Guy Bejerano was all set to be a pilot with the Israeli Air Force, but one week before the start of training, he had a car accident. The course of his life was changed for good.
“I call it reality,” he says.
That accident was a temporary setback, but it eventually taught him a valuable lesson. “It taught me a lot about dealing with the unknown. It challenged how I saw uncertainty.”
A CISO’s perspective
It was this sudden turn that occasioned Bejerano’s entry into security. He nonetheless spent the next 14 years with the Air Force, but instead of flying aircraft, he led security operations and red team efforts. When he joined the private sector, he served as CISO of several public companies. Here, he realized that while the responsibility was immense, there were no tools to enable organizations to understand their security posture on a continuous basis.
There were many frustrations. “I realized it can never work because it’s like trying to solve a dynamic problem with a static approach.”
Venturing into the unknown
With his knowledge – and frustrations – from his years as a CISO, Bejerano teamed up with Itzik Kotler, a hacker and red-teamer. “We sat together and discovered that we could build a product for security teams, and provide a new layer of adversarial view into the security space.”
The decision to become an entrepreneur brought fear and uncertainty, but these feelings were outweighed by the thrills and opportunities he faced. “When you see something that’s so right, it does not take long for you to fall in love,” he says. “That was exactly what it was for me. This was my chance to actually create something that will change our industry.”
“The future carried a lot of unknown, but also a lot of promise. I chose to focus on that.”
Much has happened in five years. The company’s breach and attack simulation platform led analyst firm Gartner to create this same new product category for cybersecurity. “When we started, we were the only ones evangelizing that breach and attack simulation was important and that it can change the market.” Second, it was able to build its global customer base faster than it had expected. From Tel Aviv the partners brought their families to the United States. “When you are building something, you cannot just manage it from a remote location.”
On a daily basis, however, Bejerano continues to face the new uncertainties that come with running a company. “There is no textbook that will tell you ‘this is what you need to do.’ Out of all the information out there, what is the right thing for you? You need to eventually make a decision,” he says. “Running a company is not a good fit for people who don’t like uncertainty.”
The second challenge is to focus amid plenty of distractions. “You need to be able to quickly identify the things you will say yes to and the things you will say no to.”
In being an entrepreneur, Bejerano believes in learning how to fail fast. “Don’t fall in love with your decisions. You have to quickly make a decision, and if it turns out to be the wrong decision, recognize it and correct your mistake.”
Along with their shared success, the partnership with his co-founder has grown. “We come from two different worlds. One offensive and one defensive. But somehow we managed to build something together, in a natural way. We encourage each other to take risks and to lead and own what we do. We rely a lot on each other.”
A lot less sophistication
“I’d like to be a little controversial here,” Bejerano says. “Many security companies say that hackers are becoming more sophisticated, that we will see more zero-day attacks, that there are a lot of advanced persistent threats. What I believe, however, is that the opposite is true. Hackers are using the same methods that they have been using for years. The vast majority of successful attacks are known attacks.”
According to Bejerano, most organizations have already purchased the solutions they require to address these attacks. The problem is not with missing controls or missing technology. The problem lies with the huge gap between what those controls are promising and the way that they are configured, combined, or generally utilized in the companies.
To be sure, there are great technologies out there. “If they are used in the right form, they would always be more effective.” He would tell companies that they need to better optimize the controls they have already purchased before trying something new.
“Don’t wait for hackers to come to your environment and be your security QA. At that point you’ll definitely learn if your security works or not, but it will be too late.”
“When a hacker comes and tries to attack a target, he can choose between using a new set of tools, obviously challenging, or to use known techniques which are the easiest path to create an impact.”
Indeed, sophistication isn’t the difference between a successful attack and a failed attack. Rather, persistence is often the key. Good attackers are relentless – and will take advantage of misconfiguration, blind spots, and environment changes as soon as they appear. They know that security is complex and dynamic, while security teams often “don’t know if something was changed in the last hour, or last minute.” That’s why continuous security assessment is so critical.
Enabling the CISO
Bejerano speaks from experience when he talks about what CISOs need and how they respond to the demands their organizations have on them.
“Most of the CISO’s role is to translate a lot of tech and security control issues into relatable business problems. We help them be more systematic in the way they present their security posture,” he says.
“The executives and the board don’t care about the number of vulnerabilities you have. They don’t care about how many attacks your firewall faced in the past month. What they care about is the exposure of the business to risk.”
Security is fast becoming a baseline to assess the health of the company. Bejerano says that more businesses undertaking mergers and acquisitions consider security standards in determining the prices of companies that will be bought and sold.
Mind off work
Bejerano says he has a few hobbies, “but if you ask my wife she will tell you that I have too many.”
For one, he is an avid photographer, fond of taking portraits and landscape pictures with his DSLR or drone. Taking these photos also requires a lot of hiking and traveling. He also likes spending time with his family, relishing his role as a dad to two teenage daughters.
“You need hobbies to take your mind off work,” he says.
Key to maintaining one’s composure in cybersecurity startup life is acknowledging that it could all feel like a roller coaster ride. “One day you feel like you are on the top of the world. The next day you are saying, ‘oh my God what have I done?’”
One has to consciously choose not to get stressed and to perceive everything as normal. “You should not be alarmed about anything that happens. If you allow yourself to do that, you will not be able to cope with the stress.”
The ride may be wild, but the important thing is to enjoy it. “Sure, goals are important. But it is also crucial to enjoy the journey. Just remember, there is nothing you cannot do.”