Get to know your design partner: Rapyd’s CISO Nir Rothenberg
Here at Vertex Ventures, we work with our founders to help them find and partner with champions from Israel’s startup ecosystem. These local executives can make a significant contribution to entrepreneurs and startups at an early stage. Their proximity, openness, local and global market knowledge and stature in the ecosystem can assist entrepreneurs. They can help identify the problem/product market fit, and turn into design partners who will eventually turn into production onboarding partners and paying customers.
While this does not replace the search for partners and champions in target markets, we know how much value a local partner can bring.
And therefore -
We’re starting a series of short posts and articles as an initial introduction to your potential local champions.
You’ll be able to learn what they are looking for and what will make them want to become your design partner.
Founders, if you have any questions to ask these champions, reach out to me at firstname.lastname@example.org
9 Insights from the Field for CyberSecurity Entrepreneurs
Cybersecurity entrepreneurs, meet Nir Rothenberg, the CISO of Rapyd. What blew me away with Nir was the number and the variety of companies that work with him as design partners. These companies gain a real advantage by partnering with Nir. His vast experience, profound knowledge of the security ecosystem, and open-minded attitude make him a real partner.
Let’s see what he has to say:
1. What is your top priority right now — your main pain?
As a CISO I am required to manage assets and then manage risks. Right now, my crown jewels reside on the cloud — all our data and services are there. So my attention is focused on cloud security.
The main problems I experience as a CISO with cloud security:
- Scope — It is much more complicated to get a clear picture of which components require protection, what type of protection is required, and where protection is needed, unlike classic IT security.
- Talent — There are very few people with high-level expertise, skills, and knowledge in cloud security. To make things worse, we’re competing over these people with huge companies like Netflix.
- Training — To overcome the previous challenge, we need to constantly train employees with different skill sets.
- Modern Tools — We need cloud security tools, access management, data access and control, connectivity, etc. The real challenge is that technology & cyberattacks keep evolving, and we need to constantly keep track of these evolutionary changes and upgrade our tools.
- Mature Products — The software solutions that are supposed to answer these needs are not mature enough and are often fragmented, even those by very large vendors. This creates solution silos that force us to work with multiple products.
2. What will you be focusing on in the next six months?
Cross-organization and cross-topic security visibility. As a CISO I want to be all-knowing and all-seeing. But at the same time, I don’t want to be flooded with data and alerts that I can’t handle. I know this is a tough one.
Companies that provide me with a 360-degree view of the security posture/state of my company with just the right amount of data that I can react on — will gain my attention. The best solution would be to see a summary of all the security topics, with the option to dive in and learn more if I want to.
Note to founders — Many startups work on a very small portion or a subset of security visibility. They take open source (Netflix, for example), add a UI, and call it a product. It might work, but I read the same articles as you, so I am familiar with these capabilities. It’s an uphill battle: many companies are bringing good open source. If you are doing the same, make sure you have a unique value proposition.
3. What’s your take on regulation, compliance, and privacy?
GDPR — Many startups claim that they can assist with GDPR, but there is a secret about GDPR that is worth revealing. GDPR is important, and we take private data extremely seriously, but it is not the big scary boogeyman you think it is. For many companies, it’s not a top risk or a top priority. (Unless you are in the private data business, peddle private information, or have a giant spotlight on you, like Facebook).
Thinking that an organization will pay a huge sum of money just to check the GDPR box is not reasonable. From my experience, most organizations will settle for a simple solution like manual mapping in a spreadsheet (a list where all sensitive data resides) and having reasonable and common privacy policies that provide good coverage (there are many common templates out there). If your value proposition is that you will automatically help organizations be super compliant with GDPR — you are in for a tough time. As the saying goes — it’s a feature, not a product.
PCI-DSS — As a payments company we need to comply with PCI. This is much more complex. It is structured, the technical requirements are clear, and the review is conducted by technical experts with a good understanding of the cloud.
Today we use the native solutions of our cloud providers, but they are not always good or thorough enough. There are companies that provide baselines for PCI. But the baselines I know of are quite weak and don’t provide full coverage of the different cases.
I don’t want to discover that we missed something that I didn’t know about during a PCI compliance audit. I wish there was a product that could alert me about them prior to the audit. A company that would allow me to better understand how I can protect my cloud data based on PCI, where the risky places in the cloud are, and what the best practices are, would provide me with a lot of value. This exists in silos, there are bits and pieces here and there, but there is never context regarding the scope of the audit, or full coverage of all my requirements.
It is critical for me to know everything. Our goal is not to pass an annual PCI-DSS review but to really protect PCI data at all times and make educated decisions based on the data we have — it’s visibility all over again.
SOC2 — This audit is less technical, with only a few technical tests. It mainly revolves around processes and governance/management systems.
Vendors Compliance — Here’s another secret — frameworks are losing steam fast, and customers are asking less and less for certification. I can’t remember when anyone cared about my ISO 27001 certification. Even SOC2 is declining. (PCI-DSS is different because of the way payment cards are self-regulated).
When companies like Google and Facebook consider working with a vendor, they don’t really care about SOC2 that much. They care about specific security parameters that can reflect the security exposure of their potential vendor. They ask ten or twenty laser-focused questions that reflect the current security state of the potential vendor. These are great questions to start with if you are an entrepreneur who wants to help a CISO.
For example, Google has a portal that gathers all the security requirements that potential vendors are required to answer. I see this more and more from other vendors as well.
Generally speaking, after answering a few compliance questionnaires, many questions are repeated and they are a huge waste of time. Everyone hates answering these questionnaires, as with any boring, repetitive task.
GRC (Governance, Risk management and Compliance) — A GRC startup focusing on a dashboard that reflects a specific state is cool. Still, we need something operational to shorten the time it takes to get compliance approval.
