Roy Akerman explains why identity is the frontline of cyber defense and what it takes to secure the enterprise in a world of hybrid cloud, AI, and evolving threats.
Roy Akerman’s cybersecurity journey spans national defense, MIT labs, and the frontlines of private sector innovation. Now Head of Cloud and Identity Security at Silverfort, Akerman brings a rare blend of strategic depth and operational grit to today’s most pressing security challenge: identity.
In this candid interview, he unpacks why legacy defense models no longer hold, how identity has become the new battleground, and what cultural and architectural shifts enterprises must make to stay resilient. Drawing from his government experience and product leadership in cloud and XDR, Akerman explores how anti-disciplinary thinking—blending psychology, security, and systems—can unlock the future of adaptive, real-time defense. This is a masterclass in moving from reaction to readiness for cybersecurity leaders grappling with AI-driven threats, non-human identities, and fragmented tools.
Full interview;
You’ve led cyber defense operations at the national level and now focus on identity-centric security. How has your approach to threat defense evolved in the transition from government to private sector innovation?
It’s been almost a decade since I retired from government service, but the mindset never entirely leaves you. I still deeply carry both perspectives—the strategist defending a nation from existential threats and the practitioner working alongside frontline defenders in the private sector today. And I can tell you: they demand completely different mindsets. You have to reinvent yourself to adapt.
In the government, our mission was to stop threats before they became real, capable adversaries with long-term plans. Many of the attacks we prevented never made the headlines. In fact, most organizations never even knew how close they came to being compromised. That’s the nature of national cyber defense: protecting in silence, at scale, often preemptively. But defending inside an enterprise is entirely different—it’s faster, messier, and far more exposed.
Three major shifts have changed the way we defend today:
- The Attack Landscape Has Evolved: We no longer protect castles with moats. Today’s environment is a sprawl of SaaS apps, cloud workloads, ephemeral access, and AI-powered systems. The perimeter is gone, and visibility is fragmented. Attackers exploit this fluidity, and they move fast. The old defense frameworks simply don’t scale to this level of dynamism.
- Cyberweapons Have Changed—Identity Is the New Battleground: Today’s attackers don’t need to break in; they log in. Instead of zero-days and malware, they use credentials, token theft, and misused privileges to move laterally. That shift puts identity at the center of security. Securing identity requires more than security teams—it demands synchronized effort from IAM, IT, cloud, and DevOps. The battleground isn’t at the network edge anymore. It’s at the heart of business logic.
- Government Capabilities Don’t Translate Directly to the Private Sector: In the government, we had access to deep intelligence, global visibility, and specialized teams that could engage across the full threat chain—from Blue to Red, from tech to human intent. We could be strategic, even surgical. But in the private sector, things move in short sprints. Teams are smaller, budgets are tighter, and tools are often siloed. The response cycles are different. The stakes are still high, but the playbook must change.
These are some reasons why I joined the frontlines again—this time from the other side. I believe identity is now the operational frontline. It’s where attackers strike, and defenders can strike back—if they have the proper visibility, insights, and the ability to act in real time. Our mission now is to simplify, defend, and shrink the gap between detection and action, as well as build dynamic and resilient systems to stand up to just as dynamic and relentless attackers.
Also Read: Sean Malone on Aligning Security with Business Goals
You emphasize anti-disciplinary innovation—blending technology, psychology, and business. How does this philosophy influence how you build and lead cybersecurity product teams?
Being anti-disciplinary is a life philosophy I absorbed early, which supercharged during my years in government, and sharpened at MIT. It came from one clear realization: you can’t solve complex, modern security problems by thinking in a straight line. These are multi-dimensional systems where people, technology, and operations constantly interact.
Trying to fix one layer without understanding the others leads to failure—or worse, false confidence. So when I lead cybersecurity product teams, I never just look at tools or workflows—I look at the psychology, the incentives, the process design. I ask: Where are the reinforcing loops? Where are legacy assumptions creating blind spots?
Many organizations, especially the big, established ones, try to force-fit old methods into new threat realities. It’s like a kid trying to jam a circle into a triangular hole: familiar, but fundamentally wrong. Cybersecurity leaders must reprogram how we think about security, not just update the stack.
Identity security is a clear example. It’s historically been fragmented with security teams chasing alerts, IAM granting access without context, Dev setting and forgetting, and audits focused on compliance. Each function is reacting within its domain, missing the bigger picture. But this fragmentation is rooted in mindset, not just org charts.
We’ve been programmed to see identity as a checklist, not a dynamic risk surface. So I start with people: how they perceive risk, how they make decisions, how we can align them around shared access storylines that build clarity and confidence.
When teams can see the whole picture and trust the signal, they can act, reconfigure systems, and even automate. That’s what I focus on: helping them shift from static roles to adaptive collaboration. Innovation here isn’t just about building better tech—it’s about changing how we see and solve the problem together.
With identity now central to the attack surface, what cultural or strategic shifts must organizations make to secure the modern enterprise effectively?
The rise of adversarial AI and the increasing capabilities of AI agents have only expanded the attack surface, creating blind spots within current systems. Enterprises are continually adding a patchwork set of identity tools to tackle the laundry list of security gaps, creating further gaps with systems that don’t natively integrate.
