Pragmatic Cybersecurity: Alex Jilitsky, Head of Cybersecurity @Plus500

In this CloudNext episode, Alex Jilitsky of Plus500 and Ganesh dive into cybersecurity automation's role in transforming digital defense. They tackle the shift from manual strategies to innovative automated solutions, underscoring the need for agility in tech's fast-paced realm. Alex shares insights on pragmatic decision-making and aligning security with business goals. Tune in for a discussion on navigating cybersecurity challenges in today's dynamic landscape.

This transcript was generated automatically by AI. If you find any mistakes, please email us.

[00:00:00] Ganesh: Hello, everyone. You're listening to Cloud Next, your go to source for cloud innovation and leaders insight brought to you by GlobalDots. The alarm goes off, marking the start of another day. Coffee in hand, you [00:00:20] settle in, ready to tackle the projects that drive innovation forward. But instead, your morning evaporates into a whirlwind of manual security checks and firefighting.

[00:00:30] The digital landscape races ahead, and yet, here you are, anchored by tools and practices that can barely keep up with yesterday's threats. In this era of technological [00:00:40] leaps, where new vulnerabilities emerge before the last patch has been applied, there's a silent battleground that every IT cybersecurity professional knows all too well.

[00:00:49] It's the tension between sticking with the old school manual methods that have been the backbone of cybersecurity for years, and the shift forwards towards automated defenses that promise to [00:01:00] revolutionize how we protect our digital world. Every missed coffee break, every evening spent combing through logs, and every moment of innovation.

[00:01:08] Lost to the mundanity of routine tasks underscores this struggle. It's not merely a choice between tools. It's about how these decisions impact your work life, the security of your digital assets, and [00:01:20] innovation potential that could be unlocked with a shift towards automation. Today, we're zeroing in on this challenge with Alex Zhelitsky, head of cybersecurity at Plus500, who will also take us through the nuances of balancing instinctual quick fixes against meticulously calculated decisions in security management and the dedicated art [00:01:40] of resource optimization in the quest to close the ever present security gap.

[00:01:45] Alex, before we start, What should the people know about you? Tell us a little bit about yourself.

[00:01:50] Alex: Well, first of all, um, that sounds really horrible. Is that my life that you've just described? I guess we'll talk about it.

[00:01:58] Ganesh: I hope [00:02:00] that introduction is not you, actually. I really hope that that's the world you're going to tell us how we can avoid.

[00:02:07] So, or else we have a slightly different podcast, but hey, either which way it should be interesting.

[00:02:14] Alex: Yeah, it's, uh, I mean, It really depends on whether you look at it from [00:02:20] a slice of life perspective or, uh, or like motivational, um, you know, self improvement perspective, perspective. So, uh, we'll try to go the, the other way.

[00:02:30] Right. Let's, let's aim for that for sure. I'm Alex Jelicki. I'm 35 head of cybersecurity at plus 500. Uh, I've been [00:02:40] in the field for 15 years, more or less. So I've done a lot of interesting things. In my opinion, I have at home my spouse, um, who's a musician and an artist, Gili Kimhi. Uh, and we have two very adorable cats.

[00:02:54] Yeah, that's me more or less.

[00:02:56] Ganesh: Nice. And for, for people who possibly don't know, [00:03:00] also, um, Plus500 is a, I would roughly describe it as a share trading app. But, um, Um, as you can imagine, anything to do with a financial gain is highly targeted by cybercriminals everywhere. So, um, Alex, as the, as the head of the cyber [00:03:20] security, you can imagine he has, um, unbelievable stressful evenings and nights.

[00:03:25] Um, but I know previously you've mentioned taking quick and dirty approach over the meticulous by the book strategy, which goes against. Um, what a lot of people in cybersecurity would do. Can you give us a specific instance where you, where you gave [00:03:40] this approach in plus 500?

[00:03:41] Alex: I think that, um, first of all, I wouldn't, I wouldn't recommend adapting it, adopting it as a way of life.

[00:03:48] Uh, but I do think that, um, it's something that, you know, it hits you once in a while. During your, um, your work or whatever you do is that [00:04:00] you sometimes feel like, you know, you're maybe too deep into something, you've been struggling for too long with something, and sometimes the right, the right path is not necessarily try and complete what you're doing or fix it, but sometimes you just, you know, you have to realize that maybe the correct answer is just something much simpler, which may [00:04:20] be the right answer.

[00:04:20] Thank you. Not perfect, but good enough. Uh, so I'd say in the, uh, you know, in the sense of cybersecurity or it fields, it's something that I see a lot happening is that we usually, we usually try and resolve to what we know best, right? We we've known something for a while. [00:04:40] We, you know, this is, this is what we have in our tool belt and we, we go back to the same tools and not always, or not for.

[00:04:49] Not every time the same tools will be the right choice to make. So I think that you, you really have to specifically when you're, [00:05:00] when there's something new around, whether it's new environment and new technology. I know major changes that, that are happening around you. So you, you really have to be mindful of those things and you have to, you have to verify yourself.

[00:05:15] You have to verify your own, um, sort of. [00:05:20] Beliefs, uh, against the current situation, right? Just simple example. If we have to find a technological solution in a specific field, like we need, uh, I know a code scanning solution. We need a vulnerability management solution. We need something else. It doesn't really matter.

[00:05:38] So we [00:05:40] are, sometimes we're familiar with. You know, top vendors, we know which, which one is best of breed and which ones are considered more popular, less popular, cheaper, less cheap. I think that sometimes we have to before even before going and making the choice, we have to. We have to really think what we're trying to [00:06:00] achieve, because, you know, we may think we know which one is the best and which one is the most expensive and which one is the most popular, but we really have to think, do we actually need the best for this situation?

[00:06:12] Do we really need the specific tool that does that? That way for the specific situation. So we really have to, uh, [00:06:20] to check this sometimes. Um, and, and for, for this example, I think that sometimes is maybe even a lot of times we can fix a solution to a problem without, you know, going all in about it so we can sometimes, you know, just.

