Why Solving the Data Problem is Key to Cloud Security?


In this episode, we’re joined by Francis Odum, founder and lead research analyst at Software Analyst Cyber Research. Drawing from his extensive research and conversations with CISOs, security operators, and vendors, Francis shares his insights on the state of identity security and the rise of non-human identities (NHI) in the cloud; why solving the data problem is critical to reducing false positives, improving SOC efficiency, and cutting costs; the early but growing landscape of AI and LLM security and its intersection with DSPM and data governance; and predictions for 2025 trends, including what should be ditched and what the cybersecurity industry should prioritize.

Questions asked:

00:00 Introduction
01:56 A bit about Francis
03:45 What is CNAPP in 2025?
06:55 The Identity space in 2025
10:34 The state of SOC in 2025
19:23 The AI Security Ecosystem
24:44 DSPM vs DLP
29:48 What should we ditch in 2025?
33:01 What should we see a lot more in 2025?  
41:39 A bit about Cloud Security Bootcamp
42:58 The Fun Section

📱 Cloud Security Podcast Social Media 📱

🛜 Website: https://cloudsecuritypodcast.tv/

🧑🏾‍💻 Cloud Security Bootcamp - https://www.cloudsecuritybootcamp.com/

✉️ Cloud Security Newsletter - https://www.cloudsecuritynewsletter.com/

Francis Odum: [00:00:00] Enterprise. So when you think about data specifically, we're speaking about if you're a banking financial institution, okay, that's credit card data, that's users bank accounts information those are their PIN, personal identification number, that could be their gender, that could be their, like all of what we consider really classified.

It usually it's based off compliance. So if you're adhering by GDPR type of specific types of data set. Those are the types of what we mean by sensitive data, or it could even be IP related to the company specifically,

Ashish Rajan: CNAPP predictions, AI security predictions, a lot more. Yes. So in this week's episode, I am talking to Francis Odum, who runs the Software Analyst Cyber Research newsletter.

Basically he is a researcher who talks to CISOs, other leaders in the cyber security space on categories like cloud security, identity security, SOC automation, SOC as in itself, data security, and AI. And he has been working with vendors to understand where the market is going, what the entire ecosystem of [00:01:00] specific subcategories of all these spaces are.

If that's of interest for you, this is definitely the episode. So check out this episode, which is the interview with Francis Odum on our predictions for 2025, what should be completely ditched and what should be carried over in 2025? I've also dropped in my personal predictions for cloud security and the AI space. Francis insisted so I dropped them in there as well but I'll definitely make a separate post on LinkedIn about it and knowing about what the ecosystem is evolving to is something of interest.

I'll definitely check out this episode with Francis Odum. And as always, if you're watching or listening to Cloud Security Podcast episode for the second or third time, you can support us for free by hitting the subscribe or follow button on the platform you're listening or watching this episode on.

Thank you so much for supporting us. And I hope you enjoy this episode and I'll see you next one. Peace.

Francis Odum: Thank you so much Ashish for having me. I'm a big fan of the show.

Ashish Rajan: I appreciate you hanging out with me today. Can you just share a bit about yourself for people who may not have heard about you and the [00:02:00] work you do at Software Analyst Cyber Research?

Francis Odum: Yeah, thank you so much.

Yeah, my name is Francis. I'm the founder, lead research analyst at the Software Analyst Cyber Research. I'll come to what I do here in a moment, but prior to doing this, I spent some time at Venture Capital doing research on cybersecurity as well as data infrastructure, actually. So all the areas of AI, ML, machine learning.

And then prior to doing that, I spent some roles in other different areas primarily around technology and AI related categories. So about four years ago started just as a blogger really sharing my thoughts on what I was learning in the cyber space, security world. And just what I'd observed on kind of what was happening.

And yeah, gradually over the last four years, that blog eventually turned out to be something that a lot more vendors, professionals security leaders were interested in. And I was like, okay, I should maybe formalize this a lot more to make it more of a research platform. And so today the software analyst research.

I pretty much [00:03:00] just try to say I'm a middleman between the security leaders, CISOs, operators, as well as the vendors on the other side. So I try to speak to the vendors, I try to speak to the CISOs and security leaders to understand their pain points across four major categories that I cover: cloud security, identity security, security operations, as well as data slash AI security.

Ashish Rajan: Awesome, thanks for sharing that as well and so interesting to know that something that started off as a blog as an idea became a full time thing for you, man. And I also love the four topics also the four topics that we talk about quite a bit. And yeah. Because this is one of those episodes which is going to go talk about 2025 predictions and what should not go in 2025 as well a bit later.

I'm maybe going to start off with something that may be familiar to the audience that we have which is CNAPP. You did a blog series on the whole complete guide to the future of cloud security and with the beginning of the year is always a great time to talk about the future of things in general, as most people are [00:04:00] talking about, how do you define CNAPP, first of all, because you've obviously spoken to both sides people as well.

How do you define CNAPP as it stands today?

Francis Odum: Absolutely. I think in general, we all know about CNAPP as being this term or terminology originally coined by Gartner to go about how do we actually go about securing our applications that are in the cloud, devices, workloads. How do we go about doing those?

And I think over the last originally, let's just maybe step back a little bit. That was the whole fundamental thesis with cloud security was how do you identify misconfigurations in the cloud environment and how you actually go about fixing those. And I think over the years, as our definition of cloud security started to expand with more features like Kubernetes, IaCs and there's many types of workloads emerging. I think Gartner saw the need to give this terminology called CNAPP, right? Cloud Native Application Protection Platforms, to give it more of an umbrella terminology that contains multiple different [00:05:00] aspects. So I think at this point we went from it just being what CSPM and then now CNAPP was this umbrella terminology for both obviously your CSPM, Cloud Workload Protection some people might argue came as being one of those core umbrellas under that bucket as well.

