Ofer Klein: Security’s Role in Startups and Beyond
Share
Earlier this month we announced our investment in Reco, as part of the company’s first external financing. We participated in the $30M round led by Zeev Ventures and Insight Partners and are thrilled to be working with CEO Ofer Klein and the rest of the Reco team.
Today we sat down with Ofer to discuss the security landscape and how startups should be thinking about the most important trends affecting the sector.
Interview
Ofer, thanks for taking the time to speak with us. Given you and your team’s backgrounds as cyber security experts, tell us what you guys think are the key security-related risks that you see startups struggling with. What are some of the emerging threats you’re seeing in the security landscape?
Thank you for having me. There are various security risks we can talk about, such as Malware, Phishing, Password Attacks, etc. However I believe many of a company’s latent security risks are being formed from within. Companies are working from home, employing remote teams across the globe, and are increasingly relying on digital tools to share information and ideas internally. This makes work faster and more efficient. It is a new wave of agile teamwork, and it is supported by tools like messaging apps, shared cloud file storage, and collaboration platforms. With 45% of all business collaboration happening outside of email, it has become clear that Collaboration Security risk has emerged as an important area of focus for CISOs.
Within this area, we support three main use cases: GRC (for example knowing the entire data flow for sensitive information), Data Security (for example ensuring that business justification is behind any data access and sharing to prevent data loss), and Insider Risk. For example, these risks include when a third-party user stops working with an organization but retains access to sensitive files and permissions.
How do you think those risks translate to business impact and ultimately affect the P&L of the business?
Legacy security software is not equipped to deal with collaboration tools because of their dynamic, always changing nature. Collaboration tools are built around enabling the business, whereas legacy security tools rely on static rules and continuous maintenance. This dichotomy creates a push/pull dynamic that results in security becoming a blocker for the business, and ultimately strains a company’s output.
Legacy security tools require constant management of policies and rules. New rules have to be manually added, and employee actions are often manually approved. These manual processes are bottlenecks to the business flow, and they cause the business to not move as quickly and act as dynamically as it needs to effectively serve its customers and maintain competitive advantage over competitors.
How do you think startups should think about security relative to larger companies? What are some of the similarities and differences in the types of security investments that different sized companies should be making?
Startups typically have lighter compliance requirements than public companies. For example they have less sensitive information and data. Having said that, if a startup sells a product or service to a large enterprise, they need to meet certain compliance and security requirements.
The most sensitive data that startups have is their customers’ data. In order for customer data to be secure, the company in possession of it needs to be secure. The challenge startups face is how to spend the minimal amount of resources and capital to effectively protect that data and comply with what their customers (and sometimes regulators) need. This is why startups avoid buying legacy tools, and instead look for software that is easy to onboard and maintain.
How should companies think about the likelihood of different departments within a company, like finance, being more or less subject to security risk? How does that affect the way the department is run?
Collaboration tools have become the norm and teams are seeing the benefits of increased efficiency by using them. That means companies need to be aware that departments have sensitive data flowing through various systems, and the risk does not end once the data is shared from one person to another. That data is in a collaboration tool, which can potentially be continuously accessed and shared.
What factors should a company consider when assessing whether or not to procure a new security tool?
The first factor should always be defining what is the value of the tool. That value then needs to be considered within the broader goals of the business. One of the main considerations needs to be how a new security product can help a business run faster/more efficiently while maintaining effective security.
Next, companies should consider the level of effort and resources needed to maintain the new security tool. What is the bare minimum level of effort that can be dedicated, while still receiving the value from the tool. What resources are being used to maintain it? And even more crucially, what is the expertise level needed to run the system?
We hear more and more from security managers that they want to implement systems of accountability for the non-security, business team members. Making business teams accountable for certain security risks is a necessary “shift left” as it relates to collaboration security specifically. It represents a decentralization of security, which can decrease risk by increasing employee awareness.
You mention the “shift left” movement. How do you think it more broadly, and the process of building more security into products earlier in the development life cycle? What does this mean for founders as they oversee the creation of new products within their company?
Ofer Klein: Shift Left is accelerating the streamlining of security into day-to-day workflows. For example, look at what Snyk is doing for R&D.
The shift left has to be natural enough to be adopted. Going back to my previous answer, not everything can be decentralized to the employees. For example, I don’t see how protecting against a network attack could be streamlined to non-security, business team members. But collaboration security, on the other hand, has events created continuously by non security team members, both internally and externally, which means it can be done in a more secure way. They have the context and access to help identify and avoid certain types of incidents. On the other hand, if they are not aware about what is right and what is wrong they will continue making mistakes.
More than 90% of security events in collaboration security are due to human error. For example, leaving permissions open to former vendors, or customer success managers sharing sensitive customer information on the wrong Slack channel.
If employees are given context of security events, and if security teams make it easy for them to understand what happened, why they should care, and what they can do to stop them from happening in the future – this represents the shift left for collaboration security.
I believe it is extremely important to first understand whether a specific type of security is relevant for Shift Left before encouraging it. If it is, then it can be a fundamentally important part of a company’s security posture.
