Is the browser quietly becoming the most powerful and dangerous interface in modern work?
In this episode of Tech Talks Daily, I sat down with Karim Toubba, CEO of LastPass, to unpack a shift that many people feel every day but rarely stop to question.
The browser is no longer just a window to the internet. It has become the place where work happens, where SaaS lives, and increasingly, where humans and AI agents meet data, credentials, and decisions. From AI-native browsers to prompt-based navigation and headless agents acting on our behalf, the way we access information is changing fast, and so are the risks.
Karim shares why this moment feels different from earlier waves like SaaS adoption or remote work. Today, more than ever, productivity, identity, and security collide inside the browser.

Shadow AI is spreading faster than most organizations can track, personal accounts are being used to access powerful AI tools, and sensitive data is being uploaded with little visibility or control. At the same time, attackers have noticed that the browser has become the soft underbelly of the enterprise, with a growing share of malware and breaches originating there.
We also explore the rise of agentic AI and what happens when software, not people, starts logging into systems. When an agent books travel, pulls data, or completes workflows on a user's behalf, traditional authentication and access models start to break down.
Karim explains why identity, visibility, and control must evolve together, and why secure browser extensions are emerging as a practical foundation for this next phase of computing. The conversation goes deep into what users do not see when AI browsers ask for access to email, calendars, and internal apps, and why convenience often masks long-term exposure.
Throughout the discussion, Karim brings a grounded perspective shaped by decades in cybersecurity, from risk-based vulnerability management to enterprise threat intelligence. Rather than pushing fear, he focuses on realistic steps organizations and individuals can take, from understanding what data is being shared, to treating security teams as partners, to using tools that bring passwords, passkeys, and authentication into one trusted place as browsing evolves.
As AI reshapes how we search, work, and make decisions, the question is no longer whether the browser matters. It is whether we are ready for it to act as the front door to both our productivity and our risk, so are you securing your browser for the future you are already using today?
[00:00:03] Welcome back to another episode of the Tech Talks Daily Podcast. Now, as most of our work shifts inside browsers and AI becomes part of our everyday workflows, in fact, in some cases there are AI browsers. Everything is changing. But the bigger question I want to explore today is where does security actually need to show up?
[00:00:26] Well, in today's episode, I'm joined by the CEO of LastPass. And together, we're going to talk about how SaaS, AI and agentic workflows are all reshaping the way that we think about access, productivity and risk. And we'll also explore why the browser has quietly become the new enterprise operating system and how shadow AI has now created blind spots for IT teams.
[00:00:52] But hey, I'm a solutions, not problems kind of guy. We'll talk about what changes when agents start acting on our behalf instead of answering questions. And most importantly of all, some of the solutions, some of the best practices and what we can be doing as individuals and organizations can be doing and how they can educate their workforce better to avoid their data getting in the wrong hands. So much to talk about today.
[00:01:17] But I don't want to reveal any spoilers. So enough from me. Let me introduce you to my guest right now. So thank you so much for joining me on the podcast today. Can you tell everyone listening a little about who you are and what you do? Yeah, certainly. So thanks for having me, Neil. My name is Karim Toubba.
[00:01:37] I'm the chief executive officer for LastPass. I joined LastPass in about 2022 or almost the middle of 2022. A little bit of background about myself. I've been in the technology space for about, oh goodness, going on 32 years now. And the majority of that, about 30 of it in and around cyber.
[00:02:04] Prior to this, I was a chief executive officer of a company called Kenna Security, which really helped pioneer the risk-based vulnerability management market, which was largely using machine learning and data science to help organizations prioritize vulnerabilities. And then we subsequently sold the company to Cisco.
[00:02:28] And then I stayed there for a while helping integrate our machine learning algorithms and our data science into their EDR and XDR platforms. And I would suspect that throughout your career, you've seen so many big changes. I mean, just the last five years alone, we've gone from working at home at scale, hybrid working, AI at scale. Well, the pace of change is just phenomenal now.
[00:02:52] And I think in particular, we've also seen a massive shift in the way that people work with most activity now happening inside the browser. And from your perspective here, how has this changed the way organizations think about both security and productivity? Yeah, yeah. It's a terrific question.
[00:03:10] Yeah, we have. I mean, look, we've seen change in cyber for quite some time now, just both in terms of the technologies that we build, but, you know, candidly also what attackers are actually doing and the evolution and the sophistication, if you will, of attackers. But as of late, you're 100% right.
