Cygov’s Centraleyes™ platform equips organizations with unparalleled tools to achieve and sustain cyber resilience and compliance in a rapidly changing world. In this fascinating interview, Founder and CEO Yair Solow discusses the security strategy behind Cygov’s platform and its benefits for organizations.
Please describe Cygov’s story: What sparked the idea, and how has it evolved so far?
In my background, I was a senior executive at Visa. I was part of a team that was launching innovation hubs around Europe, so I got to see a lot of cyber risk and privacy startups out there, both in Israel and globally.
I slowly recognized that on the one hand, there is this tremendously growing challenge and risk to businesses on the cyber front, with compliance constantly on the rise in parallel, yet the tools to address this challenge were archaic and often the famous spreadsheet became the primary solution. The gap in the market that I recognized early on was also a massive opportunity that I decided to pursue. A next-generation cyber risk management platform was clearly needed, and I set out to reimagine how that should be built.
I spent a year and a half on the road, just meeting with CISOs, Chief Information Security Officers, Chief Risk Officers, and heads of GRC practices. I met with over 150 different companies before writing a single line of code. And through that process, I mapped out the pain points in the market for different areas in cyber risk management.
One was the collection of data, the second was the analysis of the data, and the third was the remediation process: How do you fix problems once you’ve found them and how do you prioritize them?
The last piece was how do you make all of that continuous? How do you make that change from a static snapshot in time to an ongoing, living, breathing platform? Those were the four areas I was focusing on where I saw a lot of pain points.
We started building the platform in 2018, when we had what we felt was the blueprint for a next-generation cyber risk management platform that would turn it into an active risk platform. We brought on the best R&D team, which included former senior 8200 leaders as well as US corporate executives, and brought everybody together to mix best practices from the military with the needs of the global business environment.
Based on all those pain points that we saw in the market, we started to build a cloud-based risk management platform that addresses all these areas in a much more automated and orchestrated way. The collection of data from various sources and the analysis of that data are helping people understand what they need to protect and create automated remediation. That’s literally the silver platter of cyber risk and compliance, serving you what you need to do tomorrow morning. Of course, you still need to manage the implementation of solutions, but you get a lot more time to focus on improving your cyber posture while ensuring you are also meeting compliance and using automation across the entire environment.
In 2019 we went out to the market and started selling the platform, so it’s relatively new in the market, but we immediately saw a strong product-market fit and really strong validation from CISOs and Risk Officers confirming the tremendous value in the cyber risk and compliance solution we had created.
Most consumers are well educated on the problem, as many organizations must meet compliance today, and cyber risk has become the number one operational risk. This is why they need a solution like this, so we spend the majority of our time with customers and potential customers, talking about how our platform solves their problems. We get very strong, positive feedback because the platform addresses the real pain points which we identified in our rigorous research process, which helps us differentiate ourselves, as we are nothing like any existing solution.
Here’s a quick preview of Cygov’s Centraleyes Dashboard
How does Centraleyes work?
We break down the organization’s assets into 6 categories: people, hardware, software, facilities, data, and networks. We then prioritize those assets and begin to break down the protections around each one of them. We do this through frameworks like the NIST CSF – The National Institute of Standards and Cyber Security Framework.
We use the NIST CSF 5 function areas as the fundamental building blocks of our assessment: Identify, Protect, Detect, Respond, and Recover.
We have a very strategic, holistic way of looking at the risks around those specific assets. First, you need to identify your crown jewels, which are your most important assets, and then categorize and prioritize them, and make sure they are protected.
The critical measures we have in place for the protection layer are the common live monitoring tools, processes and policies positioned to defend organizations from being attacked. A lot of it also has to do with the people themselves and how they behave, so you need training, awareness, and proper cyber hygiene.
That leads us to the third stage, which is detection. If you’re already being attacked, how do you detect that? How do you find out that you’re under attack? By ensuring the tools are properly defined, policies are enforced and procedures are in place.
The last two stages are about response and recovery. What’s interesting is that those things address the post-breach stage, so a large part of this framework is about the day after you’re breached.
That tells you a little bit about the dissonance between where the world is, and reality. The world is putting high walls around a building to protect it, but in reality, it’s not too hard to get into the building. You have to assume the attackers are going to get into the building, the question is how would you respond and recover once they are in?
If I run with that analogy on a building that we’re trying to protect, then we need to identify the crown jewels and hide them. Where are they being hidden in this building and how are we protecting them? The answer is, in a protected room in a safe behind concrete walls with many locks, and we also are going to lock all the doors to all the rooms so even when someone gets in, they can’t gain access to any of the rooms.
We’ve seen a lot of attacks where they got in through one open door and then managed to reach the entire organization, critical assets included. So, being able to respond and recover is of utter importance.
There’s also reputational damage that is at stake, and that goes far beyond getting the system back up and running. Even if you recover, your customers would know that their information wasn’t protected. That’s why you need to look at all five stages.
How does Cygov interact with third-party software applications such as CRM, cloud storage, and collaboration platforms?
That’s a very interesting topic. Cygov differentiates between your supply chain and the platforms that you’re using to conduct your day to day operations. You have to look at both of them, and have some kind of vendor risk solution in place, whether it’s through manual processes at the very least, or preferably through an automated platform.
One of our three core solutions is a third-party vendor risk solution, so it’s one of the primary use cases we focus on. Through this, you oversee the vendors who have any kind of access to your assets. This could include your SaaS providers, physical contractors, consultants, and all kinds of other third parties that you are either interacting with or dependent on both physically and virtually. Each one of them may be an attack vector to the most sensitive data.