[00:06:38] Pull something out of her [00:06:40] sleeve. We can reuse something we already have. We can even sort of do something. And if we look at things, um, creatively enough and out of the box, we realize that we can, uh, answer some questions with, um, Not, uh, not obvious answers, [00:07:00] but they're still good answers and, and, and I think basically at the end of the day, what we're all trying to do is to give, is to give good answers, right?

[00:07:09] It doesn't really matter whether they're the expected classical answers. They just have to be good answers for the questions.

[00:07:15] Ganesh: Yeah. I completely hear you there with a lot of the time you have. The [00:07:20] answer already. So there's a bunch of tools that are overlapping and you may have something in there already.

[00:07:27] What's quite interesting. I find in a world of security, when you say you don't need the best of breed in X, Y, or Z, I actually see a lot of. Condensing of security tools now. So like open source [00:07:40] security, host vulnerability, patch management, cloud security, I see them more and more merging into one tool, um, eventually becoming a CNAP and then plus adding, you know, I see SAS.

[00:07:52] security posture management as the next thing that will just merge into one larger tool in, but in around that [00:08:00] conversation of tools, when you're looking at selecting tools yourself, um, how do you balance the need for like a full evaluation of a tool against the urgency of needing to put it in there?

[00:08:11] Alex: First of all, this is very interesting because urgency is sometimes, um, sort of a whole new challenge and sometimes urgency is more [00:08:20] challenging than. then budget issues or other things, right? Because urgency usually comes from, if it's security, then obviously it's maybe a major risk, but sometimes it may also come from a business case, which may be urgent.

[00:08:34] And we know that the business loves to do business. And we're there to cater for that. First [00:08:40] thing I think about this question is really, we have to Double check and verify with, with the business owners exactly what they're expecting to get because, and this is a situation I've, I found myself at, um, you know, time and again, you know, it and cybersecurity [00:09:00] many times you're tasked as, uh, you know, as a, as a head of it or cybersecurity to, to bring a product, you know, you get the tasks we need.

[00:09:11] A system that does A or a system that does B and then you can, you know, go ahead and look for systems that do A or B and you go back with it and [00:09:20] at the end of the day, you realize that the business doesn't really need A or B. They just need a specific function or functionality and someone has told them about A and B and they thought this is what they need.

[00:09:32] But. That's not really what they need, right? Because they just heard that it could be, uh, you know, it happens a lot with, um, [00:09:40] compliance or regulation or, you know, they can have this conversation with, uh, with an auditor and they'll someone, you know, someone will say same and someone will say sore and some, someone will say CNAP.

[00:09:51] And, and this then becomes The problem rather than being the solution, then the problem becomes instead of securing our cloud workload, [00:10:00] the problem is let's get a CNAP, right? Or instead of auditing or gathering logs, let's the problem is let's find the seam. And I like in on those occasions, I When the business owner is not ourselves, it's not the security, um, department, then [00:10:20] I really like to understand the business needs.

[00:10:22] I want to ask why and what, uh, rather than just bring a solution to a problem, which may not be the actual problem behind the scenes. Right? And. Again, I've been in the situation. I've been tasked to do that. I've done my research. I went to talk with vendors, et [00:10:40] cetera, and chose the products. And then at the end of the day, you know, you're like, when you get to the bottom of it and they ask you, Hey, well, why does it cost so much?

[00:10:50] And why is it so complex? And you, you know, you explain what What they asked for is this and that. And then they realize, wait, this is, this is an [00:11:00] overkill. This is not what I need for, for my use case. And when you get to the bottom of it, you realize that, you know, you may have two or three systems already that can do what, what the user asks you.

[00:11:11] Right. Um, so if, if they want an audit, you know, maybe I already have, uh, an application that can do that for you. Maybe I already [00:11:20] have, um, uh, an Something that I can reuse to, to cater for your specific need. Right. So it's really important to be, uh, connected to the business on, under business, business level and their language, try to go a bit into their field of play, [00:11:40] and then, then you get, I think you get better outcomes when you try to translate it to cybersecurity solutions, right?

[00:11:47] Cause you, you get a better feeling of what exactly the problem you're trying to solve is.

[00:11:52] Ganesh: Uh, great advice. And I think there is often a disconnect between, um, the technical, [00:12:00] the technical world and solutions and business just generally, it's great advice actually for anybody who's in there to get on the level of business, you know, understand what the driver is behind there far too often, we have situations where.

[00:12:14] We're doing things and people don't know the outcome or they don't know why they're doing things and it [00:12:20] happens all the way through the stack, you know, you can have people testing for something in the application and not knowing why they're doing a unit test, for example, and I think that's a, it's a good example of why everybody should have the vision, even if it seems like it's a waste of time having the conversations, but hey, we're all doing this because Of this reason [00:12:40] now, you know, and specifically around security tooling and things like that.

[00:12:45] I imagine a lot of it is to do with compliance. There's usually a compliance reason behind that. It's not, it's not necessarily that we're going to get attacked by bad guys, or we're not going to get attacked. You know, we're, we're, we're worried about [00:13:00] ransomware. So. I think for the, for the business to understand why we're doing these things is pretty important.

[00:13:06] Um, and you could save a lot of time with that piece of advice as well. I imagine enormous, you just talked about investigating whatever particular seam tools or saw tools. It's a lot of time, a lot of money and, and, and waste effort in there. [00:13:20] Um, so really, really great advice on that. Couldn't agree more.

[00:13:25] Well, if we talk about time wasting, it's a, it's a nice lead on because we, we want to talk about automation and security management and how that's a game changer. Um, and I know it has challenges of its own, um, [00:13:40] how have you a plus 500. Dealt with that problem, um, approaching integration of automation with your security and what lessons have you learned?

[00:13:48] What, what pitfalls can you avoid other people from

[00:13:51] Alex: first of all, I think that game changer is, uh, it's, it's maybe an understatement, right? Cause it's, it's 2024 automation is, I know [00:14:00] animation is king, right? In cybersecurity, but not only in cybersecurity. And soon it's probably going to be replaced by, you know, AI, et cetera.

[00:14:10] Ganesh: That's it. You get the, you get the AI bell. You're the first person to mention it. Bing, bing, bing.

[00:14:16] Alex: Uh, that's it. That's a wrap up.

