Böeck & XOXO: The Importance of Computer Security



Andy Ellis, Advisory CISO at Orca Security and Operating Partner at YL Ventures, explains the significance of computer security and the need for the industry to foster an inclusive culture by bringing together people with diverse skill sets. He also talks about Orca Security’s cloud-based, agentless approach, which uses side scanning to identify the vulnerabilities that matter, and how their product aligns with the Sustainable Development Goals (SDGs).


  • 🛡️ The significance of computer security and fostering an inclusive culture with diverse skill sets in the industry.
  • 🔍 Orca Security’s cloud-based, agentless approach to provide side scanning and identify vulnerabilities that matter.
  • 🌏 How Orca Security’s product aligns with the SDGs and promotes sustainable development by minimizing waste and utilizing cloud technology to maximize value and save costs.
  • 💻 YL Ventures’ role as a seed-stage Israeli cybersecurity startup venture capital fund in mentoring and supporting portfolio companies to develop innovative security products.
  • 📈 The need to invest in human capital by providing training and security tools to empower people and advance the next wave of innovation.

Transcript (raw)

(00:00) i think we’re starting to reach a point of maturity in the cyber security industry we’ve already passed it in some other tech industries which is good of recognizing that this is not an artisan industry if you look back over the last 20 years i think what you see is security professionals who started from
(00:16) the ground up and they sort of perfected their craft and they can do everything they can design systems they can tear apart systems they can do risk management they’re expected to lead people you know they’re sort of like this unicorn or maybe voltron i don’t know if you have a had a similar cartoon growing up
(00:35) of you know the five robots that come together um and so you had like all of these abilities in one person and that’s not how a mature industry works that’s actually very immature it’s what contributes to what’s often you know called hero culture where you always expect to be saved by the person who’s the expert
(00:54) and in mature industries what we realize is it’s about bringing people together who have disparate skill sets and making them work well as part of a team [Music] welcome andy ellis advisory ciso at orca security among other things deep expertise in security managing risks and leading inclusive culture all of these
(01:17) things especially the inclusive culture part super relevant for my work and my spectrum and yeah i’m happy to include the security aspect to tech verticals again and you should be doing this more but i guess that’s the same thing with most companies as we also discussed in the pre-chat um yeah i’m happy that we
(01:35) can talk a bit more about your work and how you see the current developments and also maybe what’s what would you see coming up on the horizon what’s maybe next so hi and welcome andy fabian thank you thanks for having me i’m really glad to be here and chat with you you know lively pre-called pre-call
(01:51) spiriting so hope we’ll we’ll keep doing that as we go forward yes yeah i am very very confident about that and um yeah let’s first things first let’s talk about your work first yep let’s introduce ciso advice to cso and our security can you maybe share a bit about your organization and also you do so much more you about your overall
(02:10) scope of work please so first of all yeah one of my roles is as the advisory cso at orca security so orca is a cloud-native platform to provide security in the cloud using an agentless approach and the whole model is looks on the back end through your cloud api to sort of scan every image understand
(02:30) what’s there and tell you what’s wrong from a security perspective so that you can quickly address the things that matter instead of trying to implement agents and do you know all of the normal heavy lifting before you even know what you need to fix just sort of jumps past that to hey here’s what you need to go fix
(02:48) as an advisory ciso my role is twofold one is to be out and about as a face of the business so being here it’s part of my job is sharing you know what orca does you know my experience as a cso and then another piece of it is actually being the voice of the customer back in to the product and development
(03:05) teams at orca so as they’re designing new capabilities they can run them by me and get a cso’s view you know having been a cso for the past 20 years about what they’re doing so i love working for orca it’s great being part of a company that is making security easy uh quick and simple rather than adding
(03:24) complexity to a solution so that’s a big piece of my role uh then also i’m an operating partner at yl ventures and in that frame we’re a seed stage israeli cyber security startup venture capital fund we help about i think 12 13 startups in our portfolio right now and my job is sort of a smaller version of what i’m
(03:46) doing for orca be that voice of the cso in as they’re developing products sometimes that’s doing executive mentoring uh teaching people how to do marketing towards the cso sometimes it’s doing product support or even helping people create their websites the first time around and i love doing that and then i’m also just out and about
(04:05) helping people you know teaching leadership working with other csos you’re trying to help improve the state of the practice for our industry and um yeah two four questions if you allow one is um can you maybe share a bit about the your orchestra more in detail from the technical perspective the second one is
(04:26) talk about values i think you came across a lot of startup companies that uh have good ideas to change the world for the better and i’d like to what maybe have you seen recently or maybe something some in your portfolio that’s interesting to know from especially from this values point of view um that they really
(04:49) you you got the feeling that this is really a real impact also for society at large and as like an extension to the question can you relate to the uh this particular case to the sdgs sustainable development goals of the united nations uh is this somehow relevant for this particular case as well um so maybe start first with the
(05:09) technical more technical details of the orcas um security product and the second part maybe a portfolio company sure so what orca does is what’s called side scanning so the way the cloud works very high level for those who don’t understand it if you do i’m going to overly simplify is you’re continuously taking snapshots
(05:31) in the cloud that’s just a feature of aws or google cloud or azure is they’re taking a snapshot of every image you have in the cloud and sort of storing them for you so that they can reboot from that image if something goes wrong with your running image and but those those become a repository so imagine if you’d had a data breach
