Welcome to ExtraMile by SecureITWorld, an extensive interview series featuring industry trendsetters discussing the latest in technology, cybersecurity, marketing, and more. For today's conversation, we are delighted to feature Steve Tait, the Chief Technology Officer of Skyhigh Security, a leading provider of cloud-native, data-aware security solutions.
The firm is determined to empower organizations with the highest level of security while collaborating with top-notch data security and data loss prevention strategies. With over 25 years of experience in solidifying security practices across industries, Steve is taking care of the entire tech strategy and vision of Skyhigh Security. His expertise expands across security, finance, healthcare, and others, where he has delivered mission-critical applications.
Steve's leadership abilities and strategic thinking have led Skyhigh Security to deliver innovative and robust security solutions to its clients. Whether you run a business looking for reliable security solutions or are a SecureTech practitioner, this insightful interview can surely enhance your understanding of cyber defense, AI integration in security practices, cloud security, and more.
Hello Steve, we are thrilled to host you today!
1. With an extensive career in the technological domain and remarkable contributions, you are truly a thought leader in this industry. Share the key moments that have shaped your professional journey.
Steve. I have been fortunate to work across a very diverse range of sectors in a mix of different businesses both private and public. I started out as an engineer for some small product companies in the emerging vehicle telematics space in the late 90s where mobile telecommunications was still in its infancy. It gave me a great experience of working with emerging technologies that today are completely commoditised - mobile data just works now, not so back then with banks of X25 dial-up lines!
My career in leadership really started properly in Capita IT Services. In this role I cut my teeth leading large engineering teams servicing customers across a range of sectors (finance, government, telcos etc) and was fortunate to be involved in helping to establish a new India Engineering centre, an experience that I have used repeatedly throughout my career as international team management has been a part of every role thereafter. At Capita I took on a role as Head of Engineering leading a very large function which gave me the experience of having to drive change through influence and persuasion which is vital in senior leadership. In that role I was then able to work for around 12 months supporting big ticket sales which gave me vital commercial experience. I finished at Capita leading Engineering for one of the associated business units.
From there I followed my colleague and mentor into BAE Systems which was my first foray into the world of cybersecurity and defence. Again running large multinational engineering teams. This gave me huge exposure to commercial cyber and nation-state threat protection. A genuinely unique experience.
From there I was keen to move into a faster paced delivery environment and moved to a PE-backed pharmaceutical software company where I was part of the leadership team that led a carve-out of the software portion of the business from a parent company. From there I joined Snow Software, another mid-sized PE-backed organisation as CTO. This was a two-year very rapid transformation of an engineering organisation. Successfully sold in 2024, the engineering organisation was pushing multiple production releases every day, delivering a continual stream of customer value. Since then, I have moved back into cybersecurity as the CTO of Skyhigh Security where the journey continues.
2. You joined Skyhigh Security last year but have been crucial for driving innovation in the firm. Which areas do you want to focus on to make the company's services more effective?
Steve. I spend a lot of time speaking with customers. It's a vital part of my role to get a feel for the real business challenges that our customers face in the ever emerging threat landscape. From these conversations, I see three key areas:
- Protection against AI risk. In particular, how do we secure our data in an AI world hungry for data. This is an area where we have had several recent innovations to detect shadow AI and to enact data loss prevention controls for Co-Pilot applications. This continues to be a key area of focus.
- Hybrid architectures are not a transition state towards full cloud adoption. Every customer I speak with recognises that their default operating state for the foreseeable future will be a mix of on-premise and data centre operations, mixed with Cloud and SaaS. This is now the default IT operating model. In this environment we need to provide customers with flexible choices to enforce their web and data policies where it makes sense to them, be that within their data centres or managing remote users through our global PoP network. While Skyhigh Security already offers a unique hybrid solution we continue to focus on making this experience more seamless and offering more choice to customers about what they host and where they host it.
- Data Security Posture Management (DSPM). For many years Skyhigh Security's advanced data protection capabilities have been the bedrock of our differentiated propositions. We launched the Skyhigh DSPM offering at this year's RSA Conference and we continue to focus on developing comprehensive DSPM visualization tools that sit on top of our detection, classification, and closed-loop remediation capabilities.
3. Skyhigh Security recently accomplished the title of Best Product Data Security Platform in the Global InfoSec Awards 2025, hosted by Cyber Defense Magazine. Why are such recognitions important?