And then, yeah, and then those are pretty much, for the most part, how we've defined it. Then I think in 2024, 2025, where we're having this conversation today, I think this definition of CNAPP continues to expand and even grow broadly to maybe not encompass areas like the SOC, right? Like more runtime security.

How do we go about new areas like cloud detection and response or some newer areas like ADR, how do we make sure. We're also incorporating this in the CNAPP conversation, but not to go into a whole tangent, except there are areas you want me to go deeper, but at the fundamental level, I think CNAPP should just be essentially defined as the way you really go about securing your cloud [00:06:00] workflows and anything you have running in the cloud in two areas.

So one could be the posture and vulnerability scanning. So making sure you have tools in place to help you make sure that you're scanning properly to identify vulnerabilities and make sure you have the best posture. And then once you've actually deployed them how do you make sure you have the best types of solutions?

It could be agents, sensors, whatever, to make sure that at runtime you're able to detect potential threats and respond adequately.

Ashish Rajan: Now that we defined it, obviously funny enough, I was having a conversation with James Berthoty, he is a common friend with who's on the Latio Tech thing as well. He spoke about the whole runtime piece as well.

I'll let people check out his opinion or what he had to say about the whole thing. In terms of as things are adding to what you said, there's a posture management side, there's a runtime side. With the shift that's happening now, there's a lot of conversation around AI and identity is changing all of that as well.

And because you cover identity too, how would you describe [00:07:00] identity in the current space that we live in at the moment? I think it's worthwhile pointing out, cloud fundamentally changed how we approach security in general for data centers. Like now it's no longer what they used to be. People were happy with identity.

No one really saw identity was changing. I would love for you to how you feel identity security stands today and is there a relationship with cloud?

Francis Odum: Yeah, I think those are all really great questions. So I had one of my polls, which was on, I believe on December 19th, where I did talk about this evolution in the cyber security industry of how we've evolved from a network perimeter centric type model, like this defense in depth approach that started originally in the early 2000s of network perimeter type security and how we've evolved and we've gone deeper and deeper.

For anyone who knows the defense in depth model, you know how you then converge into the data being central. And I think similar to identity, right? Identity wasn't even considered a [00:08:00] cybersecurity category for a long time. Or like it wasn't necessarily thought, even though maybe some of the same types of definitions or components of it have always been existent from your firewalls and you like your old tools.

But I think the rise of identity in and of itself really emerged with the rise of SaaS applications, right? And the need to authenticate first of all, who is actually logging or who should have access to something? And then once you've actually, authenticated, how do we authorize what you should see and what you should not be seeing?

And I think identity has evolved and obviously a lot of these started off with like on prem type systems with like your PAM solutions, your CyberArk world, but now with the increase of cloud as well as SaaS applications, that whole identity conversation has brought in to take more of a broader conversation.

So today in 2025, identity is a really broad theme. You could talk about what's happening with CIEM and entitlement management for cloud workloads [00:09:00] on that you have. You could also talk about identity in the types of sprawl that we're seeing with non human identities, right?

That was a very big topic as well, last year as well. And this could be your API tokens. This could be whatever types of keys that you may have running your applications or whatnot. Or you could also talk about just from the governance side of things. So long story short, I will say identity has really expanded and grown, like I would recommend anyone to check out the market map that I created on ecosystem on identity go on softwareanalyst.substack.com and you will actually see it on there where I broke down all the major ecosystems. So anyways, to your question Ashish. It's hard to define identity today because let's just say, especially for someone like me who covers multiple areas, there are different problems in terms of different parts of the ecosystem they come up with.

Ashish Rajan: Because I think I was reading one of your blogs about the whole future of cloud native identity security as well. Which I [00:10:00] guess in itself, it's like you've obviously mentioned the non human identity. Identity is no longer just a concept where it's the Francis username or Ashish has a username or is Francis admin or is Ashish admin.

It's a lot more than that. For people who are a bit more technical, I guess for them, it's more hey, your workload has identity now. Your apps have identity now. Your customers are identity as well. Your workforce itself is identity. You're going to keep the ecosystem which ones are you tackling and which ones are going to go into that cloud world is always an interesting conversation as well, man.

Francis Odum: And then with AI too, coming up too, I think now there's a conversation of agents are going to have their own unique types of identities, right? Or like you have what we call the service accounts, which are essentially bots, but for each of them, they have a unique type of identity to them. And I think those ones present even much more problem.

So yes, there's so much about identity today.

Ashish Rajan: But maybe I guess since we're in the topic of AI agents, as you called out. [00:11:00] SOC automation has come up quite often as another topic that has been on top of the list for a lot of people.

We did a whole episode on this with an analyst from Forrester.

Francis Odum: I saw that interview and it was great.

Ashish Rajan: Yeah, so I think one of the things that came out of that was there is generally a requirement from the industry for SOC automation and SOC in general, I think, but what do you have covered with SOC so far as an analyst or research in the space?

What's your current thesis on where the SOC market?

Francis Odum: So during the week of, I think December, 18 to about 28. So I pretty much just put out all my thoughts on SOC identity as well as data security. And the one on SOC was probably the one where as much as people are really hyping up this role of AI and SOC automation, I actually think from the practitioners and operators I speak to.

