This transcript was generated automatically by AI. If you find any mistakes, please email us.
0:00:00
(Nir)
You know, and by the way, that's another facet of cyber. It's like a giant pile of shit that you got to shovel sometimes. And you got to clean a bathroom. That's what it is. Sometimes patching is not fun, but you got to do it. If any founder is listening to this and they want to start a cool company,
0:00:16
(Nir)
take the pile of shit and make it smell a little better. Behind the buzzwords and the risks and the vulnerabilities, you know, it's just a lot of heavy lifting. And again, that's if you're willing to do that as a professional in cyber, you're going to do really well for yourself because the company is going to see your value.
0:00:33
(Announcer)
Hello, everyone. You're listening to Cloud Next, your go-to source for cloud innovation and leaders' insight, brought to you by GlobalDots.
0:00:48
(Ganesh)
If you ever worked in cyber security, you know it's not glamorous. It's patching systems, fighting technical debt and constantly chasing scale. But somehow Nir Rothenberg makes it sound like stand-up comedy. In this episode, we sat down with Nir, CISO at Rapid, who shared his journey from chemistry to cyber. Lessons from leading security at NSO and why he believes the future isn't about chasing the latest buzzwords, but just doing the basics really well. I'm Ganesh the Awesome Solutions Architect at GlobalDots where we research
0:01:21
(Ganesh)
innovations every day so you don't have to. As always, we invite you to join the conversation on LinkedIn. We recorded this episode live in our Cloud Hub, our first ever exclusive customer event. Nir, before we dive in, tell us a bit about yourself. You've had quite a unique journey from chemistry to cyber security. What led you to make that career switch?
0:01:45
(Nir)
The money, it's all about the money. Who said that? Some rapper, it's a great song. So it's all about-
0:01:51
(Ganesh)
Where's the money, Lebowski?
0:01:53
(Nir)
Not that one. It's all about the money. So, dollar dollar billio. So it's all about the money and cyber is blowing up. Anybody listening, if you want to make some money, I'm hiring.
0:02:07
(Nir)
I don't pay well, but the next guy will pay well. So I'll teach you. So join my team. So yeah, it just happened. When I started, it wasn't cyber. I still remember, I tell this story a lot.
0:02:20
(Nir)
I was in the Bank of Israel doing an IT assurance project. And then my boss came to me and he's like, hey, you know, you're actually doing a cyber project. I'm like, what's a cyborg? Like, what are we, like bionic people? He's like, no, cyber.
0:02:31
(Nir)
He's like, what is that? He's like, it's this new thing that it's a cyber thing. And then my salary just went up by 30% automatically. And since then, you know, I don't look back. So it's amazing. And the reality is about cyber is it's a facet of quality.
0:02:50
(Nir)
So if you're a company that really focuses on having quality, you're gonna have really good cyber. Probably, because you care about quality. So you know, everybody's talking about Netflix, right? That's the example of like a company with great security. Netflix has great quality, except the Tyson fight,
0:03:06
(Nir)
which apparently really sucked. Except that one time, it works really, really well. You know, or Google is another great example of a company that figured out scale, invented half the open source we use, and has amazing security.
0:03:24
(Nir)
So, you know, don't tell anybody, but you know, it's just a facet of quality. And coming up, as it's joining, I just, you know, stayed curious, went between the drops, and ultimately found success in cyber and giving value to companies there.
0:03:43
(Ganesh)
Well, it maybe wasn't quite the emotional, heartwarming story that we might have expected but it was deadly honest that you went for the money. And I can't say that I'm not in the industry for the exact same reason.
0:03:59
(Nir)
There's a quote I love, I don't know who said it. They said, it's called work, it's not called super happy fun. It's called work, right? We're supposed to work and we get paid for, you know, and I think people forget,
0:04:12
(Nir)
you know, sometimes people on the team, they're like, I'm not motivated. I'm like, oh, I'm sorry, did the paycheck, like, went into your bank account? Like, am I missing something here? Like, you know, and by the way,
0:04:24
(Nir)
that's another facet of cyber. It's like a giant pile of shit that you gotta shovel sometimes. You gotta clean a bathroom. That's what it is. Sometimes patching is not fun,
0:04:34
(Nir)
but you gotta do it anyway. Know what I mean? And I think that the companies that find success, if any founder is listening to this and they wanna start a cool company, take the pile of shit and make it smell a little better,
0:04:46
(Nir)
and people are gonna buy it. You know what I mean? So if you look, I'm here, I'm talking to you from the GlobalDots conference, the Cloud Hub, and I look at the companies here, and the successful companies,
0:04:56
(Nir)
the companies that took something really hard and made it a little easier for the practitioners to do. And that's another important thing that people tend to forget, behind the buzzwords and the risks and the vulnerabilities, it's just a lot of heavy lifting.
