Episode 31 General Full Transcript

The Future of Security Leadership with Sivan Tehila

Sivan Tehila  ·  May 20, 2025

Speakers: Joe Patti (Host), Adam Roth (Host), Sivan Tehila (Guest)
Joe Patti00:05

Welcome to the Security Cocktail Hour. I'm Joe Patti.

Adam Roth00:09

I'm Adam Roth.

Joe Patti00:10

So Adam, we have to get right to it today. No banter, no joking or anything. We have a very busy CEO on. I think this might be our first CEO, so it's pretty cool.

Adam Roth00:23

Okay, let's go.

Joe Patti00:25

Okay, let's say something.

Adam Roth00:28

Look, I mean, listen, this is a long time in the making, right? You know, a little bit of mea culpa, but I'm so happy we're all here. And I'm looking forward to the next time I get to spend time with Onyxia and do some trial flights.

Joe Patti00:48

Oh, that's right. Well, we have the CEO of, is it Onyxia, Sivan? Is that the right way to say it?

Adam Roth00:56

Oh, I said it wrong?

Joe Patti00:57

We have the CEO of Onyxia, Sivan Tehila. Sivan, welcome. It's great to have you on.

Sivan Tehila01:03

Thanks for having me. Happy to be here.

Joe Patti01:07

Yeah. And I think what Adam was referring to was back a little while ago, I think, I think you connected at one of your events. I think Adam, Adam like texts me, he goes, I'm flying an F-35. I'm flying an F-35. And I said, God, I hope it's a simulator and not the real one. Just I haven't seen him drive. Anyway, so glad to have you on. So why don't you tell us a little bit about what you do, what Onyxia is. And from what I understand, from what you had said, you made an interesting jump. You were a CISO, you were a security executive, a leader on the practitioner side, and now you're the CEO of a startup. And that's a big jump that not a lot of people make. So I'm kind of interested to hear a little bit about that, if we could.

Sivan Tehila01:58

Sure, happy to share my story. So I started my career as a cybersecurity officer in Israel, and I was basically a CISO myself. I was a CISO of the Research and Analysis Division. And after I retired, I started to work with other companies and to work closely with CISOs and consultants. And I realized that we have still one problem that no one has solved good enough yet. And it's really the way we're managing security programs. And I'm sure I'm going to talk a lot about this today. But to your question, I think I got to the point where I really was excited about solving big problems. And before I started Onyxia, even though I had this idea in my mind for quite a while, I worked in another startup and that was the first time I got exposed to how amazing it is to actually build something from scratch and shape a whole new industry. Back then it was Perimeter 81 and in 2019 we started to develop our remote access solution, Zero Trust remote access solution. Now everyone knows what Zero Trust is, but back then it was a very new concept. And I remember myself pitching the company at a conference in 2019, and I had a slide behind me saying that in 2020, 75% of the world will work remotely, and then a few months after. Wow.

Joe Patti03:42

You have prophetic powers too. That's impressive.

Sivan Tehila03:45

I still have this picture of me standing on the stage, and I have this slide behind me. It was July of 2018 or 2019, and then a few months after, everything was shut down. And since then, I think everyone knows what Zero Trust is and how important it is to secure the remote workforce. So that was a very exciting journey. And I know that we're kind of like shaping a new industry now. There is a whole new concept of cyber defense planning and optimization and mesh architecture and problems that we're solving. And I'm very excited to be at one of those companies. We're basically shaping this all new category and helping CISOs manage better their security programs and maximize their capabilities of their security stack. Um, and, and more and more things that we can help with.

Adam Roth04:41

So since you were able to see the future, were you able to add that feature to your product? Because I really want to know what the lotto numbers are for tonight.

Sivan Tehila04:50

You know what? We actually have something that like, if you, if you're looking at our website, our slogan is from reactive to proactive, to predictive. And the way we're able to predict the future is actually by a help, like we have the ability with our AI capabilities to predict when a company is not going to meet their SLA for a specific API in their security program, and we can notify them. And that's how we predict the future. So yes, we're actually able to do that.

Joe Patti05:27

Well, that's very cool, and I certainly hope it works better than Adam's predictive capability. We've been playing the lottery for about three years, and every week he tells me, we're going to be winners this week. I picked winning numbers, and that hasn't worked out yet.