They're maybe not as optimistic as say the vendor side of pushing it. I think this is maybe one of those areas where I do think that [00:12:00] there's a little bit of a mismatch between what operators are looking for and looking to solve the security operations relative to what the market is maybe probably provided, but the long story short is yes, give or take over the next five to 10 years there's a lot of potential for AI to help automate a lot of really menial tasks around, especially the high amounts of alerts and false positive alerts that SOC teams are dealing with. I think the bigger question is how do we go about, the problems of the SOC are well known around alert fatigue, around tool sprawl and just quite frankly, the cost problem that they exist and that's more on the infrastructure side of things, but I think the solution to actually go about solving that for your tier one, tier two type analyst, I think there's a lot more nuance there and obviously happy to go into that, but yes, as a market, yes, it's definitely something that we're all eager to watch how we will evolve this year.

Ashish Rajan: More than happy, do you want to do my double [00:13:00] clicking on it like this? And so I'll just, yeah, for sure.

Francis Odum: Yeah. Fundamentally within the SOC, like some of the biggest problems today exist around the analyst experience, so in terms of analyst experience comes down to a number of things, getting tons and tons of alerts because the number of security tools and solutions companies are connected to their SIEMs only continue to grow, right? So there's just a lot more data. Number two help around detection engineering, but how you actually go about making sure you're detecting the right things.

And then number three is also just ease of use and scalability, right? So you could categorize all of this in this analyst experience of burnout. detection engineer rule. I'm really just helping to improve that whole decision from triage, all the way to investigation. The second major problem you have in the SOC is also cost.

This is more cost around data storage. So we've heard about the traditional problems with your Splunk, right? And that [00:14:00] still is a big problem around the data. There's just so much data of like how much you actually stored, you actually log relative to other types of tools and data that you're getting.

Now, so that's the problems that are well known and everyone will tell you about those problems. The question is, okay, how do we go about solving those? I actually personally think as much as, yes, we do need better automation types towards our solutions. I have no doubt. And I've talked about extensively why I think the next iteration of automation really calls from next gen SOAR tools, right? Your traditional SOAR, because SOAR has been the only type of solution that has shown to be really, at least any type of traction that we've seen for automating tasks within the SOC. SOAR at least has that first evidence, but there are lots of problems with these more established vendors.

That we still need to iterate on that process before we get to this conversation of AI and so in the shorter term, I think those are where teams need [00:15:00] to use automation tools to solve their problem. But fundamentally abroad, everything, I think the major problem to solve in the SOC today is the data problem.

So that means all the data that's coming in from your EDR tools, your cloud tools, your identity, your network tools. All of these data tools come into let's just say you have a SIEM or a data lake, or whatever type of infrastructure that you're using to aggregate that data before you actually create alerts for an analyst to solve it.

And my question, or at least this is my challenge to the industry, like, why don't you focus on solving the data problem and solving this data problem, there are a number of companies like data pipeline tools that lots of solutions around more data routing and more data management type solutions.

Because once this data is coming in, if we could actually filter the data appropriately before it even goes into the SIEM or even to your particular SIEM or two SIEM solution, then guess what? You don't have as [00:16:00] much irrelevant types of alerts that we'll have to go off to some tool now to go automate that if you've already solved the problem all the way from there.

So that's my fundamental thesis that the major problem that needs to be solved today in the SOC is aggregating it first from that data layer before it even gets in. And then that way, if you cut it down, or at least you minimize how much irrelevant types of you could do that with better detection rules, detection engineering types of tools, better tools that actually help to filter and optimize that data.

You could solve the automation. So that's my, at least in the short term, that this is what I'm hearing from operators, and that's where my thesis is leading me to. Obviously, if some of these AI agent and automation tools, if they actually do prove to be very effective at least cutting down on the type one like you have more tier one type as false positives, which we just still haven't completely seen.

I don't think any SOC engineer you speak to [00:17:00] today will tell you, Oh my gosh, we feel so confident we could go put one of these tools on the front line to help us immediately, there's still a whole back and forth of managing these tools. So my problem is just solve it early on the data before we get here.

And that's my whole thesis on the SOC in general.

Ashish Rajan: But would you say why? Cause that seems like the logical solution also, because that means that the overall cost for your SIEM tool will be lower because less data is going in. There's a lot of that as well. Have you been able to get into why this hasn't happened yet?

Francis Odum: My second research of the year, which is coming out in February, is gonna go really deep into this because I actually really wanna write it up, because that's exactly what you also talked about, the cutting out of SIEM cost as well.

Ashish Rajan: Yeah,

Francis Odum: 100%. That's one of the biggest problems. No one likes Splunk. Guess the reason why they do Splunk is because of the ingest cost that's associated with using that is, and it's like one of the most universal problem, but guess what? No one is just able to get off [00:18:00] Splunk because it's still so robust in terms of what you could actually do the ingest in their login compliance capabilities it offers you. So most companies, even though they don't like it, you just have to use it. Or maybe they're using some other type of data lake type solution. Or next-gen type tool solution to maybe that's more cloud based to save some of that cost. My thesis is, yeah, if you solve it from a data problem, you could cut down on the cost problem, improve the number of false positives, as well as also solve this whole problem around analyst experience.

But to your question around why haven't we seen that I still think so, no one has really been able to disrupt Splunk, and I actually don't think it's going to be that easy to disrupt them, at least give or take over the next five years, because of just how much built in logging that solution has.

