Spend Advantage Podcast

How To Discover And Protect From Shadow SaaS

April 04, 2023 Varisource Season 1 Episode 34

Welcome to The Did You Know Podcast by Varisource, where we interview founders, executives and experts at amazing technology companies that can help your business save a lot of time, money and grow faster. Especially bring awareness to smarter, better, faster solutions that can transform your business and give you a competitive advantage----https://www.varisource.com


Welcome to the Did You Know Podcast by Varisource, where we interview founders and executives at amazing technology companies that can help your business save time and money and grow, especially bring awareness to smarter, better, faster solutions that can transform your business. Hello, everyone. This is Victor with Varisource. Welcome to another episode of the Did You Know Podcast. Today I'm excited to have Lior Yaari, who is the CEO and founder of Grip Security, on the show with us. Grip is the world's first SaaS security control plane. Welcome to the show, Lior.

U1

Hey, Victor. Thank you so much for having me today. 

U2

Yeah, you have a tremendous background, and there's a lot of very fun insights and questions we're going to go through with you today. First of all, you are originally from Israel, and I think the education of Israel is amazing, or just the process, because there is a tremendous amount of unicorns and just amazing founders and entrepreneurs in Israel building amazing technology. Right? And so you actually had a great view into all of that, because part of your background was the CTO of YL Ventures. And as you told me, they are now one of the, if not the biggest cyber-focused VC globally. So can you give us a little bit of background, kind of your history and the founder story? Yeah.

U1

Yeah, would love to. And as you said, I started my career in cybersecurity, as many people do in Israel, in the Israeli intelligence. And I ended up, after working for a few startups, as the CTO at YL Ventures. They're managing almost a billion dollars that's solely invested in seed-stage security companies in Israel. And while there are many seed-stage security companies in Israel, sifting through the noise and finding the best investment opportunities and those companies who could go to a billion dollars or more is not easy work. And what YL Ventures focuses on is finding the best team, the best problem spaces, matching them together and taking them to market in the US. So they have over 120 advisors from Fortune 1000 companies who sit on the board of advisors, and those people help accelerate both investment decisions and go-to-market opportunities for the portfolio. I had the pleasure of being CTO for YL Ventures starting in 2020, which was a fascinating era because it was right on the brink of market collapse, if you remember March of 2020 when I started, which was followed by the best time in history to be a cybersecurity startup. And we've seen how the market reacts to digital transformation at scale. So overnight, cyber became one of the most pressing priorities for organizations, and we were in this position to analyze and understand how it affected the market. I had the pleasure of having a very balanced view. So in 2020, I've personally met 97% of cybersecurity entrepreneurs in Israel. I know there were a few deals that we missed, but we met almost everyone. And I used to joke that my job was not investing in startups, because you meet everyone. We ended up investing in three companies in 2021, one of them was Grip Security. So I don't know if it counted as an investor, because it was two weeks after I'd left the VC role.

U2

I see. Wow. Again, it's really amazing that you have the background from being able to talk to 90% of entrepreneurs, because security is so broad. There is security in everything. And for you to kind of be able to talk to them, learn what they think, what they think the future should be, what the challenges are, and coming in now becoming the founder of Grip. So what made you want to go from the VC side to the founder and entrepreneur side, to make that leap? It must be something you've seen, Grip, that you said, I cannot miss this. Right? Because you went from mentoring, helping every company, to now focus on this one thing. So why was that?