[00:03:31] We have seen partly spurred by the remote work and COVID just a huge increase in the amount of work that's done through what is effectively now the enterprise application, which is the browser. I think the latest data shows that about 85% of time for prototypical business users is actually spent in the browser. It's where they get work actually done.
[00:04:00] Turns out that Google, what I think it was 10 years ago, they had a tagline that said the browser is the operating system, right? They may have been a little early, but they weren't wrong. And so as a result, and by the way, this did start back when SaaS applications, right? Obviously, people like Salesforce were very, very early pioneers two decades ago of this notion of software as a service.
[00:04:27] But now I think over 50 to 60% of applications that are delivered within enterprises are delivered through SaaS. So it's just a huge number and the majority of the users use them.
[00:04:39] And so that causes a real challenge for organizations because historically, if you look at the security model, which has largely been layered, we've protected the network, we've protected systems, we've protected endpoints, and we've protected applications, right? From the source to the transport layer into the target applications.
[00:05:05] And one of the areas that has not had a lot of security visibility and focus is the browser, right? Because most notably, and of course, organizations have fixed vulnerabilities in the browsers, but they've largely relied on the browser manufacturers and vendors to provide layer security. And so as of late, there's been a lot of change and a lot of focus.
[00:05:29] And it's one of the areas we focus on, but there are multiple other modes, if you will, and other companies that focus in that area. So it's really about adding in that additional layer where people are spending the majority of their time. And looking across the landscape now, I think SaaS and AI, they're clearly reshaping IT and security and have been doing for some time.
[00:05:51] And from your somewhat unique vantage point here, what do you see as the biggest challenges that businesses are facing right now as these technologies become almost a backbone of operations? Yeah. Yeah. Yeah. Yeah. Well, I mean, I think that's a little bit different for SaaS, traditional SaaS versus AI, even though many of them are actually, again, used through the browser.
[00:06:14] I think one of the biggest observations that we have is the increase in the number of applications that IT and security don't have visibility into, which creates not just a blind spot, but an even bigger security risk. And so, you know, this idea of shadow IT has been around for quite some time. That's nothing new.
[00:06:39] But this idea of shadow AI is most concerning, largely because the numbers in many ways are kind of overwhelming, right? First of all, in the world, in the landscape of AI, there are kind of multiple modes that people can use AI. They can use AI natively within the applications they're working in. Many enterprise applications are now starting to enable AI embedded capabilities in them.
[00:07:07] And then, of course, you have, you know, well-known AI models and AI capabilities that the traditional user will use, like ChatGPT, Gemini, things of that nature. And then, of course, beyond that, you have, of course, AI tools that developers use to help them build better, more efficient software. So the landscape of how you can use AI is pretty broad.
[00:07:35] But part of the challenge I think most IT and security organizations are having is that there's such a pent-up demand that, as a result, a lot of that work is happening outside of the traditional visibility of security in IT. And I think that's one of the biggest things that we and others within the industry are really aiming to solve.
[00:08:00] And throughout both of our careers, we've seen BYOD, shadow IT. Now, shadow AI is the new shadow IT, as you mentioned there. So why is it such a growing concern? And what steps can companies take to manage the risks without slowing down innovation? Because we've kind of seen this similar battles in the past. But what can we do to try and win this battle this time around? Yeah.
[00:08:25] Yeah, the concern really stems from the fact that people use a lot of personal accounts that we see, right? So I will log in with my, you know, corporate name to an authenticated AI application with my corporate domain, thereby giving me authentication controls to my IT and security team. But then many people will allow AI utilization with personal accounts.
[00:08:53] And so they lose complete visibility into what's actually going on. And visibility isn't just about things like, can I prompt OpenAI and get a question? Those are the kinds of things most people use on a day-to-day basis. But the more sophisticated users, and we are all becoming more sophisticated and aware of the power of AI, people are starting to upload data.
[00:09:15] And without that visibility, you really can't control what data is actually being uploaded to effectively train those models. I think there's legitimately been a lot written about, you know, kind of the insatiable appetite these LLM models have and the underlying companies to actually get access to as much data as possible to continuously train them. And so what we've started to see is kind of the attacker community respond to that,
[00:09:45] particularly because many of these AI applications are accessed within the browser. And we start to see a significant increase, right? The latest research shows that upwards of 70% of malware cases are actually embedded within the browser. We have the overwhelming majority, 90-plus percent of organizations that have experienced at any given time attacks that come in through the browser. So you've got kind of this confluence of this new paradigm and application.
