With more and more business taking place in the digital space, the ability to prevent data breaches, server takeovers, phishing and ransomware attacks has increased in importance. Malicious actors are taking note, too, increasing the sophistication and volume of their attacks.
In order to keep up, CISOs are turning to proven cybersecurity frameworks, documenting their compliance to regulators and using those frameworks’ requirements as springboards for situation-specific tactics that keep the business safe. Indeed, today the CISO is a strategic member of the C-suite, making risk management decisions that affect business health and investor relations.
Together with Yahav Peri, Arik Solomon co-founded Cypago, the startup he leads as CEO, to assist companies with their cyber GRC (governance, risk and compliance) efforts.
What’s your background, and how did you get into the cyber compliance space?
I’ve been around cybersecurity and technology for the last 25 years, holding multiple positions from engineering team leader to VP R&D.
I spent a significant part of my career with the Israeli Intelligence Services, where I led offensive cyber research and operations. Most recently, before starting Cypago, I served as CTO for EY’s Cybersecurity Center, where I learned first-hand about the challenges enterprises face when trying to manage their cybersecurity programs.
I’ve witnessed how aligning cybersecurity efforts with business requirements, including regulators’ and customers’ demands, becomes a rapidly growing challenge for any security leader.
How did you and your co-founders come up with the idea for Cypago?
While working with and supporting US-based enterprises as CTO for EY, I came to realize that there is no technology available that can alleviate the burden of the mundane and Sisyphean task of implementing and tracking security controls.
Nine out of ten companies out there are running all of their cyber GRC processes in a manual fashion, using spreadsheets and even sticky notes, generating excessive legwork and increasing friction between the stakeholders involved. With the abundance of new technologies we have at our disposal today, we have identified not only a dire and well-defined need, but also the means to serve it.
By leveraging cutting-edge technologies and implementing innovative ideas and methods, we were able to come up with a platform to automate the entire cyber GRC process, end-to-end.
Why do you see automation as so important to proper cyber GRC?
Governance, risk, and compliance processes are by no means new. They have been around for years now, and so have the tools created over the years to support these processes.
GRC usually involves document editing, gathering large amounts of data, repetitive configuration reviews, and constant interaction with multiple stakeholders. All these aspects can be done manually, and as mentioned, it’s been done that way for years. However, when the move to the cloud exploded – an average company today uses dozens upon dozens of SaaS tools, and data is literally everywhere – using the same old manual processes doesn’t cut the mustard anymore.
This is exactly where automation technology can come to the rescue and provide scalable means to help cyber GRC teams and security leaders. True, practical, and smart automation-based platforms are the key to the future of cyber GRC in a world where complexity is growing exponentially.
What are some of the attributes that you think every founder needs to embody?
I guess every founder and entrepreneur will have a different answer to such a question, so I’ll share my take on that by raising flexibility as a key merit. Of course, there are multiple other attributes such as optimism, innovation, and endurance, but I see the ability to react to constantly materializing changes without losing sight of the greater goal as the main one.
Being flexible doesn’t mean that founders need to recalculate their goals every time they face a challenge. It does mean that they need to find new ways, or be able to contain a difficulty until such time as they can continue forward with their original plan.
Having said that, there are still so many different attributes that come into play for a founder to see success in such a difficult and challenging journey.
Which cyber compliance frameworks are most in demand from what you’re seeing, and why are businesses interested in those the most?
The good thing about compliance frameworks is that there are plenty of them for everyone. Currently, the data points to over 250 frameworks available globally for companies to implement.
Companies at any stage, in any industry, in every region may have the need to implement a different set of frameworks. The need can come from federal authorities, regulators, or as an industry best practice that companies want to follow. Therefore, it’s impossible to name specific frameworks that are more popular or required than others.
However, it can be said that if a company handles credit card data, for example, they will have to attest to PCI DSS, whereas for early-stage tech companies, having a SOC 2 Type II report is essential before going to market. In addition, financial institutions will need to implement a list of frameworks even to get a permit for doing business, such as the NYDFS or FFIEC in the State of New York.
In general, it is safe to assume that an average mid-size enterprise in the US will have three to five frameworks implemented and monitored on an ongoing basis.
What aspects of cyber compliance do today’s CISOs need to pay more attention to?
Cyber compliance, or cyber GRC, used to be viewed as that annoying process companies have to go through but don’t really want to. In today’s business world, however, cyber GRC is not only a must but a true business enabler.
Only when an organization can continuously assess and measure its cybersecurity risks can it stand behind its promises to its customers.
Using cyber GRC and the multitude of available frameworks as leverage, not a burden, to design and validate a cybersecurity strategy is key to the success of any company these days. Cyber GRC should be used as a compass, or a blueprint, by which CISOs and other security leaders can safely build their cybersecurity plans and measure those plans’ effectiveness.