U1

There's two things that happen when, as a technologist, you move to the VC investment side. One, you start getting jealous of giving other people money, but that's not the big issue. The real thing is that you go so deep on the market challenges that you're trying to solve. You spend so much time talking to market leaders and technology and friends in the industry about getting to the core of the problem and understanding how you can solve it so that you can invest in it. So I made a recommendation to invest in SaaS security about three, four months into my role. But at that time it wasn't "this is the solution," it's more of like "this is a big problem, let's find a smart team with an interesting idea in the space and give them money, because the problem space is going to be bigger and grow year over year for the next ten years." It was an assumption based on some theories and research. For six or seven months after that I was looking to invest in a SaaS security company and didn't end up doing so. Not because they didn't want to, but because market conditions, meaning the people that we've met and the ideas that they had at the time, weren't the perfect fit for us. And seeing this market continue to grow, not being a part of the race, neither from an investor perspective nor a founder perspective, made me take the decision that maybe I'll do it myself. And I was lucky enough to have YL Ventures decide to join me on this journey as well. So they invested a few weeks after I decided to go this route.

U2

Yeah. So, again, you've seen a lot, right, in security, in cyber and a lot of SaaS companies. So why do you think SaaS security has become so important, yet challenging at the same time for companies of all sizes? It's a great question, and I think one of the most important pressing questions is why now? SaaS is not new, it's not a 2021 problem, and SaaS applications have been with us for 15-20 years now. But there was something that happened in

U1

2020-ish, maybe a bit before. It's not COVID, it's just the sheer scale of how essential SaaS became to the business. So SaaS was with us for 20 years, and it's been growing 30% year over year in spend and number of applications, nonstop, for 15 years.

U2

Which means

U1

that every organization today uses most of their IT based on third-party tools accessible from everywhere on the Internet, meaning SaaS applications. And we reached a boiling point with traditional solutions. We used to look at SaaS like a network problem. We assumed all of our employees are in the network, and if we blocked Dropbox on the firewall, they wouldn't be able to use the app itself. What we forgot is that now every business unit is using 15 different tools to do their job. Those tools have the data, have access to our sensitive assets in the organization, and every traditional control we used to have, proxy, CASB, firewall, doesn't work anymore. Finding those SaaS identities and adding a security layer to them is the big hit for SaaS security now. It's going to be in two years. But this is why you need to start building the tech, so when SaaS security becomes a new pillar in security budgets, pillar meaning there's more than a single tool that solves this problem, same as AppSec or network sec or cloud sec, we're going to be the biggest player at the time.

U2

But why do you think, as far as the challenges, I think a lot of companies, or IT teams and security teams, are aware of that, but it's also so challenging for them to get a grasp of it or control it today. And why do you think that is? Is it because they just lack the tools, or they lack kind of the understanding of what's possible, that these tools even exist? Why do you think it's still so challenging for these enterprises?

U1

So I'll start with a story. I've been in a discussion panel about SaaS security a few weeks ago with a group of CISOs, and one of them was giving an example of how they stopped SaaS. They stopped SaaS from coming in in an unapproved way by looking at purchasing decisions and not allowing money to be spent without security approval. And I told them, we call it finance as a gateway. And I told them, do you remember we used to have IT as a gateway? So in the past you couldn't deploy technology in the organization without IT setting up a server, connecting it to the network. What changed is that the new barrier for technology adoption became a sign-up form. Every user, every business unit can use the tools that make them successful, but bypass all of the gateways we used to have. Financial gateways are great, but most applications start with a freemium. By the time they get to a financial decision, the organization has invested so much in the tool that no one could say no. This results in a SaaS or identity sprawl. There's not a lot of tools that can help you deal with it. It's not like it's an easy problem.

U2

And you mentioned something interesting, which is you mentioned that in two years this will become kind of more mainstream. So I would think people understand. So why do you think it's not as mainstream right now? Like immediately, even in 2023, you feel like it's still going to take a couple of years for companies to really, is it recognize the problem, or is it feel enough pain to want to solve it? Why do you think it's still going to take a couple of years? So I have an investor view on security markets. Well, the boiling point, the right time for a startup, is not when the market is already mature, because if the market is mature and SaaS security is commoditized, it's not the right time to build a technology solution. I would tell you right now, there's almost not a single company that we talk to that doesn't have a SaaS problem. Doesn't mean that they all buy Grip. No. Even though many of them do. But

U1

the notion of SaaS being this new growing vector is something that's inevitable and undeniable by most companies.

