Home Interviews “I am eagerly waiting for more innovation in incident response and supply...

“I am eagerly waiting for more innovation in incident response and supply chain security”

Ryan Gurney, CISO-in-Residence at YL Ventures, shares how the new role will provide a perfect platform to provide value and learn the business. He also discusses how Israel has been a hotbed for innovation in security.

SHARE
innovation

According to Israel National Cyber Directorate, Israeli cyber companies raised $3.36 billion in the first half of 2021, an amount that constitutes about 41% of the total recruitment in the world, in about 50 transactions. This figure stood at $1.2 billion in 2020. It highlights that a third of the world’s cyber unicorns are represented by seven Israeli cyber companies. As venture capitalists have a field day with easy cash flows for these cybersecurity startups, we see these ventures looking for disruptive innovation in ideas and the people who will lead.

In an exclusive interaction with Minu Sirsalewala, Editorial Consultant at CISO MAG, Ryan Gurney, CISO-in-Residence, YL Ventures, shares insight on the booming cybersecurity startup industry, his role as a newly appointed CISO-in-Residence, and what areas of innovation are seeing heightened activity.

As a full-time CISO-in-Residence, Gurney will work directly with entrepreneurs pre-and post-investment, supporting their ideation processes, highlighting greenfield market opportunities, validating their value propositions, refining go-to-market strategies and optimizing their early-stage success in closing paying customers.

Prior to joining YL Ventures, Gurney was the former Chief Security Officer (CSO) at Looker, a business intelligence software and Big Data analytics platform acquired by Google for $2.6B, now part of the Google Cloud Platform. Prior to the acquisition, he served as Looker’s CSO, leading security and compliance and helping Google and Looker integrate and centralize key security processes post-acquisition. Previously, Gurney led all security functions at Zendesk in his role as VP of Information Security, where he played a key role in the company’s successful IPO. Additionally, he held security leadership roles at Engine Yard, eBay and PwC.

Edited excerpts of the interview follow:

In your varied leadership roles, right from PwC, eBay, Engine Yard, Zendesk, Looker (now part of Google Cloud Platform), and now YL Ventures, how has the journey been? How has the cybersecurity landscape evolved over the years?

It has been a highly rewarding journey and a privilege to work with such innovative companies and leaders. The cybersecurity landscape has really grown since I began my career. When I started, the CISO role was still relatively new.  It is reassuring to see how vital companies feel about it now and how far the security industry has come as a whole.  It is also pretty inspiring to see so many brilliant minds rise to the occasion and tackle the hard security problems companies struggle with today.

What brings you to YL Ventures as a CISO, and what piece of advantage do you bring to the table?

I had already been working with YL Ventures as a Venture Advisor for a number of years consulting seed-stage cybersecurity entrepreneurs on their early product and market strategies.  My industry experience, especially as a cybersecurity leader and often target-customer, gave the entrepreneurs I worked with vital insight into customer needs, preferences, and decision-making. Joining YL Ventures in this new role allows me to do that in a far more involved and hands-on way.

This seemed like the most natural and meaningful step for me to take at this point in my career. Following Google’s acquisition of Looker (where I was the CSO), I spent a year helping transition our security program over.  Once that was complete, I took some time off, and had a desire to do something different.  I had always enjoyed advising and investing in startups and now wanted to understand more closely the business aspects of how a VC firm operates. At YL Ventures, the CISO-in-Residence role provides a perfect platform for me to provide value and learn the business.

Hopefully, I can offer a wealth of first-hand knowledge through my time as a CISO at various fast-paced, engineering-focused SaaS companies.  Specifically, I’ve scaled high-growth companies and teams, been a part of multiple acquisitions, seen companies fail, prepared a company for a successful IPO, and been acquired by a heavyweight company like Google. In each role, I’ve managed product feature development and budgets that required critical due diligence when it came to selecting what vendors I partnered with. Entrepreneur access to this kind of knowledge and experience can dramatically accelerate their company journey.

What traction do you see in the cybersecurity startup space today? What are some of the frontiers/opportunities that you are looking for in this space?

There are so many opportunities, and it has been exciting to talk to passionate founders and hear how they are innovating and disrupting traditional security approaches. Our recent, joint-published CISO Survival Guide, on which we partnered with Cisco Investments, Forgepoint Capital, and Norwest Venture Partners, outlines four areas that I am particularly interested in at the moment – namely SASE, DevSecOps, Privacy Engineering, and Security Automation. I am also eagerly waiting for more innovation in incident response and supply chain security.