A company that offers a way to make this process more efficient will solve a real problem. We need:
- A DB that can be used as a reference and source of truth for all compliance questions.
- A DB that allows you to search for a specific term, offers auto-completion, redirects from one answer to another based on context, etc.
- A solution that can comprehend which type of data you are looking for (context) and which compliance you are trying to answer — to save you the endless back and forth between Google Docs.
If I need to perform a boring, repetitive task, but I do it in your system instead of a spreadsheet — I prefer sticking to the spreadsheet.
The founders need to understand the process of filling out all these tedious forms — they need to understand the problem they came to solve. The need is not technical. A dashboard and a cool UI are a good start.
4. Which strategies do you use for access or authorization management?
We are a cloud company that mainly works on or with cloud services. My goal is to allow only users I know, from devices I know, that satisfy a specific policy, to access a specific service.
Today we are using several well-known access services to try and give context-based access. The current solutions are far from perfect. There are still many implementation gaps: if access requests need to be excluded from an access solution because it doesn’t work well — there is room for innovation and for someone new to step up and do it right.
5. If a security product requires ongoing involvement from DevOps/R&D, what should the founder pay attention to?
Any tool requiring other teams to be involved in an ongoing manner had better offer value to those teams. Since most security tools don’t, the implementation of those tools becomes dependent on human relationships just as much as technology. So now you have another thing to worry about as a CISO.
You might have an awesome tool, but it’s on me to optimize my relationship with these teams to get your awesome tool to give value. Many tools require dev attention or collaboration and this limits the value they can give to the security team because the dev team cares about development (shocking, right?), and not about a “cool” security tool with colorful dashboards. In fact, chances are that they hate your tool — because it is slowing them down. If you could minimize the dependency on other teams, it would allow the security team to own the process and raise the chances of giving real value.
6. If an agent needs to be installed — what do the founders need to pay attention to?
Installing an agent is painful. Once you need to install an agent on your servers, DevOps often becomes the owner of the process. This reduces the chance that I will want to become a design partner by 70%. The most successful new security companies are agentless or out of band and easy to deploy and manage.
Many companies ask that we add/embed their code in ours. This is scary and I for sure will not do that without a long cross-organization approval process and many, many tests. Even in small companies, this requires time and approval.
The common answer is “don’t worry, Datadog does it”. That’s great, but for now, you are not Datadog. In fact, Datadog is also after security right now, so maybe I should just partner with them? This route puts you at a big disadvantage right off the bat. If there is no other way besides using an agent, you must prove that it is super light, non-intrusive and brings a huge amount of value.
Another note regarding agents, but for laptops: many startups come from the Win/Unix environment, but what about Mac? If you want to deploy an agent in my organization, you need to support Mac as well and make sure you don’t have much effect on performance.
7. How can a startup convince you to become their design partner?
There are three important considerations that determine who will become our design partner.
First, solve a real pain. A real pain is an issue that is a top priority for me, it is on my agenda and I am actively searching for a REAL solution to it. For example, holistic access management or a zero trust solution that answers our needs. Today, I need to use four different products to do that.
Second, understand the problem they are solving. It is very important that the founders understand the pain they are trying to solve.
Many founders have practical experience in security, but sometimes they are held hostage by their experience and come with a problem/solution that answers a very specific need that only applies to their former company. They can’t understand the problem in a different context. The companies that get us excited about partnering with them not only solve our pain, but also let us feel they understand our specific angle of it. That way, they can partner with us even if it’s not my top priority.
Third, understand my company’s context and work environment.
An entrepreneur needs to conduct a minimal amount of research in order not to waste our time:
- What the company is doing, how it works, how many employees it has and where they are. For example, if you are working on an amazing Windows defense tool, it makes no sense to partner with a company that is 90% Macs. If your tool protects GitHub, why are you talking to a design partner who’s on Bitbucket? If I feel your focus is not on our context, I’ll save us both some time. Go focus on someone else who fits your direction.
- Another key context to understand could be the pain in the space: regulation, distribution management, the size of the security team, etc. If a startup offers me a solution that can be used by the purple team… guys, I don’t have a purple team, and it’s easy to see that on LinkedIn.
- Which cloud we operate on: you can check the SSL certificate and see that, for example, an Azure solution is not relevant for us.
- Many founders approach me with great ideas, but if they fit large enterprise organizations, and not a three-hundred-person company, then it’s not going to work. In addition, when they are looking for an SME design partner, they need to think about whether they are willing to adjust their solution in a way that will answer the partner’s needs.
8. How do you determine how much you are willing to pay?
If you’re a founder and can’t figure out how to charge, you’re not looking hard enough. Plenty of companies offer transparent pricing and you can model after them. You can also look at the Amazon marketplace for a similar product and get an idea of the range. Subtract 20% for a common discount.
If you are not a mature product and I am a design partner, I expect to pay 0.
If you solve a huge problem with no alternative I will be willing to pay more. Price for me is about value and priority. If the product gives me the value in a top priority — it’s worth good money.
9. Do you have some final tips for founders?
Maintain good relationships, be open, be empathetic. A good founder must have these capabilities. Design partners are here to help, but they want their needs met. If a founder thinks they have all the answers and will not listen (but really listen), that could be a sign that all they want is the logo, or the testing ground. That’s not really a partnership.
Let’s take a very simple example. I can say that the product is great and that I will be happy to start the engagement in two months. If the founders keep pushing for an installation right now, it is obvious they are not thinking about me and about my needs. If they would try to understand why I need to start in two months we could get to a win-win solution — with empathy and an open mindset.
Remember: a design partner is first of all your customer. Act accordingly. This is great practice for the future.
Originally published at https://www.linkedin.com.