āļāļāļŠāļąāļĄāļ āļēāļĐāļāđ
Steve Tait, Chief Technology Officer at Skyhigh Security â Interview Series
SteveâŊTait, Chief Technology Officer at Skyhigh Security, is a seasoned executive technology leader with over 25 years of experience across cybersecurity, defense, financial services, and healthcare sectors. He joined Skyhigh in August 2024 to spearhead the company's Security Service Edge (SSE) technological vision, architecture, and cloud infrastructure strategy.
āļāļēāļĢāļĢāļąāļāļĐāļēāļāļ§āļēāļĄāļāļĨāļāļāļ āļąāļĒāļĢāļ°āļāļąāļāļŠāļđāļ is a privately held, cloud-native cybersecurity company headquartered in San Jose, California, offering a comprehensive Security Service Edge (SSE) platform. The platform unifies solutions such as CASB, Secure Web Gateway, Zero Trust Private Access, CNAPP, DLP, and Remote Browser Isolation to protect data and ensure secure collaboration across web, cloud, email, and private applications. With a focus on real-time data protection, threat prevention, and compliance, Skyhigh Security serves over 3,000 customers globallyâincluding many Fortune 500 companies and major financial institutionsâthrough a scalable, data-aware architecture designed for modern hybrid work environments.
You began your career in mobile data before rising through engineering and leadership roles across different sectorsâwhat early experience shaped your passion for cybersecurity and led you to where you are today?
When I joined BAE systems, I gained insight into the work of the incredible teams that decompile the most malicious viruses and malware to learn how to defend against them. The sheer scale and organized professionalism of the cybercrime industry was a genuine eye opener. For example, the code behind cyber breaches can sometimes have its heritage traced back to multiple nation-state actors and criminal organizations. Itâs not teenagers in bedrooms, itâs a serious global business. Defending against this is a genuine good for society, and I wanted to be a part of that.
Youâve stated that âdigital transformation is overâ and weâre now entering an era of AI transformationâhow do you distinguish one phase from the other in terms of company strategy and outcomes?
Digital Transformation was about using technology to re-engineer business processes to be more efficient, effective and provide a better experience to the customer. AI transformation from a business perspective seeks to achieve the same goal. The fundamental difference, however, is that digital transformation achieves this through process automation, data aggregation and advanced data visualization, whereas AI Transformation achieves this through original content creation, companion analysis and autonomous decision-making. Digital Transformation aimed to optimize and streamline the human decision making processes. AI transformation has the ability to eliminate many of them entirely!
What do you consider the biggest organizational challenges companies face when making the shift from classic automation to integrating generative AI?
The level of transformation required to really take advantage of this is huge. Business could â and perhaps should â look totally different a few years from now. Now though, despite the hype, itâs still in its early days. The biggest organizational issue today is actually training. Lots of companies have rolled out the usual '20-minute' corporate training video on AI, but that simply does not cut it. Employees need to learn how to leverage this technology, the real risks it presents and understand, even if just a little, about how it works. That way employees at all levels can help the business transform with the technology.
In Security Magazine, you highlighted prompt injections and hallucinations among top risksâwhat threat vector worries you the most, and how is Skyhigh addressing it?
Unintentional data exfiltration is by far the biggest corporate threat by volume. Just from the data we track at Skyhigh, we saw an increase in data uploaded to LLMs of a staggering 80% within the past year. Many interfaces operate like business assistants and encourage more and more information to be uploaded. The act of sharing information with another person â taking a file and zipping for upload to an SFTP location for third party analysis â makes an employee stop and think about what theyâre doing and any potential risks. Itâs just quite a few steps to do it and you become very conscious you are sending it to someone. Being halfway through some analysis using an AI tool and just pasting a block of data into a prompt for AI to give a provide a quick answer is seconds of effort, yet the question remains: where did that data go and how was it used? Because of this, Skyhigh's main focus is on data loss prevention for AI applications, especially copilots.
Youâve cited statistics showing that 94% of AI apps carry LLM risk and 11% of files uploaded to AI are sensitiveâwhat trends do you see in how businesses are responding to address those issues?
Businesses are still using âuser policyâ and âblockingâ as their primary techniques, but many businesses remain blind to the amount of AI that is being used every day. We see a lot of interest in increasing discovery, visibility, and in the extension of Data Loss Prevention techniques to AI, particularly for major copilot applications.
Corporate copilots can access vast amounts of proprietary dataâwhat are the most effective strategies to prevent unauthorized data leakage or misuse via these systems?
As always, it starts with policy and training. Following this, a combination of data labeling and DLP techniques are vital. Microsoft AIP labeling, for example, can prevent confidential data from being indexed by MSFT Copilot. In combination with CASB and DLP tools, AIP labels can be added automatically based on data classifications. DLP performed on document and prompt data can ensure the prevention of unintended data upload.
Youâve emphasized the risk posed by citizen developers creating their own applicationsâhow can companies strike a balance between fostering innovation and ensuring secure development?
It always comes back to training. Just because someone is a âcitizen developer' doesnât mean they can opt out of security fundamentals that would be a part of standard engineer training. They don't need to know everything that a skilled software engineer may know, of course, but basic concepts of privileged access and horizontal privilege escalation are important concepts when building an application. Personally, I would only enable the access to such tools after appropriate training has been completed. Then itâs about implementing security tooling to trap the inadvertent mistakes, which comes back to techniques such as DLP.
As CTO of Skyhigh Security, which area of AI-risk mitigationâcopilots, citizen dev, or compliance infrastructureâare you prioritizing for the next 12â18 months?
Awareness is vital and Skyhigh already provides comprehensive Shadow AI discovery tooling. Microsoft Copilot and ChatGPT Enterprise are our main focus in 2025. We have already rolled out controls on both and we are extending these further over the remainder of 2025. As we move into 2026, we are looking to turn our sights more to prompt control to secure against malicious prompts, jailbreaking, and other key LLM risks.
Whatâs one breakthrough or shift you foresee that could completely reshape how we think about enterprise security in an AI-first world?
Agentic AI. Itâs just starting, but the impact is potentially huge. As more and more of these agents chain together, the attack vectors increase along the chain. A lot of cybercrime is âspottedâ by humans because something does not look right. In these chains of agents how to spot signs of compromise will be a real challenge.
āļāļāļāļāļļāļāļŠāļģāļŦāļĢāļąāļāļāļāļŠāļąāļĄāļ āļēāļĐāļāđāļāļĩāđāļāļĩ āļāļđāđāļāđāļēāļāļāļĩāđāļāđāļāļāļāļēāļĢāđāļĢāļĩāļĒāļāļĢāļđāđāđāļāļīāđāļĄāđāļāļīāļĄāļāļ§āļĢāđāļĒāļĩāđāļĒāļĄāļāļĄ āļāļēāļĢāļĢāļąāļāļĐāļēāļāļ§āļēāļĄāļāļĨāļāļāļ āļąāļĒāļĢāļ°āļāļąāļāļŠāļđāļ.
