The neXt Curve reThink Podcast

Highlights and Insights from RSAC 2025 (with Jo Peterson)

Leonard Lee Season 7 Episode 18


Jo Peterson, cloud and security thought leader and VP of Cloud and Security at Clarify360, joins Leonard Lee of neXt Curve to exchange notes on what they thought were highlights and key takes from RSAC Conference 2025, which took place at the Moscone Center in San Francisco. They also discuss the newly published "The State of SaaS Security: Trends & Insights for 2025-2026" report by The Cloud Security Alliance.

Jo and Leonard hit on the following topics:

➡️ What is on Jo's mind from RSAC 2025 (2:34)
➡️ The specter of shadow AI (5:05)
➡️ The Cloud Alliance SaaS Security Report 2025 (5:24)
➡️ Shadow AI and shadow IT are related (9:02)
➡️ Agentic AI is not your daddy's minivan AI (10:50)
➡️ What is your security posture? DSPM + AI-SPM (15:27)
➡️ Letter to the Board: Give your CISOs more money! (17:39)
➡️ Cyber risk and attacks get more sophisticated with AI (21:04)

Connect with Jo on LinkedIn at www.linkedin.com/in/jopeterson1

Please subscribe to our podcast which will be featured on the neXt Curve YouTube Channel. Check out the audio version on BuzzSprout - https://nextcurvepodcast.buzzsprout.com - or find us on your favorite Podcast platform.

Also, subscribe to the neXt Curve research portal at www.next-curve.com for the tech and industry insights that matter.

Leonard Lee:

Hey everyone, this is Leonard Lee, Executive Analyst at neXt Curve, and welcome to this episode of the reThink Podcast, live here from the Palace Hotel in San Francisco. I'm here for RSAC 2025, which is, I think, the premier cybersecurity conference in all of the Telemundo or the El Mundo, right? And I'm here with a very good friend of mine, Jo Peterson of Clarify360. And you know what? It's really amazing to have you on and to be here with you in San Francisco for this event. How are you?

Jo Peterson:

I'm doing great. Thank you so much for having me. Guys, you can't see this place, this Palace Hotel, but it is gorgeous. There's these, it's like this architectural turn of the 19th or 20th century, yeah, situation with these gorgeous domed, glassed ceilings, uh-huh, if you can check it out.

Leonard Lee:

Before we get started, remember to like, share, and comment on this episode. Also subscribe to the neXt Curve reThink Podcast on BuzzSprout as well as on YouTube. Also, just before we start, a disclaimer: all the views and comments by my guests are entirely their own and don't reflect those of neXt Curve or myself. And we do this because we want to keep an open forum, allow my guests to say their piece, and foster an open conversation around technology and some of the leading trends that matter, especially in this really important industry called cybersecurity, which looks like it's getting really, really hot this year. I mean, it's a hot topic and we have a lot of stuff going on: AI, SaaS apparently, which we'll talk about in a moment. But yeah. Before we get started, everybody wants to know, Jo, what have been some of your key takeaways from the event so far, and the engagements that you've had with vendors and end users, practitioners, et cetera?

Jo Peterson:

Yeah, so the event has been really well attended. I heard that there are about 30,000 people here at RSA. Don't know yet, but 44. 44. Oh, man. Okay. All right. Much bigger than I thought.

Yeah.

Jo Peterson:

The thing with RSA is, if you've ever visited, we were chatting about this a little bit earlier. Everything used to happen just at Moscone and the buildings around Moscone, and what's happened over the last few years, I'd say since post-Covid, things have become even more decentralized. So maybe you don't see all the people all in one place all at one time, kind of a thing, because they're here and there at the different buildings that surround, let's say, the 10 blocks around Moscone, right? So, but great activity here. I think that last year was RSA training wheels, I mean, sorry, AI training wheels at RSA. AI training wheels at RSA, people. We weren't seeing the plethora of use cases yet. We weren't seeing some of it in the field and in practice, and now we are. We're seeing generative AI being put in place. I don't know, depends on who you ask and what resource you look at, right? But generative AI is something that's being used across enterprise.

Mm-hmm.

Jo Peterson:

Now the next trend is agentic AI.

Yeah.

Jo Peterson:

Right. So we're hearing lots of conversations about how to protect agentic AI, because agentic AI brings on its own set of challenges and complexity that we didn't see in generative AI. So that's been a big conversation that's happening here.

