 Hello, and welcome back to SuperCloud 3, where we're discussing and dissecting the future of AI and enabled security in the cloud. And I'm pleased to welcome to the program, Alvina Antar, who's the CIO of Okta. Alvina, welcome, it's good to see you. Thank you, thank you, Dave, for having me. You're very welcome. I want to first review your role. You know, a lot of tech CIOs, they're pulled into sales calls by the sales people. They want to help them improve their customers' internal security and use the examples that you've set. In your case specifically, how do you spend most of your time? Is it on making Okta better, or is it helping customers do better or a combination? Well, yeah, thanks for asking that. I would say what, in August, I'm hitting three years at Okta, and that has evolved. And when I first joined, it was really focused on internal structure. You know, really looking at the level of organizational structure that I needed, and building an enterprise product, enterprise engineering, enterprise data, infrastructure and operations organization that has evolved dramatically in building almost a tech ops organization within infrastructure and operations and enterprise security, in a strategy organization that helps us think of what is needed to be able to evolve the business and drive our growth and scale of our business exponentially. And so that has been the first three years of my run at Okta. And within our organization, we have an Okta on Okta function, and that function has transformed the way we work, not only within product and engineering and in building deep expertise within our product and not just Okta and all the capabilities within our workforce identity and customer identity capabilities, but also Okta in the ecosystem, the actual integration across the ecosystem that is required to be able to transform our employee experience as well as our customer experience. And that effort, that initiative, the Okta on Okta initiative, has now shifted and taken a ton of focus organically to customer engagements. And so I spend a ton of time with customers and partners and prospects who are really wanting to understand what we do, how we run our business, how we evolve our employee experience and what we're doing with our password list journey, which I know we'll talk about, what we're doing with governance and how are we really looking at our customer, our end-to-end customer experience and driving the most seamless and secure customer experience. And so actually, I just last week, I was in Australia in Sydney and Melbourne and had the most beautiful time there. It was my first time visiting and the level of engagement from our customers and partners and interest in what we're doing internally across all industries at all sizes was so meaningful and so valuable. And so that's actually one of the best parts of my gig now. So thank you for that. So what's the relationship between your office and the SecOps team at Okta? I mean, a lot of tech CIOs do double duty as the CISO. So how has that relationship evolved? What's your particular point of view on the ideal regime for this so-called AI-powered world? Does that change over time? But I'm interested in the sort of, are you the CISO? Is there a CISO? Is that individual counterpart? Does that individual work for you? Do you work for that individual? Where do you report that whole regime if you could give us your view? Yeah, I mean, so every organization is different. I actually am working closely with our Chief Security Officer, David Bradbury and his organization and our structure is distributed, right? So and what we've done in the evolution of our security structure is that, security ultimately is driven through our Chief Security Officer in a distributed model across the organization with my organization responsible and accountable for enterprise security. We have a product security focus within our product and engineering focus. And so it's a distributed model and really wanting to ensure that we've got a mindset where security is everyone's priority across the entire organization, not just mine from an enterprise perspective, not just the product infrastructure security team, but everyone's responsibility and building a security first culture is our joint responsibility and accountability. And so that's the way that our structure is set up and what I've realized and what we've talked a lot about David and myself, two customers, is how identity is actually driving the most incredible and strengthened relationship and partnership across security and IT. And the reason for that is that in the past, it was security makes strategic decisions around what we need to do to be able to drive our overall strategy and IT is in a position to execute without questioning the strategy. And that doesn't fly, especially if you're thinking about how to operate with an identity first mindset and ensuring that what you're enabling is this balance between security as well as the experience and that they're not mutually exclusive. And the importance of having the joint accountability for all the initiatives that we have tied to security across both the CIO and CSO's responsibility. And that is what allows us to shift our mindset that driving a hardened security posture doesn't necessarily mean that you're now creating a frictioned experience. But you're actually, all that we're talking about with our password list journey is actually