[00:14:19] Ganesh: Yeah, [00:14:20] for sure. Um, it's true though, but a lot of people are scared to do that. I don't mean scared to AI. People are scared to automate security practices because they're so fearful of Yeah,

[00:14:33] Alex: I, I, I can relate to that.

[00:14:35] I mean, we've all been there, but I think that first of all, and this, this is on the reassuring [00:14:40] side. I think that if we, if we look at it, you know, even historically automation and security and it in general has been there for a while and it's been there basically forever. Right. Because, uh, Even in the days of, I don't know, traditional endpoint protection, I'm taking you like 15 years back, we always had policies that [00:15:00] I know how to disconnect an endpoint if there's something bad on it, right?

[00:15:05] Or how to react, um, to, uh, to an incident on an endpoint. We always knew delete the file, quarantine the file, um, disconnect the, the, the system from the network. This is pure automation, right? There's no other word for this. This is the [00:15:20] automation by definition. But when we take the automation and we sort of, um, You know, we take it out from its box as a feature within a system, as a means to an end, and we create, we, Sort of, um, transform it into the central, centrally managed [00:15:40] automation engine and tons of business logic.

[00:15:43] It becomes a bit more scary because you're saying, wait, I used to have this automation with that, which had very limited scope and very limited power. And, and now I'm giving it more, more scope, more power. I'm giving it all the power, right? Cause I'm going to give it all the [00:16:00] permissions and all the privileges, et cetera, and access everywhere.

[00:16:03] And, um, And yeah, it's, it, I think it's, it's, it is frightening and like, not, not in the sense of the rise of the machines. Right. But in the sense of, um, is it ready enough? Is it tested enough? It may break. How do, how do we allow it [00:16:20] to, to be efficient and still, you know, as, as risk free as possible. So this is, uh, I'm not taking the question back to you.

[00:16:28] Yeah. I'm just analyzing this. And I think this is, this is really, I can really feel for everyone who has You know, this pretty natural fear from automation, [00:16:40] specifically when we're talking about sensitive operations within our networks, within our data centers, within our, you know, user, uh, data operations, et cetera.

[00:16:49] Uh, so, you know, in cybersecurity, when we say automation today, we usually, you know, first thing comes to mind is SOAR and, um, you know, centrally automated response [00:17:00] to incidents. And to be honest, and I've seen it, I've seen it. Plenty of times with colleagues with friends. It really is hard to implement it.

[00:17:10] Well, uh, I mean, there's the, the idea is there, the technology may be there, but, um, it's very hard to, to make a successful [00:17:20] project out of it. Right. Uh, not only because of our, um, Sort of fear, but also because these types of solutions tend to be expensive, complex, and it takes a lot of time to implement them.

[00:17:35] So it takes a lot of time to, to complete those types of projects. [00:17:40] So if I'm, you know, for me personally, on the one hand, I understand. And I agree that, um, that it's something we have to have today, right? We can't do without it. But on the other hand, we have to find the right balance to, to make it right.

[00:17:58] Right. We can't just buy a [00:18:00] store and expect it to work automatically. It's not magic. Yeah. And, and it doesn't really matter who's the vendor or what tools we're using. It, it really, it's all about understanding how we integrate all of this together. What's our plan? What's your end game there. Right. So what I, what I think, and I know.

[00:18:17] It may not be the best advice for [00:18:20] everyone, but what I think works well for me is that I'd say if you're looking to go there, if you feel like you want to automate, but you're afraid you can start small, you can start small and grow over time. And this is something that I think it has a few benefits, but it's really important to get, you know, get rid [00:18:40] of the, um, of this big fantasy about fixing everything and anything with SOAR and just cover everything.

[00:18:47] This is, this is maybe not the best approach. I think you should do it step by step, um, and this will allow you to, to achieve meaningful results. And you're gonna, you know, you're going to [00:19:00] get those slow hanging fruits, some quick wins, uh, and A, it's going to be, Cheaper, at least in the start be, it's going to build up your own confidence and your organization's confidence around automation, right?

[00:19:13] Because it's frightening, not just for you, it's frightening for everyone. And if you start small, if you start with simple tasks, if you [00:19:20] start with tasks that are not in the core of the business and not very dangerous, and you manage to successfully cover them, you're going to build up confidence with the organization.

[00:19:29] Um, Um, you know, not unlike people, right? You do the same with people, you give them something, you see that they're successful at it, you give them more. So, so [00:19:40] this is, this is my approach. And also, I think that if you start big and you plan big, so You're going to be talking about a complex project, an expensive project, and you're going to set very high expectations.

[00:19:51] So the, the path to meet those expectations is going to be very long, very tedious, and there's going to be so many [00:20:00] opportunities to, for something to break and fail the project. Uh, so. We, I, I like to look at it as a set of short term goals, um, very, you know, getting our targets very close to us, reaching them and then setting the next target, right?

[00:20:16] So it doesn't have to be a long [00:20:20] grandiose project. It can be just a step by step project.

[00:20:23] Ganesh: Makes sense. Um, Um, you know, the, the fear of, I know I often hear fear of automation because cyber security is so impacting on the business in some way, you know, if you're either [00:20:40] going to stop somebody doing a process or you're going to stop something happening on the website, or you're going to stop this or that, and the business hates that, you know, the business always hates security for that.

[00:20:51] You know, they're always thinking that security is there just to slow them down, but it doesn't make sense to me because I would, it's the one place where I would [00:21:00] rather have false positives and I would rather have those false positives actioned on, like, if I think, if I think around like user access or identity and access management or something, I would rather have nine false positives in order to catch the one bad guy.

[00:21:17] That, you know, that seems like a good piece of automation to [00:21:20] me. So, so what, so nine people had to call support and say, my account's been unfairly locked and you have to say, I'm sorry, we did that for a security reason, and then you can learn based off that, that you're, you're too aggressive with your policy.

[00:21:34] Must be better to be doing that than just have something so loose that it doesn't catch anything. [00:21:40] Um, how do you approach that challenge of, um, wanting to put something in place? Not knowing what the boundary line is and then having to deal with the, the fallout from that.

[00:21:50] Alex: Uh, yeah, that's, that's really, that's really an everyday challenge for cybersecurity staff.