Adam Roth05:41

Let's be honest. I'm going based on luck, and I'm not going based on intelligence. If I was going based on intelligence, I'd probably try to play more numbers and play more tickets with more numbers. There are people out there that win a lot more than I do. We'll build a dashboard for that, Joe. We'll make our own company. We'll do predictive analysis, Volato.

Joe Patti06:01

That would be a waste of time. You would have no chance on the lottery. However, in security, it is very possible to do things smarter and to use some intelligence to get it working. So, Sivan, it's a really interesting approach because I know that having led a security team, one of the things I always say that's hard and that's a lot of the art of it is, you know, you typically have a lot of stuff, whether you inherit it or you buy it, you know, whatever, you have all these things. And, and knowing just what the right mix is, is, and we've talked about it before, it is so hard and where you should be spending your, your time. Um, it's, you know, it's really difficult. And especially when you're being pulled in a lot of directions, you know, everyone's got a different opinion about what's important, what isn't, uh, you know, I used to always dread this, something with someone comes into the office or says, Oh, they just reported, drop everything and fix that right this second, because that's the most important thing. Not quite, but it sounds like you're dealing with a lot of that world.

Sivan Tehila07:09

Yeah, I mean, it's true. I think CISOs today are really having major challenges when it comes to managing their security stack. We see that in average enterprises have between 30 to 50 products in place. And I think at some point, like as a CISO, you're losing track. Like you don't know what's doing what, where you have overlaps, redundancies. Often there are some things you can consolidate and it's hard to keep up with trends in the market, features of all of the vendors that you're using. And from that perspective, the way we address it is by allowing CISOs to understand exactly how each of their products can help them achieve the SLA for specific APIs and to manage the data and make decisions accordingly. One of the features we have is a really nice map. We call that security stack map. And as soon as CISOs are integrating their security products to Onyxia, we're automatically generating a map that tells them which domains they cover at least and like additional aspects that really help them get this clarity. And on top of that, they're getting AI insights that can help them understand where they have overlaps, redundancies, new releases of specific vendors, and how they can maximize the budget and their capabilities to make sure they're aligned with our security program, which obviously aligned with the business objectives. At the end of the day, we're all here as security experts to serve the business objectives. And that's something we always need to keep in mind. And we often forget when we I mean, I have all this chaos of all these different products in place and like we need to always remember, go back to basics, like why we're here, what are we trying to achieve with each one of these products. And when it's automated and you have this place where you can get clarity and understanding of all the aspects of your program and to be able to connect all the dots, it's very, very helpful.
And it's also very impressive for and management when CISOs can really come up with all these reports and explanations of all the things that he has in place, easier to justify budget, easier to communicate with others in the organization. So I think that's something that, I mean, soon we won't be able to live without this.

Adam Roth09:51

So is the idea to have a single dashboard that allows that C-level person, usually the CISO, to be able to come up with factual information without having to go really deep into the woods? Is that how I understood your product?

Sivan Tehila10:06

Yeah. I mean, so if I'll need to describe it in a few sentences, I would say that we're providing a core solution for CISOs and to really help them understand their security program to be able to measure the performance of their program, to maximize the capabilities of their security stack, and to ensure compliance and have a better way to report on their activities. And my dream as a CISO was to be able to wake up in the morning and like I'm asking Alexa, hey Alexa, how is the weather today? I really wanted to be able to go to one place like Onyxia and ask a platform like this, hey, Onyxia, what are the top three things I should be afraid of today? What are the top three things I should focus on today? And get to understand what are the actions I need to take and prioritize it and not just like start with a lot of chaos and logging into all these different dashboards. Onyxia is really a one place where CISOs can go and have their coffee in the morning and get all the insights they need. Or, and we know that sometimes this is also happening. If someone is waking you up in the middle of the night and ask a random question about our like detection and response strategy, like you really have this place where you can get, um, insights that are data-driven, uh, without starting to aggregate data from all the different tools that you have in place.

Adam Roth11:38

Two things I want to point out, and I'm sorry, just one side, Joe, one, you just triggered everybody's Alexa. Let's listen to this. I was wondering if you had one too. And number two, that would be really cool. If you integrated Alexa with your product and said, Hey, Alexa, blah, blah, blah. You know, give me the, give me the, uh, the hit for, you know, Onyxia. So that would be cool.