U2

We're seeing the change from internal. For example, in the banking industry, if you were talking to banks a year ago, which I did, they would tell you, no, banks use SaaS? No problem here. When you talk to banks this year, the new NYDFS legislation requires every bank who's doing business in New York to have a full list of their SaaS applications and prove that they're using technology to build this list instead of manual processes. It's a complete change in how the industry sees the SaaS challenge. And as we see more attacks, and we've seen many of them recently, Block, Cash App, Mailchimp, CircleCI and others, we're going to have a Log4j moment in the space once people see how identities fall, an identity that is affecting them within SaaS applications.

U1

We get to a point where the board starts asking for SaaS security, and this is when it's really commoditized.

U2

Yeah, I love that, man. That's what they call having a vision. You know, like, if you start, yeah, I know, you say the market is hot and everybody's doing it, and then you try to build it, you're just one of a dozen, right? Yet you build it now, knowing that in two, three years it's going to mature, and it's inevitable. Yeah. I love that vision, man. So there are several other players, obviously, now a few that share a similar vision as you guys. So what do you think, either approach or feature, function, product-wise, makes you guys unique? Or how have you kind of taken a different approach? Especially, you've probably seen all the other players

U1

already. I would start by saying it might hint that we're competitors. It's not necessarily the case. I think we all share a joint marketing budget trying to teach the world how SaaS could be secured. And we benefit from each other's hard work on making SaaS a problem. So SaaS is not a single challenge, the same way AppSec is not. So many of our partner SaaS security companies are ones that we maybe fight with for budget, we don't fight with for use cases or value propositions. And it's an important thing, because it means if you want to bake off Grip with my good friends at Adaptive Shield, an SSPM, SaaS Security Posture Management solution, it might be hard sometimes to convince the CFO that you need two companies that start with SaaS Security, SSPM, SSCP. But if you test the products next to each other, there's not a single use case that you can test them both on. And it's an important thing when we think of SaaS. We see that the SaaS security challenge is a mile wide and a mile deep. There's hundreds and thousands of applications that are used by every

U2

organization, and each one of those applications is so deep, with its own unique use cases, privilege model, configuration structure, that you need to focus down and go deep within it. Most SaaS security startups today, especially three out of the Big Four, focus on the deep challenge, meaning go one by one, integrate with applications, build your own security configuration management or privilege manager for this application specifically, and try to focus on what matters most to customers, which is often the big tier-one applications like Salesforce and Slack and Dropbox and Google Workspace. The challenge with it, and this is where Grip differentiates, is that it doesn't scale. It goes very deep, but it doesn't really scale, because you start getting into an API race of adding additional applications with diminishing marginal value. Just as an example, if you support ten applications, your average customer is probably using five out of the ten, statistically. But as you decrease in popularity, when you go from ten to 20, the applications that your customer uses don't go from five to ten, because you start supporting less popular applications; they go from five to eight. When you go from 20 to 40, it's not eight to 16, it's eight to twelve. So you invest more and more development resources but don't go up in value.

U1

Makes sense so far. 

U2

Yeah. No, it makes a lot of sense. I kind of love your approach, and I think it really helps when you came from that, like you said, investor side. I love kind of what you said about everybody sharing the same marketing budget to promote that security and promote this category together. And so it's really fascinating just how you kind of see the world. So to maybe go into, just for the audience to better understand your service and what it can do, maybe we go into a couple kind of use case questions. Right? So can you kind of tell the audience about what is CASB, and what are some of the limitations of CASB in this new modern, in this new 2023 world? And how do you guys become an alternative to something like CASB?