[00:21:57] Um, again, also it, [00:22:00] I mean, there's a lot of places where this happens. It actually relates a lot to, to my previous answer, because I think that this is, again, this is a classic spot where we use the step by step approach because What I learned is that on most occasions, the, the, the relevant stakeholders, you know, it could be our, uh, [00:22:20] our superiors.

[00:22:20] It could be top, it could be senior management. It could be someone else could be key roles in the organization. Usually they understand very well the value of security, right? But they also understand even better the value of the business. And obviously it's our, it's their job to make sure the business runs.

[00:22:38] It's also. to some [00:22:40] extent their job to make sure the business is secure. And so this is, I mean, this is something everybody understands, but Not everybody really knows how to, how to approach this. I think that, again, on most occasions, the step by step approach, for me, worked quite [00:23:00] well. I mean, it's not always possible, right?

[00:23:02] Because if you're maybe replacing, um, Firewall A with Firewall B, so this is, uh, this is, there's a cutover, right? There's a, there's a painful cutover and you want to do it with, You know, zero, uh, zero issues. But if you're talking about endpoint [00:23:20] security, if you're talking about anything on your, on your endpoints, on your servers, on your SAS apps, et cetera, anything that does prevention, in most cases, you'll, you always can start small.

[00:23:32] But you have to have in mind your end game, right? Because you can't sell to the management that you're going to deploy, [00:23:40] uh, I know any DR, and it's going to always be in detection mode, right? It has to prevent. So the plan is. A, we want to reach, uh, this place where we're going to have it covered 100 percent of the organization.

[00:23:55] And we're going to have a policy that does A, B, and C. And the way to reach [00:24:00] there is we're going to start with a policy that only does A. And A could be, I know, learning mode, monitoring mode, alarm mode, whatever you call it. And we're going to start with that. And we are not going to start with 100 percent of the organization, right?

[00:24:12] We're going to start with less sensitive locations. Like I know teams that, That we may, uh, we maybe have, [00:24:20] um, You know, more, uh, redundancy there. So we can allow some issues. Uh, we're not going to start with our central database databases or central app servers, right? We're going to start with something, um, uh, in the perimeter, perhaps.

[00:24:34] Uh, we're going to start in QA environments. We're going to start in development environments, but, but we will [00:24:40] show a plan where we, where we can see the, the end, the end, right? Because we don't want to not complete this type of project. We need the prevention there. But we have to build the same confidence, uh, as we had in the automation, uh, scenario, right?

[00:24:55] And the confidence will not be built by words or promises or [00:25:00] vendors. Um, talking about how great the products aren't, it's going to be built from the, from. You know, from the ground, right? We're going to show how it works. We're going to show that it's okay. And we're just going to expand. And, you know, it's going to make the project a bit lengthier usually, but you're going to get a lot more credit if it [00:25:20] took you longer and you had less, uh, you know, less damages to the business, less collateral, uh, than if you've done, done really fast, but everyone, uh, you know, uh, went crazy because of that.

[00:25:33] Ganesh: Yeah. And requirements is something that seemed to be a A mystical beast [00:25:40] inside most organizations. So I often find that projects are mid flow and three quarters of the way through the project, someone says, you know, what are the requirements? Well, what are the requirements to make this successful? And nobody knows, we're just in the middle of a project.

[00:25:54] So that's a, a top tip to, to spend some time front load. [00:26:00] You know, what is your success criteria? Because you can become, you can be completely successful on your success criteria, yet the project is a total failure. This isn't, this is a, this is an outcome that can actually happen and vice versa. So it's a interesting, and it's more and more as well.

[00:26:19] And the more I speak [00:26:20] to. People like yourself, you know, heads of cybersecurity and CTOs or heads of DevOps and things more and more and more it's requiring the, the IT people to become business people, essentially, and that's the, that's the problem, which I think a lot of IT professionals, they fall [00:26:40] over because nobody starts, nobody starts at management.

[00:26:43] Yes. Everybody starts lower down. You don't need those skills lower down. You just get told, Hey, you You're implementing this or, Hey, your, your, your job is to look after tool X, Y, or Z suddenly you jump up to another layer when you're asked to then solve problems for the business. And [00:27:00] everything you did prior to that counts technically, but you suddenly you have a new role where you're not a business person.

[00:27:06] So there's a, there's a disconnect there. And I think a lot of people don't go through their own. Companies don't offer the personal development generally, it's something you have to just develop yourself. Have you found something like that [00:27:20] in your own life where you've had to upskill your, your own personal development?

[00:27:23] And is there something you did around that, uh, any books you read or something like that?

[00:27:28] Alex: I think that in, in, in this specific sense of, you know, my careers in cybersecurity or it, I mean, I sort of, self developed somehow, didn't always have [00:27:40] very precise, um, intentions or plans about, you know, my long term future, what I'm going to do.

[00:27:48] It's just somehow, you know, went this way and, you know, I played my cards, right. At any point. Point in time, but, but I, I do think this, this is, this is an important issue [00:28:00] because, you know, we used to call it years back, obviously it's still there. We, we used to talk about IT alignment and, and this was how, you know, how IT, IT is there to, and it's, you know, it's true in the same way for cybersecurity or DevOps or even R and D, right?

[00:28:16] We're there to, to accommodate for the business, right? Not [00:28:20] the other way around. So businesses don't have. R and D for the sake of R and D they have R and D for the sake of developing the business, et cetera. And this is true for most functions in the business, right? And I think that one, one, one tip that I really think is true here, and this is true for, for managers, for, [00:28:40] for, for, you know, uh, employees at every level of this type of profession is that we really have to realize that basically business is the boss, right?

[00:28:50] It's not us. Um, and. Whatever we may think is best or ideal or correct or whatever, [00:29:00] it's not always true in the business's perspective. And the business perspective, it's, it's basically what's most important. Right? And. And so this is sort of, you know, this is a gap in how we perceive our profession versus how the business perceives our role, right?

[00:29:17] So we have the role, we have the profession, they're not [00:29:20] always one and the same. We have to sort of take the best out of our professional experience and expertise and and cater for the specific needs of the specific role in the specific, uh, you know, organization. And, you know, we need, we need to act with some sort [00:29:40] of, you know, humility about it rather than ego.