Sivan Tehila12:04

Yeah. I mean, we're soon releasing many cool new features that are AI driven. And I think what's interesting about our platform is that when we started, it was mainly about assessing the programs and KPIs and getting data-driven insights, but we realized that we can do so much with the data and we have a very unique way to map the data we're aggregating. We're actually just now filed a patent application for the way we're basically structuring the data. And we can do a lot with this. We can help you understand where you have gaps from one product to another from a coverage perspective, we can help you, as I mentioned, with predictions and forecasting, and we can even provide you with the ability to calculate, like we have a what-if calculator where you can add a product and see how it's affecting your environment. You can remove some KPIs and see how your program is changing. So it's very, very dynamic. And it's very cool. And I think it's going to be really the next generation of the traditional, maybe even GRC tools that we're using today, because we're not looking to replace any GRC tool. But I think that our approach to risk is really how we can help companies improve their performance in order to reduce risks. And not just to leave you with all the information you probably already know and quantify a risk that, okay, what's now? As a CISO, what are you gonna do with this information? So we're taking it to the next level with all of our capabilities. One question you didn't ask me, and I'm surprised, is where the name is coming from, where the name Onyxia is coming from.

Adam Roth14:05

Okay, I was actually wondering, but yeah. I think you told me and I forgot when I was there with you.

Sivan Tehila14:13

I just, I say the dynamics, but that's really why, like, so Onyxia, the name comes from the video game World of Warcraft. And Onyxia was a dragon, but he had also a human form. And the character could adjust based on the evolving environment. And what we're doing is to really allow CISOs to be very dynamic with our security program and adjust it as they go based on their needs and evolving environment.

Adam Roth14:42

I have a personal question to ask you. Are you a gamer? Tell me the truth.

Sivan Tehila14:46

I used to be. I used to be. And that was my favorite character. And all the inspiration, by the way, for the colors and some of the effects within the platform are basically from the World of Warcraft experience.

Joe Patti15:03

Oh, wow. Well, that's awesome.

Sivan Tehila15:05

Some CISOs recognize that. I mean, I actually have, right after this podcast, a demo with a CISO who immediately told me, is this Onyxia from World of Warcraft? And I was like, yeah. And often it happens, like CISOs know that. It's funny.

Joe Patti15:24

Well, I hope you don't get a cease and desist over that either way, but I'm sure you've checked it out. Well, you know, Sivan, it's interesting, you know, you talk about all these things gathering the information, you know, I've for years when it comes to, you know, security and metric stuff, I've always been dissatisfied with what I've had, because, you know, I always have people asking our stats come up with some metrics. And it seems like in security always, especially a long time ago, but even now, a lot of the metrics that you end up getting, I really regard not as security metrics, but really as operational metrics, like what's our coverage? How quickly are things being patched? Is everything, you know, are all the agents out there that need to be out there, et cetera? You know, did things happen that were supposed to happen? Those kinds of things. But, you know, it seems like there's always been a great difficulty in finding something that can translate that into, you know, real risk and real risk with the context against the threats you're facing and also, you know, what the needs of the business are. You know, I've always found that to be a huge, huge challenge.

Sivan Tehila16:38

Yes, I mean, I totally agree. This is a super challenging thing for any security leader. And when we started our journey, what we did was we basically spoke with 200 CISOs, and we were trying to understand how they're measuring their security programs. As I mentioned at the beginning, most of the CISOs are doing this very manually today. It's a very manual and time-consuming process. Most of the time CISOs are managing Excel sheets, right? I'm sure you're familiar with this Excel from hell with all the domains and the metrics.

Joe Patti17:19

I would never use such a thing.

Sivan Tehila17:23

And so we not only spoke with 200 CISOs, we actually collected a huge amount of Excel sheets to understand what are the top practices.

Adam Roth17:33

They gave them to you? I'm sure they scrubbed them. They scrubbed them.