So I think it's still going to be a robust solution. I think that's one and the hyperscalers have robust solutions as well. And I think a huge part of the industry has been [00:19:00] focused on that category. And I think now there are emerging solutions that are coming in to solve this data problem.

And I'm excited to write about it. So it is an emerging category. I think the whole cybersecurity industry has just been built around yes false positives. And then the only way to do that is, yeah, just bringing garbage data in and then let the analysts try to figure it out.

And I think that's where we're stuck.

Ashish Rajan: I look forward to that research coming out as well, because which kind of leads me, the data thing also is a good segue into the data security as a thing as well.

Which seems to be because you're covering data security platforms and AI ecosystem in your conversations as well in the research that you've done. Let's start big with the AI ecosystem and then we'll narrow down to data security and other challenges come with it as well.

What does the security for AI ecosystem look like? And I appreciate there would be security for AI, security from AI. There's so many variations to it. Which one are you focusing on and what do you think about that ecosystem?

Francis Odum: Yeah. So I think within this category, there are only like two areas that I cover again, and I should also [00:20:00] make it very clear to your listeners that I don't cover every single one.

So I usually just pick my tiny niche because as you know in cybersecurity, there's so much. There's so many categories and I generally try to cover just minute areas that I've spoken to leaders and security operators to get a good sense of their problems and what they're thinking, as well as the vendor solving problems in those areas.

In this category, specifically just security for AI and LLMs I did a big research piece last year that covers the category which your readers could check out as well. And then I also covered more of the data security. So more thinking about data security, both from the governance side of things, from the regulatory part of that, like dealing with like customer type data, how do you have the right protocols in place?

But these two areas I just talked about are almost adjacent to each other in a way, because the way your security your LLMs, and you've done a lot of great work, by the way, on security for AI with thanks, Peter. With Yeah, that was a great

Ashish Rajan: With AI Cybersecurity [00:21:00] Podcast yep.

Francis Odum: Yes. Yes, exactly. With Caleb, right?

Yes.

Ashish Rajan: Yeah.

Francis Odum: That's correct. By the way, I recommend people to check out those, because when I was doing my research into that piece, actually in the summer, I actually listened to a few of your interviews and both of you had quite a good podcast. So I recommend people to check it out. But anyways.

Fundamentally, what I was just trying to say is we LLMs to be extremely successful, right? There's this RAG, we know about the RAG components is where you need to leverage some enterprise type data that's only unique to the enterprise. But guess what? Before you could actually use some of those datasets to make your LLM significantly better, you need to make sure that directly the PII, you're not violating PII type, GDPR type, HIPAA type compliance. And this is where a lot of your DSPM type solutions are complementary to security for AI initiatives. Because what your DSPM and data security tools do is they help you scan your environment, identify what's sensitive [00:22:00] and what's not sensitive, or you should be using for AI initiatives, blah, blah, blah. And then leveraging that data or you're able to use that for AI LLMs initiatives. And then obviously what your security for AI companies do is they help you secure your solutions in runtime type environments. So help you against prompt injections and so many of the other types of trust.

In terms of both markets, I will say. Security for AI and LLMs is still a very early market. I think that was like the key takeaway we had was it felt like 2024 was still a year where enterprises are still even experimenting with lots of these technologies are still trying to bring them on board understand like the compliance and the complications of at large scale and within the enterprise.

And I think 2025, actually, talking about predictions, while I'm not a big fan of making predictions, I think 2025 might be the year where it comes in okay, now we have some type of an architecture around how we want to leverage AI across our enterprise. Now, how do we go [00:23:00] about securing them?

Because this is very similar to cloud. Actually in the report, I give an analogical security, I actually wish you would know because what I said in my report was cloud was like a new enterprise type technology to help the enterprise do things better, faster and cheaper. But security came a few years afterwards, right?

Security didn't come afterwards. And I even gave the same analogy of there were many companies that went bust. So this is my warning to the industry too. There were many early companies that came because they were like, Oh, wow, cloud, this is amazing thing. Now we got to secure these things, but they didn't get it right.

And quite frankly, even in cloud security, we had to wait for about 10 years before we saw the most successful cloud security vendor, which eventually it turned out to be like waste in terms of revenue outcomes from security class. So the long story short, I think the security for AI and ML market is still there early.

I think we still need to understand how enterprises deploy these [00:24:00] technologies. We need to then understand the types of risk that they're actually facing. Then to understand the role that like security will actually play and what should be the right areas. And then on the other side of DSPM, I think that one is still much more of a short term immediate problem because every region district around the world, whether it's GDPR, HIPAA, depending on your industry category, most especially financial institutions or hospitals if you're dealing with lots of customer data, you need to know what data you're having in it. You probably need to know what's sensitive, what's not sensitive, what should be compliant with whatever type of regulation.

And that's where your DSPM guys are helping you play a role. So both markets, one is a little bit more early. One is. It's still somewhat early, I will say, but I'm seeing a lot of traction.

Ashish Rajan: Would you say a lot of people who believe, I guess maybe we're just on double clicking on them once more, the DLP and DSPM, they are sometimes confused by people.

How would you describe DSPM for people who don't know what that is? And the [00:25:00] DLP space, how is this different to DLP? Cause most people just think that, Hey, isn't that just DLP, just re bandaged or repackaged?

Francis Odum: Yeah. No, there's actually quite a bit of difference. And I think before going into the research, I actually had that same conception and they're all the same, but the closer and the more deeper you hear this, I knew what, from customer calls and whatnot, the more you actually hear the difference.