0:05:13
(Nir)
And again, if you're willing to do that as a professional in cyber, you're gonna do really well for yourself, because the company's gonna see your value and you're just gonna deliver value constantly. You're just gonna make sure they're patched, make sure their firewall is configured correctly, make sure they got a WAF, partner with cool companies like GlobalDots, by the way, which is a partner of Rapid's. And you
0:05:35
(Nir)
know if you do the right steps the company's well configured, you get value.
0:05:39
(Ganesh)
It's very true what you say. I want to come back to you. You spent some time at the NSO. Can you give us a bit of a breakdown on how that shaped your perspective on cyber security and what lessons did you get from it that you could share for others?
0:05:53
(Nir)
So yeah, I led security at NSO for three years. For those of you who don't know, NSO hacks cell phones and sells it to governments. They do a lot of good. They do a lot of good, I'll just say that right now. I know I sound like Trump, it's a good thing, it's a great thing, but no, they really do a lot of good.
0:06:10
(Nir)
Basically, most of NSO's activities are stopping crime and terrorism for Western countries. 99% of the customers are legit Western countries that want to stop terrorism and crime, and they did a lot of good. And you don't hear about that because it's
0:06:29
(Nir)
intelligence operations. Like, you know, James Bond, you can't really go meet him in real life, right? You can't see his cool tech. And NSO builds tech for people like James Bond. So that's literally, working in that company was really interesting because you work with some of
0:06:42
(Nir)
the smartest people I've ever met. People who can hack iPhones. What I learned is that anything can be hacked, literally anything. If you put enough smart people, enough time on a problem, they're going to solve it. It's just amazing to see. And I learned to focus. I think that's the number one rule you learn when you work with smart people who can hack anything. It's like then you become a CISO
0:07:05
(Nir)
of a regular company or a company that's not selling cyber weapons to governments. It's like, okay, what should we focus on? Should we focus on this arbitrary, stupid, zero day that doesn't involve us, or should we just do the fundamentals, just keep shoveling the shit, right? And the answer is fundamentals.
0:07:25
(Nir)
Focus on the fundamentals, because this kind of exotic stuff, they're probably not gonna get you. And again, you can't cover all bases, but if you build a program that's fundamentally sound, you're gonna be in a good place.
0:07:39
(Nir)
So that's number one lesson.
0:07:40
(Ganesh)
So that leads quite nicely to talk about your team. So you just talked about keeping people focused, keeping the eye on the ball, building teams, and security teams today have an overwhelming amount of data points to look after and attack vectors and all these other things, and they need to stay fast and efficient.
0:07:59
(Ganesh)
You're a CISO of a global fintech company. What are some of the biggest challenges that you face when dealing with all of that noise and keeping your operations cost-effective?
0:08:07
(Nir)
First off, it's really hard to do cyber today. There's the data explosion, there's an infrastructure explosion. When I started off in Rapid, I used to say, I used to love saying that, I'm like, if you're multi-cloud, then you're a sucker.
0:08:20
(Nir)
And today I understand that, I was fucking naive. I was just naive, because if you're a small company, you got AWS, you're like, hey, look at these guys. Like, no, you just have a small company. If you're a global company and you bought some companies and you got a global presence and you're multi-cloud
0:08:34
(Nir)
and you got on-prem and you got everything and you just secure it and properly configure it all, and that's really, really hard to do. And then you get breaches and you got problems, which is by the way, going back to the money, not a bad thing, is it?
0:08:46
(Nir)
Like, as long as I don't get breached, the fact that there's breaches in cyber, it's an unpleasant truth to say, but if your career is in cyber, and there's a lot of cyber stuff happening, then that's not a bad thing for you.
0:09:00
(Nir)
Imagine there wasn't, imagine nobody gets hacked anymore. Like, I'd get fired on the spot. Look at all these dumb jokes I make. I'd probably be the first one to go. So, it's hard to do, first off, and the way to do it, you gotta do a number of things. First off, you gotta
0:09:17
(Nir)
partner with RightPeak because it's about vendors and yeah, I'm in the GlobalDots conference so obviously I gotta say, work with companies like GlobalDots, you know, we work with them for instance in the lab, you know, it was a game changer. You get a lot of knowledge that it's hard to retain and build internally and then you can learn from that knowledge and bring up the people who work for you. So I would say the key is, and this is something I strive to, good partnerships, bring in some
0:09:48
(Nir)
A players, some really good experienced people and then bring in a lot of less experienced people that are very hungry to learn and work hard that will learn from the partners and the A players and become A players in the future. And I'm a proud stepping stone. Like I got people who worked for me who became CISOs, who became security managers, IT managers, CIOs, whatever. I'm happy that I gave them two, three, five years of their career and I was their stepping stone and they leveled up with me. They
0:10:17
(Nir)
did a lot of impact and moved on. I like it. You know, this is a marriage. This is an open relationship. You know, like we're working. That's what's important. I've been rapping for a few years already. When I was able to mix it up with the seniors, juniors, and the good partners, we were killing it.