Sivan Tehila17:37

Look, obviously it was anonymized, but it was a very interesting experience for us because first, there are best practices and there are some metrics that everyone needs to use. On the other end, every company is unique and you still have to have the ability and the flexibility to adjust the program per client, right? So what we did was we took all these KPIs or what we call CPIs, Cyber Performance Indicators, and we created a library. So when you onboard to the platform, you can decide, we have out of the box metrics and you can decide what's relevant for you. And it's like very easy activation, like one click. You're defining the SLA. We even give you the benchmarking because we were able to have this data. So we tell you what is the common SLA for your industry, and then you don't need to invent a number, right? Like most of the time, even if you have the metrics in place, you're never sure about the SLA you're putting in place, right? Is it right? Is it wrong? It's like 24 hours to resolve an incident. Is it okay? It's really, really hard. So when you have this place where you can activate this out-of-the-box metrics, get benchmarking for the SLA, it makes it way easier. And obviously, on top of that, you can map it based on different frameworks, and it gets very, very granular. But I think it's interesting to see that even very experienced CISOs find it very, very helpful because they know how to build programs, but it's a different way when you have the ability to compare yourself against other companies.

Adam Roth19:26

Yeah, because you're crowdsourcing, right? You're anonymizing the other clients on your platform, but you're able to crowdsource against other people's. That's pretty interesting.

Sivan Tehila19:36

Yeah, and it's super helpful. And I mean, things happen, right? Like you're not sticking to the same SLA all the time, right? Like sometimes there are some situations when you will need to adjust the SLA if you have a team change or like, I mean, some things need to be adjusted. So we allow you to do that in the platform and still be very aware of the risks you're accepting and how it's being managed.

Joe Patti20:08

I was going to say the benchmarking is really helpful. And you know, I haven't used your product, but I've used it in the past too. It is, you know, so helpful when you're going for budget or you're going to buy something, you need to justify it and say like, look, here's what our peers have. Here's what other people are doing. I'm not just making this up, although I do on occasion, but you know, not just making this up, but also when you don't want to spend on something and when you want to be able to, especially when you've been told, cut some stuff out, cut the budget, we need to get, get, get, get leaner, or we just have too much, like I said, we have too much stuff, knowing where you can take away from, uh, you know, safely is, it can be scary, even if you really know, know what you're doing, but having some data to back it up is, is very helpful.

Adam Roth20:54

So what I find interesting is, sometimes the subjective versus the objective and how you quantify and qualify certain things. Like certain EDRs or endpoint detection response, they came up with these confidence scores and things and these secret formulas of how they compare this to that. Sometimes it's hard to figure out how do we figure the value out of what the risk is for things that are kind of unique. And that's where I think sometimes the issue comes. Like, how do I figure out, okay, I have an EDR, I have a SIEM, I have this, I have that. What is the risk to my surface? Is it X amount? Is it that amount? Does one product help increase my security? Does another product decrease my security? Does my firewall give me more risks? And these are the things that we have to figure out, right?

Sivan Tehila21:53

Yeah, I mean, I totally agree. And that's the same thing I hear from many CISOs we're speaking with. It's really always about trying to use your very limited resources to manage all the efforts that you have. And often, you know, CISOs really need to, I think it's getting better. I mean, I think now with the And there is more awareness of management and boards like about security. So they're usually more supportive. But most of the time, it's really like the CISO against everyone else.

Joe Patti22:33

Even when it isn't. You're right. You have limited resources. We've talked about it on the show before, it's like, you know, when, when someone is trying to sell you that nice shiny new thing and it's, and it's great and you'd like it, um, whatever you think it might have value. Well, you know, that means you're not going to be spending money on something else. So that means your people are, you're going to have to pull them over to use it. And, you know, you may get some increase and stuff, but you know, things are, there are a lot of decisions to make and knowing, you know, again, where you need help and where you can take from, where you're actually good or overdoing things is something I would have loved to have, to have had for a long time. So that's very cool.

Adam Roth23:16

But let's be honest too, right? In the last couple of years, there was more compliance in legislative actions that require you to maintain a certain level of security. Or if you don't meet those levels of security and a breach happens, you can get serious fines. Now, state, federal, even some counties now have done that, right? In certain parts of the country of the US, you don't meet the level of security, you have a breach, you're getting hit with a fine.