U1

Wonderful. Yeah. So just to finish off what I said for the previous question, we focus on the wide problem. How do you build things that support thousands of applications at once so organizations could handle them? And it ties very well to CASB, because SaaS is not a new problem. There was an amazing streak of the first wave of what started as SaaS security solutions, cloud access security brokers, in 2013, some of them, like Netskope. Most of them were acquired by all of the big vendors. But CASB, founded in 2013, ten years ago, kind of stays the same. SaaS has grown by 1000%, and you have the same technology that worked in the 2013 era that doesn't really fit how we consume SaaS today. And SaaS is now such an essential part of the business that seeing where people are signing up, using a proxy technology or approach, doesn't really fit anymore. It doesn't fit for a few reasons. It doesn't fit because there's real importance in differentiating between private use and personal use of applications. Our employees are using their own SaaS from corporate devices, or we're using the corporate apps from private devices. And either way, we need to learn how to differentiate. Otherwise we get nervous. That's one. Two, they're not in the office, so we cannot assume they're going through a proxy. And three, if we block an application on the proxy level, the identity is still active. So if ten years ago the challenge with SaaS was "someone in my company is using Dropbox, and my DLP tool doesn't catch it, so I disapprove Dropbox," today the challenge would be "I have an entire business unit that's using Dropbox. One of the employees left, and I don't know who is the admin that can deactivate their account, because otherwise they would have continuous access to all of my files, even when leaving the organization." And this is because if you have a username and a password, they stay active. What Grip differentiates is that we plug in with no proxies or agents. So instead of a six-month-long CASB POC, you do a one-week-long Grip one. We're able to find all of the SaaS historically. So instead of waiting for people to log into SaaS, we can map out a historical view and find new identities as they're being created, no matter what device or network is used. And we leverage this unique approach in order to align with the SaaS security lifecycle within the organization. So DLP controls, identity controls, setup controls, all are built on a really unique discovery view or inventory view of the organization's SaaS risk. And the speed to value and the focus on the low-hanging fruits is what makes it successful.

U2

Yeah, you mentioned a couple of things where I want to talk about additional use cases. So SaaS offboarding. Right. So if you think about, just for those that are not in IT or security, like when somebody leaves the company, that person may have access to 10, 20, 30, 40 different software throughout their time at the company. And first of all, it's very hard, right? Imagine somebody leaving, and what does IT have to do to figure out what applications they had access to? And that alone is something we'll cover in the next question, which is shadow IT, but it's like, okay, once I even know what applications they have access to, how do I go turn those off or deactivate them to prevent security leakage? Right. So that whole thing is really challenging for a lot of companies that I see. So how do you guys solve that and support SaaS offboarding?

U1

It's a wonderful question, because it also shows the difference between visibility and actionability. Visibility is great, and it's important. It's the basis for everything we do in security. But it has a chance of piling up more work for the security team, which is already busier than ever. We wanted to allow for actionability, meaning reduce the time you need to spend, as an example, interviewing an offboarded employee for all of the SaaS that they used, by having a tool that can find it and offboard it automatically. And we have some unique tech around this. We leverage the email-native password reset sequences that every SaaS application has, the "forgot your password" of the world, that sends an email that essentially allows you to lock a user outside of the environment. And we use a combination of RPA, Robotic Process Automation, and NLP, Natural Language Processing, in order to be able to invoke this process, send out an email, and then detect it on the other end and lock the identity outside of the SaaS application itself. So we've done a massive investment in being able to do that. And the real advantage is that it doesn't require any API support from the app, any unscalable measure that will require us to go one by one, because each and every application has a password reset flow.

