the interview: Rita Gurevich

Justine Humenansky, CFA
Published in the table_tech
10 min read · Mar 8, 2021

Rita Gurevich is the CEO and founder of SPHERE, a venture-backed industry leader in security assessments and remediation services. Rita founded SPHERE after gaining a massive amount of relevant experience during the Lehman Brothers bankruptcy, where she was placed on a SWAT team that had to disaggregate all their IT assets by analyzing which technology under the Lehman umbrella should belong to which buying entity. Having learned almost overnight how to analyze all the different platforms and systems in scope, and seeing the enhanced regulatory environment that began to dominate the financial industry, Rita knew that whether the driver was proper governance or improving security postures, her newly found skills would be valuable for other CIOs and CISOs across Wall Street. Rita founded SPHERE as a solo founder and bootstrapped the company for eleven years before accepting venture funding (a Series A round led by ForgePoint). Rita is also the recipient of multiple honors and awards, including recognition of her entrepreneurial skills by Ernst & Young and SmartCEO. She was also named to NJBIZ’s 40 Under 40 list in 2017. Rita also sits on the Board of Directors for the New Jersey Technology Council.

Thanks so much for being here with us today. I’d love to start by understanding what initially sparked your interest in cyber security?

My career started at Lehman Brothers, and I was there during the bankruptcy. I was essentially put on a SWAT team where we had to figure out how to disaggregate all their technology assets. Almost overnight, you had these banks buying different parts of the Lehman business and we had to figure out what belonged to Barclays versus Nomura. It was a very interesting project and not many people have done anything like that in that timeframe and at that scale. I learned some really valuable skills around data analytics and how to collect and analyze all this information about technology assets. I started to offer these services to help other banks with a lot of the core things that we had to do as part of the disaggregation of all the Lehman assets. Shortly after I started the company, security became a huge driving force in how these companies were looking at analyzing their assets, so we started to overlay security metrics into all the different analytics that we were providing. Understanding who has access to a group drive, who the owner of a SharePoint site is, whether or not people are getting emails and mailboxes that shouldn’t be sharing content, everything around access management and proper governance from an entitlements perspective became really important. It’s a space that nobody wants to touch because you have no idea what you’re walking into with permissions. Nobody was governing access. The regulators wanted them to, but it’s hard with all these legacy systems and all the M&A they’ve gone through. They don’t even know where to start.

Wow, I love that genesis story. It’s really a unique experience and insight into the complexity of these institutions’ infrastructure. You’ve been building SPHERE for 11 years, how has the company evolved over time?

Initially, we were a services company that focused on ways to make assessment and remediation projects very repeatable. Throughout this process, we started to learn that there were a lot of shortcuts we could take by automating some of the activities that we were doing on a regular basis. A lot of the heavy lifting was consistent when it came to collecting the data: understanding what referential data sets had contextual metadata, reaching out to asset owners and asking the relevant questions, and fixing issues based on how the business is providing data. We found that we could cut projects down by as much as 40%. We found ourselves doing projects in a fraction of the time we used to, which allowed us to go a lot wider and deeper in our engagements. Once we started to automate, we realized we could standardize permissions across the entire set of platforms, and all of the assets, and that became really interesting. So we fully productized our services, building in as much automation as we could into the platform.

The other thing that we learned, and that our customers learned alongside us, is that these are not one-and-done projects. The concept of access management is ongoing. The people that work at your company are not static, people change roles, move to different organizations, access can’t follow them.

The reality is you have people coming and going, and you probably have some unhappy people accessing data that they simply shouldn’t have access to. You’ve seen the reports on internal threats being just as pervasive as outsiders penetrating the perimeter. Even when outsiders get through now, they’re stealing the credentials of internal employees and leveraging all of the excessive privileges to traverse the network. What we found ourselves doing is not just standardizing for better governance, but also minimizing the risk of somebody doing something malicious internally. At the same time, if somebody was able to get in from the outside, we really minimized the impact they were able to have by preventing misuse of internal credentials.

The way we’ve transformed the business is related to how we solve these problems and how wide and deep we’re able to go. For many years, our mission was to build a one-stop shop software platform. As cybersecurity started to evolve, we realized that we shouldn’t negate the fact that having cybersecurity talent on staff is valuable to the customer. Cybersecurity isn’t an easy button that you can click that solves all security challenges. So we decided not to move away from our services altogether and we built out a managed service practice. This gives our customers ongoing access to our expertise (SPHERE experts). This combination of automation and expertise is required to solve this problem once and for all.

Wow, that’s such an interesting evolution. SPHERE is now an industry leader in providing security assessments and remediation services, what do you think differentiates SPHERE from others in the space?

I think we’re very unique, because a lot of software companies had a bunch of PhDs sitting in a room and coming up with really cool, innovative ideas, but we came at it from a totally different perspective. We’re like “data janitors,” we do access control cleanup. We are brought in to get to an end state, and we almost work backwards from there.

There’s a lot of practicality in our solution and approach. It’s built on common sense and logic. We’ve seen every edge case, we’ve seen every nuance with the data, every abnormality, we’ve really seen it all. We’ve seen it, so we know the preventative measures to take and I think that’s very special.