Sivan Tehila23:54

Yeah, I mean, I can tell you that what really happened in the past year with the SEC really affected the market. I'm sure you know that and besides the fact that I mean, the new cybersecurity SEC A rule required companies to disclose incidents in four days, but they were also talking about disclosing security programs and strategies. And when the regulator is coming, you can't just show them Excel sheets. You really need to show data. You need to have the ability to show how you took all the actions in order to protect the company and even show progress over time. And it's not something that you can really track manually, because sometimes you really need to do a very deep correlation of the data behind the scenes to understand if you really meet your goals. And many companies really find this helpful. We have actually one company. It's a public company. And they reached out to us. We're new in the market, right? It's not like everyone knows us. But they really had a specific issue with the SEC, they came to audit them, and they were really diving into their cybersecurity program. So eventually, yeah, and they were okay. I mean, they passed this audit, but then the CISO was like, I don't want to handle that with this anymore. I have to have something in place for the next time they're coming because that could have been really, really bad if I didn't really have the ability to show them things and now we're progressing and we're growing and it's going to be even harder to track. So I think this is something that we hear often and this is what makes Onyxia a must to have platform in my mind, I mean.

Joe Patti25:52

To give everyone the background, within the past few months or the past year, whatever, the SEC has become not much more active. They've appointed themselves much of a cybersecurity regulator. They have regulation where if there is a material security incident, whatever that means for a public company, it needs to be reported within a few hours, a few days, whatever it is. And also, there's also the big elephant in the room, which is the SolarWinds situation where the CSO and others have been, are being sued, pursued, whatever it is, by the SEC for not doing a good job in security, not having a sufficient program and also not disclosing it. And CSOs are freaking out. And you know, one of the things is it's very hard to show that you have a sufficient program and that what you have, you know, nobody has a perfect program. Nobody has, nobody does everything. Nobody has a perfect. The trick is to get it just right. But getting it just right and being able to demonstrate that you have it just right, or even that you're competent and that you're doing well is incredibly challenging.

Adam Roth27:13

So one of the people in my community, I want to be careful what I say here, who works for a governmental agency, not at the federal level, who does audits, let's say, has told me that they're kind of, and I say it nicely, right, professionally, forcing him into the cyber world to be more cognizant and aware of these institutions and whether or not they're meeting certain requirements in a cyber form. And I think going back to what you were saying, Sivan, your product gives you that visibility into the domain to see whether or not you're in compliance. Now, I don't know enough about this and I'm not aware, but I don't think anybody has said, these are the things that you have to meet. I think it's more subjective, right? Do you have a good cyber program? Do you have a good visibility? It wasn't like check, check, check, check, check. Yeah, we think you do mean it. No, we don't think you mean it. Is that correct?

Sivan Tehila28:17

So again, I guess it really depends, right? I mean, some auditors do have this checklist. So for example, I mean, we did our own ISO for our company and the auditor asked me, Do you have a security program? How are you managing it? And I was like, okay, let me show you something. And then I opened, you know, Onyxia and we're actually using it for our own purposes. And he was amazed. So in this case, I mean, he had to check many other boxes, but when he saw that he really, I think it was like an easier way for him to check the boxes. For the SEC, I believe they do have things, specific things they're checking, but I do agree with you that there is no standard for security programs. It's still something that each CISO basically builds for himself, which I think it makes sense. I mean, companies are different. There should be, so for example, Gartner, and this is another thing we have in our platform, like the ability to use the 16 metrics that are suggested by Gartner for CISOs to measure. So this is a more high-level thing. But if you want to get extra measures and extra metrics, you can add on top of this some other options. And you'll always have those CISOs who want to come up with our own unique special metrics that no one has heard about before. So that's something that we also learned at the beginning and we're now trying to see how we can allow you to customize KPIs and create your own KPIs. And in the backend, we're like just doing all the data correlation for you. I think it's very interesting and I think we will have a standard very soon because the regulation is what usually drives it. And now when we see more involvement of management, the SEC, and everyone has to have the ability to track these things, there should be a standard. And I think we'll see that coming very soon.