U2

Yeah, you might have to trademark that word. Actionability. I love it. Instead of visibility. I don't know if you just came up with that, if you've been using that before, but I love that, because even on the Varisource side, first of all, data is very important. If you want to make any good business decision, you should have data. But I think a lot of times data actually means more work. And I think what we realized at Varisource, people want answers. You call it actionability, we call it answers, in that I think part of why ChatGPT, again, we talk a lot about why it has been so popular so quickly and gone viral, is, I think, because Google gives you data. It's a bunch of links, but you still have to do work after you get the data, whereas ChatGPT, in a way, gives you answers. Right? And I think that's an interesting phenomenon that's going on: companies only have less and less resources and time, and giving them a lot more data is great. But then they start to do a lot of work that they have less and less people to do, and figure out what to do with the data, versus just actions or answers.
So totally with you there, man. So one of the last areas we want to cover is, we talked about shadow IT. And that's not just on security, that's impacting top line, bottom line, because you don't even know. You call it shelfware, right? You buy software you don't even use, or you have these software and people aren't even using it, meaning you have 100 licenses, but only 50% of the people are using it. So this shadow IT is a combination of business problems and security problems and finance problems. You kind of briefly touched on that. But can you talk about kind of shadow IT, especially in SaaS, for companies? There's not a lot of visibility into that. And what problem does that cause for security teams and business teams or executives? Right? CEO, CFO, CISOs in general.

U2

I'll start with the terminology you would like to use, because shadow IT, shadow SaaS, has a negative connotation to it. It's being done in the shadows. It's something you need to eliminate. And we like to say business-led IT, because most of those applications are used for business use cases to drive the business forward. And instead of eliminating them, you need to support them. Business-led SaaS, applications that are used by the business. And I'll say I adopted this terminology from Sean Harris, who's the deputy CEO at Chipotle. Our first meeting together completely changed how we tell the story, because I strongly agree with this. The problem with business-led IT, or business-led SaaS applications, is that it's another attack surface on the organization. The same way an unknown cloud app, self-hosted on AWS, is a problem, an unknown business-critical application is a security risk to the company. It's a security risk because this application could be breached, affecting how we operate. Because the users of the applications could be breached, meaning losing their password to a phishing campaign, not necessarily for the important app, but because one of the most popular means of attack these days is credential stuffing. If you lose your password and username to the adidas.com website that you signed up for to buy shoes, attackers can use it to try and log into your core business applications. And three, because identities are created and data is going there. So I think the essential part of every security plan is to know what you have. You cannot do anything without having visibility. But this notion of what happens when we find the app for you is not necessarily that we help you close them down, but we help you move them into the light and

U1

help you govern them in a way that makes them secure within the organization. I'll finish with one simple example, not hammering on a specific vendor, because CircleCI specifically handled the incident very well. But the first question that comes to mind when CircleCI was breached, for most organizations, for most CISOs, is not "I wonder what data I have in CircleCI," it's "do I even have this in this company?" Because the developers are so far away, you don't know what specific CI/CD tool they're using in each and every team, but this immediate understanding that you have a problem wouldn't be possible without the visibility.

U2

Yeah, that is actually sweet. I love all the kind of quotes, and business-led IT, I'm going to have to borrow that and take it into conversations, because, yeah, again, at Varisource we focus a lot on cost optimization and optimization in general for tech spend. The shadow SaaS or business-led IT, again, it's a security problem for sure, but it's also very much a spend problem and shelfware problem, in multiple areas. And so I love this business-led IT, and this problem is going to keep going, because, like you said, it's so easy to buy SaaS, and I don't think these people do it on purpose. They just buy Dropbox, and they need it, and they connect it to the data. They have no idea of the consequences or impact on the company. But any person in the company could be creating an attack surface for you that you're not even aware of. That to me, when I just think about that, is so daunting. That's why I totally agree with you that Grip is definitely the right partner for us. So to kind of finish off the conversation, Lior, obviously you've seen a lot, you've done a lot. If you had to give one personal and/or business advice to the audience that you're really passionate about, what would that be, you think? Ah, well,

U1

I'm trying to find something that is not about SaaS. I need to be unique, but I'm often talking to entrepreneurs or people who are looking to get into security, and my recent agenda is that startups, or running a startup, is like driving a burning Ferrari. It's very luxurious, it's moving very fast, and everything is always on fire, which is an amazing experience so far. I think the most important thing going into security, obviously we have too many vendors, I don't think anyone would disagree on that. But the cybersecurity space is not saturated, it is just noisy. If you have good tech and you're solving a growing problem, then there's space for you as a vendor. And the hardest part of leaving a VC is that I stopped seeing market-wide innovation and I started seeing the SaaS-specific market. So I'm always very excited by new technologies coming into the market.