[00:29:42] It's not about, and, and, you know, I've, I've, I've worked with, you know, CISOs or CIOs or CDOs in the past, you know, they just thought that they were right. And that was the way to go. Um, And I sometimes get that feeling, you know, myself, but basically there's no right and wrong. [00:30:00] There's what I think is right.

[00:30:01] There's what the business thinks is right. We have to find, you know, the, the common path for everyone to be happy about it. And, and this is to realize that your, your own opinion is not, is not the most important one. Even if you're a hundred percent technically correct, right? Uh, which [00:30:20] it's not easy. I, I suspect it's not easy for anyone.

[00:30:22] Right. But, uh, unknowing, unknowing as it may be, this is, uh, I think it's important for success within organizations. Right.

[00:30:32] Ganesh: And you often, you talked about the, the business, you know, what I would say is the, the, the dog wags the tail. [00:30:40] The tail does not wag the dog is what we would say. And. It's funny that that happens in tech where you have a situation where the tail is wagging the dog, but even more insane Sometimes the dog is asking the tail how to wag and and then you have to say guys listen I'm not here to [00:31:00] tell you What to do we're supposed to be an enabler, but maybe, maybe it's a dog with two tails, a tail at one end and a tail at the other end.

[00:31:07] And there's, there's no heads. It's just two tails could be the case. Um, relating to plus 500 or it doesn't have to be plus 500. Actually. It could just be your, your personal. [00:31:20] How you arrange your personal life and style, um, any specific showstopper tools that you would highly rate or advise to other companies.

[00:31:28] So things that have made a real impact that you could share,

[00:31:31] Alex: you know, I'm not, I'm not here to sell anything. So I, I'm not sure I want to, um, go, um, very deep with, uh, name dropping, but [00:31:40] I, I, I found there's, um, there's a whole wide world out there, right? There's, um, there's all those, um, Traditional vendors out there.

[00:31:51] And, um, they're doing, you know, best of breed code security and there's some more modern vendors, they do, [00:32:00] um, maybe something slicker and something better, but not necessarily best of breed or not necessarily, um, you know, supporting all the languages and all the technologies, the. The other vendor support.

[00:32:15] And then there's also the world of the sort of new players, basically [00:32:20] CICD, the complete pipeline security, right. End to end. And I think that this is something that I haven't thought of at the time. But in hindsight, I think that this is, this was, this was a revelation because the, my problem for in that instance was, okay, I had to address code security, but then, you know, you realize there's [00:32:40] actually, there's so many approaches to code security that.

[00:32:43] There's so many solutions today. It's not like there's not just one solution and you have to choose the best from the category. There's actually a few categories that, that, that can, that can basically answer that need. And I think that the, the players, some of the players I [00:33:00] saw in the, um, in the pipeline security, um, niche were very, Very impressive.

[00:33:08] And again, I don't want to, I don't want to recommend, um, any specific solution, but I do think I came across several, uh, from that category that [00:33:20] really impressed me, they were able to, um, You know, like you talked before about the, the CNAP and, uh, SAS security things converging into one world. So, so they, they sort of done that for AppSec, right?

[00:33:35] In my opinion. So they sort of, they took code security, they took, [00:33:40] uh, CICD security. They even took cloud security to some extent and, and they put it into one product and there's, there's a few of those they're coming to you with their solution, the same look, I'm going to. I'm not, I'm not only going to solve the, your code security solution.

[00:33:55] I'm also going to solve a couple others, uh, a couple other problems, sorry. [00:34:00] And, and it's going to be modern and sleek, and I'm going to prioritize it for you. And, and I think that this is, uh, in general, this is, um, this is where I think the industry will go because, you know, there's so many problems you can't.

[00:34:15] You can't look for a solution for every problem. You have to, you have to see where you can [00:34:20] consolidate, where you can work with less vendors, where you can, uh, you know, get systems, um, again, more automation and et cetera, but out of the box. Right. So I really think that this is something, um, if you don't have a good AppSec solution today, or if you're looking to [00:34:40] replace your own solution, I would definitely, uh, I would definitely look in that area.

[00:34:47] Um, and I think I've, I've been, I was very surprised by the quality of, of the products. And, uh, yeah, I think, uh, they, they can really cater for, I [00:35:00] think most of the, most of the industry out there can really, can really use them.

[00:35:04] Ganesh: Yeah. All in, all in one tools appear to be the way to go. And I would completely back that because in the same way that.

[00:35:13] You know, CS, uh, CNAPs now cover open source vulnerability. They cover host vulnerability. They cover container [00:35:20] vulnerability. They cover secret scans inside your workloads and, and, and, and, and, you know, suddenly you don't need five or six tools for cloud security management. You just need one CNAP tool, like a WIS or a Lacework or an Orca, for example.

[00:35:34] Totally makes sense that the same was going to happen for app developers. No need to have [00:35:40] something for open source, something for SBOM, something Static code, something for CICD, something for secret scanning, whatever. It makes perfect sense that, that these overarching tools were going to come on top.

[00:35:51] And I also, I would, I would totally push people towards an all in one solution. The, the only cases that [00:36:00] I see And okay, I'm coming from the sales side. I'm not a deep in the, in the weeds as a developer, but the only real arguments I come against are when somebody has something in their mind that is really specific and S bomb would be an example.

[00:36:15] So lots of people can make S bombs. You can do open source making S bombs, [00:36:20] but if you want. A tool that will not only create an S bomb, but read an S bomb, and then become a registry of all S bombs that you own. You need something specific for that. I didn't see something very cool that does that, that isn't a one tool vendor.

[00:36:38] I think that's what you need to go and you need [00:36:40] to go, right, let's assume that you're boilerplate and you have to convince me otherwise that you're not boilerplate and then we can look at adding another tool. So yeah, I, I totally hear you on that.

[00:36:50] Alex: Yeah, I, I think that, you know, going back in history a bit, we probably, We've all worked with all in one printer scanners, [00:37:00] right?