[00:10:14] And then at the same time, you've got this kind of awareness of the attackers, of understanding where people are using it. And those two worlds are kind of colliding and creating a real challenge and a blind spot for IT and security organizations as a whole. And Agentic AI is also emerging as the big game changer. There's a lot of talk around it last year. It's going to continue this year. And many enterprises are proudly stating that they're going to unleash thousands of agents out there,
[00:10:44] which makes me a little nervous as an ex-IT guy. But I'm curious, how do you see it disrupting traditional authentication, traditional access models? And what should businesses be doing to prepare here? Because there is a lot of bandwagon jumping again of everyone getting involved with agents. But how do you see this evolving? Yeah, the bandwagon piece. Boy, yeah, this one, you know, you and I have been around for a while, right? We've seen a lot of hype cycles. But this one kind of takes the cake.
[00:11:14] And it really is interesting to understand, kind of to think about the spectrum of hype versus practicality, right? And one other thing is a precursor to Agentic that's also interesting that we find is that there's so many, there's so much pent up demand at the executive and board levels in large organizations and even at the business level within small to medium sized businesses.
[00:11:40] AI is being discussed at every level at its potential ability to connect users to data more confidently and more quickly and empower productivity, efficiency and economic gains for organizations. It is so front and center. I've yet to see a technology in the last 30 years be applicable so broadly and be such a focal point of change within organizations.
[00:12:09] And one of those, as you mentioned, is agentic, right? Because this idea that I'm going to take a particular workflow, it could be at a consumer side, it could be at a business side, right? Why should I log into my mobile application for British Airways or United to reserve a ticket
[00:12:34] when I could speak into a prompt and then have an agentic workflow do it on my behalf? Similar things apply in business. There's so many ways to potentially streamline the business for support for sales using agentic models. And the challenge with that, if you look at it architecturally, is that typically you have the user accessing an application through some form of transport mechanism.
[00:13:02] And through that application, they have authentication and authorization policies enabled. But it is Karim Toubba that is tied to the authorization policy and the access mode, accessing a particular application. In an agentic workflow, you oftentimes lose visibility into the user that is accessing it because the agent is accessing the user on our behalf.
[00:13:31] So there's a series of changes that would have to happen. Think of it as trying to figure out the agentic identity as the user accesses, no longer accesses the application, but the agent is doing it to automate. And then the second thing, of course, because we're using a confluence of either headless browsers, which means they're browsers that don't have a front end,
[00:13:55] or we're using this notion of agents that are being spun up in data centers. So now you have an access mechanism where, because the user is no longer sitting on a device, accessing an application to complete a workflow, you actually now have an agent in a data center or a headless browser doing it. What does the access path look like and how do you insert yourself into that access path
[00:14:22] so you can define and control authorization policies? And that requires a different way of implementation. It requires some different integrations that will eventually enable you to still have that visibility and control. But it is quite disruptive. And given the pent-up appetite for all of these things that have so much promise, security has to keep up very, very quickly with the demand that we're seeing.
[00:14:51] And at the beginning of our conversation, we started talking around how most activity is now happening inside web browsers. And even those web browsers are evolving now. I've recently downloaded a few AI browsers just to try and get the most out of them and try and understand how it all works. But within a few minutes, they asked you to connect to your email, to your calendar, and it just made me incredibly nervous. And I thought, whoa, whoa, what's going on here? Do you think users are aware of some of the risks of just connecting everything into their browser?
[00:15:21] No, absolutely not. I mean, that is part of the biggest challenge. And by the way, Neil, this is the irony. The more connectivity you give an AI-enabled browser, the more value and streamlining of the workflows that they can do on behalf of the user. But therein lies the conundrum, right? You drive more value, you're going to really sort of push the envelope in terms of potentially compromising your data
[00:15:49] or doing something that you don't want done. So most users, no. I mean, I think all research shows definitively most users don't have the typical technical acumen. I think that as a result, it's kind of incumbent on us as an industry to probably do a couple of things. And I say broad industry, not just us as a security industry, but even the people that are developing AI technologies. First and foremost, you have to train and educate the user, right?
[00:16:18] The more educated the users are, both business and consumers, the more they understand the risk that they take. Because there is a trade-off to be made here, right? The value of the efficiency in automation is resounding. There's no doubt about it. When you watch a change that AI can implement within an organization and the value to its employees and its downstream customers, it's glaringly obvious, right?
[00:16:48] But at the same time, you need to be able to do that in a thoughtful and secure way. So education is number one. And then number two is both the security community and the AI community have to be able to be very specific about both the risks, but also the ability to integrate within data in ways that users can trust, right?