0:10:36
(Nir)
We were just delivering like crazy. We did a lot of cool, innovative stuff. When I didn't know how to do that, maybe I packed too much A players and not enough juniors who were hungry or maybe I didn't get the right partner in the right time, then it started internal politics and fighting and all that stuff and then work slowed down and thankfully we didn't really get impacted operationally
0:10:56
(Nir)
because a lot of times I've been in companies that have led to a breach or to an operational incident. So thankfully it hadn't led to that, but it's not good. You know, so I think that's the secret. That's what I always strive for and that's why I advise anybody listening
0:11:08
(Nir)
to find the right mix for them, partners, seniors and juniors, mix it up and get to the work going.
0:11:14
(Ganesh)
That is great advice and I highly advocate taking on juniors that don't appear to have the right credentials for it, because some of the most successful people I've had in my teams in the past have been people that were sort of unhirable
0:11:29
(Ganesh)
by other people, but they just showed so much dedication and so much love for the topic and keen to learn that they then, like you say, used me as a stepping stone and went on to be way more intelligent than me.
0:11:41
(Nir)
100%. I've got to say that one of the best cyber professionals I've ever met was a chemist who thought he was a stand-up comedian and he's amazing. So you know, you can argue that guy's unhirable and you can't even interview him for a podcast, but you should edit that out. That's one of those dumb jokes that you edit out.
0:11:58
(Ganesh)
I hear that he's a total legend, so don't worry about it. And on the note of the bad guys, you know, we always have to salute those people because they've kept us in business for, you know, good 30 years and they will continue to keep us in business. So, big shout out to all the bad guys out there
0:12:16
(Ganesh)
who make our lives possible. Yeah, just don't hack us.
0:12:19
(Nir)
We love you, you're far away. We like you, you're far away. Just hack somebody else. But yeah, keep doing what you do.
0:12:25
(Ganesh)
We'll keep doing what you're doing somewhere else. Yes, absolutely. So you're a CISO, you're at the front line of this. We have a new world coming with AI advancements and new regulations coming in and old regulations going out,
0:12:42
(Ganesh)
as it would seem, on a yearly basis. Where do you see the market heading in the next five years in both terms of sort of attack and defense?
0:12:52
(Nir)
You know, the sad truth is that the market is very, very slow. You know, because, you know, some of you see, like, oh, the new zero trust super duper AI-based thing, and ultimately all the companies still have VPNs, right? They don't even do the trust, they have problems implementing MFA, and that's why ransomware is so prevalent. It's so hard to deal with technical debt. So the truth is where I see the market, and by the way, I think I read somewhere from Zscaler's last training calls that they say their
0:13:21
(Nir)
biggest competitor is adoption. It's not even like somebody else, it's just like not enough people are buying their tech. So I'm saying, we as early adopters, people who, you know, as tech nerds, we love to think like, oh, what's the next big move? And it's not how the world really works. There's a lot of technical debt, and I think AI could be the solution to that. It could really be the solution to that, because there's just never enough working hands. So I think what I'm excited most about
0:13:50
(Nir)
the future is getting more, all this agentic approach is just getting more help doing the and getting rid of technical debt, then moving forward to the next thing. Again, it's like the invention of the washing machine. You know, it's like finally I can wash all my dirty clothes and I don't have to go to the stream
0:14:11
(Nir)
and kind of clean it on a rock. So I think that will be the biggest change, that we can finally get to baseline. Get to baseline, I think that if you look four or five years from the future, you'll see more companies at baseline, which sounds funny, right?
0:14:27
(Nir)
Like have a WAF, have like a zero trust access solution, you know, have good monitoring. It's like, yeah, but we were talking about it for 15 years. Nobody can implement it, it's too hard, it's too hard. But now finally, you have like a super brain that can do it. I think another byproduct will be that the market
0:14:43
(Nir)
will be full of much more lazier people. Like, just, you don't have to work hard because you got, you know, 17 PhDs in your pocket, and then you've got the technical level is going down, and it's a great opportunity for anybody who likes to work hard. It doesn't matter if you're a chemist with dad jokes, or whatever, an artist, or maybe
0:15:05
(Nir)
you study computer science. If you're willing to do the work, and not just rely on AI, you're going to have a lot of value in the market moving forward. So I think this is a great, there's great opportunities here. That's where I see it. I don't see anything game changer. I don't see any new like network protocol being invented or anything like that.
0:15:25
(Nir)
Like networks have stayed the same for, you know, decades. And they'll probably stay the same, especially with AI. Maybe the quantum computing revolution will change that. But networks for the near future are probably going to stay in existence.
