Cherif Sleiman, Chief Revenue Officer at SAFE Security, tells Anita Joseph why knowing your cyber risk is critical to building a safer digital future.
Cherif Sleiman is a man on a mission: to make the world a safe place as its journey into cyberspace gains momentum. His recent career move to the Palo Alto-based startup SAFE Security is testament to this commitment. SAFE Security sets itself apart by taking a “proactive” approach to cyber defence, in contrast to the “reactive” approach commonly practised, and its focus on cyber risk quantification is a first step toward recognising and classifying cyber risks and the steps that can be taken to mitigate their impact. Says Sleiman about the move: “My decision to join SAFE Security was not a light one. I’m very, very selective and opinionated about what I want to do. So when I crossed paths with SAFE Security, I felt that this is my home for the next few years. The company is a pioneer in the field of cyber risk quantification and breach prediction – a new and upcoming field that is critical to creating a safer digital future. SAFE Security is one of those amazing organisations that has seen much acceptance by stellar people and organisations out there including John Chambers, British Telecom, PayPal and many others who realised the opportunity and potential that SAFE Security has in shaping the future of the tech industry and making it safer”.
So, what is cyber risk quantification and why is it so important today?
According to Sleiman: “Cyber risk quantification involves measuring and mitigating enterprise-wide cyber risk in real-time by aggregating signals across five different vectors of assessment (people, process, technology, cyber security, and third-party partnerships) to dynamically predict the breach likelihood and assign a dollar value to the risk an organisation is facing. Cyber risk quantification is not just important, it is extremely vital and foundational to how organisations need to run and manage their digital footprint, moving forward. It’s no longer an option”. To substantiate this, he offers a few “bold” statements that highlight the pitfalls of cybersecurity as it is practised today.
Firstly: “It doesn’t matter how much effort, energy, focus and money we spend to secure ourselves, all of it just seems futile. We listen to analysts, read the journals, buy the products and the antidotes that the experts tell us we need to better secure our people and organisations. We follow frameworks like SASE and Zero-Trust and we pivot security from the datacentre to the edge. We feel like we’re doing everything we’re being told. And yet, we never once, even for a minute, feel safer”.
The second statement, which is thought-provoking: “If you’re piling up all these products and listening to all the experts, and still falling short of the noble objective of making things safer, the question is: Why?”
He has the answers as well: “Because there is a severe lack of proper contextual visibility and for the most part, organisations are still product focused when approaching the security of the enterprise. To put it simply: When you know the risks involved, you’re able to take informed decisions about safety and security. Safety inspires confidence, confidence inspires courage, courage inspires action. So, safety is all about knowledge. The problem we have today is that organisations are throwing so much money, resources and products at a problem, but the mindset still hasn’t changed. The fallacy is in thinking that the organisation continues to be centred around a data centre where there’s only one way in and one way out. We are putting all our bodyguards there thinking that we have done a good job when in fact today’s organisation is borderless and entry points are numerous”.
According to him, the Covid-19 pandemic should serve as an eye-opener.
“Ever since the start of the pandemic early last year, there’s been an average of 5-7 years’ worth of digital acceleration, both in the back-end and the front-end of the enterprise, in under twelve months. No organisation in the world could have planned for Covid or had a business continuity plan that factored in an event like this. But with remote working and the hybrid workplace becoming the norm, organisations had to embrace Cloud Computing and SaaS as a matter of survival, even though they might have been resistant to these technologies to begin with”.
“Transitioning to cloud-based technologies has created the ‘Swiss Cheese’ architecture, as I’d like to put it, with many holes, and with so many ways in and out of the organisation”, he says. “Your employees are all over the place, connecting to workloads and data that’s now in a multi-cloud fabric dispersed all over the place, using different devices from different locations. In addition, your customers and suppliers have also changed the way they do business with you. They’re all over the place as well. How can you really expect to secure every aspect of every interaction? So, the number one issue we have today is that we have no visibility, as the digital footprint is so vast. We do not have the right knowledge of our cyber risk and therefore everything we do is based on hope and best intentions. But the fact of the matter is that we are stuck in a vicious cycle of more breaches every time we make more technology investments”.
The second problem, in his opinion, is that for the longest time the concept of risk has been focused on policies and procedures in a brick-and-mortar manner. “When we started becoming more digitally inclined, we realised that cyber risk assessment should not just consider the basic organisational architecture, but other moving parts including people, technology and partnerships that are scattered everywhere. Take business partnerships as an example – all organisations have suppliers, partners, etc. We realised that if a company does a great job at securing its infrastructure and its people, that’s not enough. No company is an island and if it is to thrive in today’s world, it has to deal with customers, suppliers and partners where a lot of information has to be exchanged. And if a partner that an organisation is interacting with does not adhere to any kind of data privacy policy, then data can leak through their network, despite an organisation’s best efforts. So, assessing your partners’ risk profile and practices and how they secure their data and your own data is important before you ink a contract with them, however attractive the terms of the contract may be”.
“Assessing your cyber risk is also about assessing your technology infrastructure and cyber security products and capabilities to score every aspect of your organisation – every end-point, server, workload, application, system, database, storage, middleware, etc., regardless of whether it is on premise or in the cloud. There should be an integrated and objective view on a single dashboard that aggregates data from all these products along with prioritised actionable insights on what’s failing and what is working. Secondly, the impact of these vulnerabilities has to be represented in a universally understood language – business consequences, that could be the financial impact, loss of reputation, customer retention, etc., depending on business priorities. This is something that doesn’t exist today. And when you do that quantification, with all the insights, you are able to make decisions. What are the risks I need to mitigate? What are the minimal risks that I can accept? And what are the risks I can transfer to cyber insurance?”
Security and risk management leaders, including CFOs, CIOs and CISOs, have more than enough cybersecurity tools and services; the average organisation has more than 40 cyber security products to manage. What is missing is a real-time, objective view of the effectiveness of their cybersecurity programme, investments and tools, and this is the gap SAFE Security aims to fill. SAFE Security gives CXOs insight into their cyber risk posture through a real-time, enterprise-wide breach-likelihood score.
“With SAFE Security, we have a common language that binds very different roles and functions from the board down to the security operations team”, Sleiman adds.
That brings us to the next important question: How aware are organisations of the need to quantify risk?
He says: “There’s no doubt that our region has in the past, and continues to experience, plenty of geopolitical conflicts. This creates insecurity among organisations in certain sectors and with it a pressing need to protect the infrastructure. On a positive note, there’s an incredible amount of regional awareness about cybersecurity. However, I don’t think enterprises are going about it with the right mindset. IT leaders need to understand that they can greatly enhance their security posture with the same effort, money and resources spent, if only they do things differently and in a more strategic manner. That is really what SAFE Security will focus on for the next few months as we roll out awareness sessions and campaigns with partners. Our mission as a company is anchored on making the world a safe place and we’ll spare no effort in this regard”.
With these goals in mind, SAFE Security is working to become the de facto standard for measuring and mitigating risk in the cyber world. “What appeals to me about SAFE Security is the company’s approach to engaging with business leaders in a way that bridges the divide between technology and business. Risk is the ownership of C-level management. So, we’ve been extremely selective in who we partner with, because we want to form alliances with organisations that are able to have the inroads to meet with appropriate organisational stakeholders, in order to help them quickly”.
When it comes to how SAFE will make all of this happen, Sleiman says that they will partner with like-minded organisations that are focused on protecting the region’s mission critical infrastructure. He says the company’s strategy is centred around five routes to market:

1) The consultants that are writing the digital blueprint for organisations – companies like Accenture, Deloitte, KPMG and the like.

2) The global SIs – the ones implementing these digital blueprints – Infosys, Wipro, Tata, Capgemini and so on, with their multinational footprints.

3) The Managed Service Providers – the ones who take the products and make them part of their network so it becomes a utility and a service that can be delivered to organisations that don’t want to do it themselves.

4) The VARs – that have built a cybersecurity practice and understand risk in the cyber world.

5) Alliances – elite cyber security vendors that sell a lot of diverse products. By partnering with SAFE, they can assess how well their solutions are implemented and can plug any gaps that are uncovered.
So, how future-proof are SAFE Security’s products?
Sleiman points out that SAFE Security is not a defence mechanism or an in-line technology. “We integrate and ingest signals and data from over 100 cyber security vendors and use concepts like Bayesian networks and Monte Carlo simulations that are used by financial and insurance companies to assess risk. We also leverage a comprehensive set of standards and frameworks such as NICE, NIST, ISO, CIS, STIG, MITRE, and many others. We have codified all the controls in these standards and have done an incredible amount of automation in the way we apply all these controls to people and various assets in the organisation to have a prescriptive and quantitative score indicating breach likelihood and dollar value impact. All of it bubbles up into the overall organisational risk… This is something really unique in the industry”. Sleiman also notes that at the end of the day, none of it is as complicated as it sounds. “There’s an incredible amount of intimidation for any professional, no matter how skilled, when they hear about things like AI, machine learning, automation and predictive analysis. There’s also no doubt that there is a huge amount of complexity and genius behind these technologies. However, the great thing is that organisations don’t have to deal with these complexities – we’re bringing it to you as a utility in a natural language that is easy to use. Of course, you need to understand the basics like your network etc., in order to optimally configure the solution. But you’re not going to have to tweak and tune AI or any of those complicated technologies under the hood. It’s like flipping on a light switch – you press the switch and the light comes on. You’re not involved with the wires or the circuit breakers or any of the intricacies. What we do is similar. We’ve packaged all these intricate technologies into a SaaS-based product, and like the underlying principles of SaaS, it is all about simplification”, he adds.
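To make the mechanics concrete, the following is an added illustration of the Monte Carlo side of cyber risk quantification as Sleiman describes it: each risk scenario is tagged with one of the five assessment vectors, carries an annual breach likelihood and a loss distribution, and is simulated over many years to produce an expected annual loss and a tail loss in dollars, which are then compared with a risk appetite and a retention limit to answer the three questions raised earlier (mitigate, accept, or transfer to cyber insurance). This is not SAFE Security’s model or code; the scenario parameters, the lognormal loss shape, the decision thresholds and the `decide` rule are all constructed assumptions for the example, and the Bayesian-network modelling of dependencies between vectors that he mentions is not reproduced here (scenarios are treated as independent).

```python
"""Monte Carlo cyber risk quantification: constructed illustration only.

Each Scenario is one risk on one assessment vector with an annual breach
likelihood and a lognormal single-event loss. Simulating many years yields an
expected annual loss (EAL) and a 95th-percentile tail loss, which a risk owner
compares against a risk appetite and a retention limit to decide whether to
mitigate, accept, or transfer the risk. All numbers below are invented.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    vector: str                # people, process, technology, cyber security, third-party
    breach_probability: float  # chance of at least one loss event in a year
    median_loss: float         # median loss of a single event, in dollars
    loss_spread: float         # sigma of the underlying normal: larger = heavier tail

    def sample_annual_loss(self, rng: random.Random) -> float:
        """Draw one simulated year: zero loss unless a breach occurs."""
        if rng.random() >= self.breach_probability:
            return 0.0
        return rng.lognormvariate(math.log(self.median_loss), self.loss_spread)

    def analytic_expected_loss(self) -> float:
        """Closed-form mean of p * lognormal, used to sanity-check the simulation."""
        return self.breach_probability * self.median_loss * math.exp(self.loss_spread ** 2 / 2)


@dataclass(frozen=True)
class RiskEstimate:
    expected_annual_loss: float  # mean loss per simulated year
    tail_loss_p95: float         # loss exceeded in only 5% of simulated years


def _estimate(annual_losses) -> RiskEstimate:
    ordered = sorted(annual_losses)
    n = len(ordered)
    return RiskEstimate(sum(ordered) / n, ordered[min(int(0.95 * n), n - 1)])


def simulate(scenario: Scenario, trials: int = 50_000, seed: int = 7) -> RiskEstimate:
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    return _estimate(scenario.sample_annual_loss(rng) for _ in range(trials))


def simulate_portfolio(scenarios, trials: int = 50_000, seed: int = 7) -> RiskEstimate:
    """Enterprise-wide view: every scenario is drawn in the same simulated year.

    Scenarios are assumed independent; a Bayesian network would be the place
    to model, say, a weak third party raising the likelihood of a breach.
    """
    rng = random.Random(seed)
    return _estimate(sum(s.sample_annual_loss(rng) for s in scenarios) for _ in range(trials))


def decide(estimate: RiskEstimate, appetite: float, retention: float) -> str:
    """Hypothetical decision rule (constructed thresholds, not SAFE's).

    transfer: tail loss exceeds what the balance sheet can retain, so insure it;
    accept:   expected loss is within appetite;
    mitigate: expected loss is above appetite, so invest in controls.
    """
    if estimate.tail_loss_p95 > retention:
        return "transfer"
    if estimate.expected_annual_loss <= appetite:
        return "accept"
    return "mitigate"


def quantify(scenarios, appetite: float, retention: float,
             trials: int = 50_000, seed: int = 7) -> dict:
    """Score each scenario and return {name: (RiskEstimate, decision)}."""
    results = {}
    for scenario in scenarios:
        estimate = simulate(scenario, trials, seed)
        results[scenario.name] = (estimate, decide(estimate, appetite, retention))
    return results


# Constructed scenarios covering three of the five vectors (not real data).
SCENARIOS = (
    Scenario("phishing credential theft", "people", 0.35, 200_000, 0.8),
    Scenario("unpatched internet-facing server", "technology", 0.20, 500_000, 1.0),
    Scenario("supplier data leak", "third-party", 0.10, 4_000_000, 1.0),
)
APPETITE = 120_000     # expected annual loss the board tolerates per risk (assumed)
RETENTION = 2_000_000  # worst plausible year the organisation can self-fund (assumed)


if __name__ == "__main__":
    for name, (est, action) in quantify(SCENARIOS, APPETITE, RETENTION).items():
        print(f"{name:34s} EAL ${est.expected_annual_loss:>12,.0f}  "
              f"P95 ${est.tail_loss_p95:>12,.0f}  -> {action}")
    total = simulate_portfolio(SCENARIOS)
    print(f"{'enterprise-wide':34s} EAL ${total.expected_annual_loss:>12,.0f}  "
          f"P95 ${total.tail_loss_p95:>12,.0f}")
```

Two things the paragraph alone does not show: the expected annual loss (what a budget owner sees) and the tail loss (what an insurer prices) can point to different decisions for the same risk, which is why the rule checks the tail first; and the enterprise-wide figure is not the sum of the per-scenario tails, because bad years on different vectors rarely coincide, so the portfolio must be simulated jointly rather than added up.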
Sleiman reiterates that the mistake businesses and governments make is to think they can adopt new technologies without changing their underlying business processes and regulatory frameworks. The rise of digital has created more security risk, and that risk is not confined to government agencies or financial services firms: it is embedded in the supply chain, which touches every company and every person.
In conclusion, Sleiman indicates that if we are to break the current vicious cycle of ‘the more we invest, the more we get breached’, then a real bold step is required by various government bodies and ministries as well as enterprise security and risk management leaders to embrace a cyber risk quantification mindset and institutionalise such practice in their organisations. Only then can we say we are heading to a safer digital future.