Identity security isnʼt just an element of cybersecurity; it creates the conditions required for success. Organizations must implement a unified identity security strategy by aligning holistic security solutions that can natively integrate within existing infrastructure. Doing so allows for real-time protection with fewer gaps for every identity. Silverfort’s unique security architecture removes the complexity of securing every identity and extends protection to all assets across an organization.
Also Read: Is Identity the New Cybersecurity Front Line?
You’ve bridged public and private sector mindsets from your MIT experience to your government work. What lessons can corporate leaders learn from state-level cyber operations regarding resilience and readiness?
You can’t just focus on your part of the battlefield. That’s one of the biggest lessons I brought from government cyber operations. In state-level defense, we had to think across the full chain—the attacker’s entry point, their lateral moves, and their ultimate goal. Most companies today are still defending in silos: security handles threats, IAM handles access, IT handles systems, and they assume everything in between is “someone else’s problem.” But attackers don’t respect org charts. Resilience means ensuring your internal teams, partners, and vendors work in sync across the whole attack chain—before the attacker does.
And here’s another mindset shift: stop looking for “the platform” that solves it all. I’ve seen governments try it—consolidate under one agency, one team, one set of tools. And then watch it break apart again, because complexity always wins. The better path is distributed execution with centralized coordination. Start with strategy: know what matters and why. Build operational bridges across security, IAM, IT, cloud, and DevOps. Only then should you decide what tools you need.
And if a problem is big enough to impact multiple teams and decisions, give it a name. That’s how we got to the Chief Identity Security Officer. Identity used to be everyone’s problem and no one’s job. It’s becoming a defined function because we finally understand how central it is to attack paths, business risk, and real resilience. Naming it gave it power and ownership.
And here’s the last, maybe most important piece: always try to be ahead, or at least a few microseconds faster, than your attackers. Don’t act as a gate that slows things down, or a system that just reacts to alerts too late. Be in line and in real-time. Strive to fully engage your adversary with adaptive security controls that respond and evolve as fast as they do. That’s how you stop chasing and start winning.
Silverfort is pioneering identity protection beyond the perimeter. Can you walk us through how your cloud and identity security strategy closes the gap that traditional MFA or IAM tools leave open?
We have a lot of respect for the identity vendors out there—MFA, IAM, IGA. They’ve laid the groundwork for how organizations manage and secure identities, and we proudly partner with many of them as part of a connected ecosystem. However, as identity has become the new attack surface, the challenge has grown beyond what these tools were initially built to handle. That’s where Silverfort comes in.
What sets us apart is that we unify identity protection across fragmented systems, environments, and identity types. With our unique in-line enforcement technology, we apply real-time security controls—like MFA, conditional access, and segmentation—to places that have historically been out of reach: legacy infrastructure, unmanaged protocols, and both human and non-human identities. We correlate identity activity across the stack and enforce adaptive controls exactly where they’re needed, without relying on disconnected alerts or reactive playbooks.
We believe IAM and security teams deserve a single plane of control and a single pane of glass. On this centralized platform, they can see, manage, and protect every identity interaction. That might involve using our robust controls, reusing tools you’ve already invested in, or combining both. The result is a faster, smarter, and more cohesive defense strategy.
Silverfort isn’t just filling gaps—it’s redefining modern identity security and empowering defenders to act with clarity and control across their entire environment.
Also Read: How ProcessUnity’s Todd Boehler Sees the Future of GRC
Given the rise of hybrid cloud and multi-identity environments, what are the biggest blind spots in current enterprise security frameworks—and how should they be addressed?
Most organizations still rely on frameworks built for static, human-centric identities, and that world is long gone. In today’s hybrid, distributed environments, the biggest blind spots involve non-human identities: who owns them, how they behave, and how attackers use them as silent entry points.
We’re now dealing with agentic AI identities—non-deterministic, self-directed, and incredibly hard to predict or control. Traditional IAM can’t define them, let alone secure them. Most organizations still lack a live identity inventory that connects ownership, behavior, and access context, making automation and response nearly impossible.
At Silverfort, we see this up close: billions of authentications and millions of identities flow through our platform daily. In our labs, we’re building the next generation of identity security technologies—designed not just to observe but to act, adapt, and enforce in real time.
Zero trust can’t stop at the login. Genuine zero trust means continuous, in-line control across every identity, system, and protocol. Solving today’s identity challenges requires more than point tools—it demands a unified platform that sees everything, understands context, and responds instantly.
As someone who’s incubated new business lines in cloud security and XDR, what’s your approach to identifying product-market fit in a space as dynamic and fragmented as cybersecurity?
That’s the $5 billion question—and honestly, I’m still learning. But here’s what I’ve picked up so far from building and scaling in cloud security and XDR: real product-market fit doesn’t happen when early adopters are excited—it occurs when the broader market “gets it” in under two minutes.
If you don’t need to explain much, the pain is instantly recognized, and your stakeholder says, “I want this now”—not just once, but consistently across roles and industries—you’re probably onto something. We often overvalue early adopters as validation, but real traction shows up in early growth, not just early buzz.
The second part is about focus and credibility. If your product tries to be everything, it ends up being average at most things. The goal is to be specific and unique enough to solve a real problem at scale, while being open-ended enough to expand into adjacent use cases. You earn the right to grow your footprint only after proving deep value in one.
Cybersecurity is fragmented and crowded. Product-market fit is about cutting through noise with clarity, delivering real outcomes fast, and resisting the urge to promise everything to everyone. That’s the difference between hype and staying power.
