certain pocket of users that are either represent the highest opportunity for risk.
But the only way you know what that user community is, is you've either got an existing gap that you've already identified, or you've had an incident that has pointed very specifically to a problem you have to solve.
Ashish Rajan: Yeah.
Michael Leland: It starts with visibility, right? You have to know what the population of AI tools look like across your environment.
You have to know the way data is being accessed and and moved across your network by various user communities. Mm-hmm. So visibility is probably the first thing. 'cause you can't protect what you don't understand.
Ashish Rajan: Yeah.
Michael Leland: So get the biggest, clearest picture you have of the way users interact with your business, applications and data.
And then how they're interacting that data with AI.
And then you take a step back and you say, yep. That pocket of users is predominantly going into my ERP tool copying data and pasting it into, let's say, an unsanctioned AI.
It could be a policy [00:22:00] violation that you either weren't aware of or didn't have a compensating control to fix, because the only way that most customers are, are trying to address it now is they're going back to their existing security vendors.
And maybe that's a, a SASE vendor.
Ashish Rajan: Yeah. Yeah.
Michael Leland: And they're saying, Hey, could you just stop this in my SWG? Sure we can. And their solution is block page. To your point earlier, do you accept the risk and, and let them do what they want? Or do you put your head in the sand and say, we're not doing any of it?
Ashish Rajan: Yeah,
Michael Leland: but remember the old days of firewalls, you're constantly like poking holes, like this application needs. Okay, I'll open it up for you.
Ashish Rajan: Yeah, yeah, yeah.
Michael Leland: That's how some customers are addressing AI. They say no until a certain line of business comes in and says, but I really need access to Harvey.
Yeah. Like, okay, fine. We'll, we'll poke that in.
Ashish Rajan: Yeah.
Michael Leland: And it's becoming Swiss cheese, I guess.
Ashish Rajan: Do you find that? The direction this is going in, people who are trying to build the maturity model towards it. Obviously this is just adding into adding another layer to existing defensive player people may have From a browser perspective, uh, is the, does it reduce the attack surface?
Is that the advantage? Because I'm trying, trying to think from a, like for a lot of [00:23:00] people. Try and justify this to the board as well.
For what's my use case here for Why is, and again goes back to what I was asking earlier, we already have an E5 license, so we already have Google Workspace. Why am I adding, what's the value here?
And yes, AI use cases that they're not. What are you finding as something that people are able to say to the board to help them understand the I I, I guess the use case for this to kind of get the approval for the idea. 'cause I don't know what the right way to approach this to a board would be when AI is the only focus people have.
Michael Leland: Yep.
Ashish Rajan: And does it activate it? But I'm sure you have your opinion as well.
Michael Leland: So if you look at the, I did some research on this recently of the top 10 strategic initiatives that companies list in their SEC filings. When they talk about earnings reports, one of them is, is AI. Like one by itself is AI.
Ashish Rajan: Yeah.
Michael Leland: But the other ones all have an adjacency to AI. I wanna improve the operational efficiency of my staffing. Yep. That's agentic AI. Yep.
Ashish Rajan: Yep.
Michael Leland: I wanna improve the visibility and device or security posture of my organization. That's the DLP conversation that leverages [00:24:00] AI. So if you, if you look at all of the strategic initiatives that companies are looking for, and that's what the board cares about mm-hmm.
Or the KPIs that drive toward those initiatives, if you can approach them and say, I, I'm not just solving that one, I'm also giving you the, the fingers and the tendrils into these other four or five.
Ashish Rajan: Yeah.
Michael Leland: Now all of a sudden you've got a business case that has an ROI tied to it. It's got funding tied to it.
'cause they know that those are the, the activities they want to drive. If you let the line of business decide, you create more AI tech debt. Right. Because they're gonna pick the ones they want and there's no cohesive strategy among them. One thing we're seeing though, is kind of a new persona showing up and that's the chief AI officer
That is meant to find strategy. In the past it might've been the CTO whose side gig is figure out what this whole AI thing is.