So fundamentally, DSPM or Data Security Posture Management is primarily around visibility. Let's just say visibility, if you want to use that as a keyword of, okay, we have this enterprise with 5,000 employees, 2,000 employees, let's understand all of the different types of data sets that we have internally within our enterprise.

And what's the nature. Sure. The context let's classify that data. Classification is a big piece of understanding and the reason for that is because of compliance centric reason, or even in the case of a breach. If you were to get a breach how do you actually go about knowing what should be [00:26:00] used and what not.

So discovery is a key piece of DSPM. And then DLP is like a follow up process. So it's okay, yeah. Now we actually know what type of data sets that we have, what complies, what's not complies, what can we use for AI, what not. How do we actually go about securing that data from getting lost? And that's why you have that data loss prevention, DLP, is really about, okay, so for all of these data sets, now we can see them, how do we secure how it's accessed, how it's used, how do we detect when data leaks, the organization and employees trying to download something from their email, trying to assess something, the personal work, how do we go about detecting that?

And then in my research report, there was a third element. Sometimes used, sometimes not used, but it's a data backup and recovery. And for a company to have a good data security posture across the enterprise, they need to have these three elements. And the last is more around backup and recovery.

Because as we know, you might have a DSPM with visibility, you might have DLP for [00:27:00] protection, but if an attacker is still inside that threat actually does happen And that data is lost. How do you make sure you recover that really quickly? And that's where your backup recovery does.

Those are the three major pillars, but for the most part, DSPM and DLP.

Ashish Rajan: And does this work for the cloud space? Because I think, obviously, you've got a lot of huge audience that is primarily in the cloud, cloud security space. And a lot of people may be building infrastructure for AI workload in the cloud, which obviously has a huge data component there as well.

When people talk about data security and AI, a lot of people tend to just jump onto the bandwagon, it's ChatGPT OpenAI, it's Claude, but we're talking specifically about enterprise data security here to be clear. And I don't know if you agree with me and just to clarify for people who confuse this, are we talking about Claude and OpenAI and we're talking is primarily about how enterprise use data and DLP, right?

Francis Odum: Correct. So when you think about data specifically, we're speaking about if you're a banking financial institution, okay, that's credit [00:28:00] card data, that's user's bank account information those are their PIN, personal identification number, that could be their gender all of what we consider really classified, usually it's based off compliance, so if you're adhering by GDPR type of specific types of data set, Those are the types of what we mean by specific, so sensitive data, or it could even be IP related to the company specifically, but when we then talk about Claude, ChatGPT what not, I think that's where some of these falls into the category of your security for AI and LLM.

A big part of also the security and AI element too is also how do you actually go about monitoring how employees are using ChatGPT and some of these elements. Now your DSPM providers don't help you with that. They don't have that same level of granular.

The DSPM are more around, specifically, much more contextual data. And also when we will mean data security at DSPM, they're very different from the same type of vendors. [00:29:00] That's a very security threat like type data. But usually the DSPM guys are more concerned with, yeah, if you're a bank, if you're a hospital, it could be people's personal information as opposed to, so this is more specific enterprise specific data. And then when we're talking about AI and whatnot, that's a lot more of a different type of data. So then usually a lot of your more security for AI companies deal with that. Your DSPM just helps you really understand the foundational data sets that you have.

Ashish Rajan: Thanks for calling it out because I think I just want to make sure people don't get lost in that whole translation. Those are definitely important from a third party perspective, but what we're referring to is primarily the enterprise space. The next thing I want your, hopefully some opinion on this over is, and feel free to throw some controversial opinion in here as well.

What is something that you would like to completely ditch for 2025? In all the research you've done in the cloud, identity, SOC, data, and AI space, [00:30:00] what is something that you found should just not be a problem in 2025? Or should just be, it should not be used at all by vendors or by operators.

Francis Odum: Yeah, this is really controversial but I still think there's this I mean it's a controversial opinion so that's why I will give it so I think this whole talk about agent I think it's actually going to really fall flat on its head but I could be wrong I could be very wrong because you've probably seen a lot of VC content showing 2025 is going to be the year of agents.

It's going to be the year of agents. And my whole thesis is just, look, there's still fundamental steps within enterprises before they actually adopt these things or this technology is at scale that we still need to get right before we actually move into this rule of like agents taking control of everything and doing all the work, whether it's security related tools, whether it's calendar. So I actually just think we're still early. Yes, the technology is moving fairly [00:31:00] fast and quick. On the operator side of things, I don't think it's moving that fast.

I just don't think cybersecurity professionals and cybersecurity leaders are that like risk averse, that they're not usually like your first adopters of new and sexy technologies. I actually think this whole thing about agents will fall flat on its head. I think we should still focus on core fundamental problems around making sure we get the data right, making sure we have the right policies in place, making sure we have the right processes in place, making sure that people are well equipped and understand this technology.

I think that there's still lots of just fundamental things that I think need to take place before we actually see the role for agents actually being really successful to help the enterprise. And then we'll see how that goes.

Ashish Rajan: It's a fair call out. Cause I think at least in all the conversations we're having at AI Cybersecurity Podcast as well, which is a sister podcast to this and we did a whole prediction episode there as well, which will soon come out. I also still think the same thing happened when cloud, where there was a [00:32:00] small percentage that did automation that they were the quote unquote pioneers. I think that percentage was small in the beginning of the cloud.