[00:17:13] Think of it as the traditional licensing agreement or end-user license agreement on steroids, right? Because that information that you're sharing is going to allow a better workflow, but will require you to really be very thoughtful about the risk that you're willing to take as an organization and as a consumer. And the risk also that the organization is going to be taking and the responsibility they have to protect that data.
[00:17:42] Yeah, I would also advise anyone listening, when they're faced with those 15-page terms and conditions that we just click OK or next, next on, I would paste all of that information into something like ChatGPT and say, what data does this give them access to? And you might be quite surprised at just how much comes out there. And with browsers now the primary interface for work and AI, obviously attacks are going to begin to surge and they are surging.
[00:18:09] So what makes browsers such a critical background now and how can SMBs better protect themselves? Because it feels like almost, I don't want to be overdramatic, but it feels like somewhat of a time bomb when you move fast and break things. Yeah, yeah. Yeah, no, it's a terrific question. Look, I mean, I think we mentioned earlier, the browser is kind of like one of the areas
[00:18:35] that has been under covered, if you will, from a security perspective, right? I think that's why you're seeing a surge of technologies and companies really try to close that gap and make a lot of investments in that particular area. And as a result, you know, we often talk about the vendor community, but the attacker community sees this, right? That's why we're seeing the surge
[00:19:03] in the types of attacks that are happening within the browser as a whole. And, you know, organizations, I think, you know, if you step back and think about our average utilization of the browsers, I think there's kind of like three fundamental things people have to think about, particularly within the business context. Number one, you have to have visibility, right? The more you see about what the user is doing through the browser, the better you are, ultimately.
[00:19:31] And visibility is no longer just what application am I accessing? Visibility needs to be one step further. What is the application that I'm accessing or what am I actually doing with it? Am I cut and pasting data into it? Am I uploading data into an AI application? Am I downloading data from a type of AI application? So forth and so on. So it's important to understand that visibility
[00:20:02] is kind of like a broader set of constructs. Number two is you have to have control. Once you get the visibility, it's kind of half the equation or a third of the equation. You really need to develop a control mechanism that can give you the ability that says, hey, Karim can do X, Y, and Z within particular applications. Neil cannot. Should be configurable at the group level, the individual level, the organizational level,
[00:20:29] within, especially within larger, more complex organizations. And then thirdly, you have to continue that flow, right? So you have to think about how does the user securely authenticate to that particular application? So the flow really think about visibility, control, authentication. And I think the more we can help organizations drive that both for general SaaS applications, but in particular AI,
[00:20:58] which we've seen a much bigger surge on, I think the more we'll get them prepared to be able to deal with enabling productivity, but at the same time, putting some security controls in place at scale. And over the last 12 months, one of the things that I've noticed is if I'm on a trip to a tech conference, flying somewhere I've not been before, I found that turning to AI will quickly give me a three-step guide on different options, the best, the safest, the cheapest ways of getting to the airport,
[00:21:28] to the hotel, quicker than any Google search would. During the holiday season, it's easier to find personalized gifts and things by using AI rather than traditional search and traditional browsing. So in my own life, I'm seeing that the way we browse, search and retrieve information is dramatically changing. So how do you see LastPass evolving in the months and years ahead as these different ways of browsing change and evolve? Yeah. Well, you know,
[00:21:58] we're no different than, I think, many other companies in that we've embarked on our own initiative a while back to leverage AI within the organization as well. And that is across a myriad of different areas. And the ultimate intent is to make information securely accessible, both for employees, but also for customers, but do so in a really thoughtful and secure way.
[00:22:27] Because as we said before, the security, the availability of it, and when you see it in action, it really is amazing. It is allowing us to do a number of things like provide better customer support, provide more efficient development of applications, all of which are extremely beneficial and accretive to our customers. It's also really, in many ways, acting as a bridge
[00:22:57] between perhaps highly technical people and people within the business or our customers that are not as technical, allowing us to kind of distill the right information at the right time for the user. So there's a lot of evolution that is occurring from a business process. And we, in many ways, are kind of no different, right, than most of the organizations that are going through that. And we're seeing it from, you know, Fortune 1000s all the way to small to medium-sized businesses. Secondly, we're a security vendor.
