Anand Thangaraju, Field CISO at Alchemy Cyber

In today’s Sage Spotlight, Anand Thangaraju, Field CISO and former security leader at SVB, Zelle, and EY, shares his take on why the entire enterprise security stack needs to be rebuilt from scratch. Anand breaks down why he's betting on agentic architectures over Band-Aid solutions, why human risk is the most underinvested area in security today, and how Sagetap changed his view of what vendor discovery could look like.

Key Takeaways

• The Entire Stack Has to Be Reinvented: Anand is betting on vendors building for the agentic era from the ground up — not layering AI on top of broken infrastructure. The 50-tool wrapper-on-wrapper approach, he argues, is already a relic.
• Back to Basics: Identity, Data, and Agent Hierarchies: Risks are converging on knowing your identities and knowing your data. Anand envisions purpose-built agents governed by other agents, each with limited privileges to contain the blast radius of any single failure.
• Human Risk Is the Most Underinvested Area in Security: As the agentic deluge of attacks grows, Anand wants investment in reskilling people to find their place in the new ecosystem (not more AI wrappers on existing tools).
• Vendor Incentives Are Misaligned: The vendors who win long-term are the ones who resist next-quarter pressure and build for where threats are actually headed. Anand argues that every unicorn success started with a big bet, not a Band-Aid.
• From Information Asymmetry to a Level Playing Field: Sales reps arrive armed with ZoomInfo and 6sense data while buyers negotiate blind. Anand has found that Sagetap's anonymity allows peers to share key buying signals that don’t make it to the Gartner Magic Quadrant until much later.

Full Transcript

Anand Thangaraju: This is Anand here, Anand Thangaraju. I'm currently a field CISO. I used to work for SVB for almost a decade, and then I worked with Zelle, EY. In the last couple of years, I've been focused more on go-to-market and being an asset to other CISOs.

Meghan Lafferty: As you work with all these founders and different companies, what is at the top of your priority list for the year?

Anand: One thing is for sure: the entire tech stack has to be reinvented. Every defense, every known control is going to fail one way or another.

The few things that I'm really betting on is people who are taking bold bets on not just adding a Band-Aid to the existing infrastructure, and thinking about how the agentic architecture is gonna evolve and all the different ways we can bake security from the ground up.

We might have like 50 different tools for an enterprise, and none of them talk to each other. That's why we ended up having another wrapper on top of another wrapper that brings all the telemetry to one dashboard. But this is a golden era where you really don't need that approach anymore. The more you expose your tech stack to the agents, they can actually correlate and make sense pretty much as a trained security analyst would do.

So I'm really betting on people who are able to think through the future and build an agentic SOC or a completely autonomous pentesting service and so on and so forth.

Everything is getting back to the basics. The convergence where the risks will focus on is knowing what your identities are and what they are capable of doing, and knowing what your core crown jewels or assets are, which eventually comes down to some kind of data. And it's basically managing the connections of the identity to the data.

You’re going to build a hierarchy of agents that is overseen and governed by other agents so you basically limit the amount of damage one particular agent can do at any point of time. So it's a completely different mindset, so I'm really looking forward to all these emerging ideas and how people build, ground up.

Meghan: With all of the emerging ideas, how do you keep up? How do you actually do your research to learn about all of this, make some decisions, and then recommend certain steps to the companies that you work with?

Anand: That's the challenge, right? Things are evolving on a daily basis.

We all use Comet and other browsers, so I have my own personalized feed of information that I absolutely should know. 

Everybody has to have their own inner circle of friends who think alike and who have a similar role and background. So we're all part of multiple WhatsApp and Slack groups. If I'm just going and kicking off a project, if I need an awesome resource or I need to buy a new tool, I'm gonna validate that somebody's already gone through the process and has already evaluated the tool. I don't have to reinvent the wheel.

‍Meghan: What is the number one security challenge that you think is not getting enough attention but you think is important?

Anand: Human risk. This is the time that we really want to invest more in safeguarding the interests of humans as well as trying to help them navigate the new agentic deluge of attacks and vulnerabilities. We all need to be reskilled to find our place in this whole security ecosystem and also efficiently carry on our tasks with the help of agents.

So that's pretty much where I want to see more investments and more discussions, not the AI wrapper on top of all the tools to sell me 10 more tools.

‍Meghan: What would you say are the biggest opportunities for vendors, then?

‍Anand: That is the million-dollar question, right? Unfortunately, the way the industry works, they have to chase the new emerging idea where the money is, and they have to show immediate value for both the VCs who are putting in the money and the CISOs. So obviously there’s mismatched incentives, right?

So I really think the vendors should, wherever they can, they should really push the boundary and think long-term of how the threats will evolve rather than how do we survive the next quarter? And if you look at all the unicorn successes, it's consistently those vendors who dreamt big and not necessarily started with a small Band-Aid idea.

Meghan: Let's talk about before you joined Sagetap. What was your process like for either finding vendors or doing research or both?

Anand: What I share as a common pain point is the deluge of all the vendor capabilities, everybody having very similar capabilities and differentiators. Ultimately, the only way you can be sure is if you did a POC, right? It often takes an immense amount of commitment on both sides. That's the primary thing that we have to solve for: make the entire vendor selection and product discovery and POCing process as easy as possible.

Meghan: You joined Sagetap last year. Has your process for using the platform changed at all since then?

Anand: I initially thought it might be cool to experience a pitch where there's anonymity on one side. Usually when you're talking to a sales rep, they've done all their data scraping about you from ZoomInfo and 6sense. That sort of gives me a sense of a vulnerable position when I'm talking to a vendor. It's not a fair conversation for you to even negotiate the best price or the best features.

But Sagetap actually, I believe, is trying to solve some of that imbalance. The more I started spending time, I realized there is a much bigger problem it can solve. This can actually level the playing field there, if there is enough telemetry that can be generated through the community effort.

When it's anonymous, people are a lot more open about sharing their projects as well. It's not about the buyer-seller experience, it's about the whole ecosystem and what people are willing to share within the platform.

Oftentimes CISOs don't even have an idea of the kind of projects that they have to think about and build a business case. So what I love about Sagetap is you can actually collect information from your peers, what they're interested in, what they're buying, and what's the emerging vendor landscape even before it hits the Gartner Magic Quadrant or whatnot.

Meghan: Let's talk about any advice you have for other leaders who are not on Sagetap yet, but maybe they should be.

‍Anand: I know way too many leaders, the primary way they evaluate vendors is either through their trusted network of CISOs, through their private WhatsApp chats. They obviously want to spend time with the founder, especially if it's an early-stage company. They want to build a relationship. They want to become an advisor sometimes. They want to be able to influence the product roadmap. 

So a lot happens between discovering a vendor or a product all the way through the purchase. And I believe Sagetap can actually remove some of the pain in the whole journey.

This is something that we have been waiting for for a long time. I would absolutely recommend just check it out for what it's worth. It's a beautiful platform to go and discover new capabilities.