Vulcan CEO Yaniv Bardayan has a special standard for hiring members of his team.

“I don’t just hire anyone,” he says. “I look for people who are 20 times smarter, 20 times more talented and 20 times more capable than I am. I give them the authority to execute the business and market theses – which we have created from gathering various impressions – in a manner we can do best. And then I have no doubt that the company would just take itself forward.”

It’s not easy finding such talent, but if one perseveres, one can find a good fit. “I go to people I have worked with in the past, or those from our close network,” Bardayan says. “It might take some time, but you have to know that any match is always mutual. If you find someone, then it’s a good match for you as well as for that person. On the other hand, a mismatch is mutual, as well.”

Half by choice, half by coincidence

Having both parents as doctors instilled in Bardayan a desire to help others. It was natural for him to want to become a doctor as well. As he grew up, however, he felt that he wanted to help more than one person at a time. Soon he joined the military, and there he was exposed to the power of technology and its ability to drive change and do good at scale. “You can do something from your home and make an impact on the entire world,” he says.

He continued with tech, specifically cybersecurity, after his discharge from the Israeli Defence Force, and joined a company that saw tremendous growth, from just 12 pioneers to 400 by the time he left. At Cyberbit, a subsidiary of Elbit Systems (one of Israel’s largest defense contractors), he took on diverse roles that ranged from technical to sales and marketing as well as other business units. “Those various roles helped a lot when I became CEO,” he says.

Together, his stints at Cyberbit and in the Israeli Army instilled in Bardayan the appetite to solve “very difficult, very complex problems.”

He also learned that in developing solutions, it is equally important to address the business issues as well as the technical problems. “You have to be moving along the business, allowing executives to reduce risk and manage their cost structure, assess the impact of technology on the entire security posture of the organization, and create a business perspective that enables others as well to solve the difficult problems.”

After detection, what?

These days, Bardayan is mindful that 99% of breaches are due to known security gaps that have been found in the network. “These have been known to the security teams and operational teams even before the breach even occurred. The problem is, there are just so many known security vulnerabilities but not as many tools to resolve them after they are detected.”

But how can security teams decide which of the numerous vulnerabilities, once they are detected, should be resolved first?

Bardayan offers four criteria. First, technical severity. Second, the threat landscape, e.g., whether the vulnerability is exploitable or related to a threat in the wild. These two are objective standards. Alongside these are subjective criteria, which tune the severity of a vulnerability to the risk it poses to a specific enterprise. The third is the attributes of the vulnerable assets: configuration, controls, location in the network, identifiability. While the exploitability of a threat raises the risk, the asset posture will either raise or lower it.

Finally, look at it in the context of the business: What is the specific business process that the specific IT asset takes part in? “If it’s a choice between a server that is responsible for money transactions and a server that is responsible for food deliveries in the office, clearly the vulnerability in the former is more important,” Bardayan says.
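The four criteria can be combined into a single ranking. The sketch below is an added illustration, not code from Bardayan or Vulcan; the field names, multipliers, business tiers and sample assets are all assumptions chosen to show how posture and business context can reorder findings that severity alone would rank differently.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    severity: float             # 1) technical severity, 0-10 (e.g. a CVSS base score)
    exploited_in_wild: bool     # 2) threat landscape
    exploit_available: bool     # 2) threat landscape
    internet_facing: bool       # 3) asset posture: location in the network
    compensating_control: bool  # 3) asset posture: controls already in place
    business_tier: int          # 4) business context: 1 = low .. 3 = critical

# All multipliers are assumed values for illustration; tune them per organisation.
BUSINESS_WEIGHT = {1: 0.5, 2: 1.0, 3: 1.5}

def priority(f: Finding) -> float:
    score = f.severity
    # Threat landscape can only raise the risk.
    if f.exploited_in_wild:
        score *= 1.5
    elif f.exploit_available:
        score *= 1.2
    # Asset posture can raise or lower it.
    if f.internet_facing:
        score *= 1.3
    if f.compensating_control:
        score *= 0.6
    # Business context scales the result by the process the asset serves.
    if f.business_tier not in BUSINESS_WEIGHT:
        raise ValueError(f"unknown business tier: {f.business_tier}")
    return score * BUSINESS_WEIGHT[f.business_tier]

def rank(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority, reverse=True)

# Constructed sample data: the same flaw on two servers, plus a scarier-looking one.
FINDINGS = [
    Finding("lunch-orders", 8.0, True, True, False, False, 1),
    Finding("payments", 8.0, True, True, False, False, 3),
    Finding("wiki", 9.8, False, False, False, True, 2),
]

if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f"{priority(f):6.2f}  {f.asset}")
```

With this sample data the payments server comes first and the wiki, despite the highest raw severity, comes last because nothing in the threat landscape raises it and a compensating control lowers it.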

Don’t be that fruit

There will continue to be two main groups of threat actors in the coming years, Bardayan says: nation states and criminal organizations. The former are unlikely to be involved in a breach except in specific, very targeted cases. Criminal organizations, on the other hand, almost always attack for financial gain and profit maximization.

They also like hitting the low-hanging fruit. “Security gaps, known vulnerabilities, weak passwords, and so on – they are so much easier to find and use,” he says. “These groups base their benefits on these instead of going through the trouble of researching and finding zero-day vulnerabilities, a process which requires tremendous efforts with no guaranteed results.”

A test of leadership

Bardayan relaxes through sports – “both watching and doing,” he says. He also likes spending time with people who are close to him. “Your family and friends were there before the company, and they will be there after the company. They are the ones who help you get by from day to day.”

He is also confident in the quality of the team that he has built in his organization. “It’s not that you are not stressed. Of course you are always stressed. But once you have very good people who share your burden, share your purpose, whom you trust more than yourself, then you can perhaps sit back a bit.”

For Bardayan, his effectiveness as a leader will be determined by his absence. “If tomorrow I am out, then the company will continue to function exactly as it has. Good leadership is judged in your absence, not while you are there.”