[00:37:00] And I don't think anyone has ever, uh, thought that the all in one printer is the best printer out there or the best scanner out there, right? So if you were a print shop, you'd probably wouldn't use it because you had better quality printers. Um, so if we're taking that to the world of, I know, cloud security or CICD [00:37:20] security.

[00:37:20] So, you know, the cloud infrastructure is just, it's just another. Pillar of our technical, um, tools, you know, in our organization and code and development is just another pillar we use to, uh, to move the business, right? But this [00:37:40] is essentially not that business, right? What we do is not writing code. Code.

[00:37:44] What we do is, you know, in our case, FinTech. Others do other things, but you know, we don't need to solve this problem to, to its fullest extent. We just, we have to be responsible and we have to be good enough, but [00:38:00] we don't really need to go, you know, to go the extra mile, uh, to cover ground, which we're not looking to go to in the first place.

[00:38:09] Uh, so, so, so this is what I think about those. So there's obviously all in one is, is not the answer to everything, but you know, In [00:38:20] today's reality, when we have so many, uh, you know, vulnerabilities and gaps, and obviously our security and it budgets aren't always aligned with, with the new emergence of new threats.

[00:38:33] And then, yeah, it's, it's up to us to make the best use of what we have. And if that means going, [00:38:40] you know, consolidating and, and going to all in one products, there's nothing wrong with that. As long as we know that they cover. the essentials that we really, really need, right?

[00:38:51] Ganesh: Couldn't agree more. And I'm going to steal.

[00:38:54] your multi scanner printer copier analogy next [00:39:00] time I'm, I'm trying to convince somebody to buy that solution from me. Um,

[00:39:04] Alex: yeah, great. I also stole it from someone, but I can't tell you who, so,

[00:39:07] Ganesh: uh, nothing is new. Nothing is original. Everything is only stolen and repackaged. Yeah. You can

[00:39:15] Alex: credit it to folklore, right?

[00:39:17] Yeah. Yeah,

[00:39:18] Ganesh: exactly. One [00:39:20] question I'd like to ask everybody we have on the show. Um, if you go back in time and give yourself one piece of advice, what would it be? And that could either be like something to help you with the situation or something to avoid.

[00:39:30] Alex: Oh, wow. This is, um, I know there's a lot comes to mind, but probably the first intuitive thing I'll say is, uh, just buy, buy Bitcoin.

[00:39:38] Right. [00:39:40] Um, right. Well, because. I hope I'm not, I mean, I really believe I'm not the first one to say this, but I think that's what, you know, we all make mistakes, right? And we all learn from mistakes, but this is, this is really painful because I think you feel the most pain when you know you [00:40:00] were there and you didn't act upon it.

[00:40:02] Um, This is more disappointing than just, you know, not being there. Right. So if you were aware of Bitcoin and you thought it's stupid and it makes no sense, you may have been right. Yeah. It's maybe stupid and doesn't make sense, but you could have been rich today. Um, [00:40:20] So, uh, yeah, this, this is my, uh, you know, on a personal note, this is, this is a mistake I've made in the past.

[00:40:26] Ganesh: It's a totally great answer. not, not one we would ever expect, but hey can, comes from the heart and will resonate. I think almost everybody has a Bitcoin story or a friend of a friend who has a Bitcoin story, so it's, yeah, you know, [00:40:40] it's, it's in the zeitgeist. It's in the zeitgeist right now, and around yourself and your professional career.

[00:40:46] You know, the number of security things that happen every single day and new attack vectors and vendors that solve those problems, you know, it's [00:41:00] ridiculous now as in cyber security, it becomes ridiculous. So what do you do to stay on top? How do you stay on top of the latest threats? Um, technologies, et cetera.

[00:41:09] Alex: That's always a challenge, you know, because when, when you phrase the question, I was, I was just, you know, I had those memories re emerging from all those times I had [00:41:20] vendors approach me and offer me solutions to problems I never knew I had. And. In fact, I have had them, right? I just never thought, uh, never thought about them as problems or never thought they were problems.

[00:41:35] Uh, so yeah, I think this is, uh, the reality in our landscape is that [00:41:40] we're always going to have, um, the bucket of gaps and problems is always going to be bigger than the bucket of resources, um, to deal with it. So. I think that, um, first thing I, it's, it's a very general maybe idea in, in, in the approach of this challenge, but [00:42:00] I think that it's, it's really important to frequently assess and reassess yourself and your environment and your environment by that.

[00:42:10] I mean, not only your organization or department, but also, you know, the landscape of threats, the landscape of your specific Um, maybe market [00:42:20] you're in, um, geolocation, whatever. Right. Because, um, we're, and this is again, uh, you know, sort of the traditional way or by the book is we're used to, you know, in cybersecurity, we're used to doing, um, this annual, annual risk assessments and annual PTs and [00:42:40] annual, um, user access reviews, et cetera.

[00:42:43] But in, in today's reality, right. Um, If we're working in annual cycles, how many risks or gaps will we not see, uh, if we just look at them once in a year, right? Uh, and, and this is basically what you're talking about. The, the emergence of [00:43:00] threats is a lot quicker than, than the traditional ways we treat security.

[00:43:04] And of course, The first answer that comes to mind is again, automation, right? I mean, to some extent, I'm not talking specifically about this big monster sword, but you can automate as much as possible in the, uh, processes of risk management, [00:43:20] vulnerability management, security, posture, assessment, et cetera.

[00:43:23] Right. So we, we talked about some of these things within the code security, within the cloud security, but this is very general. This is a process. Um, managing your own risks and vulnerabilities, um, in cybersecurity. I don't think it's, it's. It makes [00:43:40] sense to look at it as an annual process anymore, right?

[00:43:42] It's continuous, just like, you know, uh, development has its continuous integration, continuous deployment. This is the same. You have to do it continuously and to do something continuously, you, you really have to do it automated, right? So, so this is one thing we really want to catch the issues as soon as [00:44:00] possible.

[00:44:00] Um, and. You know, this, this could be anywhere, but, you know, shift left. There's no other answer to that. Basically, I think we have to shift left wherever we can, and it's usually going to be achieved with automation. Of course, where we can, there's also, um, you know, procedures and policies we can Revise [00:44:20] and see and, and, you know, get also the, get other stakeholders to, to help us with that, right?