Steve. Recognitions like this are important as they validate the differentiation in our solution. If companies truly care about protecting their data then this award and others like them validate that Skyhigh Security has the best data protection solution available within the SSE space.
4. Give us an overview of Secure Service Edge. How does this service protect user data from threats across the web, applications, email, and cloud? Any relevant use cases you can share?
Steve. Secure Services Edge is about protecting today's world where the edge of your network is no longer the firewall or your corporate DMZ, rather all your services and users are distributed. Business workloads are executed on premise, in the cloud or through a range of SaaS applications where data can move in and out of networks and between SaaS applications within the cloud.
Typically SSE comprises the following components: Secure Web Gateway: Securing web traffic; Cloud Access Security Broker (CASB): enabling security controls within your SaaS estate; Zero Trust networking (ZTNA): replacing traditional VPN approaches with a more secure zero trust approach; Data Loss Prevention (DLP): ensuring your corporate data is protected; and Remote Browser Isolation (RBI): for very secure web browsing.
Typically a mix of these components provides the following capabilities: Access control, activity control, collaboration control, forensic analytics, anti-malware protection, user behavioral analytics, configuration drift and many more.
5. AI integration is a common tech trend in today's business setup. Do you think such integration can increase security risks for businesses? How do we adopt AI securely, eliminating the emerging risks?
Steve. AI is probably the biggest emergent threat of our current time. From Skyhigh Security's own data we have seen that data uploaded to AI applications grew 80% in the second half of 2024 with the average number of AI applications used by an enterprise reaching over 300 (a fact many organisations remain blissfully unaware of). There are lots of well documented risks of using AI such as hallucinations, bias and of course the use of AI to assist bad actors in endeavours such as increasing the sophistication of phishing. I tend to focus on the data risk. Co-Pilots now have access to a vast swathe of corporate data.
This presents risks of inadvertent data exposure to unauthorised employees and inadvertent exposure of sensitive documents into the co-pilot ecosystem, where such data is consumed and the contents become part of the derivative 'learned data'. Coupled with citizen developers using AI to generate applications where the application user scope may be very different from the end user's personal scope and we have a big risk. To adopt AI securely, security policy and training is of course the foundational bedrock. However when you see the figures above it is clear that a technology defense is also necessary to stay safe.
This must include discovery of what is being accessed, targeted blocking of AI applications based on risk scoring (you can't block everything or businesses will stop!) and then implementation of Data Loss Prevention solutions tailored and integrated with your sanctioned AI.
6. Why is data loss prevention important for companies? How do we recover from a data breach and loss?
Steve. It starts with one simple statement. Data is everywhere.
It is ever easier to move data within and throughout a company through native application tools, yet conversely the regulations are ever tighter. GDPR in Europe is a great example with the potential for very material fines of up to 4% of a company's turnover being levied on businesses for a data breach. Therefore companies have reputational damage and financial damage to contend with. Recovery is an expensive process and will often require specialist help in remediating the breach followed by extensive process and systems controls being implemented.
7. What are the key considerations of cloud security? What challenges typically arise with safeguarding cloud environments?
Steve. It comes down to several key areas: who has access to what, what are they permitted to do and how does the user behave when they are there. What makes this complex in the cloud is the number of enforcement points required to protect users and data. You can't rely on logging into a network subnet and then allowing all users to go wherever they need because all these applications are distributed and often on publicly accessible URLs. Who has access to what needs to be considered from an end-user device traversing to a cloud resource but also from the perspective of two Cloud applications talking to each other. Collaboration can happen between two cloud applications with the end user device unaware of the transaction.
The way users behave both from their device and when they are on a cloud application can identify anomalous and risky behaviour that must be stopped and the potential for exfiltration of data across these platforms is extremely high as they are fundamentally designed for data exchange. Furthermore, this is all different when I am in a corporate office or I am in a coffee shop, or when I am on a managed, or unmanaged device. The typical SSE components are designed to provide enforcement points across this landscape to provide these protections.
8. With digital transformation becoming a norm for companies, how will the threat atmosphere evolve in the future? How crucial will it become for businesses to adopt effective security strategies?
Steve. I have argued recently that "digital transformation" as a paradigm has largely ended. Most companies are now reliant on digital services for almost everything. The real challenge now is AI transformation with some of the risks already discussed.