Innovation happens fast in the cloud-first era of today. Yet the tools and processes that allow software developers to ensure their products are secure were designed for a different era. As such, existing risk controls often act as an impediment to the digital transformation and hinder developers’ ability to quickly ship software.
Idan Plotnik and Yonatan Eldar understood this challenge all too well. While working as leaders of product and engineering teams at Microsoft, they were tasked with satisfying the two (often competing) demands of product delivery times as well as security and compliance requirements. Across the industry, most teams were still using point solutions and manual, periodic controls that slowed down production. So in 2019, the two branched out to start apiiro: an end-to-end platform designed to enable developers to embed security earlier in the software development process.
The company, which came out of stealth and announced a $35 million Series A in October, now works with enterprise customers across multiple sectors including financial services, healthcare and gaming.
“We formed apiiro to reinvent the secure software development life cycle,” says Plotnik, who serves as apiiro CEO. “We wanted to solve the board-level challenge by bridging the gap between CISOs and build trust between development, security and compliance teams.”
Imperva CISO Samir Sherif, whose company works with apiiro, says the ability for developers to shorten their time to market and build products that are quickly adopted by businesses depends on their ability to transition from waterfall to agile development. Having a unified platform to achieve that while meeting security and compliance regulations is critical.
“The practical reality is that technology is moving much faster, but the rules of the road are still there,” says Sherif.
On the latest episode of Greymatter, Greylock general partner and apiiro board member Saam Motamedi sat down with Plotnik and Imperva CISO Samir Sherif, whose company partnered with apiiro. You can listen to the podcast here.
EPISODE TRANSCRIPT
Saam Motamedi:
Hi, everyone. Welcome to Greymatter, where we share stories from company builders and business leaders. I’m Saam Motamedi, a general partner at Greylock. Today, I’m speaking with Idan Plotnik, CEO of Apiiro Security, and Samir Sherif, Chief Information Security Officer of Imperva. We have a fascinating conversation covering the DevSecOps movement and how it addresses the new security challenges created by the acceleration of digital transformation in the enterprise. Thanks for joining us and enjoy the podcast.
Let’s start off by just introducing yourselves. Idan, maybe we’ll start with you. Can you give our listeners a quick introduction?
Idan Plotnik:
Sure. Thanks, Saam. So I’m Idan Plotnik. I’ve been in the cybersecurity industry for more than 19 years now, started my career in a cyber security unit at the IDF, left the army after five years. And I founded a consulting services company focused on pen testing, risk assessment and security design reviews. I sold this company in 2011 and then I founded a startup called Aorato. We were basically pioneers in the user and entity behavior analytics space (the UEBA). Aorato was acquired by Microsoft in 2015. And I was a director of engineering, running engineering, product, security, research, data science and DevOps across two product lines. And now I’m the founder and CEO with Apiiro.
SM:
Awesome. And we’re going to hear a lot more about Apiiro. And Samir, can you please introduce yourself?
Samir Sherif:
Sure. Samir Sherif, currently CISO at Imperva. Like Idan, I’ve been in the technology cyber business for quite a long time. I would say close to 22 years, most of it spent in Citigroup where I was in the technology space, both from development, product management audit and risk and compliance. So [I have spent] probably the last 10 years in information security running various programs related to application security including biometrics, digital efforts, and programs around biometrics specifically to enable businesses for innovation and fraud management. But [I have also worked in] the general secure development vulnerability assessment, risk assessments, and really driving a lot of changes in terms of policy development, but also tooling and innovation for the technology teams.
SM:
Great. Well, I’m excited to get both of your perspectives on a number of questions that we have here.
I want to start off by just talking about the trends we’re seeing around digital transformation.
You know, we’re recording this in October 2020 in the midst of the COVID pandemic, which has had a really interesting impact on software. Satya Nadella, CEO of Microsoft, recently said something to the effect that two years of digital transformation have been compressed into a couple of months. And that’s a trend I certainly hear a lot about from every large enterprise I talked to: [There’s a trend of] digital transformation, and every company is becoming a software company, and seeing software development as a core competency. And as part of that, a move from waterfall to agile development to CI/CD and an increased focus on developer effectiveness and productivity.
Idan, let’s start with you. What does all that mean? And can you talk about how this transformation played out at Microsoft?
IP:
Yes, sure. So in fact, I was fortunate enough to meet Satya Nadella in person. Most of the executives and board members already acknowledged that their business will be disrupted in the next two to five years.
“What I also noticed is that enterprises that allowed developers to be responsible for the end-to-end delivery process are at the forefront of digital transformation.”
In these environments, development teams have the ownership, cross architecture, security controls, business logic, data flows, and infrastructure. And the developer ownership is one of – I think from my point of view – is one of the fundamental culture changes in the enterprises and it’s what drives growth. And in a very short period of time, I think this is the magic here. Even development teams begin to see their immediate impact on business growth. And this is the unique moment where digital transformation is behind these culture shifts.
