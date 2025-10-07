Spend any length of time hanging out with Okta’s in-house cyber security team and sooner or later you’re going to hear colleagues greet one another with a cheery “g’day, mate”, which is a surreal feeling when you’re sitting inside an air-conditioned Las Vegas conference centre and haven’t seen sunlight in 26 hours.

Although right now he calls San Francisco home, the man responsible for assembling so many Aussies in one place is Okta chief security officer (CSO) David Bradbury, who arrived at the identity and access management leader in 2020 from Symantec, having previously held security roles at Australia’s Commonwealth Bank and the government-backed National Broadband Network (NBN) company.

While any incoming business leader will naturally seek to put their own stamp on the company, in Bradbury’s case, his time at Okta was partly defined for him by a series of high-profile incidents – one of them directly targeting the company’s own products and services – that elevated Okta from a name known only to cyber professionals to one at the centre of major breaking national news stories.

The most immediate result of the October 2023 breach of Okta’s helpdesk case management systems – which led to the theft of data including customer service logs and support requests, and saw the company criticised by annoyed customers – was an unprecedented 90-day suspension of all new development work at Okta to give it time to work the problem without distraction.

The most tangible long-term result was the creation of the Okta Secure Identity Commitment (SIC), a long-term plan for cyber improvement. The four core pillars of this pledge are to provide market-leading identity products and services; champion customer best practice in all things identity; elevate the industry to be better protected against cyber attacks; and to harden its own corporate infrastructure.

Sitting down with Computer Weekly at Okta’s 2025 Oktane conference, Bradbury reflects on the success of the commitments Okta made to reinvent itself after its unfortunate experience. He says the breach really caused Okta as a whole to pause and think both about the company that it was, and the services that it provides to its customers.

“It was clear to us that the threat environment had changed around us, and we had not changed with it to the extent that we needed to,” says Bradbury.

“Many of our customers rely on us for security, and expect us to be always secure, always on and almost like a utility, and we demonstrated that it is very challenging to make sure that is always the case.”

Threat intel: A new frontier Part of this challenge is striking the right balance between focusing on building features and products that make the job of “doing” security easier, but also focusing on the wider threat landscape and making sure Okta can protect its customers first and foremost. When the firm launched the Secure Identity Commitment, says Bradbury, it reflected a significant change within Okta to rethink how it prioritises the build-out of security products and features that are driven by how it understands the needs of its customers, based on its growing understanding of the threat landscape. Okta has recently ramped up its own threat intelligence and research capabilities, working both with the intel it gleans from its own products and services – as an identity specialist, its technology is heavily attacked as a matter of course, so it makes sense to lean into this data – and working with other threat-led cyber experts. “We like to think we have a unique perspective on who is accessing what application and [are able] to lead on proactive defence. We have completely reoriented the company to be threat-led when it comes to creating security products and security features” David Bradbury, Okta “We’ve seen the customer base of Okta really grow in certain verticals, and they’re highly targeted verticals, from the US federal government to the banking sector and healthcare. We see very interesting threat groups targeting these customers on a routine basis,” says Bradbury. “We like to think we have a unique perspective on who is accessing what application, and by partnering heavily with our friends at CrowdStrike, Mandiant and others, it puts us in a really good position to lead on proactive defence,” he adds. “We have completely reoriented the company to be threat-led when it comes to creating security products and security features.” Over the summer, Okta’s threat intel team identified a new social engineering campaign in which the threat actor tried to convince Okta users to turn off the FastPass passwordless authentication feature in Okta Verify to access an important Slack message. The threat actor claimed that this was because FastPass was not working properly with the target’s Slack integration. Okta learned about this thanks to reporting features the product teams had built into the technology and pushed live. “When it comes to phishing-resistant technologies, they’re really great at preventing you from being able to put your username and password into a fake site, but they don’t log it, they don’t send that information anywhere, they just prevent it from happening,” explains Bradbury. “With our product, it actually records, it sends that to the customer, and it also alerts our intelligence, so we get to see these phishing events, and we can then start to draw intelligence and start to identify more root causes. “We ourselves are just starting to unlock the power of our own products, and being able to find threat actors and feed that back to the broader security community to better protect ourselves.” Oktane 25: Identity security and AI security At Oktane 2025, CEO Todd McKinnon described identity security and artificial intelligence (AI) security as essentially inseparable. Picking up this thought, Okta chief security officer David Bradbury says managing AI risk, in particular agentic risk, is fundamentally an identity management problem – the fundamental principles of identity security must apply to AI agents as much as they apply to humans. This is the challenge Okta is seeking to address with the various announcements made at the show. “As I think about the attack surface that’s being created by this proliferation of agents, we need to make sure two things happen,” says Bradbury. “One, that when people are building these agents, they’re actually building them securely. And we’ve been reviewing a number over the past six months. People are pushing these things out the door with the bare basics of authentication and authorisation. So that’s problem number one. “Problem number two is that as people start to deploy these agents at scale, you can imagine a scenario where you’re running dozens of these things and they’re connecting to all sorts of things. Again, they’re creating more and more connections, more and more tokens. We need to make sure that at the enterprise level, these identities are being treated with the same level of importance as a human identity, that they’re given a secure identity at the moment that they’re enrolled, and they’re being governed and managed from day one. “Those are the two problems we’ve been staring into as a company for the last 12 months or so: How do we securely develop AI agents? How do we securely manage and run them when they’re actually in place?” he says.