To learn more about Reco, check out their website and open jobs.
Earlier this month we announced our investment in Reco, as part of the company’s first external financing. We participated in the $30M round led by Zeev Ventures and Insight Partners and are thrilled to be working with CEO Ofer Klein and the rest of the Reco team.
Today we sat down with Ofer to discuss the security landscape and how startups should be thinking about the most important trends affecting the sector.
Interview
Ofer, thanks for taking the time to speak with us. Given you and your team’s backgrounds as cyber security experts, tell us what you guys think are the key security-related risks that you see startups struggling with. What are some of the emerging threats you’re seeing in the security landscape?
Thank you for having me. There are various security risks we can talk about, such as Malware, Phishing, Password Attacks, etc. However I believe many of a company’s latent security risks are being formed from within. Companies are working from home, employing remote teams across the globe, and are increasingly relying on digital tools to share information and ideas internally. This makes work faster and more efficient. It is a new wave of agile teamwork, and it is supported by tools like messaging apps, shared cloud file storage, and collaboration platforms. With 45% of all business collaboration happening outside of email, it has become clear that Collaboration Security risk has emerged as an important area of focus for CISOs.
Within this area, we support three main use cases: GRC (for example knowing the entire data flow for sensitive information), Data Security (for example ensuring that business justification is behind any data access and sharing to prevent data loss), and Insider Risk. For example, these risks include when a third-party user stops working with an organization but retains access to sensitive files and permissions.
How do you think those risks translate to business impact and ultimately affect the P&L of the business?
Legacy security software is not equipped to deal with collaboration tools because of their dynamic, always changing nature. Collaboration tools are built around enabling the business, whereas legacy security tools rely on static rules and continuous maintenance. This dichotomy creates a push/pull dynamic that results in security becoming a blocker for the business, and ultimately strains a company’s output.
Legacy security tools require constant management of policies and rules. New rules have to be manually added, and employee actions are often manually approved. These manual processes are bottlenecks to the business flow, and they cause the business to not move as quickly and act as dynamically as it needs to effectively serve its customers and maintain competitive advantage over competitors.
How do you think startups should think about security relative to larger companies? What are some of the similarities and differences in the types of security investments that different sized companies should be making?
Startups typically have lighter compliance requirements than public companies. For example they have less sensitive information and data. Having said that, if a startup sells a product or service to a large enterprise, they need to meet certain compliance and security requirements.
The most sensitive data that startups have is their customers’ data. In order for customer data to be secure, the company in possession of it needs to be secure. The challenge startups face is how to spend the minimal amount of resources and capital to effectively protect that data and comply with what their customers (and sometimes regulators) need. This is why startups avoid buying legacy tools, and instead look for software that is easy to onboard and maintain.
How should companies think about the likelihood of different departments within a company, like finance, being more or less subject to security risk? How does that affect the way the department is run?
Collaboration tools have become the norm and teams are seeing the benefits of increased efficiency by using them. That means companies need to be aware that departments have sensitive data flowing through various systems, and the risk does not end once the data is shared from one person to another. That data is in a collaboration tool, which can potentially be continuously accessed and shared.
What factors should a company consider when assessing whether or not to procure a new security tool?
The first factor should always be defining what is the value of the tool. That value then needs to be considered within the broader goals of the business. One of the main considerations needs to be how a new security product can help a business run faster/more efficiently while maintaining effective security.
Next, companies should consider the level of effort and resources needed to maintain the new security tool. What is the bare minimum level of effort that can be dedicated, while still receiving the value from the tool. What resources are being used to maintain it? And even more crucially, what is the expertise level needed to run the system?
We hear more and more from security managers that they want to implement systems of accountability for the non-security, business team members. Making business teams accountable for certain security risks is a necessary “shift left” as it relates to collaboration security specifically. It represents a decentralization of security, which can decrease risk by increasing employee awareness.
You mention the “shift left” movement. How do you think it more broadly, and the process of building more security into products earlier in the development life cycle? What does this mean for founders as they oversee the creation of new products within their company?
Ofer Klein: Shift Left is accelerating the streamlining of security into day-to-day workflows. For example, look at what Snyk is doing for R&D.
The shift left has to be natural enough to be adopted. Going back to my previous answer, not everything can be decentralized to the employees. For example, I don’t see how protecting against a network attack could be streamlined to non-security, business team members. But collaboration security, on the other hand, has events created continuously by non security team members, both internally and externally, which means it can be done in a more secure way. They have the context and access to help identify and avoid certain types of incidents. On the other hand, if they are not aware about what is right and what is wrong they will continue making mistakes.
More than 90% of security events in collaboration security are due to human error. For example, leaving permissions open to former vendors, or customer success managers sharing sensitive customer information on the wrong Slack channel.
If employees are given context of security events, and if security teams make it easy for them to understand what happened, why they should care, and what they can do to stop them from happening in the future – this represents the shift left for collaboration security.
I believe it is extremely important to first understand whether a specific type of security is relevant for Shift Left before encouraging it. If it is, then it can be a fundamentally important part of a company’s security posture.
To learn more about Reco, check out their website and open jobs.