hardening security while creating the most seamless, most least disrupted experience for our employees. And so they go hand in hand. And so your peers with the CISO, CISO correct or the CSO, I guess you call it. So it's interesting because we've seen over the years, security was just the domain of the security people. Nobody else cared about it. And then it went up to the board and of course then it was sort of pushed down throughout the organization. And now it's sort of middle out and everybody's as you just described. I wonder, you were talking earlier about sort of your role with the ecosystem and it struck me that, you are a super cloud enabler in that sense that I'm sure you're dealing with many different clouds and many companies that run on different clouds. I'm talking about the ecosystem now. So I wonder if you could talk about what's different with regard to multicloud security versus say just on-prem or hybrid or just in the cloud, are there opportunities to enhance security across multiple clouds or does multicloud just bring more complexity from a security standpoint, just a more complicated set of opticals? What's your experience been Elvina? I think it's an opportunity. I mean, I see multi-cloud is where everyone is focused not just from increasing reliability and redundancy but also from an efficiency, from driving efficiency, which is top of mind for all of us. And so, and it does add complexity from a security perspective. And that's the opportunity that we all have to ensure that we're now balancing our tools and methods and capabilities that may be different across multiple platforms. And so making sure that we think about the configurations and how we align configurations across the multiple platforms, thinking about data residency and where you're storing your data and how you're making sure that it's secured across all the distributed platforms, thinking about compliance and how to maintain controls from an audit perspective across multiple platforms. And then logging and monitoring is obviously top of mind as we need to ensure that the learning and triaging is consistent and spans across the multi-cloud environments. And so, the reality is what multi-cloud presents and reinforces is that the boundary is limitless. We need to think about our environment as boundary-less whether it's through multi-infrastructure, whether it's through multiple devices, whether the perimeter, we talk about how the security perimeter has expanded not just across your employees but think about your contractors and your extended workforce. And so needing to be able to have a centralized identity model across this expanded perimeter is critical in a multi-cloud and multi-everything environment. So thinking about what you just said about multi-cloud and security specifically, I'm interested as it relates to AI, where do you think, and your colleagues think and the technologists and Okta and the broader industry, where's the low-hanging fruit for attackers and the same question for defenders? I mean, normally the attackers are a little bit ahead, sometimes a lot ahead. Is that the case with AI? What are you seeing in that regard? Yeah, well, I mean, we all know, right? I mean, AI, it's not just a trend, right? We've been talking about AI for years and now the level of focus, we know that the full potential is yet to be realized with AI. I mean, it comes with the advancements in algorithms and the computational capabilities that exist. And most importantly, data, right? The rise of AI, it truly signifies a platform shift, paving the way for new applications, right? And with chat GPT and open AI, that is one of many new applications that will emerge, that we are excited to see the level of innovation that will come with new applications. And we know that each of those applications requires a login and requires a zero-trust model across all the applications. And we see ourselves from an identity perspective as the most equipped, right? To be able to offer solutions to all the new applications that emerge. And it's exciting, just even within our own products, within workforce identity and customer identity, we have capabilities that we continue to further evolve as it relates to AI across our security center and across threat insights that are areas that allow us to be able to understand what is happening and provide signals and insights to our customers around risks to prevent attacks. And so this is something that will continue to emerge and we are focused both within our products and within our organization to further take advantage of AI. And then you had mentioned, you know, the attackers and defenders, you know, I mean, from an attackers perspective, like data loss and exposing IP is at a greater risk, right? With AI, with AI, with feeding tools, with proprietary data that you had not intended. And, you know, from my perspective, you know, really thinking about controls, well, we don't want to limit the innovation across the organization. And we want to continue to empower the organization to innovate. We need to be able to also have the level of controls and guardrails and policies around, you know, what is required to have the appropriate use of AI. And so that is a focus from an attacker, you know, perspective. And then from a defender, I mean, I would say, it really helps us, you know, AI helps us get quicker access to information, right? We can prevent and limit the impact of security