And this is my point of view – and last but not least from a practical point of view –when you want to move fast and you may want to adopt agile and CI/CD, you don’t have any long design specifications. You don’t have processes and documents that you hand off to developers like what we did in waterfall. And this is something to think about. There may not be any design specifications that you, as a security architect, can review as part of your risk assessment and you need to do a minimal design work. So the only thing that was left is that the code is the actual design. And if the code is the actual design, where do you identify security and compliance issues in the design? And this, I think, is one of the interesting questions that we at Apiiro learned when we worked with customers across their digital transformation process.
SM:
It’s interesting. You’re both talking about the opportunity here around driving more developer ownership and letting developers drive business metrics directly. But then also the challenges that get created when that happens around, lack of, or perhaps existing process and tooling not being effective in this new world. And so I want to talk a lot more about that.
But first Samir, I want to ask you the same question. You’ve had a really interesting perspective into this at Citi and now Imperva. Talk to us about how you’ve led some of these efforts and what you think of the opportunities and challenges.
SS:
I’ll give it to you from the perspective of a recipient of the demand to innovate and change supporting business within my previous experience, (obviously, but it’s interesting).
So the digital transformation – when I was being challenged around really looking at how we can streamline and innovate and move faster – was really about knowing how the customers and the consumers are interacting. And what I mean by that is there’s been a significant change, obviously both on how companies and businesses, especially in the financial industry, want to change. And also how quickly the consumer is wanting to change at the same time.
So, for example, if you’re used to picking up the phone and calling your broker and making a trade, now all of a sudden you can do it at the tip of your finger. What is the risk threshold? Is it a million dollars? Is it a hundred million dollars? What’s the appetite for the company to actually take a risk? Do they really know who that person is behind the tablet, right? And that created an entirely different risk profile and challenge for the business on one angle is to innovate and move faster. On the other side, or I would say in the middle side, is all the connectivity that came with digital transformation, which has all the external relationships.
So there is no longer a dependency on somebody pushing paper around for authorizations approval. They’re all integrated with external businesses. Just think of APIs and B2B relationships. They’ve also been moving to the digital space. On top of that, you have the regulators who are telling you, well, you know, you are responsible for a thousand different controls and guess what? It hasn’t changed now that you can do it systemically. We’re going to expect you to be, but I mean, if we want to move faster, we’re going to expect you to be able to answer the same question. So the challenge for me supporting the business and also working with the technology heads and developers was, how can you now move to agile, let alone DevOps, move to agile and still be working in like a waterfall model, following the same waterfall, risk and compliance requirements? It was mind boggling. It took many, many years to put together a really good, strong automation, so much layers of complexity. Not only you have to innovate, move, support the business for digital transformation and cloud, moving to the cloud, but also using the same mentality to stay compliant and be risk averse and be fully cyber secure, you know, implement all the right controls. And I think that’s where in my discussions with companies like Apiiro, it really begins to answer a lot of those questions and bring it upon maybe the concept of governance as code being it, becoming a reality over time, right? And I think that journey now is catching up, finally. And I think we’re going to move even faster in the future.
SM:
I want to double click on one thing Samir, I think in the past you said something like everything is becoming code and there’s a lot of positive there. You know, developers can spin up new infrastructure much more easily and quickly than ever before. But then to your point, it creates a whole new set of challenges. And how does it change how you prioritize your time and your efforts across different areas?
SS:
What I’ve done even after joining Imperva is to kind of rethink security technology risk in general, more about business transformation and business enablement. And what I mean by that is, we have to get out of the habit of just looking at the frameworks and controls and saying, well, if the technology need and demand is X, then we have to apply Y. It doesn’t work anymore.
I think for all of us in the cybersecurity space is to really rethink and remind ourselves that we’re actually there to support business. We’re not there just for security, which means we have to change the way, we think we have to actually innovate as well.
“It’s understanding the innovations side of it, but more so really challenging the risk professionals to really rethink and enable some of the automation that needs to come along with it.”
Because if the two don’t come together, we’re never going to be able to support the businesses to innovate.
SM:
Yeah, absolutely. You and I have talked a lot about some of these challenges, you know, Samir is referencing and the problem with existing approaches to risk and security and how they become blockers in this new world. Now’s a good time to tell us why you started Apiiro and what Appirio does, and how Apiiro addresses some of the challenges Samir is talking about.