Leonard Lee:

Yeah, a really big conversation. And then, with cybersecurity, there's always a light side and a dark side, right? Mm-hmm. It's like watching Star Wars, there's the dark side of the force and the light side of the force. And one of the things that I heard quite often, actually ever since I stepped on the floor of the Moscone, was shadow AI. So the growing challenge and problems with shadow AI, and we're gonna talk about something a little bit similar to that, regarding SaaS, right? Mm-hmm. So, I know that you wanted to talk about this study that was published by the Cloud Security Alliance. So why don't you tell the audience a little bit about that, and then maybe we can just talk about that and what sort of bearing it has in the cybersecurity conversation going into this year, because obviously the timing was interesting, right?

Jo Peterson:

Right. I think that the findings were very interesting. Some of the findings were sort of expected. So the Cloud Security Alliance published the State of SaaS Security report 2025 on April 21st. I think they wanted it to be a little bit of a topic of conversation here at RSA, right? I think they wanted folks like us to sort of talk about it and bubble it up because they spent a long time getting it ready. If you look at SaaS, it makes up a significant portion of IT budgets,

right?

Jo Peterson:

The latest findings from Gartner is that it represents 41% of total public cloud investment in 2025, right? And that's a shift for many organizations, especially those like when we were coming up, that were highly infrastructure based, physical equipment, infrastructure based that had life cycles, investment cycles. It was a capital expense. It was a three to five year window.

Yeah.

Jo Peterson:

And that's changed. More and more of the IT budgets are moving towards SaaS of some sort. Yeah. And if you think about that in a lot of different ways, first of all, your browser is your new edge. Think about that. Right?

Leonard Lee:

Yeah. You know, that's very light. It's, it's your new edge. Not quite zero footprint, but Yeah. Right.

Jo Peterson:

It's, forget the old topologies of hub and spoke. Those are gone. And think about, and then everybody, we all went remote work during the pandemic.

Yeah.

Jo Peterson:

So that edge worker became, but now as we move towards more and more SaaS in our budgets, now the browser has become the edge. Right? Right. So if you think about that, and so if you think about some of the work that came out of this study around spending, cloud spending in 2025 represented the large and SaaS in the cloud market represented 300 billion. Like that's a lot of money. That's

a lot of dinero,

Jo Peterson:

I agree. And SaaS is becoming the preferred method of purchasing software.

Mm-hmm.

Jo Peterson:

And deploying software, and you've got these shifting patterns that are occurring. It's not just IT that is buying this anymore. It's other business units that are buying it. So I think that there's some patterns that are emerging and I think that there were some goals of the study that came out as well.

Leonard Lee:

Yeah. And I think the SaaS trend actually has been in play for quite some time. I think, going back to my prior comment about shadow AI, right? We had the problem with shadow IT, and in a way, SaaS became part of that dynamic. And so what I thought was really interesting about the paper is speaking to something that we'll probably be concerned about next year, which is shadow AI for sure, which will take its form in a number of different ways, not just from a, you know, there'll be an infrastructure aspect of it because there's now a lot of, let's say, GPU-as-a-service type players out there. Anyone, like a department, can just go out and provision their own instances of like a GB300 NVL72, that's an Nvidia, like, big supercomputing thing if you don't know what that is. So, from there all the way up, right? Because you have the AI platforms and then now you have these folks that are creating all these chatbots and applications. Yeah. And so, I think what we saw with the cloud and are continuing to see with the cloud is probably going to translate, or it's just gonna morph or extend further out as we have this AI agent AI layer. Maybe in next year, because it's all interrelated, right?

Jo Peterson:

Right. So one of the things to think about, and we did learn lessons from the cloud, right? When I started architecting cloud environments in 2009, security was an afterthought.

Yeah,

Jo Peterson:

Security was bolted on at the end of the process. Now we think about designing those environments with security at the forefront.

Yeah.

Jo Peterson:

The thing that's different, there's some, a number of things that are different about AI. Agentic AI, first of all, is not your dad's minivan of an LLM. It is smarter. It makes decisions on its own, and it thinks without human intervention, which can be good or it could be bad. Now let's extrapolate with that a minute. What we learned about during cloud was identity management. That was one of the lessons we learned from cloud. Let's remember math in school, where we would put an exponent on something and it would generally just make it bigger. That's what's happening with AI, if you think of it in those terms, that exponent level, because you're not just worried about human identities anymore. You're worried about machine identities. Yes.

Yes.

Jo Peterson:

So that becomes a different thing, managing those identities. Managing the life cycle of those identities. That's another problem.

Yeah.

Jo Peterson:

And you know, if you start to think about that as an emerging threat vector, that becomes its own set of problems. Do we have the tools today to manage that? Well, we're getting there, but it's changing.

Leonard Lee:

Yeah,

Jo Peterson:

right? It's changing.