Once we’ve categorized and prioritized our crown jewels properly, we can now think about who has access to these assets. We want to tier these third-parties out based on their impact, as an attack on each can result in a different outcome for the organization. We will then assess the probability of an attack using a variety of factors.
In our platform, you can oversee all your vendors and map out where you have the highest impact and probability of an attack. Those vendors who are at the highest risk pose the greatest threat to your organization and you will need to establish a plan to lower their risk level or remove them if necessary.
Google, Amazon, Microsoft, and other giants are perceived as relatively highly protected, so while they might have a lot of our data, people trust that they have enough controls in place to lower the probability of an attack because they take security seriously.
Similarly, there may be other vendors you trust with your data because they’re your service providers. People seem to forget that very often, these organizations are not securing themselves properly, and as a result, the information is at risk.
You might be using a smaller vendor that doesn’t have proper information security practices in place, is not responsible, and doesn’t have “good hygiene” when it comes to information security.
With so many third-party vendors, you should be running an assessment and security audit at least once a year. Doing that through a platform is much easier because you usually have at least 10 vendors, and sometimes hundreds or thousands of vendors.
To manage that properly and be up to speed, one of the things that we do is actively scan those vendors for new threats that might arise. It could be that when you onboarded, they were clear and clean, but then they were breached six months later. You want to know about that. It’s actually more important because now they have your data.
You want to be able to have the vendors self-attest about how protected they are and give you some kind of written approval of liability that they take it seriously.
At minimum, you should have a list of all your vendors, prioritize them, and then focus on your most critical ones from top to bottom to make sure you have practices in place.
How do you expect emerging privacy regulations to impact the way businesses operate today?
Privacy regulations are an evolving trend that continues to spread. When we started CyGov, a few years back, we already recognized privacy as one of the areas that were going to grow quite a bit in the years to come.
GDPR has now been out for a few years, CCPA came out the past year in California, and NIST recently published a privacy standard that we’ve already incorporated in our solution as we believe this is an area that will pick up quite a bit in the US over the next two years.
COVID may have delayed it a bit, but we’ll start to see more privacy acts across the US in the near future. It will have a huge impact on organizations, simply by the fact that these regulations create accountability for organizations when it comes to people’s information.
Up until now, it’s been a free fall, anybody could collect whatever data they wanted on anybody. I believe the general public is not usually aware to what extent companies can collect information on them, and the degree of sensitivity of the data they’re collecting, from emails, physical address, bank statements, and millions of other details people would not want in the hands of these big companies, let alone for it to be leaked into the public sphere.
When it comes to cyber-attacks, the level of sophistication only grows, and it moves in opposite paths of privacy. As more of our information goes online, and the hackers’ ability to get information increases, the problem grows twofold.
There’s always a balance of powers, and with the global digital transformation comes the rise in cyber risk. It’s not like we want to slow the world down, but the world needs to take security and privacy into account to begin with, and I think that’s slowly starting to happen, much as a result of regulations like GDPR.
What are the roles of AI and ML in information security?
AI and ML play a very important role. We all hear stories about hackers and their growing capabilities. Once upon a time, hackers had the equivalent of a hammer in their hand, and they could cause a limited amount of damage. Today, a 16-year-old hacker has the equivalent of an F-35 fighter jet in their backyard, literally.
So you have this unbalanced war where the attackers are far stronger and greater than the defenders. An organization, as a potential target, needs to protect itself from all these powerful attackers. This asymmetrical war creates a situation where if you don’t “arm” the defenders with the proper “weapons” to deal with all of the attacks, they have no chance of resisting these widespread assaults.
Automation and orchestration, using AI and machine learning, are mechanisms that start to level the playing field, making it a more symmetrical battle. One person can now potentially interact with millions of data points and find the needle in a haystack to identify anomalies.
This is where risk management balances out how you spend your budgets and resources to truly focus on where you are most likely to be attacked. You can buy all the tools in the world and you still might not be protected because it’s not just about spending money, it’s also about how you spend that money. You’re always limited by budget and therefore you’re gonna have to prioritize the assets you want to protect, know where you’re most likely to be attacked, and put the right measures in the right places.
How do you envision the future of cybersecurity?
There are many different verticals within cybersecurity. When we started the company, the focus was on threat intelligence, live monitoring, honeypots, and more, but a lot has changed in the past 4 years and today, risk management has moved to the top of the list. Cyber Risk and Compliance is a fundamental piece of cyber defense that you have to focus on in order to ensure your business can function today. Cyber is now a business risk and that is what has truly changed.
Understanding cyber risks today is beyond just technology. If you look at things like physical security, intelligence, administration, training, awareness, etc., and not just what tools are in place, that alone is not even the majority of cyber defense anymore. Thinking about what happens on the day after the attack, and how you react to minimize the damage, are very important pieces in cybersecurity.
IoT is another area that continues to grow. If you look at it subjectively, it’s obvious that cybersecurity around IoT is going to be huge because the world is moving toward tens of billions of connected devices in the years to come and growing at a rapid pace.
If you had to give one tip to our readers, what would it be?
I would say that people need to think about cyber not as a cost, but as a critical piece of the business. Everybody wants to build a business quickly and just onboard clients and drive revenue as fast as possible, but as they work hard to do this, in a split second somebody can take away their entire life’s work, simply because security was an afterthought, if a thought at all. I would strongly encourage people to take security as part of upfront investment. Small, early investments into implementing best practices will save you a lot of money in the future and simply let you focus on driving more revenue and success.