U2

Yeah. So maybe actually, you spurred up another kind of interesting thing I thought I wanted to ask you about. Obviously, look, AI has been a hot topic, at least on the world view, not just for the technologists, but the world view of what AI can do. Automation. Right? Even though OpenAI has been around multiple years with the APIs, ChatGPT literally kind of took everything over. Now, literally, in the last two months, I've seen at least 200 companies launching their product with something with AI. It just became a phenomenon. So I'm interested to see what's your point of view on how AI could, and I'm sure there's a lot of, obviously, security companies already implementing AI, but in the next two, three years, where do you see kind of AI taking things even to the next level? What do you think that could look like, potentially?

U1

It's a good question. What I love most about AI, and especially about what ChatGPT and DALL-E 2 have done, is that it made AI commoditized. And seven years ago, people would tell you TensorFlow commoditized AI by allowing every developer to write neural networks. But now you don't need an AI PhD developer to write your design, your plan. You plug it into the newly released, I think this morning, OpenAI API, and you can start building capabilities that didn't exist before. I'll give you an example. We've plugged in our product team with ChatGPT to save them time writing Jira tickets. So when they define a new feature, we can save half of the time by ChatGPT building this understanding of what's going on in the feature, what should be done. And it bases itself on previous tickets that we wrote. We use the same thing for SDRs. They auto-generate custom emails using ChatGPT, and we've seen tremendous success being, on the one hand, hyper-focused on the customer. Each customer gets a completely separate email that's tailored to his needs and the business that he works for. And on the other hand, we're able to do those and send 50 an hour. And those small tricks that we do would develop into startups and technologies that base themselves on commoditized AI, which I'm looking forward to the innovation, because there used to be a big barrier on adopting AI technologies in your startup. Now there's none.

U2

Yeah, I love those examples, man. Sometimes people just don't know how to even apply the technology to their business, right? They think, AI, it's got to be game-changing, it's got to do the transformation thing for my business. Yet sometimes, like, well, how about it just helps you write email faster? That's already an improvement in ROI and a productivity improvement. Right? But also, again, last question as we wrap up here. How do you feel, obviously, as companies are looking to implement AI in their business more and more, what do you feel about the security side of things? What should they be watching out for or think about when implementing these AI things? Because obviously data is a security concern, right? And so what do you think, from an enterprise, how should they look at implementing AI and security? Like, kind of correlating these two things.

U1

I can talk about AI security for hours. It's a very complicated topic.

U2

We only have two minutes.

U1

Let's go into AI security. Relying on AI is a good chance to affect the business. And I think the biggest problem with relying on AI is data drift. So you build a technology that's based on a model that was once trained, but the model changes. For example, if you're doing real estate investments and you look at the last ten years, in five years from now, the average price for land would go either up or down. It wouldn't stay the same. So any model that's based on historical data would stop working eventually. And if you have a tool that makes decisions based on predefined models, it's important to know once this data is not relevant anymore. And I think the companies who are now in the AI space, that usually start from AI security, how to avoid looking at malicious data, end up with a business reliance on security technology around data drift. How to flag what happens when the model is no longer relevant, so that your AI model wouldn't accidentally approve 1000 loans that it shouldn't have.

U2

Yeah, again, it's a topic for sure. I could talk to you for hours as well. It's where the future is going. And again, as technologists, it's just so fascinating and interesting to see how we can all leverage these technologies to improve our business. So, no, again, thank you so much for your time, Lior. It was great having you.

U1

Yeah, thank you for having me today. Have a good day, Victor.

U2

That was an amazing episode of the Did You Know Podcast with Varisource. Hope you enjoyed it and got some great insights from it. Make sure you follow us on social media for the next episode. And if you want to get the best deals from the guests today, make sure to send us a message at sales@varisource.com.