20-Minute Leaders
“They are using our software to play war games within their infrastructure.”
Guy Bejerano wanted a simple solution for simulating cyberattacks, and it bothered him that one didn’t exist - so he co-founded SafeBreach
In his time as a CISO, Guy Bejerano wanted a simple solution for simulating cyberattacks, and it bothered him that one didn’t exist. He wanted to fix that gap in the industry, so he co-founded SafeBreach, where he is CEO. Bejerano shares that SafeBreach’s software is a layer of truth for organizations who are hoping their security will work well against threats but can’t really be sure. Though he knew the change he wanted to create in the mindset of the cybersecurity industry, he explains that he didn’t have much of a plan for starting a company. By working with CISOs and studying market needs, the SafeBreach solution was developed. Bejerano describes their software as a way for organizations to play war games in their systems. He says the journey is very different from what he expected, but he is passionate about improving cybersecurity and helping young entrepreneurs.
Tell me about your own interaction with the security world. What draws you into it?
What drew me into the security space, it was by accident. I had an accident that took my course off going into the pilot course in the Israeli Air Force onto security. I fell in love with this space that was evolving back then in the ’90s. I built a red team in the Air Force. Through that, I grew into a few CISO roles and built SafeBreach about eight years ago.
What were some of the key insights from those journeys that led to the formation of SafeBreach?
The CISO's role is very challenging. I saw my role as the person that needs to translate a lot of technical data into business data. And the business realization of: What is our real risk? There was nothing in the market that really helped me to do that. A lot of the challenges were to convince the large enterprises to move their critical data onto our platform. We did that through proving our worth in security by actually showing behind the curtains and really being transparent of what you have and letting them challenge you.
Then I literally hit a glass ceiling because there was nothing in the market that could help me do that. We tried to build some homegrown solutions, but none of them was scalable enough. I brought in a few white hat hackers. After they showed me four ways to hack into our system and get confidential information, I asked them, "Is there a fifth scenario? Is there a 10th scenario or more?" One of them realized what I'm trying to do, and he actually connected me to my co-founder.
If we are looking at the world eight years ago and at this idea of attack simulations, where is the world from a market education perspective?
There are a lot of unknowns in what is supposed to be trivial. Any average organization today, if you will ask the CISO if they are susceptible to an attack that happened a few months back, if they are not using anything like SafeBreach, there is no way for them to know. They will be guessing. What we've introduced to the market is, for the first time, the ability to really test yourself against something that might happen and using that data to understand how good your defenses are.
The latest announcement by the US government actually embraces continuous validation testing as part of the standard for an enterprise to really increase their security efficacy and reduce risks. These are concepts that we established a few years back and now are becoming more and more acceptable by the industry.
Take me back eight years. How do you build this company from the ground up?
I can tell you that we had a plan in advance, but that wouldn't be true.
We actually partnered with a great VC. We started to really listen to the market and the market needs. I decided the enterprise market is our main focus. Through listening to the needs of their CISOs, we started to build a platform. At the beginning, we focused only on the red side. And then we realized that the blue side is very important as well because it's not just showing an organization that they have gaps, but actually helping them to mitigate the gaps would be critical.
Walk me through the traditional use case of what an engagement with SafeBreach would look like. What actually takes place from a company perspective?
Basically, we've built a software solution; it's fully automated. We would bring in the attack to an organization in a controlled way. They are using our software to really play war games within their infrastructure. It doesn't impact your production. We listen to the controls, and we try to understand: What did they see? What did they try to do? How did they try to prevent our action? Did they detect it? Did they send the right alert? We then compile all these into one image that the CISO gets that shows them what's their level of prevention and detection and how much they missed. We take all this information and look back to the security controls so they can modify their configuration based on our attacks and make sure that next time someone launches a similar attack, they will either prevent it or detect it.
In what way do you imagine that your customers are positioning SafeBreach in their cognitive landscape?
We are literally the layer of truth; the actual of what will happen if they will do nothing. What's the cost of avoidance? We look at it from two different angles. One would be the security vendor and the control validation. People talk about an average of 70 to 100 security tools used by the enterprise today. The level of complexity is just enormous. They have no real way to really cope with the level of their complexity. We show them what's the efficacy of all these controls. Sometimes it's a configuration matter. Actually, most of the time. Sometimes it's a blind spot that the specific vendor has. Then our customers can go to that vendor and ask for a resolution.
The other side is coming from the threat landscape. What we've compiled into our software are all the threat actors. We will provide them within the platform and they can actually know exactly how you will cope with them when the time comes. CISOs then take this information into the boardroom and actually talk about real risk.
If you are looking at your own journey, where do you see yourself as a part of your own personal vision?
I'm enjoying myself because it's all new. It's literally trailblazing. It's going against the conception of what I believe is a broken industry. I'm trying, and I can see today I’m succeeding, to change the mindset of the industry. I really love the fact that we've managed to make a change in something that was, personally, a pain point as a CISO. We've managed to build a solution that provides a simple answer.
Do you see yourself staying in security as a life mission?
I've been in security for my entire adult life, and I definitely see that as a mission for me. If something is not working and if it's broken, and people for years have accepted that, that really bugs me. That's where I find my real drive. Besides that, I super enjoy everything around building a company.
On your entrepreneurial journey, were there things that you really didn’t expect?
I'd say plenty. The journey turned out to be nothing that I thought of in terms of expecting the highs and lows. Building a company has a lot of aspects that don't relate to security or the security market that you need to actually learn and grow into. My personal growth also is something that I really enjoy in terms of being a first-time CEO.
What is something conceptually that you would advise college students to consider as they are approaching this journey?
I work with young entrepreneurs in multiple programs and share my scars and my experience. First of all, do something that you are passionate about. It's a tough journey; it's a long journey. Second, surround yourself with people that you trust and people that are positive. The third part is don't get excited or depressed too often about the highs and lows. It's a roller coaster. Take it down a notch in both ways.
Michael Matias, Forbes 30 Under 30, is a Venture Fellow at Innovation Endeavors as well as investment Venture Partner at Secret Chord and J-Ventures. He studies Artificial Intelligence and Human-Computer Interaction at Stanford University, and was an engineer at Hippo Insurance. Matias previously served as an officer in the 8200 unit. 20MinuteLeaders is a tech entrepreneurship interview series featuring one-on-one interviews with fascinating founders, innovators and thought leaders sharing their journeys and experiences.
Contributing editors: Michael Matias, Megan Ryan