Joe Patti30:29

Well, the thing that makes me nervous is that standards are kind of a double-edged sword. You know, as we were talking earlier, you know, it's great to say, there's the checklist. I would say, you know, whenever I get audited, I like to ask, well, what am I being audited against? I don't like getting audited against what mood the auditor is in that day or which auditor I get, you know, you want to stand there. The problem though, I know it often is, and that's part of the art of it, but, but the problem with that is that, you know, as you're saying, everyone is different. Every, people just looking to check the box you know you may I've said for a long time and I've caught heat about it whatever it's like if you're checking the boxes and doing all these things it can actually be harmful and the reason it's harmful is there are things in there that are probably not relevant to what you're doing that need to be, uh, you know, or need to be deemphasized or whatever. And if you're spending resource on that, you're not spending resources on the things that matter. And that drives me, drives me nuts. You know, just when I see that it's just wasteful and it doesn't enhance your security. We need a better way, you know, I think of showing that, you know, not just we're following best practice, we're following a standard, but you know, our program, you know, works and it's appropriate, you know, for our business. That's my holy grail as far as these things go.

Adam Roth32:00

So like, like what we'll get is, Hey, Adam, give me a screenshot of your DLP solution. DLP. What's DLP? Is it my email? Is it my exfiltration of data for my shares? Give us, I mean, some things are easier, right? Give me a screenshot of your proxy. Okay, proxies are pretty standard, right? Oh, do you have a NAC? Oh, NACs are gone. We wouldn't do NACs anymore. So some people will ask legacy questions. Some people will ask you whether or not you have an EDR. Do you have antivirus? Do you have next generation firewalls? It really varies. One, financial institution one, might be very different from financial decision two, which might be very different from the organization that's giving you cybersecurity insurance. There really is no standard. And I've seen auditors come in from government bodies. Their interpretation of checkbox one might be different from the other order of checkbox one. So, you know, there is some subjectivity. It's not like, oh, this product meets box one. They will never mention products, but they'll mention kind of features.

Joe Patti33:13

So, yep. Yeah, but sometimes they will want to see a product if they say like, we need an EDR. What's your EDR product? You know, that's your endpoint detection. But not a literature product. Well, no, but I mean, the auditor will say that, you know, what's your product for that? And you're like, you need to show them that they have a product that on their website or in the box, even though our boss anymore, it says EDR. And they say, okay, when really the right answer is how are you protecting your end points?

Adam Roth33:43

And let's keep it, let's keep it. Let's keep in mind, right? Your EDR might not have all the protection boxes on that it's supposed to have. Merely installing an EDR and not turning on the features is not good enough, but for an order that might be.

Sivan Tehila34:02

I think in the end, I mean, we still need to allow the CISOs make decisions. Standards and compliance are good, but CISOs are there for a reason. Like they have the knowledge, they know what the knowledge, the expertise, and they know the business best. So there should be some things that are standardized, but I do think we need to keep CISOs, to allow them the freedom to make some decisions and to adjust some of the programs and maybe to avoid it from some processes or have extra processes where they do think they should have them. I mean, if we were just following the, uh, I mean, regulation is important and I think it's, it's, I mean, I think there are many advantages of the, uh, SEC regulations now, but on the other end, we don't want to make CISOs robots, right? We want to allow them to just, to use their knowledge and expertise to manage to the best of their knowledge, their security programs and the business.

Adam Roth35:08

And it's fun. You bring up CISOs, right? There's no standing for CISOs either, right? You can be the guy or woman sitting at a help desk and be the person implementing the EDR for organization, a medium sized organization and be the CISO, or you can be a person that went to school specifically and has an MBA that understands the fiduciary responsibilities as well as the, you know, the cyber responsibilities and really be senior and be different. So, I mean, I've seen CISOs, I'm like, wow, you're a CISO? God bless you. You know, I'm not trying to be obnoxious, but there are people there.

Joe Patti35:49

Yeah. Well, there's a whole other discussion where it's interesting, like some, you know, regulations have come out where it says like, you need someone to be responsible for security. You need a CISO, you need a security chief or something. And you know, for a lot of places, that makes sense. They need someone in charge. They do that. But you know, people, people are clever. People find ways around things and they just, you know, in some organizations they're taking the senior security engineer or the guy doing security, they're like, Oh, congratulations. You're the CISO now, you know, and.