[00:44:27] Because sometimes, you know, the sooner we know about things, the sooner we're in the loop. So the, the sooner we can address to, to issues and, and assist with them. And, and this is, you know, it [00:44:40] comes back to sort of the boring issue of awareness, because, you know, at the end of the day and awareness is a, is a very old.

[00:44:50] Challenge in cyber security, but at the end of the day, security does rely on employees, right? And each one of them is another [00:45:00] gateway to a company, to the organization, to the database. And we have to put effort into making the employees. Um, realize how important they are, not just in, you know, fulfilling their day to day roles and their, the tasks that they're assigned, but also in protecting the company as a whole, because, you know, the strength of [00:45:20] the chain is the strength of the weakest link.

[00:45:22] Right. And it's sort of, I don't know, I'm, I'm looking at it like a, you know, like a football match, right. Because you have a new team, you have just one goalkeeper, right. So he can do things, he's allowed to do things that they're not allowed to do. Other players can't like you can catch the ball with his hands, but in order to not [00:45:40] concede any goals, you can't just rely on a goalkeeper, right?

[00:45:43] It's a team effort and you expect everyone to, to do some defense. And even the best keeper will not be able to deny all attempts, right? So we need to build a team that will be also able to mitigate. As many attempts as possible to get the keeper [00:46:00] to only treat some, you know, as few attempts as possible.

[00:46:03] This is, this is basically like a 60 second metaphor to how it feels to be his cyber security in an organization, right? You're the goalkeeper. So, uh, you're somewhere behind there. You're. Hoping no one will reach you, but when they do, you have to be ready [00:46:20] and you want everyone, um, you know, everyone up front to, you know, to, to realize what you're doing, to realize how important it is to, to keep those thoughts away from you because you can't stop all of them.

[00:46:33] Ganesh: Yeah. Super great advice and, um, just really, really [00:46:40] wise insights and, uh, they might even seem like semi basic insights, but I think we lose sight of things so often in the I. T. world and aligning with the business, looking to automate, looking to consolidate, taking things step by step, you know, they're just super, super nice.

[00:46:56] Bits of information peppered with the reasons why we do that. [00:47:00] So, um, it's been a really rich conversation with you, really appreciate you taking the time. Um, totally great to have you on the show. Anything else you'd like to add in closing? I just think

[00:47:12] Alex: I'll, I'll address what, you know, one word you said, you said, uh, basic.

[00:47:15] And I think this is, this is really important because basic is [00:47:20] not necessarily bad. Right. And I said a few things about it already, but I think that it does. It does lead me to, to another tip, which I think, I think it's attributed to Winston Churchill, but I didn't fact check it. Right. Um, perfectionism is the enemy of progress.[00:47:40]

[00:47:40] And, and in, in our, in our case, um, You know, we have the Pareto principle, the 80, 20 rule, et cetera. And I think that in cybersecurity management today, it's, it's very true. Um, it's not in the sense that we shouldn't strive to cover everything. [00:48:00] Um, but in the sense that sometimes it's impossible or not the right thing to do.

[00:48:04] So sometimes looking at the complex, big, complicated project solutions, it's not that it's wrong. It's, it just may lead us. To not optimal results, right? Cause the [00:48:20] optimal results will be to make the best use of our resources for, to cover as many risks or to bring as much value to the business as we can.

[00:48:28] And value is not necessarily bringing big revolutions. It can be fixing a lot of basic things as well. And, and yeah, I think it's, this is important to remember. I mean, [00:48:40] sometimes. Doing basic things, simple things can bring a lot of value, sometimes even more than making very big things. Right? So we don't have to be afraid of, you know, chipping here and there and do some small things because at the end of the day, we just want to bring value to the business.

[00:48:57] Ganesh: Sometimes it's more valuable [00:49:00] to bring a multifunction printer scanner than it is to bring AI technology, for example. Um, great wise words. Fantastic Saino, thank you so much. This episode was produced and edited by Daniel O'Hana and Tama Mufidzon. Sound [00:49:20] editing and mix by Bren Russell. I'm Ganesh The Awesome, a senior solutions architect.

[00:49:25] And if you're ready to deep dive and start transforming the way you approach security, then the team and myself at GlobalDots are at your disposal. It's what we do. And if I don't say so myself, we do it pretty well. So, have a [00:49:40] word with the experts, don't be shy, and remember that conversations are always for free.

[00:49:45] Find us at GlobalDocs. com

Related Content

  • Secure Sanity: Bronwyn Boyle, CISO @PPRO
    Cloud Security
    Secure Sanity: Bronwyn Boyle, CISO @PPRO

    Dive into cybersecurity and mental health with Bronwyn Boyle, CISO at PPRO. Discover the challenges of managing risk in evolving tech environments and the impact of AI on security. Bronwyn shares insights on fostering a no-blame culture, the importance of diversity in tech, and her journey through burnout. Learn practical strategies for building resilience and supporting mental health in cybersecurity. Tune in for a compelling conversation that bridges tech and well-being.

  • Adopting to Speed of Cloud: Stav Sitnikov, CTO @StreamSecurity
    Cloud Security
    Adopting to Speed of Cloud: Stav Sitnikov, CTO @StreamSecurity

    If you are facing real-time cloud security challenges and struggling with escalating costs this episode is for you. Discover the future of cloud security with insights into AI-driven threat detection and seamless integration of security tools. Learn how to balance performance and cost-efficiency, and why early unit testing is crucial for success. Join Ganesh on CloudNext as he sits down with Stav Sitnikov, Co-Founder & CTO of StreamSecurity, to explore actionable strategies and forward-thinking solutions reshaping cloud security.

  • The CISO of CISOs: Greg Notch @Expel
    Cloud Security
    The CISO of CISOs: Greg Notch @Expel

    Greg Notch, led the NHL’s cybersecurity initiatives and now he is in some ways the "CISO of CISOs". Greg dives deep into the issue of cybersecurity tool sprawl and its impact on the effectiveness of security operations. Exploring strategic tool consolidation, he shares insights on enhancing efficiency and aligning security efforts with business goals. Drawing from his notable career, Greg provides expert strategies for managing security in dynamic environments and fostering a proactive security culture.

