Discover Paul’s journey from law to leading Saviynt, and explore insights on AI, zero trust, and the future of identity security.
Welcome to AITech-Park, Paul. To start, could you please share your journey from starting in law to becoming a leader in the cybersecurity and identity security space?
My professional career began as an attorney in Washington, DC, first with a large, international law firm and then with the U.S. Department of Justice. As a lawyer, I worked on several matters that demonstrated the transformative power of technology and, as a result, I became determined to enter the industry. Over the next sixteen years, I held leadership positions at both MicroStrategy and ParAccel, where I worked to build and grow companies at different stages in the enterprise analytics industry.
After this extensive operating experience, I believed that I understood the evolving technology needs of global organizations. As a result, I wanted to use my experience to identify and then assist earlier stage technology companies that would be leading the next generation of enterprise technology transformation. As a Managing Director at Carrick Capital Partners I was focused on finding those key companies and market segments. With my past operating experience and market thesis work conducted by Carrick, my PE began focusing on the outsized impact that SaaS cybersecurity solutions would play in leading this transformation.
This focus led me to Saviynt where Carrick became the series A investor and I joined the Board. After several years on Saviynt’s Board, I could see the generational impact that Saviynt could have on identity security. In December of 2022, I stepped off the Board and became President of Saviynt where I oversee all of the company’s functions and report to the founder and CEO, Sachin Nayyar.
You have an interesting story and career path—you went from law to private equity to a senior leadership role in one of your portfolio companies. What ultimately led you to your current role at Saviynt?
I was not planning for another operating role after I became a Managing Director at my private equity firm. But, the market opportunity for identity security and the incredible promise of Saviynt were just too much to pass up. I am really glad that I made the switch back to an operating role and I have loved every minute since becoming President of Saviynt. The company has a great founding team, outstanding employees, and amazing customers and partners.
How are evolving identity security regulations shaping the way organizations approach compliance and identity access management today?
Governments, regulators, and industry overseers are tightening identity security requirements, pushing organizations to rethink their compliance and security strategies. New regulations emphasize reducing password reliance, implementing stronger identity proofing, and enforcing zero trust principles. They are also pushing organizations to extend their protections to their ecosystem. Companies must adopt proactive identity security measures to avoid regulatory fines and direct financial consequences of non-compliance. In addition to significant financial penalties, there are many other unfortunate consequences, including long-lasting reputational harm, that can come from a cybersecurity issue.
What challenges are organizations facing with the rise of non-human identities (NHIs), and how can they keep up with their rapid growth while mitigating potential risks?
NHIs, such as bots, APIs, and service accounts, now outnumber human identities by a ratio of 45 to 1, dramatically increasing the attack surface for cyber threats. In fact, the problem is worse than it seems, because not only do NHIs outnumber human identities, but the maturity of the solutions to manage NHIs is much lower. The reality of these statistics should serve as a call for organizations to elevate their disconnected IAM efforts into a comprehensive, modern identity security system that is anchored in the principles of “never trust, always verify,” enforcing least privilege access, continuous monitoring, and AI-driven anomaly detection.
Why is a zero trust approach critical in today’s identity security landscape, and what are some key steps companies can take to implement it successfully?
As threats continue to escalate and AI hacks grow increasingly more sophisticated and complex, tighter access is essential to help mitigate potential threats before they materialize. The key is to have every access request scrutinized. Organizations can master the complexities of identity security compliance by adopting a zero trust approach and leveraging the power of AI’s capabilities.
“As emerging leaders, remember that customers don’t want more vendors, instead they want better ones. To stand out, you must deliver what others can’t: relentless innovation and an exceptional experience from day one.”
In what ways can artificial intelligence enhance identity security and compliance efforts, especially given the increasing frequency and sophistication of cyber threats?
AI-powered solutions streamline compliance audits, enforce dynamic access controls, and proactively detect security threats. AI enables Just-in-Time access, continuously monitors for anomalies, and enhances Identity Security Posture Management (ISPM). These capabilities help organizations stay ahead of evolving regulations while outpacing cybercriminals who are also leveraging AI for attacks.
Beyond financial penalties, what are the broader consequences companies face when they fail to comply with modern identity security regulations?
Noncompliance can result in severe consequences beyond fines, including operational disruptions, reputational damage, and loss of customer trust. In an era where data protection is a competitive differentiator, failure to secure identities can erode business integrity and hinder long-term growth. Organizations must take a proactive, holistic approach to identity security to protect both their customers and their future.
On a personal note, how do you approach decision-making when navigating major shifts in tech and cybersecurity trends?
First, no decision is ever 100-0. Meaning almost all decisions have a degree of uncertainty as to whether they are the correct one or not. The best you can do is ensure that you make no decision without carefully considering its impact on your customers. There are many things organizations can do that benefit their own organization, but those decisions tend to have short-lived returns. Long-term success in this industry is directly centered on how well aligned your company’s solutions are to the value they bring to your customers and the market. In the identity security space that is even more true than in many other industries because your customers depend so greatly on the solutions you provide. In the end, if you focus on your customers’ needs you have the best navigational guide you can use.
What advice would you give to emerging leaders looking to make a meaningful impact in cybersecurity or enterprise technology?
Understand that customers already have access to a lot of technologies and solutions, many of which will claim that they can already do what your emerging company is seeking to offer them. Therefore, if your organization wants to make a meaningful impact in cybersecurity or enterprise technology you must deliver two things they cannot already get from their existing vendor relationships: 1) innovation, and 2) customer service. Customers are not looking to have more cybersecurity vendors. They actually want fewer. Therefore, emerging leaders need to provide them with technology solutions they cannot acquire already from others, and they need to have a relationship with this new supplier that is uniformly positive from day one. These have been the founding principles of Saviynt – constantly innovate and deliver that innovation with ruthless focus on the customers’ experience.
Lastly, any final thoughts on the future of identity security and how organizations can best prepare for what’s ahead?
Personally, I think every organization would benefit from an objective audit of their existing cybersecurity and identity management solutions and processes. There is so much changing so quickly that companies cannot assume that decisions they made several years ago can necessarily prepare them for the future, let alone the present. Having an outside expert look at how your organization is addressing these issues usually provides companies with actionable insights to evaluate.

Paul Zolfaghari
President at Saviynt
As President, Paul is responsible for developing Saviynt’s corporate strategy while directly overseeing all departments and operations of the company. Paul is a seasoned executive with significant experience in the business-to-business software and SaaS industries. From 2017 to 2022, Paul was a Managing Director at private equity firm Carrick Capital Partners where he was a member of the Investment Committee and Chairman of the Operations Committee. While at Carrick, Paul co-led the investment in Saviynt, and served on its Board from 2017 until 2022. From 2012 to 2016 Paul was President of MicroStrategy (Nasdaq: MSTR) the global enterprise analytics company. From 2010 to 2012, Paul was COO of ParAccel, the enterprise database platform which is the software foundation of Amazon AWS’s Redshift EDW. From 1999 to 2010 Paul served in a number of senior roles at MicroStrategy, including EVP of Global Sales and Operations. Prior to his career in technology, Paul was a lawyer in Washington, DC, including serving as an attorney in the US Department of Justice.