And it's going to be the same in this context as well, where the percentage of people, I'm sure there'll be a few. I'm not saying that it will not be. There will definitely be one or two people who are super smart and doing this. But the percentage of those people who are going to be AI agentic, quote unquote, for people who can't see the video they are going to be a small percentage is where I'm leaning more on.

The larger chunk would be the people who are solving that data security challenge. 100%. As a CISO as well man, one of my biggest problems used to be that I had my data security policy, but whether it was implemented or not was the hardest thing to verify. Exactly. How do I verify if Francis has not copy pasted something into his yes, I can have laptop controls and all of that, but there were so many technological limitations, you almost feel like how is that even possible? You could literally take a picture on your mobile phone and walk away. How am I supposed to know that?

Francis Odum: [00:33:00] Exactly.

Ashish Rajan: Now to flip that a bit, what is something that you're looking forward to in 2025 that you feel people would see a lot more of or you would want to see a lot more of in 2025.

Francis Odum: Yeah, I don't think it would be anything necessarily brand new, let's just see solving this data problem.

I think I'm actually quite enthusiastic to see the companies that are actually going to evolve across this data layer. To actually solve many of these problems within security operations. I do see that if I could give more areas that are maybe more, I think looking at how those companies might evolve throughout this year is something that I'm really looking forward to.

But I think other areas will be like the identity problem, I think there's still this constant debate of how much of NHI is actually a big thing, is NHI, is it a platform category or is it a point solution that should be under maybe a cloud security vendor or one of the big identity vendors like Okta and whatnot.

I think there's still a lot of debate that rather than I'm just, let's just say that one is more where I'm neutral. And I'm like, [00:34:00] I'm really looking forward to seeing. If we're having this conversation in a year from now, how will NHI's evolve this year? Will they turn out to be a fad? Will they turn out to be real?

I think obviously with cloud security, I think, yes, there's been a lot of talk. And we don't want to go into a lot of depth because I think James did a good job, but just seeing where this whole rule of emphasis of runtime plays, like CDR and ADR and obviously how a lot of these complements ASPM on the left side, because one thing we need to talk about in the CNAPP is this convergence, like the major guys now want to do both ASPM together with ADR, CDR, and even though there's separate problems and different types of things I'm just curious because as you know this in is cyber, things go up and down, like at some periods in time, like again I'm also excited for the unknown, there will be a theme, a category that will probably emerge like in six months from now.

And then I think lastly within security for AI and LLMs, I think I'm [00:35:00] looking at the maturation of the companies. As I mentioned, I think the space is early, but you know what? Some of these companies could actually really break out. There might be a, maybe one of the other, I hate to wish any company a bad attack, but who knows, usually you need one of a significant attack to happen or breach to a core. One of these companies be like, okay, now we need a solution.

Yeah. We'll see what happens in security for AI and LLM as well as that DSPM category. But yes, I'm someone who's not a big fan of predictions, but that's just, yeah, there are things I'm looking forward to observing. As a researcher, that's what you could do. You just stand outside and you just watch on the outside and see what's happening.

I write about it.

Ashish Rajan: Yeah, man, would you say I think it's worthwhile calling out as well. I'm looking forward to some of these things as well.

Francis Odum: Please, maybe share with me your own thoughts or what are you watching yourself?

Ashish Rajan: I would say, I think this is a good opportunity to shift a couple of things and from a cloud security perspective, I think the CNAPP category is going to [00:36:00] be it's already encompassing of everything.

And I think I agree with some of the other conversations that I've been hearing where eventually runtime and posture management would have to come together for it to be a full CNAPP. If that is what the industry wants to go forward with, because that's probably the most marketed term right now.

So if we were to stick to that category, that's probably going to be it's going to expand even more and come to the runtime side as well. Cause at this point in time, it definitely only does the left hand side. And the challenge that, so we run something called Cloud Security Bootcamp as well.

So we've been training a lot of SOC people on cloud and because they are the people who are becoming the I guess the people who are triaging these alerts from cloud, they get an alert from a CSPM or a CNAPP provider. But that is not a real time information in most cases. Sometimes the resource doesn't even exist anymore.

There's a lot more nuance to understanding how cloud works. So what I would say they would definitely be [00:37:00] at least in terms of bringing the two together and some AI magic in between all of that, where there should be a capability. And I think a lot of the bigger players who have been in that runtime space for a long time, I'm talking about the granddaddies who have been in cybersecurity threat intelligence for a long time.

They have an advantage in this case, where they've known that side for a long time. And the left hand side is an easy lift for them. It's not hard to make an agent, and some of the most, I think most of them already have an agent or something available already. Those two things need to combine together.

That is what truly, as a cyber security professional, what I care about. I don't care about my bucket is open to the internet, but what I care about is that something's happening right now. And I have the real time information for how all of that is connected. And at the same time, it gives me some more additional context.

That's where the AI element piece comes in. I truly believe CNAPP would go down in that category. And I definitely believe that the granddaddy of cybersecurity are [00:38:00] well positioned for it because they already have done the right hand side. They made most of the money on the right hand side.

So the left hand side is like an easy lift for, Hey, by the way, guys, we have 20 years of cybersecurity threat intelligence. How do you beat that information? So I feel there is that advantage that they have. And if they make the move in that space, which would be really interesting. That's the cloud one.

The other one that I think would definitely happen is the one that I told you about the data security piece. 90 percent of people are going to be focusing on, at least the ones from a security perspective, they either focus on data security or third party management, hey, it's something was amiss on OpenAI or Claude or whatever, how are we gonna respond to it? Can I safely remove my connection from this third party, how tightly knitted I am to this third party? There'll be all these things that people have not logged into before. So it's gonna become a thing.