Leonard Lee:

Yeah. And it's interesting that you brought up the management of identities, especially non-human identities. I was just in a session, it was a gentleman from Exa, Exabeam, that's the name of the company. And he was talking about, oh, no, no, uh, he wasn't from Exabeam, he was from some other company. Anyways, his point was, he was, his point was 40% of the identities within most organizations or average organization is non-human.

Jo Peterson:

Right?

Leonard Lee:

And a lot of these get accumulated. They're not lifecycle managed. It's difficult to lifecycle manage. It's hard to trace, okay, what sort of application dependencies do these identities have? Do you just erase or delete that identity? Will it impact an integrated system? So, yeah, it's a growing problem, but then now you stick agentic stuff on top of it, right? This notion that there are gonna be billions of agents out there, or maybe for an enterprise, an organization might have thousands of these things. How do you manage those identities? How do you manage those non-human identities that are going to interface with, now, other human identities? And so there's a whole can of worms that are being opened up and there really isn't an answer right now. No. 'Cause I think the question about how do we manage all this agentic stuff is going to be an increasing area of focus and exploration. And I emphasize exploration because no one's actually come up with a solid solution or a standard for doing this stuff. But, going back to SaaS, I think this is just going to complicate things more in terms of, um, the need to focus on SaaS security. 'Cause I know one of the things that you had brought up in a conversation we had before was the need to secure APIs, right? Yeah. And these software SaaS offerings are becoming more agentic, right? You have Salesforce, you have ServiceNow, both who are famously in the forefront, if you will, of this quote-unquote agentic AI movement. What are your thoughts?

Jo Peterson:

No, totally. I think that there's this popular app. I saw a commercial for it and I thought it was really cool. The tool is called Rocket Money, and basically it finds all the subscriptions on your phone. Oh, that you have, right. And I'm like, wow. That'd be really cool if we had that for organizations. 'Cause I can't tell you how many times I go in and I'm like, oh, show me all your apps. And they're like, well, okay, here's what we got. And then we do a little fiddling around and we find out, oh, you got a lot more than that. Right, and my point that I'm trying to make is accounting for SaaS inventory is tough. Visibility into that SaaS inventory. Do you know what your organization owns?

Yeah.

Jo Peterson:

If you don't know what your organization owns, my question to you is this, how are you going to secure it?

Leonard Lee:

What's the security posture exposure of those assets? Right. I think that's in applications. Yeah. Right? I mean, it's like the full stack. Do you have visibility? And that's another thing that from last year was a big deal. Especially with the advent of large language models and everyone trying to make the push toward enterprise AI is how do we deal with the securing of these models in their various forms of deployment in a way that's scalable, and that all starts with understanding, okay, here's our portfolio today. Do we know what our security posture is for every single asset, I mean down to data or even keywords, it's like insane. And so when you look at what the path to readiness, right, safe and responsible and reliable AI for your enterprise, looks like, the path to readiness is actually very complex and it's fraught with risks, and these are things that CISOs as well as CIOs and vendors need to be conscious of because I think the industry is still on the back foot. You know, they're still trying to figure stuff out, but it's pretty evident when you look at what constitutes even just one reliable, what you might call enterprise-class AI application, the requirements are very, very high. Right, right,

Jo Peterson:

They are. And so a couple things, and maybe people realize this and maybe they don't. Um, and this is a shout out to all my CISOs, 'cause I'm always sitting in the CISO corner vote. Yeah. Boards, give your CISOs more money. That's the front end of the message. People don't realize that the average organization, depending upon the vertical, now, the highly regulated verticals spend more, but the average company spends between five and 12% of their IT budget on security. That's small if you think about it. Yeah. Right. And when you think about particularly the highly regulated ones that have so much to make sure that they're in compliance with and ready for to keep the business moving forward and going. So boards, give your CISOs more money, um,

Leonard Lee:

because, yeah, less pressure. Less pressure. Less pressure.

Jo Peterson:

Because

Leonard Lee:

That's the other thing we hear about. Board pressure.

Jo Peterson:

But security is no longer one of those things that's an afterthought. It is integral to your business. It's integral to your business's reputation.

Yes.

Jo Peterson:

Consumers are so much more aware today than they were five or even 10 years ago, right? Consumers, I think, care what you're doing with their data. They care how secure you are. They care about those things.

Leonard Lee:

Yeah. And because it is all about trust. This morning I got an email. It turns out it was a phishing email. And it was the most authentic looking phishing email, with a contract. And I'm not gonna name the name of the company that it referenced 'cause I don't wanna, I don't want to you

Yeah.

Leonard Lee:

Bottom line is this.

Happened to anybody.