attacks because these insights exist. I mentioned threat insights, I mentioned security center within customer identity cloud. These are all insights that allow us to have quicker access to information for those that are, you know, taking advantage of our identity capabilities across both our employee experience and our workforce experience. And then, you know, just improved analytics, right? The data has to be trained, but, you know, we need to continue to focus on training the data to allow us to have analytics and insights that allow us to make data-driven decisions. So we're now not just focused on accumulating the data from disparate cloud environments. Now we have access to the data, we have access to intelligent data that allows us to make decisions, you know, and it gives us more and more thoughtful learning, you know, because we train the data. And so now we can spot, you know, generated attacks, whether they're AI generated, which will create even more complexity for us as organizations, right? How do we attack malicious events that no longer are generated by humans, right? They're generated by AI. And how can we, you know, really look at what is needed to be able to safeguard and take advantage of AI to understand those attacks and be able to have more automated ways and triggers to prevent the attacks? So I wonder if you could give us your CIO perspective on the following. So one of the themes, I don't know if you're at RSA conference this year, earlier this year, Rohit Guy had a talk and he talked about security's identity crisis, very clever. And so my question is, is identity across clouds? I mean, you seemed like you're pretty optimistic before us that's an abler. We've talked about in the past, like the last super cloud, a lot of the customers that we talked to said, well, our way of dealing with multicloud complexities, we go monocloud. Now the reality is when you talk to their colleagues in the organization, they've got multiple monocloud. So they're multicloud. The problem is those clouds don't necessarily talk to each other. So how do you see that in terms of adoption of identity? Because, you know, somebody might be in Azure with one identity on prem with another and using octa for a third, et cetera. Do you see that the industry is going to be able to get to the point, whether it's cross cloud standards or maybe it's a de facto standard where they can actually accelerate adoption for this notion of cross cloud, multicloud services, what we call super cloud. Your thoughts. Yeah, thanks for asking, Dave. What I would say is, you know, what we continue to see and actually even in this environment, in the macroeconomic environment that we're under, you know, we see an increased focus around our customers thinking about transformation, you know, because the reality is in this environment, unless you're thinking about transformation and you're thinking about cloud adoption, you may not survive in this environment. And so multicloud is here to stay and we continue to see increased cloud adoption in this environment. And so, you know, in order for workforces to evolve and the need to be able to really think about, you know, what is needed to transform your organization? What is needed to be able to adopt the cloud? You need that level of neutrality, right? You need to be able to ensure neutrality. You mentioned multiple identities across different platforms. I mean, that's not going to allow you to have a single pane of glass. And so, you know, cloud adoption and the emergence and continuation of increased cloud adoption will reinforce the importance of identity being neutral, the importance of identity, ensuring that it spans all devices, all infrastructure, all environments. And so, you know, we see this as a huge opportunity to continue to drive an increased adoption for our customers and, you know, in terms of like standards, we have, you know, obviously the security standards, you know, that is something that has been key, right? From an identity perspective, we have a robust suite of opportunities for us to continue to think about the overall standards. And like, if you think of FIDO2 and SAML2, like those are standards that will continue to be embraced, right? Whether it's FIDO for Fishing Resistance or SAML2 and the OpenID Connect for Federation. Those are areas that will continue to be relied on and we will continue to focus on adopting and embracing those standards. All right, I got a two-part question for you. It deals with culture, but I'll tell you a quick story. Last month we were at Cisco Live and they had Jim Gaffigan come in. And he was telling jokes, he's hilarious. And he says to the audience, you've been a great audience. I look around and I see a bunch of old guys and which was so true. The whole audience was just, you know, older men. You're not the prototypical picture of a CIO. It's changing somewhat, but so my question is two-part. One is sort of the woman in tech, the CIO women in tech angle, but also it relates to what your approach is to build a strong, sustainable security culture. Well, yeah, thank you for highlighting that because the reality is we've gone backwards, right? We've, especially in, you know, the environment that we've had with COVID and, you know, we've, instead of accelerating our opportunity of having, you know, an increased women in technology, we've actually gone backwards if you look at the numbers and it's