As per ‘The Rise of Global Cybersecurity Venture Funding’ report, Israel is the second leading country after the U.S. with over 20% of the country’s venture funding finding its way to cybersecurity companies in 2020. Is that a result of the pandemic for a sustainable growth model? 

Israel has been a hotbed of innovation in security for years, and that can absolutely be attributed to a sustainable growth model.  The combination of mandatory military service (and the cyber education received), constant threat from known and active adversaries, national interest in producing top technical talent, and a relatively small population size (leading to a tight-knit community) results in an extraordinary ecosystem for cybersecurity startups to thrive.

When it comes to disruptive technologies, what kind of startups interest you? Which areas of cybersecurity are seeing increased adoption?

Adoption tends to be reactionary and fluctuates according to what is in the news.  Recent breaches associated with supply chains and ransomware have led to more companies investing more dollars in third-party risk and compliance, identity management, EDR/XDR, Zero Trust / SASE technologies.

There is a noticeable shortage of cybersecurity professionals. How big is the problem and how can this gap be bridged?

It is a huge problem, and it is not improving at the rate the industry needs. There are way more job openings than dedicated security professionals available, and that gap seems to grow with every public data breach announcement as executive boards react. For years, we have acknowledged that an important solution lies in automating our security stacks, but it is also time to recognize that security is everyone’s responsibility and delegate more security-related tasks to other departments within an organization. Finally, security leaders must be willing to take chances on hiring and mentoring those that may not have traditional security experience but are eager to learn.  It is imperative that security leaders take the time to get to know employees outside the security organization who may be interested and have the aptitude to become great security professionals.

There is much talk around API security and management. Can you share your thoughts on the changing landscape and current challenges?

APIs have long been a difficult challenge for CISOs to manage. With increased cloud adoption, specifically SaaS, CISOs have lost visibility and control over how these applications are being configured in their environments. They are blind to who has access, what data is housed, and how APIs are being managed.  This can make it challenging to protect data properly and defend their organizations against third-party data breaches. Rising up to the challenge, we see an increase in API security startups and tools that attempt to address these risks. We have even invested in a few ourselves, including build.security and Grip Security,  who are addressing API authorization and SaaS discovery challenges. And we will continue to talk to founders about other API management ideas to further improve the space.

With remote working as the new norm, compromised IoT devices are an obvious threat. How can we mitigate this risk, and how foolproof is this approach?

This is an interesting question because it can affect industries differently. In any case, IoT devices have always been a challenge to secure as they were not traditionally designed with security in mind. They are often fairly lightweight, and in some cases, not easily patched if a security vulnerability is discovered.  Their lightweight nature also makes it difficult to add additional controls, such as encryption, access control, or deeper logging and monitoring. Companies today attempt to secure IoT devices instead through a combination of approaches, including network segmentation, authentication, patching, and encryption. However, managing and coordinating the activity necessarily is challenging without tooling.  Startups, including our portfolio company Medigate, which provides a dedicated security solution for medical devices, are innovating this space with the promise of asset management to manage the important risks that these devices place on their administration.

Medigate’s journey is an excellent example of how IoT is transforming traditional sectors; the healthcare industry received quite the shock as COVID-19 accelerated our dependence on personal and connected devices to manage health. This includes laptops, cellular phones, tablets, and a range of remote patient monitoring devices – everything from an Apple Watch to a device used to treat chronic disease. As hospitals bureaucratically catch up to the digital age, more of these devices are attempting to connect to unprepared healthcare networks from unsecured sources. This lack of preparedness cannot go on, considering the sensitivity of the data stored in such organizations.

What are some technology business drivers and strategies that are affecting or influencing innovation in the security realm?

As I mentioned, publicly reported attacks are key drivers of cybersecurity industry innovation. However, we have also seen a heavy influence from emerging regulatory requirements and the COVID pandemic as well. A significant increase in ransomware attacks has led to more conversations about least privilege access, especially on authorization, zero trust access, incident response, supply chain management and business continuity practices. GDPR single-handedly transformed the regulatory landscape and increased interest in “privacy by design,” leading to more founders exploring data discovery and privacy engineering solutions. Finally, the COVID-19 pandemic forced companies to revisit, and in some cases, completely reorganize their distributed workforce practices.  This has allowed for more urgency and dialogue around remote employee security, zero trust principles and SaaS security — the latter of which is finally being addressed by our latest portfolio company, Grip Security.


Minu

About the Interviewer

Minu Sirsalewala is an Editorial Consultant at CISO MAG. She writes news features and interviews.