Sivan Tehila36:19

And you know what? I understand what you say. I don't know if I mentioned that, but besides, I mean, but another passion of mine is really cyber education. And I developed master's program in cybersecurity for YU, and I'm the program director of the master's program. And I can tell you that I have students who are coming from different backgrounds. It's a master's program, but some of the students who are coming are basically changing their career. And it's very, very interesting to see that I think that you can come from different backgrounds and still use some of the knowledge you're getting in many different positions in order to be a CISO. And some of them are really, really good CISOs, even though they didn't grow up in IT or security and it wasn't their initial career. So, I mean, I think it's really about being able to understand the business. Risk management is really a huge part of what we're doing. And some of the people are coming, you know, from business, from the business side, and they have all these like risk management capabilities and understanding. They can apply many of the models they know and the knowledge they have and be really good CISOs. And you know, I mean, I have a really amazing story of one of our students who was a police officer who used to, I mean, in the forensic side, but not forensics as we know. And he completed the program. He became an amazing ethical hacker. He got a job in one of the big four. And now he's on the way to land a CISO position. And I'm very confident he's going to be an amazing CISO. So I think the fact that we have now cybersecurity programs in the academia, it's a huge step. And I think, I mean, when I started, there was no CISO program. There was no master's program in cybersecurity. It's very, very new thing. And I think it's going to help build this standard for security experts, and especially CISOs. But I also think that there are many different expertise that can make a CISO a good CISO, even though he's not coming from an IT background.

Adam Roth38:46

I didn't want to imply that there are people, I'm trying to say this the right way, I think people have been thrusted into CISO positions that didn't necessarily expect to be a CISO. It's not to take away from a person who's a police officer, who has that passion, who's become that CISO. It's not to take away from a woman that was working at Starbucks three years ago was probably a better cybersecurity person than I'll ever be. What I'm getting at is that there are certain people that are CISOs that have never even challenged themselves or they were put in the precarious position to be a CISO that actually is a detriment to the organization because they have not learned enough in order to protect the assets. So again, I don't want to get hate mail from people like, who the hell are you to say that? I don't even think necessarily I would be a good CISO. I'm just saying that.

Sivan Tehila39:51

That's the reality. I mean, I get it. I understand what you're saying.

Joe Patti39:54

Yeah. And I mean, what, you know, what I was getting to also is something similar that, you know, that there is a great tradition in IT still, although we have more training now and everything. There is still a great tradition of people advance and get to management who are the best technical person. Sometimes it's because there's no one else there and something opens up. I can tell you that happened to me also, and actually spent a lot of time kind of retroactively learning management and learning the business stuff. And I think we see a lot of that in security too, frankly, right now, as we see very tight budgets. There are great security people, you know, great technical people, great even all around security people who are being kind of want to say thrust into, but placed into positions of, of, uh, you know, leadership and a CISO type role where they, they're not ready for it. Maybe they're not even interested in it. Um, they just happened to be the most senior security person there. And now with all these things that, you know, the regulation and the complexity and all this stuff, there is quite a bit more to it than there used to be.

Adam Roth41:07

Definitely. And for me, my first cybersecurity role was I was more of a security network engineer. And then everyone left the organization. And they said, by the way, you're handling the cybersecurity. I was like, oh my God. And people would ask me questions. I had no clue what I was talking about. I never lied, but I was sitting there sweating bullets. And I'll tell you this, and Joe kind of makes fun of me sometimes. When I started experiencing, I don't want to say the name of the organization that they work for, but when they came from the 8200 area, and I started learning some of the stuff they learned. I'm like, boy, I feel so inferior. And then Joe would remind me, Adam, they did that for a living. I mean, so I gauge myself against higher people in certain areas, which I'll never achieve because I've never had that opportunity, but it doesn't mean I'm not a good cybersecurity practitioner. It just means that my experience in certain areas is limited. Whereas those CISO people, their experiences translate from maybe other fields that have given them stuff I'll never think about. You know, if you come from, let's say the hospitality industry, there might be things for you to offer in an operations point in cybersecurity that I could never think of. Everyone has unique experiences and can add to things. My only fear is that I've seen people that have been thrust into positions where they were put in positions of failure, and some of us succeeded, but some, you know, got hurt.

Joe Patti42:50

Well, unfortunately for you, when you were thrust into the role as the sole security person and were unprepared, your manager was very kind and had very low expectations. So you did well.

