Intelligent CISO Issue 34 | Page 72

GO PHISH

What do you think is the current hot cybersecurity talking point?
I think that the world is moving into open source and into a place where 80–90% of the code that organisations are writing is being taken from open source/third parties. This puts organisations at risk of another threat – the supply chain attack – where someone can poison your organisation, not from the outside trying to penetrate in, but instead from within. Attackers can poison the open source software you are using and enter the production environment through the development process, the supply chain and the build systems. I suspect that within two to three years from now, this attack surface will become much more impactful and something that we will all need to address by applying more security controls into the DevOps process.
How do you deal with stress and unwind outside the office?
I like to go for long daily walks. We have fantastic beaches in Israel so the combination of nature and taking an hour for myself to think helps to bring new energy into the day.
If you could go back and change one career decision, what would it be?
Without wanting to necessarily encourage people to quit their jobs, from my own perspective I stayed too long in the same place prior to Aqua, and I wish I’d started my own company sooner.
What do you currently identify as the major areas of investment in the cybersecurity industry?
Following on from what I said earlier, let’s continue with shift left – in the last 10 years a lot of the security investments went into infrastructure – adding more and more layers of defence into infrastructure and runtime environments.
What the world should be moving into is investing more and more security into the development and deployment cycles – adding security gates as part of the development life cycle and making sure software that is developed doesn’t have security issues and vulnerabilities.
We will still need additional layers of security for the infrastructure, as not all issues can be ‘caught’ in the development stage, but it will greatly reduce the attack surface and will allow us to develop smarter security tools that are acting ‘in context’ of an application.
An important part of this is investing in DevOps – providing education about security and investing in security tools for DevOps.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?
I wouldn’t split it regionally; I’d focus more on the different personas – security persona vs DevOps – where each one needs to tackle a different aspect of the software life cycle. The security persona needs to focus on production, monitoring and incident response, while the DevOps persona needs to focus more on the build, deployment and software delivery.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
I’m going to answer this one in terms of the security job role rather than my job role specifically – in the last year we’ve seen security professionals being asked to expand their control over the development environments, as well as being involved in the software development life cycle, ensuring that developers are building secure code.
On the other hand, we have the DevOps person, who is being asked to adapt into a modern agile world of development and cloud, with continuous delivery – software being written and deployed every day. DevOps are now being asked to ensure that the software they are deploying has the right security posture.
What we have seen over the past 12 months is that DevOps teams are being asked to include more security practices in their work, and security teams are being asked to have more visibility and control into what DevOps are doing – this overlap is creating a new kind of team – DevSecOps.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
What I would say is that you should think about what you can do to create an impact for the business, show that you can do the work expected of the role that you want, then getting the C-level title will just be a formality.