  • Transforming AppSec: Neatsun Ziv, CEO @Ox Security
    Cloud Security
    Transforming AppSec: Neatsun Ziv, CEO @Ox Security

    In this episode of CloudNext, Neatsun Ziv, co-founder and CEO at Ox Security, joins Ganesh to tackle the evolving challenges in application security. They delve into the incessant alert noise and manual triage that often overwhelm tech professionals, and how traditional methods fall short in today's fast-paced digital landscape. Neatsun shares his vision for a future where innovative solutions and strategic playbooks transform incident response, making security management more efficient and effective. Tune in for invaluable insights on enhancing your security posture in an era of endless cyber challenges.

  • Adaptive Security: Janis Lasmanis, CISO @Evolution
    Cloud Security
    Adaptive Security: Janis Lasmanis, CISO @Evolution

    In this episode of CloudNext, Janis Lasmanis, CISO at Evolution, unveils his cybersecurity strategies, emphasizing the importance of adapting to unique threats rather than relying solely on market solutions. Delving into SIEM and SOC, Janis discusses the critical balance between securing operations and maintaining business flow, showcasing how tailored, dynamic defenses are crucial in the rapidly evolving tech landscape.

  • AWS Innovations Decoded: GlobalDots’ Top 20 Picks
    Cloud Computing
    AWS Innovations Decoded: GlobalDots’ Top 20 Picks

    Join AWS experts from GlobalDots as they decode the top 20 cloud innovations you need to know in a 2 part Webinar. Gain insider insights on leveraging these transformative technologies to boost performance, tighten security, and reduce costs. Discover real-world applications to apply these advancements to your business. Reserve your spot now! 🚀 Stay Ahead: Learn […]

  • Innovative Cloud Strategy eBook
    Cloud Security
    Innovative Cloud Strategy eBook

    CIOs, Infrastructure Chiefs, IT, and Security Pioneers – This guide is more than just a document. It’s a strategic blueprint for your cloud journey, including concrete steps for migration, security strategies, and proven methods to optimize cost. We’re talking about real solutions for real challenges, such as: And yes, even – Discover not just security […]

  • Making Cloud Compliance Easy
    Cloud Workload Protection
    Making Cloud Compliance Easy

    The Challenge: Dealing with the Back-and-Forth There are so many shared challenges when it comes to cloud compliance. The constant back-and-forth with the auditor has become a draining routine. As you dart through digital archives for necessary audit evidence, precious minutes slip away from your actual duties. Each passing hour pulls you further from your […]

  • HashiCorp – New Licensing Model Explained
    Cloud Security
    HashiCorp – New Licensing Model Explained

    HashiCorp has recently revealed a shift in its licensing model, transitioning from open source to the Business Source License (BSL) for several projects. They’ve selected their usual Mozilla Public License, Version 2.0 as the ultimate open terms, with a four-year timeline for the new code release. But remember, there’s no need for alarm. Let’s unpack […]

  • How Yuki Achieved SOC 2 Compliance 6x Faster
    How Yuki Achieved SOC 2 Compliance 6x Faster

    Overview A fast-growing Snowflake optimization platform was missing out on customers because they didn’t have the right data security compliance. Through multiple consultations and extensive vendor-testing, the GlobalDots team selected a solution to provide both tech and human support, helping the company achieve SOC 2 compliance within just 3 months – and win new customers […]

  • Agile Content partners with GlobalDots to revolutionize CDN management ahead of IBC 2024
    Content Delivery Network (CDN)
    Agile Content partners with GlobalDots to revolutionize CDN management ahead of IBC 2024

    New partnership between Agile Content and GlobalDots promises to introduce automated multi-CDN solutions, optimizing content delivery and easing provider management for broadcasters worldwide. Amsterdam, Netherlands, September 9th, 2024 – Agile Content, a leading provider of digital TV and video distribution solutions, proudly announces its strategic partnership with GlobalDots, a global leader in cloud performance optimization and […]

  • How E-commerce TrustMeUp Achieved 40% Faster Delivery and 25% Bandwidth Savings with GlobalDots & CloudFront
    Cloud Cost Optimization
    How E-commerce TrustMeUp Achieved 40% Faster Delivery and 25% Bandwidth Savings with GlobalDots & CloudFront

    A popular e-commerce platform was growing fast, but that growth created challenges. With a poorly optimized cloud setup, the company faced content quality problems, as well as ongoing security issues. The only way to solve the problem was to optimize their CloudFront distribution – leading them to work with GlobalDots’ innovation experts. Using the solution […]

  • Cloud Partnerships: Itai Ben Dror, VP of Corporate Development @Cast AI
    DevOps & Cloud Management
    Cloud Partnerships: Itai Ben Dror, VP of Corporate Development @Cast AI

    In this episode of CloudNext, we explore the critical role of cloud partnerships with Itai Ben Dror, VP of Corporate Development at Cast AI. Discover how the complexity of the cloud landscape necessitates collaboration, the benefits of the 'Power of Three' model involving ISVs, resellers, and cloud providers, and the importance of trust and long-term relationships in successful partnerships.

Amplify Your Cloud Security

Technology, security threats, and competition all change rapidly and constantly. Your security stack must, therefore, be ahead of every emerging threat and, just as importantly, enable full-speed business processes by reducing friction in critical workflows.

Achieve this with GlobalDots’ curated solutions:

    GlobalDots' industry expertise proactively addressed structural inefficiencies that would have otherwise hindered our success. Their laser focus is why I would recommend them as a partner to other companies

    Marco Kaiser
    Marco Kaiser

    CTO

    Legal Services

    GlobalDots has helped us to scale up our innovative capabilities, and in significantly improving our service provided to our clients

    Antonio Ostuni
    Antonio Ostuni

    CIO

    IT Services

    It's common for 3rd parties to work with a limited number of vendors - GlobalDots and its multi-vendor approach is different. Thanks to GlobalDots vendors umbrella, the hybrid-cloud migration was exceedingly smooth

    Motti Shpirer
    Motti Shpirer

    VP of Infrastructure & Technology

    Advertising Services