That's the one for AI. I've got even more on the industry as well, which is that the cloud [00:39:00] security engineer role it's going to be really interesting. I definitely find that the cloud security engineering role as well as the SOC role, the separation that exists at the moment in the enterprise space, a lot of that cloud security role is going to transform into a lot more about thinking further Hey, how do, instead of going and looking at CNAPP alerts or CSPM alerts, I'm going to be focusing on, I'm going to do engineering for lack of better words, which is what my title was supposed to make me do, which I was not doing, but because I was like, people were trying to figure it out.

And this is specifically for companies that have just recently moved into the cloud space because there are still companies moving to the cloud space today. AI has pushed a lot more companies into cloud. So all those companies that have come in new into the space, they're going to start recognizing, Hey, by the way, there's a pattern here.

I should have an engineering person building the pipeline, building all of this, whereas the SOC and the people have the information going back to my first thing, where they have the runtime information and left hand side information. So they can look after the [00:40:00] holistic picture because any enterprise out there has on premise, so they have data centers.

They have a cloud, probably more than one cloud, probably six, seven clouds out there and they have multiple geographies to look at. In that complexity, we are able to give the right information to a SOC person. So they can look at that engineering, people can do the engineering.

Francis Odum: Yes, no, absolutely, because all of what you mentioned, that part of that engineering part is also part of whenever I talk about this data problem, this is part of it. This is exactly part of this engineering pipelines as well too. To help make the flow of other things better.

These are some of these same foundational things that I talk about. I think that's one. And I think the other thing you said that really resonates is, yes, I think in my conversations with SOC analysts to date. So yes, they don't really know how to deal with cloud related types of incidents. Or like whenever there's a miscalculation, but whenever that comes into the same or whatever, they don't really know how to deal with that, as opposed to say your cloud [00:41:00] configuration team or whatever.

Those are the guys that are more problematic. The industry needs to come to a stage where, how do we help those, empower those SOC analysts to actually investigate and remediate some of these issues if they come? Or even, how do you even write the rules? What are the kinds of rules that you write in your SIEM?

This is why I talk about detection engineering being such a one of the core areas. I think that still needs to be solved in this SOC is this area of how do you write those detection rules? So I think these are the number of areas and you're correct. I think it all comes down to a lot of these fundamental things, basic stuff, before we then get to the AI, the intelligence, and the search and looks like a very tough one.

Ashish Rajan: By the way, all those people who are looking for SOC help, send them over to me when I can help them out. If we do corporate Please. Beautiful.

Francis Odum: I was actually going to ask that actually, where do I find this for

Ashish Rajan: example, because I would say it's called a cloud security bootcamp or people want to search for it.

At the moment we've taught over a thousand people in 2024. Hopefully I can double the number next year. The intent is to have [00:42:00] online versions of it as well. So people can What website is this? It's literally cloudsecuritybootcamp.com. Oh, beautiful. Yeah. You can go there and I think I can figure that out as well.

But the thing is, we're covering AWS, Kubernetes, Azure, GCP, because exactly what you said for the past entire 2024 period, all I've been saying is, so people are just basically being sent logs because I understand scale is increasing now. You need to figure out what the engineering looks like and the SOC people are being cornered into go, hey people, figure it out. You'll be fine. There's just another platform and they're like, ah.

So I think anyway, that's the goal. That's the reason we started it and this we're trying to help people out as well with it. We cover all the threat detection, common threats and all of that as well.

Hope is to add some pentesting pieces in there as well, because I imagine for them, they want to be able to do some threat hunting later on. Anyway that's like the goal. I'll stop tooting my own horn, but I'm just conscious of the fact that I have three fun [00:43:00] questions for you, by the way.

Okay. First one being, what do you spend most time on when you're not working on your analyst research for software analyst, cyber research?

Francis Odum: Oh boy, I definitely have a lot of interest, but if I could boil it down to, I'm a big runner. I'm a big marathon runner. Still hoping to do the London marathon.

They still want to let me in to come down. So if I'm ever there, I will let you know. So I'm a big road runner. Yeah. Usually I was training for marathons or races throughout the year. That's one number two. Yeah. I'm actually a really big soccer, like nerd so actually the English Premier League is actually a big Liverpool fan.

Ashish Rajan: Sorry to hear that, man. I'm a Chelsea fan. At least, yeah. We're top of the league.

So you have football, soccer, marathon. That's your primary interest outside of this.

Francis Odum: Yes. And then obviously the other things I study or, you watch, or you learn about I love a good history show like Rome, history of Rome or ancient Rome and things like that.

So those are all the things that I like [00:44:00] to learn about. But obviously there's always, I have many things on the go usually,

Ashish Rajan: Oh, that's awesome, man. And second question. What is something that you're proud of that is not on your social media?

Francis Odum: Oh, something that I'm proud of that's not on my social media.

Yeah, I think one thing that I could also mention is just having a sense of purpose and peace inside of you I think a lot of these things are things you have to work on personally of what is my purpose? What am I working towards? What's a vision that's larger than me.

So for example, where I live, I try to contribute to my community, I have a tiny run club, I have a group for like young capital professionals and like just more different types of things that I try to help out in the community. And I don't like to boast about that.

I guess I shouldn't even be talking about those things, but it's like giving back and having a sense of purpose, because, there was an interesting blog, you probably read it, it came out this weekend about one of the Loom founders. This Loom founder, he sold his company for a [00:45:00] billion dollars to Atlassian, and actually check it, it went viral for three or four days and so many articles.