IP:
We all know the famous saying, Marc Andreessen in 2011 proclaim that “software is eating the world.” I think in 2020 is “code is changing the world” because in the cloud-first era, enterprises cannot distinguish anymore between software and infrastructure. It’s all code. And if we’ll take it one level down and in going back to what I said about developers, ownership and digital transformation, developer will not open a ticket anymore for IT. Or manually will go to the cloud provider UI to fire up the compute resource change network structure, ed roles, or policies, or even change the API gateway configuration whenever the introduce a new API. It’s all code. So the challenge we are facing to application security will be multi-tiered by several levels.
“So this is basically how I see the picture and, and I see a huge shift to developers owning the end-to-end process and basically codifying everything across the application security, compliance, governance, and infrastructure.”
Going back to your question. So, so as a director of engineering at Microsoft, I was also an owner of product risk. I was responsible for prioritizing, remediating and also communicating risks to upper management. And I think, you know, basically it was a constant struggle. The number of features that we delivered to production grew exponentially, and each change had to go through the same labor intensive processes that Samir was talking about before deploying to production. Maybe we should cover only two, two or three of them, like risk assessment and threat models tools tend to rely heavily on self at the station, which leads to, eventually to poor data quality or inconsistent unreliable identification of, or in remediation of risks. And in addition, these tools were not being validated against code changes, you know. And this is what was eventually delivered to production. And there was, there was a huge wall between the risk practitioners and the developers, and eventually the code that you deliver to production.
Let’s take just two more examples: penetration testing, which is a labor-intensive process that must be contextual to be able to produce meaningful insights. How do you do that? You have basically two options. One, you can interview the development teams and understand what are the material risky changes and focus on them, or manually go one by one on your JIRA tickets and understand the context of these changes. But, we’re going back, again, to this set up of relying on self at the station – which for inability scanning tools, like static code analysis and others, is identifying only for inabilities. The reason that they produce a lot of false positives is because of the lack of context that is around the developer knowledge and behavior and the code changes. And this is why we formed Apiiro to reinvent the secure software developing life cycle, solve this board level challenge by bridging the gap between CIOs, CSOs and build trust between development, security and compliance teams.
SS:
And to add to that, the practical reality is as technology has been moving more, much more to agile. It’s been really around the simple fact that instead of one big change that you take two or three months to deploy, now let’s become 50 small agile, right? So for risk professionals for cyber, everything was designed around, well, if there’s a significant change and I need to do Y right? I need to involve a privacy person to review for cross border data transfer, or I need to do this certain type of security assessment. But because there are now all tons, you know, dozens of small little changes, it’s easy for them to bypass these controls, but then ultimately when you do the release three months down the line, but everything has been developed in an agile fashion, then you’re still bound by the same regulatory requirements. Where do you get that visibility to even make that determination and assessment? And you can see what’s been happening with some of the regulatory responses and some of the fines for companies with lack of effective controls, especially around moving to cloud. And it’s creating jitters in the marketplace. And this is purely because of the lack of visibility that currently exists in the innovation space.
SM:
Yeah, absolutely. Samir, I want to follow up on that. And maybe with two questions, one is, how much of this is a technology problem versus a cultural problem? And then the second piece is, comment on Apirro and your perspective on the role Apiiro’s product can play in driving transformation.
SS:
Sure. Everybody’s trying to move faster, but what really happens on the ground is the rules of the road are still there. The rules haven’t changed. They’ve become a lot more structured, right? Regardless of where you operate in the world, you can be bound by a certain set of regulatory and compliance requirements. And what’s happening is the culture change has already started, but has it started with the business and digital teams, even the technology teams are adopting and innovating very, very quickly.
“The challenge though, the culture that hasn’t really changed is the risk compliance and security, right? And I think that’s the challenge that we need to solve for.”
It makes perfect sense, but because everything, like I said, was moving to code, we also need to rethink how we apply and change the risk tooling that we currently rely on. We need to really push them to the edge so they can also innovate and help the business and transform. There was really nothing in the industry that really gives you a context in view of a technology change, right? Especially aggregating it, understanding where it’s happening, who’s doing what, and being able to systemically and more efficiently actually answer those compliance questions. And not rely on hundreds of people on the ground who are just really constantly, you know, engaging directly with technology teams and developers to get visibility, right? If you can automate it, at least bring about some sort of technical capability to it, then that will be amazing.
SM:
Yeah, absolutely. One last question on Apiiro, what’s the status of the company? You know, some of the learnings you’ve had from customers you’re working with and, and the types of customers that could benefit from something like Apiiro.
IP:
So Apiiro now is deployed across industries, including large banks, large enterprises in the gaming, healthcare, and software development verticals. What we managed to do is to measure in a quantitative manner, what are the success criterias? And this is the key element here. So our customers stopped using manual risk assessment questionnaires, and they automated the assurance before releasing code to production. This is a quantitative measurement on how you can reduce time between compliance and security teams. You can allow them to focus on bringing value to the business instead of wasting time on tedious questions that repeat themselves again and again and again, without basically validating them against the code changes. We also reduce the money that our customers invested on prem testing, and they got better results because we narrowed down the scope only on material changes that are risky, that has business impact.