Ashish Rajan: Yeah, yeah, yeah.
Michael Leland: Right. Could be the CISO, uh, if they're a a, a very security forward leaning organization that says. Protect it, you know, at all costs. But this new chief AI officer or chief data AI officer mm-hmm.
They're the ones that are stepping back and saying we need a strategic direction. Um, that it, that drives the productivity improvements, the efficiencies the [00:25:00] workflows into an AI enabled workforce.
Ashish Rajan: Mm-hmm.
Michael Leland: And so they're finally taking a step back and saying, yeah, you know what, uh, AI's not just a product, uh, it's, it's actually gonna be foundational to the way we succeed. Yeah. Either we become more innovative as a result. Uh, we became more efficient as a result. And so I think they're the ones that are, I think, really driving that effort going forward.
Ashish Rajan: Yeah.
Michael Leland: It used to be, you know, and the, here's the problem with having a platform that's as broad as ours.
Sometimes the stakeholder is network. Sometimes it's end user compute, sometimes it's cybersecurity, sometimes it's data protection, sometimes it's governance.
So you gotta find the right angle that. That address them. Here's the best thing. Sometimes you walk into a meeting and you've got all of those stakeholders in the room.
Ashish Rajan: Yeah.
Michael Leland: And they're concerned with who has to go first. The meetings I love walking out of is you get all those stakeholders in the room and they're fighting over who gets to go first. So those are great.
Ashish Rajan: Oh, what final question on this, 'cause there is this notion of, uh. At least in the beginning, a lot of this browser capability used to be with the head of IT.
Mm-hmm. Infrastructure, IT kind of [00:26:00] person. Do you see that evolving as well now that AI is such a huge component of all of this, or is that the CISO was looking after it because to your point now, that probably is one of the attack vectors as well. I mean, it was always an attack vector before, but now even more than before it.
Michael Leland: IT is probably always involved in the rollout.
Ashish Rajan: Yeah.
Michael Leland: But CISOs are involved in the decision making process. Legal is involved from a governance perspective.
Ashish Rajan: Mm-hmm.
Michael Leland: Network is involved because it's an architectural decision to think about deploying a modern approach to SASE that Yeah. Doesn't require proxies and backhaul and break and inspect.
It's a new way of thinking about it.
Ashish Rajan: Yeah.
Michael Leland: When you push all the policy evaluation enforcement to the end point, you never, you no longer have this mesh of stuff you have to do in, in the backhaul process. So it's the CISO, it's the CIO. I'm actually speaking with more COOs these days.
Ashish Rajan: Okay.
Michael Leland: Um, because they have the business understanding of where they need to drive operational efficiencies and they can find the budget that, that most appropriate lines.
Ashish Rajan: Oh.
Michael Leland: And then the CTO.
Ashish Rajan: Interesting. Uh, well those are technical questions. I have I word three fun questions. Sure. Do a [00:27:00] speed round with snack war, I'm gonna quickly get this kangaroo or, well, I, I was gonna, I was gonna go, you can pick anywhere you want, but the crowd favorite has been kangaroo and crocodile, but there's a British.
Option, Australian option for which one? I gonna go for?
Michael Leland: I'm gonna go crocodile.
Ashish Rajan: Go, go for it. I'll be curious to hear. Depend. Uh, what's your take on crocodile,
chewy gaming? Salty.
Michael Leland: Taste like chicken.
Ashish Rajan: You're the second person to say that. It's like some people, I mean, I, I, I guess, uh, we had someone who had tried an alligator before.
So they're like, I was expecting it to taste like an alligator, but this is more different. And I've been tasting chicken the entire time I've had this.
I like, I'm expecting crocodile to be a bit more, like, a bit more, not rubbery is the right word. Chewy and Yeah. Like a bit more oomph to it, but
Michael Leland: It's tasty.
Ashish Rajan: Yeah. Yeah. If there was the packet was with you probably finish the whole packet, I imagine then
Michael Leland: I I absolutely would.