[00:23:27] And, you know, historically, we had started the company really focused on traditional password management. And we've evolved our model significantly since then using the same footprint, which is an extension in the browser. And so now, beyond password management, we've evolved and we now can discover all apps. We can enable control of those applications through the browsers. And then we can authenticate the user. And that is effectively allowing us
[00:23:55] to answer three fundamental questions for organizations. Number one, what applications are they using? And specifically, what AI applications? Should they have access? And how can we control that? And are they authenticating securely into those applications? And so that evolution really is allowing us to help solve, as we said, a very pressing problem for organizations today. And passwords, passkeys,
[00:24:24] two-factor authentication codes, all these things are not going anywhere. So what advice would you offer every listener on what they should be doing and thinking about improving their own security in this AI world where we work in browsers, find information via AI rather than search engines and websites? It can feel overwhelming to a lot of people. So for that person listening, what should they be doing? Yeah, yeah. Well, I think you mentioned one of them. First thing I tell every user, business or consumer, is think before you click, period, end of story, right? Take a moment.
[00:24:55] That 20 to 30 seconds that you will spend will buy you so much time relative to a potential breach of data or information of yours that is exfiltrated. Don't, you know, particularly within the business context, follow, don't try to subvert security and IT organizations. We talk a lot about this because at the end of the day, the users are the real unlocks. Security and IT organizations have evolved a lot.
[00:25:25] You know, historically, they were sort of these barriers to productivity and efficiency in the business. We see that changing dramatically. As I mentioned earlier, particularly with AI, there's so much pressure on these organizations to open up the floodgates and they're starting to adopt mechanisms to enable that much more. So really be, think about being partners if you're a business user to an IT organization. And then thirdly, you know,
[00:25:54] you are 100% right, Neil. These passwords, passkeys, multi-factor authentication are not going away. Different modes of access including single sign on passkeys, passwords are also not going away. So one of the things we continue to recommend is use a password manager to really sort of align all of these capabilities because these evolutions from things like passwords to passkeys, these are things that take years to manifest themselves.
[00:26:23] So not complicating the authentication flow, having a single place where all those credentials can be stored that you can trust is a really important part of it for the user as well. And we've covered a lot in a short amount of time today and anyone listening wanting to dig a little bit deeper, find how LastPass might be able to help or even just stay up to speed with some of the announcements coming out there. Where would you like to point everyone? Yeah, sure. So of course, first and foremost, go to lastpass.com. We publish a lot of information
[00:26:52] about what we're doing. We're incredibly proud to have, I think, the industry's leading within our space TIME team, which is our Threat Intelligence, Mitigation, and Escalation team. These are some of the most experienced researchers and intelligence people. And they constantly blog about different types of attacks that we see against customers, against users in particular.
[00:27:21] And it's a treasure trove of information to really kind of blow through. And then lastly, we just launched, that team has actually launched a podcast called The Phish Bowl, phish spelled with a PH, pun intended, and gives a lot of good insight in a podcast format relative to the deeper business, but also technical details of what we're actually seeing. Fantastic.
[00:27:51] Well, I will add links to everything that you mentioned there. And I urge people to check out anything that interests them. It's to keep up to speed with everything. As I said, we covered so much there. And I think there's a lot of people find the current pace of technological change breathtakingly fast, but it might not move this slow again. And I think being able to just take a pause and talk through some of the risks, talk around some of the solutions and things that we could all do to improve our security is absolutely priceless. So thank you so much for taking the time
[00:28:20] to sit down with me today. Yeah, thanks very much for the time, Neil. I appreciate it. I think our conversation today offered a somewhat of a timely reminder that convenience and risk are now tightly linked, especially as AI-driven browsing becomes the norm. My guest also shared why visibility inside the browser matters more than ever. And yes, agentic AI is going to challenge the traditional access model. But the big takeaway for me is what both businesses and individuals can do
[00:28:49] to stay ahead of the game without slowing down progress, without slowing down innovation. This isn't either or. You can have both. You can innovate. You can move quick while remaining safe and secure. But over to you. I'd love to hear your take as AI reshapes how you work day to day, how you manage your own personal lifestyle. Do you feel more empowered or do you feel more exposed? And what guardrails do you think matter the most right now? You've heard from me.
[00:29:19] You've heard from the CEO of LastPass, but each and every one of you are going to be impacted by some of these big changes that we're seeing. And I'd love to hear more about what you are doing, what you've seen work, what you've seen not work, and any warnings or solutions, anything at all. Please, I'm an open book. Go to techtalksnetwork.com. There are many different ways you can connect with me. You can send me a DM, send me an audio message, or connect with me on socials. And while you're there, there are also
[00:29:48] 4,000 interviews just like this one that hopefully will educate, entertain, and inspire. But I have taken up far too much of your time today. Time for me to get out of here. I'll return. I wish you all a fantastic day wherever you are in the world. And I will be back waiting for you in your podcast feed tomorrow morning. Speak with you then. Bye for now.

