“They use our software to play war games within their infrastructure.”
During his time as CISO, Guy Bejerano wanted a simple solution to simulate cyber attacks, and it bothered him that one didn’t exist. He wanted to fix that gap in the industry, so he co-founded SafeBreach, where he is CEO. Bejerano shares that SafeBreach’s software is a layer of truth for organizations that hope their security will perform well against threats, but can’t really be sure. Although he knew the change he wanted to create in the mindset of the cybersecurity industry, he explains that he didn’t have much of a plan for starting a company. By working with CISOs and studying market needs, the SafeBreach solution was developed. Bejerano describes their software as a way for organizations to play war games in their systems. He says the journey is very different from what he expected, but he is passionate about improving cybersecurity and helping young entrepreneurs.
Tell me about your own interaction with the security world. What draws you into it?
I was drawn into the security room by accident. I had an accident that took my course from entering the Israeli Air Force pilot course to the security area. I fell in love with this room that developed in the 90s. I built a red team in the Air Force. Through that I grew into a few CISO roles and built SafeBreach about eight years ago.
What were some of the key insights from these journeys that led to the formation of SafeBreach?
The CISO’s role is very challenging. I saw my role as the person who needs to translate a lot of technical data into business data. And the business realization of: What is our real risk? There was nothing in the market that really helped me do that. Many of the challenges were convincing the large companies to move their critical data to our platform. We did that by proving that we’re worth the security by actually showing behind the curtains and really being transparent with what you have and letting them challenge you.
Then I literally hit a glass ceiling because there was nothing in the market that could help me with that. We tried to build some homegrown solutions, but none of them were scalable enough. I brought in some white hat hackers. After they showed me four ways to hack into our system and get confidential information, I asked them, “Is there a fifth scenario? Is there a 10th scenario or more?” One of them understood what I’m trying to do and he actually connected me to my co-founder.
If we look at the world eight years ago and at this idea of attack simulations, where is the world from a marketing education perspective?
There is much unknown in what should be trivial. Any average organization today, if you want to ask the CISO if they’re susceptible to an attack that happened a few months back, if they’re not using something like SafeBreach, there’s no way for them to know. They will guess. What we’ve introduced to the market is, for the first time, the ability to really test yourself against something that might happen and use that data to understand how good your defenses are.
Indeed, the latest announcement from the US government embraces continuous validation testing as part of the standard for a business to truly increase security effectiveness and reduce risk. These are concepts that we established a few years ago and are now becoming more and more accepted by the industry.
Take me back eight years. How do you build this company from the ground up?
I could tell you we had a plan beforehand, but that wouldn’t be true.
We have actually partnered with a great VC. We started to really listen to the market and the market’s needs. I decided that the corporate market is our main focus. By listening to the needs of their CISOs, we began to build a platform. In the beginning we only focused on the red side. And then we realized that the blue side is also very important because not only showing an organization that they have gaps, but actually helping them reduce the gaps would be critical.
Walk me through the traditional use case for what an engagement with SafeBreach would look like. What is actually happening from a business perspective?
Basically, we have built a software solution; it is fully automated. We wanted to bring the attack into an organization in a controlled manner. They use our software to actually play war games within their infrastructure. It does not affect your production. We listen to the controls and we try to understand: What did they see? What were they trying to do? How did they try to prevent our action? Have they discovered it? Did they send the right notice? We then aggregate all of these into one picture that the CISO gets that shows them what their level of prevention and detection is and how much they missed. We take all of this information and look back at the security controls so that they can change their configuration based on our attacks and make sure that the next time someone launches a similar attack, they will either prevent it or detect it.
In what way do you envision your customers positioning SafeBreach in their cognitive landscape?
We are literally the team of truth; the actual what will happen if they do nothing. What is the cost to avoid? We look at it from two different angles. One would be the security provider and the control validation. People talk about an average of 70 to 100 security tools used by the enterprise today. The level of complexity is just enormous. They have no real way to really deal with the level of complexity. We show them what the effect of all these controls is. Sometimes it’s a configuration issue. In fact most of the time. Sometimes there is a blind spot that the specific provider has. Then our customers can go to that supplier and ask for a solution.
The other side comes from the threat landscape. What we have compiled into our software are all the threat actors. We will provide them within the platform and they can actually know exactly how you will deal with them when the time comes. CISOs then take this information into the boardroom and actually talk about real risk.
If you look at your own journey, where do you see yourself as part of your own personal vision?
I’m enjoying myself because it’s all new. It is literally groundbreaking. It goes against the notion of what I believe to be a broken industry. I am trying, and I can see today that I am succeeding, to change the mindset in the industry. I really love the fact that we’ve been able to make a change in something that was personally a pain point as a CISO. We have managed to build a solution that provides a simple answer.
Do you see yourself as living in safety as a life mission?
I’ve been in security my whole adult life, and I definitely see it as a mission for me. If something doesn’t work and if it’s broken, and for years people have accepted it, it really bothers me. That’s where I find my real drive. Other than that, I like everything about building a company.
Were there things you didn’t really expect on your entrepreneurial journey?
I want to say a lot. The journey turned out to be nothing I thought about in terms of expecting ups and downs. Building a company has many aspects unrelated to security or the security market that you actually need to learn and grow into. My personal growth is also something I really enjoy about being a first-time CEO.
What is one conceptual thing you would advise students to consider as they approach this journey?
I work with young entrepreneurs in several programs and share my scars and my experience. First of all, do something you are passionate about. It is a tough journey; it’s a long journey. Second, surround yourself with people you trust and people who are positive. The third part is not to get excited or depressed too often about ups and downs. It’s a rollercoaster. Take it down a notch either way.
Michael Matias, Forbes 30 Under 30, is a Venture Fellow at Innovation Endeavors as well as an investment partner at Secret Chord and J-Ventures. He studies artificial intelligence and human-computer interaction at Stanford University, and was an engineer at Hippo Insurance. Matias previously served as an officer in the 8200 unit. 20MinuteLeaders is a tech entrepreneurship interview series that features one-on-one interviews with fascinating founders, innovators and thought leaders who share their journeys and experiences.
Contributing Editors: Michael Matias, Megan Ryan