And last but not least is that we allowed security and compliance practitioners just to focus on the changes that really mattered to the business. And even one more use case is that we reduce the amount of false positives that these customers got from different tools by enriching our own intellectual property around developer behavior and business impact knowledge.
SM:
Great. Two closing questions. I think one, you know, it’s so interesting to be on this podcast with Idan, someone who’s built multiple security companies from scratch, and Samir who’s helped lead some of the largest security programs in the world. Talk about how you work with each other and how can startups be most effective in working with large enterprises and delivering new innovative solutions to large enterprises. Maybe Samir, we can start with you.
SS:
Sure. I think the best way to engage with startups around innovation and change is really, “Yes, I agree,” starting at the top. In my engagement with the Idan, I think the visibility around really what goes on in the heavily regulated industry is helpful, but it’s also transformed our conversation to even more around risk management. The reality is even smaller, mid-size organizations who may not have the robust risk culture, risk frameworks can begin to use tools like Apiiro and really begin to much more quickly adopt similar capabilities like a lot of the larger organizations have to follow. Because regardless at the end of the day, they’re servicing the same industry, right? Or similar industries, whether it’s healthcare or some of the other critical infrastructures. And I think coming with that mindset is important to help shape where the technology needs to go. And I think that’s where the value comes in.
SM:
Absolutely. And Idan – I’d love to get your perspective.
IP:
So, I think it’s priceless. I will say it’s priceless to have someone like Samir, with the knowledge and the day by day struggle of such large organizations and complex security programs. And to understand and hear firsthand from a person like Samir about these challenges helps me personally shape the strategy of Apiiro, the product of Apiiro. And it helped us also provide a solution to other large enterprises that had similar challenges. Every startup must have someone, you know, like Samir or like other CISOs in large enterprises, and just listen. Just sit with them and just listen, don’t talk and listen to their insights and, and eventually compile the insight into a working product that solves the real world challenges.
SM:
Yeah Idan, you’re hitting on a really important thing that we see, which is, companies early need to have a very tight feedback loop from customers back to product. And you want that feedback loop to iterate as quickly as possible.
SS:
Right. And have an open mind.
SM:
Absolutely.
IP:
Don’t invest in entrepreneurs that are not like that. And you cannot succeed. You cannot build a large company without this specific process.
SM:
I like to close these podcasts with a personal question. So we’re, we’re sitting here in 2020, it’s an unusual year. For both of you guys, either in your personal lives or with the teams that you help lead, what’s an interesting routine that you’ve adopted in 2020 to stay balanced, energized, you know, refreshed as we all work through this year? Maybe Idan, we’ll start with you.
IP:
So I will do a tactical answer and a bigger one or a strategic strategic answer. From a tactical point of view, you know, it’s just sending wine, beers to your team and jump on a zoom call and, and just talk about not work, you know, have fun with the team across Zoom and let them know that you care about them, even if you’re not sitting next to them at the office. That’s one thing. And the second thing, which is, you know, the broader picture is you need to train your team or give them the tools to interact with your customers over, you know, a video conference and, and train them and talk to them. And this is what I did. I invested, I think I will say between two to four hours a month to allow my team to understand what are the processes and tools they need to do to implement, to have to build trust with customers over zoom and other things that the customer will feel, you know, we were working with with the largest enterprises in the world, they need to deploy Apiiro if it’s on-prem or as a software, as a service, they need to trust us over video.
SM:
Those are both great recommendations. And I’m looking forward to my wine delivery before the next Apiiro board meeting. Samir, same question for you.
SS:
The only thing I would add is encouragement to everyone to get out, right? Do as much physical movement, exercise, refresh. We are social humans at the end of the day. Our creativity really comes out when we are together in a room collaborating and doing things like that. But now, because of COVID, we’re changing our habits. Zoom is helping, but it’s not solving the basic questions around the humanity, right? So I think everyone on my organization and my team have been encouraged to do more outdoors. I think we’re all riding bikes and doing different things, just to kind of remind ourselves that we do stand up and do something different. And the flexibility that that allows us now is we’re all remote. So the work-life balance I think is significantly better.
SM:
Absolutely. It’s such an important point, Samir. Well, Idan, Samir, thank you both for joining us on Greymatter and thanks everyone for listening.
SS:
Thank you.
IP:
Thank you for having us.
SM:
That concludes this episode of Greymatter. You can subscribe to our podcast on soundcloud.com/greylock-partners or wherever you get your podcasts. You can also find new episodes and blogs on our website grelock.com. You can also follow us on Twitter @GreylockVC. I’m Saam Motamedi and thanks for listening.