0:15:38
(Ganesh)
I resonate highly with that conversation because working for a company that is highly innovative, we get technologies like six years in advance, but then they're not ready in Europe. So things that will sell in Israel and be getting highly adopted,
0:15:53
(Ganesh)
forget about it in Germany, in the UK, you know, it's just like moving the needle is super, super slow. So I resonate with that.
0:16:01
(Nir)
Yeah, a hundred percent. It's always eye opening when you go to conferences and you meet CISOs like big American corporations. They're like, oh, so which EDR do you use? He's like, oh, we're still on antivirus. It's like, what is that? And it's like, you know, stuff like that.
0:16:13
(Nir)
Or like the basic, and again, if you look at the innovative companies, they're innovative 10 years ago and they're talking about we need more adoption. It's not like, you know, the competitor is killing us. It's like the whole market is just scratching the surface. And that's the reality, you know? And if we go back to attackers, that's why,
0:16:32
(Nir)
you know, the metaphor for cyber I love is that joke of two people crashing the jungle, the tiger starts chasing them, and one of them puts on his running shoes. And his friend's like, you're never gonna outrun a tiger.
0:16:42
(Nir)
He's like, I don't need to outrun a tiger, I need to outrun you. Yeah, right. So that's what we're seeing in cyber a lot. Like, why invest so heavily in like hacking a company that has the fundamentals and more advanced controls. We got so many companies that
0:16:58
(Nir)
have open ports, no controls at all. Just you know it's free arrangement.
0:17:03
(Ganesh)
Makes perfect sense. Last question we always like to ask everybody who comes on the podcast is the DeLorean question which is if you could go back in time and give yourself one piece of professional advice, what would that be?
0:17:16
(Nir)
What I would say to myself is take more risks. You know, when early on in your career you feel kind of inadequate, you know, a lot of people, especially me going into chemistry, I had imposter syndrome. I'm like, oh my God, they're going to discover me. I'm just a clown. You know, I'm just a clown. You know, and it's something that took me years to get over.
0:17:35
(Nir)
I still know my place, right? Working with these geniuses, you always remember like, you know, not as smart as them, but I think the number one advice is take more risks. Like, you know, go to management, tell them what you think, tell them how you can accomplish them, give them value and don't be frustrated sitting in my chair like, oh, this is so stupid. And you know, this is a lot of juniors having companies, especially junior engineers or junior screen prediction. They're like, this is so dumb. This is going to get hacked. This is
0:17:59
(Nir)
bad. And yet you don't come with a serious proposal how to deal with it. You just stay with the frustration and you're basically fearful. You don't want to be turned down. That's what it is, it's fear. So instead of looking at some guy who doesn't have fear and feeling jealousy or feeling like, oh, my boss is an idiot, why don't you write a good proposal and go over to him and try to So I think that's the biggest regret, stuff I haven't done. You know, at times I haven't been with a serious proposal,
0:18:30
(Nir)
but just stayed with my, you know, kind of my frustrations. And that's something I really tried to focus on. If I have a good idea, you know, just like I said, you get a good partner, you get a junior and a senior, and you can just implement it. That's amazing where we live in.
0:18:44
(Nir)
If you don't know what to do, ask the 17 PhDs in your pocket, they'll help you out. So that's amazing where we live in, but even like 10, 12 years ago you could already have been there, you could have already done that if you just opened and think about that. So yeah, it's hard, it's easy to say now and it's really hard to think about that when you're just starting. That's what I would do.
0:19:02
(Ganesh)
Not often you hear a CSO say take more risks, so I like that. Nir, you've been a total pleasure, really thank you for your time today. Any closing words for us?
0:19:16
(Nir)
Yeah, I really advise you guys to give alcohol to your guests. Like there's an open bar here, you know? I'm like, I'm very boring usually, actually. I'm like very boring and inhibited. Again, thank you guys.
0:19:27
(Nir)
Thank you for the opportunity. I really enjoyed it. I, this is the few episodes. Hopefully you'll get this podcast out there because you're getting good people asking good questions and in short form.
0:19:38
(Nir)
So, you know, it's exactly the right home or whatever and you know the more of this the better. So thanks for having me.
0:19:45
(Ganesh)
Thank you so much, total pleasure Nir. This episode was produced and edited by Daniel Ohana and Tom O'Morvinson, sound editing and mix by Bren Russell. I'm Ganesh The Awesome and if you're ready to deep dive and start transforming the way you approach cloud practices and cyber security strategies then the team and myself at GlobalDots are at your disposal.
0:20:06
(Ganesh)
We are cloud innovation hunters and we search the globe looking for the future tech solutions so we can bring them to you. We've been doing it for over 20 years. It's what we do. And if I don't say so myself, we do pretty well.
0:20:18
(Ganesh)
So have a word with the experts, don't be shy, and remember that conversations are always for free.