Amer Deeba of Normalyze: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity
An Interview with Tyler Gallagher
Get visibility on your entire IT, cloud and data footprint. Simply put: Know what you have and where your crown jewels are so you can secure it.
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Amer Deeba.
Amer Deeba is Co-founder and CEO of Normalzye. He is a senior go-to-market executive with extensive experience in driving product, marketing and sales go-to-market strategies for enterprise and cloud technologies. In his 17 years tenure at Qualys (NASDAQ: QLYS), Amer led all aspects of marketing, business development, strategic alliances and global enterprise accounts. He also played an instrumental role in taking the company public in 2012.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was born in 1967 in Marjayoun, a small picturesque town in southern Lebanon. Despite its quaint meaning in English (“meadow of little creeks”), a military conflict was then brewing that would soon lead to civil war.
Growing up, my brothers and I enjoyed a wonderful childhood full of love, family and playing outside in the fields — until the conflict erupted in 1975. The sound of military jets, machine gun fire and bombs became a part of my daily life. Many friends and relatives were hurt or killed. Eventually the fighting got so bad where we lived that, in the middle of a siege, my mother smuggled me and my brothers out of town in the trunk of a taxi. We headed to Beirut to seek shelter and refuge.
While civil war continued around us, my home was always filled with love. My parents did their best to protect us. They stressed the importance of education, telling us it would give us the chance to build a better future. My brothers and I took their advice to heart. We all became professionals. I graduated from the American University of Beirut with an Electrical Engineering degree, and later moved to California to pursue a master’s degree. I’ve lived here ever since.
As chaotic and crazy as it was growing up in a war zone, it gave me a great perspective on life. I don’t take for granted the privilege of living in a free, democratic society with civil liberties, peace, and opportunity. I learned to be resourceful and resilient. My experience taught me it’s important to be decisive and to trust my judgment. It made me prioritize life-long learning and hard work. I have always been willing to stretch beyond my comfort zone to grow personally and professionally.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
As a Lebanese student in 1985, I saw the James Bond movie “A View to a Kill,” which takes place around Silicon Valley. I left the theater and said to myself: “I am moving there when I finish my electrical engineering degree; this is the future!” Three years later I did exactly that to start my Masters in Electrical Engineering and Computer Science at Santa Clara University. Inspiration for my life’s work sprang from a class on cybersecurity. The rest is history.
Can you share the most interesting story that happened to you since you began this fascinating career?
In 2005, I witnessed a cyber attack happen in real time on an internet retailer who happened to be my customer. The impact of that attack in terms of damages it left behind and the aftermath to clean it up is still engraved in my memory. That event cemented my belief in the work I do to help customers prevent such expensive and unpleasant incidents.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
The biggest personal impact on my life was Philippe Courtot, who I met in 1993. I met Philippe when I joined Verity that year and I immediately was drawn to his vision and ability to create technology platforms and make them ubiquitous. Philippe since then became a mentor to me and we worked together in three start-ups, turning all of them into market leaders.
Are you working on any exciting new projects now? How do you think that will help people?
Yes, I am continuing to pursue my passion and mission in cybersecurity. I recently co-founded a cloud security company focused on data security in cloud environments called Normalyze.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Burnout in tech and especially in Silicon Valley is a classic syndrome. Working on something you love and passionate about helps you to continue the mission and enjoy it along the way. It will also help you avoid burnout and inspire you to take the necessary break to recharge and get reinspired. I personally like to spend time with my family and my 1-year old son who puts it all in perspective to me.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
- The move to the cloud is a huge area of innovation and with it comes multiple cybersecurity challenges that require new approaches and new solutions to solve these problems at the scale of cloud technology.
- Use of artificial intelligence and machine learning (AI/ML) to make better and faster decisions in our fight against cyberattacks.
- As more and more data moves into the cloud, security teams will need to shift focus on securing data and applications. This is a huge opportunity for innovators in cybersecurity.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
Data threats are looming in customers’ cloud environments. Companies need to start preparing for that by getting the necessary visibility to determine where sensitive data resides and put the right solutions in place to secure it.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
As mentioned earlier, I was struck by the breach I witnessed during my Qualys tenure at an internet retailer and how impactful it was on the customer’s overall business. The main takeaways were to have access to the right data on time in order to make the right decisions and drive quick and effective remediation to address the breach.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
To keep it simple, a comprehensive security framework starts with understanding what tools and assets you have, and getting visibility across your entire infrastructure both on premise and in the cloud. Visibility allows you to prioritize where critical assets and sensitive data reside and to put the right controls, tools and solutions in place to protect it. This is the safe setup to implement ongoing security monitoring tools to respond to threats in real time and block any potential cyber attacks.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter”software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
The move to the cloud has simplified computing in many ways as the focus shifts from securing infrastructure to securing data and applications. With that in mind, organizations have many choices now to adopt the right cloud computing platforms to fit their business needs. Cloud makes it easier to pick security solutions that will help them secure their apps and data as they embark on their digital transformation journey. Hiring a CISO typically becomes a priority as organizations grow their IT and cloud footprint to support customers — especially as they scale operations with more users and data. Everything needs ongoing protection and usually must address regulatory compliance mandates.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
Each environment has different user behavior so security teams should have a clear understanding of what is normal and what is not. Looking for anomalies that pop up in the environment for no apparent reason is typically a good indicator of suspicious behavior that needs investigation. Ongoing monitoring of the infrastructure including workloads, applications and data will also help mitigate any suspicious activity and block it from causing more damage.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Assessment of the breach and a thorough investigation is required immediately to assess where, what and size of the breach impact. Responses will guide implementation of processes and procedures to alert impacted users and their corresponding data. For example, if user accounts were compromised, all users should be immediately alerted to update their passwords. Scope of the breach will dictate necessary steps to remedy the situation and alert the impacted/compromised parties, organizations or systems.
Regulations like these are globally helping organizations to streamline cybersecurity operations. They are establishing clear and measurable security best practices that we all should follow and implement to better protect our privacy and ensure cyber safety for our customers, employees and business partners.
What are the most common data security and cybersecurity mistakes you have seen companies make?
- Security by obscurity often fuels excuses like, “If I don’t know it there, then it’s not my problem.”
- Doing security for the sake of achieving point-in-time compliance creates a false sense of security. Your tools must show you how to improve the security posture of the business.
- Piling on security solutions without a clear vision is a recipe for disaster! This approach is the opposite of the true need: Building a security framework that is well integrated and shares data and intelligence between tools to provide better context and decision making before or during a cyber attack.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
COVID forced more applications and data to rapidly move to the cloud to support remote work and mobility. There has been a rise of cybersecurity solutions for protecting remote users and the flow of sensitive data between applications and clouds. We have also seen the emergence of new flows in remote work applications like Zoom and Teams that spawned different cybersecurity and privacy issues.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Get visibility on your entire IT, cloud and data footprint. Simply put: Know what you have and where your crown jewels are so you can secure it.
- Understand who has access and what type of access to sensitive data.
- Implement ongoing monitoring to detect anomalies or out-of-norm behaviors across your entire compute footprint to detect early signs of a cyber attack.
- Embed security best practices into all your business processes. Ad hoc reactions after-the-fact do not prevent breaches!
- Create the right awareness programs to educate and train your employees to take security and privacy at heart in everything they do.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)
Practice mindfulness and how to be in the moment and not get too distracted with everything happening around you. Mindfulness leads to better decisions as you can understand situations better and gather the information needed to act and respond to whatever is facing you — including cyber threats.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!