Adam Roth43:02

And what about you?

Joe Patti43:05

That was me. No, but it's true, but you, well, you always have to be realistic with your people, but yeah, the landscape has changed so much in terms of there being education out there. And I think that's really, really important. You know, we've, I've even seen in, you know, my career and work with that too, you know. We now interview people completely differently for security roles than we used to, because it used to be, okay, we know you're an IT person, where did you learn security from? Now we get people who are actually trained in security, which is helpful.

Sivan Tehila43:41

Yeah, and I think, I mean, we know like the CISO role is a relatively new role, right? It's something from the past 10 years maybe. And it's like the evolution of this role is very interesting. And I think like now we want, and I think it's important to have more CISOs at the board level. But with that comes more and more responsibility and accountability as we see here. So I think it's going to change. I mean, the fact that the CISO role is becoming more and more important will affect also the way we're interviewing and choosing CISOs and I think we're going to see less of these situations when you're just like appoint someone as a CISO, like randomly in a company because it was there and he has like extra few free hours.

Joe Patti44:41

Right. And I should say that if you're, in case you didn't realize it, if you have a company and you have a regulation or something that says you need a CISO or a security leader or something, and you pick whoever is hanging around, you're not doing a good job. Following the regulation means you need someone who knows what they're doing. It's not fair to the person you're putting into that position either. That's not cool.

Adam Roth45:05

Think about this, Joe and Sivan. How many CIOs do you know? Not as much. How many CTOs do you know? So the CIO and the CTO has effectively become the CISO role. What is the CISO role going to be 10 years from now?

Sivan Tehila45:27

Yeah, I think that's a super interesting question. And I think it will be, I mean, again, we're already seeing the evolution, right? It started when the CISO had used to report to the CIO. Now it's becoming like a more independent role and now CISOs are on the boards.

Adam Roth45:46

Um, so I'm going to make some predictive analysis here. Eventually, there's going to be a C-A-I-O role. Chief Artificial Intelligence Officer. Somebody responsible for how the ethical use of the AI, how it's going to transform the organization, whether or not they're getting it from legitimate sources, and then they'll be auditing based on that. All right, guys, let me know in 10 years if I'm right.

Joe Patti46:14

Adam, I hope this prediction is better than your lottery numbers because

Adam Roth46:19

Anything is better than my prediction of the lottery numbers. I can tell you the weather in five days and still be right.

Joe Patti46:31

All right. So at this point, I think we are getting to the end. We're not going to have a super long, long episode today. And this is a last call.

Adam Roth46:42

No, but we missed one important thing. Wait, wait, wait, wait. What are we supposed to be drinking?

Joe Patti46:47

Oh, that's right. What are we drinking? Is that water? Are you out for this one or not?

Sivan Tehila46:54

It's actually sparkling water. I know I say that I should have tequila, but it's still middle of the day. But the reason why I say that is because my name is Sivan Tehila. But when I moved here, everyone struggled with pronouncing my last name. So they often say Sivan Tequila. So I was like, OK, I'll take that. I'll be Sivan Tequila. And since then, that's my drink.

Joe Patti47:21

Well, Sivan, we're drinking tequila, Adam and I, and we'll make up for you. Sivan, next time. Anytime we can do that. Noah and I are together.

Adam Roth47:31

We're going to come see you and we're going to get some tequila.

Sivan Tehila47:34

Sounds good. Well, thanks for the opportunity. I really enjoyed the discussion.

Joe Patti47:41

I really appreciate it. Thank you very much for coming on. This is a big field and a big discussion. And I think that it's going to continue to evolve and get even more interesting over time. You're right.

Adam Roth47:58

This is not nearly over yet. There's a lot happening in this area. Is there anything you want to mention about your company before we go? What was that again?

Sivan Tehila48:08

Well, I mean, I think we're really building something meaningful and helpful to help CISOs solve some of the challenges we were discussing now, addressing the new SEC requirements and managing better security programs and be more efficient. So we're trying to help CISOs and help companies to be in a better place and happy to discuss with anyone who's interested.

Joe Patti48:35

Okay, well, great. Everyone check it out. Thank you so much for joining us. We really appreciate you taking the time. Thank you so much. Take it easy.

Sivan Tehila48:44

We'll catch you next time.