What we do isn’t sexy, we clean up permissions, but we love it, we’re obsessed with it. We truly understand the need and know how to do it and that makes it very rewarding for us. We started the company as a services organization, so we had to use the products that our customers already had deployed and we had to become experts in those solutions. We learned first-hand about the gaps that a lot of those solutions have. We were able to start to plug in those holes with our own IP and our own little scripts and drips and drabs of code that organically became a platform over time. That allows our solution to be really purpose-built.

I guess it might not be sexy, but access and permissioning has only become more important with the accelerated shift to cloud and SaaS applications, the remote workforce, etc. I would love to get your take on how recent trends, mostly pandemic-driven, have impacted the business?

One of the reasons we partnered with ForgePoint is that we want to expand the coverage of our solution and our expertise to more and more cloud platforms. Our initial customer base was comprised of the most complicated large global financial institutions in the world, so we got our footing in really complicated environments. What got really interesting during the pandemic is that while these big banks were historically slow to embrace the cloud, the pandemic forced a rapid shift. Suddenly, everybody was getting all their users on Microsoft Office 365, everyone started to talk about Box and AWS. It happened overnight, so they didn’t have time to do any sort of analysis, any sort of standardization. They essentially doubled their risk because they were simply moving terrible entitlements from point A to point B. They know they need to start fixing this now, so more customers are asking us to start with their cloud platforms. Cloud used to be thought of as a nice-to-have. So we are doubling down on our efforts to collect more data from the cloud platforms and figure out the proper ways to remediate those entitlements for the long term.

What advice would you give to other founders or operators in our community that are building products or services in cybersecurity?

Customer empathy is very important. I’ve had great ideas that in my office, within my four walls, I thought were genius. What I learned early on is that you have to engage with your customers and make sure that you’re solving a real issue that they have, not just that you think that they have. The other thing is that when you’re a boutique shop, or just starting out, you’re competing with known players, you’re not creating a completely new industry or Gartner quadrant. So, you have to think about how you’ll stack up.

What I find very fascinating is that companies are more willing and interested and almost more energized to work with startups now. Cyber is still a fairly young industry. We’ve been around for 11 years, which is ancient in this space. I think there used to be this stigma that if you were a smaller startup you wouldn’t be able to scale or there was too much risk. Now, I actually see different customers viewing startups as more agile, willing, more eager, and more flexible than incumbents. I think it’s the right ecosystem for startups in technology, and definitely in cyber, to be able to get much bigger contracts with much bigger brands than probably a decade ago. Don’t be shy, go for it.

I can think of some very successful cyber companies that started off in services. I think that’s such a valuable background because you’ve worked so closely with customers.

If you’re a services company that wants to build software, you have a perfect testbed of users: your own staff. Build products that are solving the problems your engineers are facing when they’re doing the project, because I assure you that the customer has similar pain points. Our service revenue essentially funded the product development, because we bootstrapped everything. The way we were able to do it is our engineers were our first users. These were toolkits that they brought with them to the customer. It’s almost like a paid proof of concept. They saw the product in action. Their auditors were getting reports and scorecards every week showing the numbers going down, getting better. Management wanted reports to show progress, they wanted to make sure the problems didn’t come back. The product almost sold itself.

We’ve touched on a small portion of the many things that you’ve accomplished, what work or accomplishment are you most proud of?

It just might be perfect timing, because Monday is International Women’s Day. Being a woman in cybersecurity, running a company, it’s a good example for other women that may be starting their careers, going to college and thinking about what they’re going to do, or even deciding if they want to start their own business or do something entrepreneurial later in life. I like to mentor, both internally and with other organizations. It’s important to me to make that known. We’re also fortunate to be ForgePoint’s first female founder, which is pretty exciting.

I’m trying to use this position to be very positive and encourage women that are thinking about starting something, but that may be a little bit scared and timid, to be themselves and go out there and get what they deserve.

Yeah, definitely, you’re paving the path. When you think about the next 2–5 years, what are you most excited about?

I’m very excited to be able to do things that I never thought I could do with this business. When I started the company, I was 25. I didn’t really have any idea what venture capital or private equity or any of those words meant. In my mind, I thought, “cash in, cash out,” that’s how people run businesses. I had no idea that people invest in companies, if I’m being very honest. Over time, I learned, but I still kept the company bootstrapped for quite some time. I really wanted to grow it myself for as long as I could, until I felt that I needed assistance. Now I’m excited that I’m able to take it to the next level. We’ve had tremendous growth on our own, but it was very organic, very referral based. Most of our customers have been buying from us for a very long time, and they love us, and we love them. Now we get to touch a much wider audience, we get to get our name out there to more people. I’m excited for the day when I don’t know all the customers. That’s gonna be an interesting experience for me, because I just love to be in front of the customers and to hear what they’re going through and working on. I’m excited for those new experiences. I’m also excited to do some introspection afterwards. To think about how it felt, how I reacted, what it was like, because I’m sure it’ll feel quite different than what I’m used to. I’m excited to learn about myself as part of this whole process. It’s very exciting to see how the next phase of growth will unfold. It’s been a whirlwind.

Connect with Rita on LinkedIn. Join the table, a community highlighting women in enterprise and deep technology, to receive interviews, insights, and resources right to your inbox.