So just Google Loom CTO. Life crisis and I think this is such an important question for a lot of people, especially because it's a new year and we're setting a new year's resolution, but he just has this story about, yes, it's all over the internet, it went so viral, but long story short, he just had this whole thing around I sold my company for a billion dollars, in fact, he even turned down 60 million, because we have way too much money in my life now that I don't even know what to do.

But he's facing a life crisis now because he has all the money in the world. But he doesn't know what to do next with his life and he feels lost. It just feels like no purpose kind of thing. He was asking for help quite frankly on the internet. That's it. And he was probably like not afraid because I think this is something a lot of people implicitly, it just got me thinking personally if I have all the money in the world okay, what else would I be happy for, do you have a purpose, like your family, you have kids, you have a mission and those [00:46:00] types of other things that like spirituality, whatever, and yeah, so that's, I think that's just something that I'm proud of, but I think a lot of us all think and struggle about,

Ashish Rajan: Yeah, I would think so.

And thanks for sharing that as well, man. I think finding peace is definitely, let's just say it's a harder challenge, especially if you own your own thing as well. That does not come easy. No amount of meditation can help you with that, man. Or I haven't figured that part out. Yeah. So if anyone has a secret, please feel free to share that.

Final question. If you were stuck on an Island and if you only had a choice of one cuisine. What food cuisine would you pick could be actually could be a food or could be a food cuisine category? So I'll give you two options.

Francis Odum: Oh my gosh. I mean it has to be an Italian spaghetti carbonara, maybe I'm just biased because I was just my brain can't stop thinking about that food and I ate it so much so many times and I like, every time I think about it, I want more of it.

A good Italian spaghetti carbonara made with [00:47:00] good cream sauce, bacon, spiced up really well it is actually fairly good.

Ashish Rajan: Oh, wow. Wait, so if, so I'm assuming that's your favorite cuisine then.

Francis Odum: I could do that one. That's just one more recently, but I think. More generally, I think I love a good African cuisine.

I've definitely Anything specific for African cuisine? Okay, you know what? If anyone is interested, they could Google something called African jollof rice. Wait.

Ashish Rajan: Actually, I have a question for you. I've been asking everyone who talks to me about jollof rice. Which country has the best jollof rice?

Francis Odum: Yeah, you don't even need to ask me, we need to talk about my original country of origin, but it has to be Nigeria. Wait,

Ashish Rajan: I talk to a non Nigerian person for this, cause every time I talk to a Nigerian person, of course Nigerian why would we, I'm just talking to, I'm waiting to meet other people from, Ghana.

Ghana, yeah. Ghana. Yes. Yes. Jollof rice, the Nigerian version is what do you think is probably people should introduce themselves to? [00:48:00] Absolutely. I could eat it for years. Yeah, like the cutest part is actually they're very easy to make as well. Yes. So it's not even a complicated recipe and you're almost like, Hey, there's a fight for who has the best Jollof rice.

I couldn't put my mind to how can someone make this a bit more complicated for it to be

Francis Odum: harder to make, right?

Ashish Rajan: Whenever you come to London, I'm going to take you to a Nigerian restaurant over here for sure.

Francis Odum: Oh, that would be amazing.

Ashish Rajan: I'll take up recommendations for Canada for like Nigerian restaurant recommendations for something close to you as well.

Or otherwise I'll happily have your homemade jollof rice. I'm as much as excited I get about food. I do want to say I'm super excited that you came. Thank you so much for spending time with me and sharing the awesome work you do as well. Where can people find you and connect with you to know more about the work you're doing with software analyst cyber research.

Francis Odum: Yeah, no, thank you again for having me again. I've been a big fan of your show. I've watched a lot of your interviews and actually occasionally I always revisit them. I'm a big [00:49:00] subscriber, so I recommend a lot of people to subscribe as well. But yes, in terms of where to find me, generally you could find me at the softwareanalyst.substack.com that's generally where I publish all my research reports, generally about once a month or once or twice a month. I don't write as often because you spend a lot of time researching topics.

I think that's one. LinkedIn, Francis Odum occasionally there too, I share my ideas and thinkings about some of these topics. And then, yeah, those are like the two platforms for now. And then, yes, fingers crossed we might do one later down, another one, maybe a podcast. Who knows?

Ashish Rajan: Ah, fair, man.

Let me know if you need, if you open one out, I'm more than happy to share what we have done as well. And I'll put those in the show notes as well. So people can find out a bit more about you, man. Oh, thanks so much for spending time on it with us as men. And I look forward to having more of these, maybe a 2025, 2026 version as well.

Oh, we'll do before that, but at least that much. Absolutely perfect and we would love to. Alright, man, thank you so much. What, thank you so much for listening and watching this episode of Cloud [00:50:00] Security Podcast. If you've been enjoying content like this, you can find more episodes like these on www.cloudsecuritypodcast.tv.

We are also publishing these episodes on social media as well, so you can definitely find these episodes there. Oh, by the way, just in case there was interest in learning about AI cybersecurity, we also have a sister podcast called AI cybersecurity podcast, which may be of interest as well. I'll leave the links in the description for you to check them out.

And also for our weekly newsletter, where we do an in depth analysis of different topics within cloud security, ranging from identity, endpoint, all the way up to what is a CNAPP or whatever a new acronym that comes out tomorrow. Thank you so much for supporting, listening and watching. I'll see you next time.