Ashish Rajan: Yes. Yep. Perfect. That sets the context for the personal [00:28:00] questions as a fun question that I had.
First, what do you spend most time on when you're not trying to solve enterprise browser security problems?
Michael Leland: Oh I'm an avid cyclist,
Ashish Rajan: oh, wait,
Michael Leland: my, my Hobby
Ashish Rajan: Tour de France kind of cyclist?
Michael Leland: So here's the great thing. I live in Portsmouth, New Hampshire. We only have an 18 mile coastline.
Ashish Rajan: Oh,
Michael Leland: right. So I tell people I rode through three states, and if I go north of Mile and I hit the Maine border, I ride all the way down the Seacoast, I hit the Massachusetts border.
I've officially touched three states.
Ashish Rajan: Oh, right.
Michael Leland: With a 42 mile loop. So when I'm not doing cyber, yeah. I'm, I'm trying to cycle as much as I can.
Ashish Rajan: Fair. Second question, what is something that you're proud of that is not on your social media?
Michael Leland: Ooh, I jokingly tell people I speak two languages, English and regular expression.
Ashish Rajan: That's a good one.
Michael Leland: Go ahead. Which is really nerdy. I know.
Ashish Rajan: That's a good one. I mean, uh, I don't think I'm gonna be a great LinkedIn post, I guess, but term final one favorite cuisine or restaurant that you can share with us? Uh,
Michael Leland: I've lived and eaten in so many good restaurants. Manhattan, well, actually Brooklyn probably had some of the best restaurants when I was there, [00:29:00] but there's one right here in San Francisco.
Ashish Rajan: Oh,
Michael Leland: it's called Bix.
Ashish Rajan: Okay.
Michael Leland: BIX. Little hole in the wall. Actually, it's, it's a nice, you know, larger one you expect, but it's like down this alley.
Ashish Rajan: Okay.
Michael Leland: You have to know where it is to get to it.
Ashish Rajan: Yeah.
Michael Leland: Has a very nice speakeasy feel inside. Uh, amazing piano bar. So, yeah. Oh, great restaurant. Great food here.
Ashish Rajan: What kind of food this serve?
Michael Leland: It's an American flair, but it's uh, it's kind of got a little French influence too.
Ashish Rajan: Ooh. Yeah. We should probably make it an thing. I'll double check it out, but thank you for sharing that.
Michael Leland: Good. Thank you very much.
Ashish Rajan: Where can people find more about you and, and the work you guys are doing at Island?
Michael Leland: So, uh, our website is Island.io.
Ashish Rajan: Mm-hmm.
Michael Leland: Uh, the website's been recently re-architected to talk about our entire platform. I, our AI strategy, our network strategy, but the most important button on that is gonna be the request demo.
Ashish Rajan: Oh,
Michael Leland: perfect. Seeing the product, we can talk about it all day long. I could do slideware for hours seeing it's believing it.
Ashish Rajan: Yep. And, uh, I, I think your point probably on LinkedIn, so I'll probably share your LinkedIn Absolutely. Link as well there as well.
Michael Leland: That'd be great.
Ashish Rajan: But thank you so much for coming me on the show. Thank you for tuning in people. Thank you. Thank you Ashish.
Thank you for listening or [00:30:00] watching this episode of Cloud Security Podcast. This was brought to you by Tech riot.io. If you are enjoying episodes on cloud security, you can find more episodes like these on Cloud Security podcast tv, our website, or on social media platforms like YouTube, LinkedIn, and Apple, Spotify.
In case you are interested in learning about AI security as well, to check out a podcast called AI Security Podcast, which is available on YouTube, LinkedIn, Spotify, Apple as well, where we talked to other CSOs and practitioners about what's the latest in the world of AI security. Finally, if you're after a newsletter, it just gives you top news and insight from all the experts we talk to at Cloud Security Podcast.
You can check that out on cloud security newsletter.com. I'll see you in the next episode, please.