unfortunate. And, you know, that's something that, you know, I've been in IT my entire career. I may not look like a standard, you know, you're a typical CIO, but I've spent 25, 26 years in IT from when I started as an engineer at Dell. And that shouldn't be you and far between. And, you know, I'm on a mission and I know many of my peers and, you know, what I would say is we have, you know, we have communities where, and networks that I'm proud to be a part of that really bring us together. You know, the CIO females in the Bay Area, we have a Silicon Valley women's network. We have a T200 organization that are women globally across all the C-suite. These are organizations that I'm, and networks that I'm proud, and thriving networks that I'm proud to be a part of and the entire intent of those networks are to be able to lift the next generation of females in technology. And what, and I feel accountable and committed to be able to really look at, you know, what is needed to be able to drive this change and accelerate, you know, the number of women sitting in my seat. And so that's something that I'm extremely passionate about. And then in terms of, you know, the security culture, you know, I, what I touched on, I mean, we are really, you know, looking at how to transform the culture and not thinking of security as the CISO's job or even my responsibility from an enterprise security perspective. But how do we, you know, shift that focus and shift that mindset in creating a culture where every single employee, regardless of industry, I mean, obviously from us as an identity, you know, company that focuses on making sure that everyone is safely to use any technology. Like, of course we're, you know, our organization of 6,000 global employees are focused on and see themselves as, you know, a integral part of our security strategy. But every company across every industry and every employee across every industry should evolve and that culture should, something that I see will continue to evolve. And it's, and it can't just be driven by the CISO. It needs to be driven by, you know, every leader within the organization. And so, you know, I continue to take an active role and I feel like our partnership across, across Okta is showcasing that. And those are a lot of the conversations that we actually have with our customers is how is our partnership, you know, really changing the game for the security culture in the industry. And so, you know, I'm excited to be able to see that evolution because it's, it can't be an afterthought. We can't continue to react to attacks and then think about security. It needs to be top of mind. It needs to be foundational. It needs to be, you know, you know, we talk about security by design. Like that should be embedded in all that we do where we think security first and security by design. And that's what you'll see, you know, every organization look to evolve. And it has to start from the top. Yeah, congratulations on both those fronts. I appreciate that answer. Last question is a topic that you brought up before and I saved it for last because I think everybody can relate to password less, right? Everybody hates having to forget, you know, forgetting their passwords, having to change the password, you change a device. It's just, it's the scourge of passwords. I mean, it reminds me of, you know, the old days of email where you had to like archive all your emails. It's just, it's a terrible experience. So it sounds like there's hope. So can we ever get to a world where there are no passwords? Yes, there's definite hope. And that is something that I'm excited about in terms of our journey. And one thing that I share, you know, we've initially talked about, you know, password list as this dream, you know, like will, as you mentioned, like will we ever get there? But the reality is, you know, phishing resistant factors and the evolution of all that we're doing to be able to drive, you know, this seamless experience is allowing, and biometrics, you know, is allowing us to actually realize this vision. And we're, this is something that's top of mind for us, you know, in our octa and octa efforts. You know, what we've deployed internally is our new octa identity engine that allows us to have, that actually takes advantage of fast pass capabilities that get us to, you know, that get us to a place where we are extremely close to, you know, in the 90 percentile to getting to 100 percent password list at octa. And we are sharing our journey. You know, what is, what is, we are sharing, you know, the steps, you know, in our path of password list journey, we are going through, you know, what is required to be able to actually realize this vision and that it's not, you know, a dream, but it's actually a reality. And it's an expectation that every organization should have. Yeah, 90 percent is amazing. I mean, I'm probably at about 12 percent and can't wait to get to 50 percent. But Alvina, thanks so much for coming on the program. Really appreciate your time and your insights and love to have you back sometime. Yeah, I'd love to join you back. They, thank you so much for all that you're doing with this incredible program. You bet. All right, keep it right there. We got more discussions. We have fire-tired chats. We've got power panels and conversations with tech athletes like Alvina and much more. You're watching SuperCloud 3. I'm Dave Vellante, the future of AI-enabled cloud security.