Leonard Lee:

Lawyer had her email account hacked, and, ah yes, and then the hacker basically broadcasted thousands of emails using her email account and basically soliciting payment. Okay. And a phishing attack, and her office received, because it was so legitimate looking. Yeah, I actually almost clicked on it. Oh, that's how good it was. That office that morning received thousands of phone calls, so that I felt so bad for the receptionist. I told her, you know what, I'm gonna get off the phone right now so that you can handle the other calls. And she said, thank you.

Yeah.

Leonard Lee:

And I empathized with her. But think about that. I mean, I call that a physical DDoS attack. I mean, you are flooding that office, you're not wrong, with a bunch of calls. You're not wrong. And then bogging that business down. I mean, and that's like real impact. That can be completely disruptive to your business and also the reputation. You gotta wonder, you know, how trustworthy are their IT systems,

Jo Peterson:

I mean, it can happen to anybody.

Leonard Lee:

Yeah, it can happen to anybody.

Jo Peterson:

You know that these bad guys, with the help of AI, are not going to your endpoints anymore because the endpoints are locked down. Right? Companies have done a good job, so they're doing things like voice phishing or they're getting into systems, and then moving laterally, that are not traditional endpoints, which we've all tried to do a good job in lockdown. So it's happening. And the thing with AI is we're just gonna have to move faster than the bad guys do. Or hope that we move faster than the bad guys do. But this SaaS report was very eye-opening and very interesting for a lot of reasons. Because to me, it went beyond security and it really talked about what was happening in the landscape. Who was buying, what the problems were, like visibility, what the problems were with inventory, what the problems were with machine identities. It talked about a lot of the things that are, to me, very tangential to not just SaaS, but to the AI challenges that we're gonna see coming up.

Leonard Lee:

Yeah. And the other key word, oversharing. The problem with oversharing, that's inherent with shadow anything related to IT or AI or any of these information-related technologies. And so, the industry has its work cut out for it. And, you know, I think there has to be a fine balance between best practices and hygienic practices on the side of the enterprise. And then for the vendors to be able to bring responsible AI, thoughtfully designed AI that's actually going to help address the problems rather than create new threat vectors for their customers. And I think those are things that we as analysts need to help the industry on both sides, right? The end user side and the vendor side, to bring those capabilities. Because one of the scariest slides that keeps getting put up there is how quickly the cyber criminal economy is growing. It's at $10 billion a year. It's the third largest economy in the world. Growing at the fastest rate. And I think that's an underestimation. 'Cause I don't know where they come up with these numbers. We know the GDP of the US and the China and the EU, but how do they figure out the size of the cyber criminal economy? I don't know, but it's undoubtedly very large and apparently growing very, very fast.

Jo Peterson:

Yeah, and part of it is just the ease of acquisition. You know, back in the day, a script kiddie used to have to at least know how to code. Kiddie does not need to know how to code today. They can just buy a prepackaged anything. Yep. Phishing software, whatever it is they want, and just go for it. Template. Done.

Yeah.

Jo Peterson:

So with that. Are we

done?

Jo Peterson:

I don't know, maybe.

Leonard Lee:

Oh my gosh. It is so wonderful to have you on.

Jo Peterson:

Love that.

Leonard Lee:

Just start a podcast around cloud and security

Jo Peterson:

Alright.

Leonard Lee:

Thank you. Thank you so much for your hospitality and inviting me here. I haven't been here before. It's like, it's

Jo Peterson:

gorgeous, right? Yeah.

Leonard Lee:

Yeah. And so, for those of you who tuned in and made it this far, thank you. Hope you found the podcast entertaining and informative, and all of you should follow Jo. She's wonderful. She's my mentor.

Jo Peterson:

Oh, man. That's a lot of weight. Well, thank you for having me on the show.

Leonard Lee:

Absolutely. And why don't you tell our audience how they can get in touch with you, a little bit about your firm, and then the kind of research that you focus on so they can give you a call.

Jo Peterson:

Oh, that'd be great. So, as Leonard said, I'm Jo Peterson. You can find me on LinkedIn. I'm always posting on LinkedIn. There's some crazy cat videos that I post with, with

when,

Jo Peterson:

when I try to tell a cybersecurity or AI security story. I'm easily amused, so I hope you find them amusing too. I'm on Twitter at, uh, love cats, right? Yeah. I'm on Twitter at Clear Tech Research. I'm an engineer by trade, and so what I bring to the table is I bring that end user's point of view when they're looking at technology. My areas of focus are cloud, cloud security, and AI security.

Leonard Lee:

Yeah, I see. Yeah. She is one of those folks that you need to follow, so, yes. Remember to like, share and subscribe to the neXt Curve research portal at www.next-curve.com for the tech and industry insights that matter. Live here from RSAC 2025. We'll see you next time.