(05:51) you might come in and say oh i’ve got all these snapshots i want to look through them and do forensics to figure out how my data breach happened what orca does is does that live in real time so it’s continuously looking through all of those snapshots and being able to understand which machines have sensitive
(06:06) data on them or have keys that give them access to other machines with sensitive data or have vulnerabilities that are unpatched and now you can take those three things and put them together and so instead of saying hey you have 50 machines with unpatched vulnerabilities you can say this machine with an
(06:23) unpatched vulnerability has keys that give it access to a machine that has you know sensitive information or gdpr regulated information and so maybe you should patch that one first because if you can fix that you’re going to prevent an imminent compromise from being a serious problem from your business
(06:41) whereas the other 49 machines that also have that vulnerability are less sensitive you should still fix them it’ll be embarrassing if they’re compromised but it’s not the sort of compromise that’s going to put you you know front page on der spiegel so that’s sort of the core of how orca you know operates um when i think about
(07:00) the the sustainable development you know a lot of what we’re doing across our portfolio first of all very early companies all cyber security tech focused so you know everything i’m saying here is really sort of almost market watching to say how is what we do happen to be aligned with the sdgs rather than saying
(07:17) we’re deliberately trying to you know drive forward those goals but one piece obviously is that the drive to cloud is about sustainable development one of the biggest challenges in all IT is wasted resources how often have you discovered you know systems that were implemented never actually did anything but nobody cleaned them up but
(07:41) they’re sitting in your data center it’s a piece of hardware that you know has no other no purpose and no value that’s unsustainable development it’s not really called out in the sdgs when you think about what the cloud is the cloud is about maximizing the value we can produce out of some cost that we created right
(07:59) every server that ever gets built is a drain on our environment you know it includes heavy metals it’s going to you know a lot of energy goes into production and a lot of energy goes into operation so the more that we can minimize waste just in how we’re using those servers we’re advancing the sdgs sort of by happenstance it’s not that
(08:20) anybody goes to the cloud specifically to be green i guess it’s blue in some countries now instead you’re going to the cloud to save money and this is one of the places where money aligns with the sdgs so that’s a place where i think all of our companies do that in our portfolio you know and also you know how
(08:39) do you make sure that your people are advancing themselves you know i don’t actually know if that’s you know really called out well in the sdgs but i think that human capital is one of the things we have to stop wasting on our planet there’s an awful lot of people who could provide more value if we only gave them
(08:56) the tools and the education and made things easier for them so rather than having security tools that require somebody with advanced degrees to operate can you provide tools that allow people to come into the security workforce so that we can train people who might not have had better opportunities and help develop them so
(09:15) that they can power the next wave of innovation yeah thanks uh um got me thinking and uh i have two more follow-up questions i just thought okay i’m i’m asking two questions at the same time and i just realized up two threads which one i answer right it’s it’s no it’s it’s opening up two threads so i have two full questions we
(09:39) have two threads keep them uh alive at the same time which doesn’t make sense at all i have to rethink that that’s a live feedback from my side into my direction of course um yeah i i’m very happy you answered the question about the sdgs because i think that’s something i picked up from all the conversations i follow that this
(10:03) becomes more and more relevant to talk about that and how this is relevant for the industry we are in or the guest is in and it just also sometimes just to create creative awareness if this is relevant if this can be of value for for the sector and then that’s the reason why i started asking about that
(10:20) every time and um whether it makes sense or not but i it’s really i think it’s an important angle to discuss to discuss how we create products and in which direction we want to go so thank you for for sharing a bit about that your thoughts about that and then also thanks for expanding a bit more on your product and orca security i
(10:40) was super interested in what they’re they’re not what would you say i think you said i oversimplified a bit uh what the not so oversimplified uh version would look like but um let’s maybe um because this is a short version of an interview um share one more trend since you’re here andy um always interested in trends and security
(11:01) is super interesting actually for me as well what is maybe something that you see uh in your sector in your daily business um that only few people even in your sector discuss and you think this is something that more people should be aware of what people should be discussing not only in your particular
(11:19) vertical but also across all tech verticals across all industries this very something you could share here so i think there’s i in the spirit of having two threads i can give you two different answers to that one but i’ll first continue with the human capital thread i think we’re starting to reach a point of maturity in the cyber
(11:37) security industry we’ve already passed it in some other tech industries which is good of recognizing that this is not an artisan industry if you look back over the last 20 years i think what you see is security professionals who started from the ground up and they sort of perfected their craft and they can do
(11:57) everything they can design systems they can tear apart systems they can do risk management they’re expected to lead people you know they’re sort of like this unicorn or maybe voltron i don’t know if you have a had a similar cartoon growing up of you know the five robots that come together um and so you had like all of these
(12:17) abilities in one person and that’s not how a mature industry works that’s actually very immature it’s what contributes to what’s often you know called hero culture where you always expect to be saved by the person who’s the expert and in mature industries what we realize is it’s about bringing people together who
(12:35) have disparate skill sets and making them work well as part of a team and so you don’t expect to have somebody who can design a system for every role in your career because there are jobs that don’t do system design maybe it’s the people who write the security documentation which is part of the security you know career field they
(12:54) don’t have to be able to build the systems or tear them apart but they do have to be able to write user-friendly documentation you know similar to building a car you don’t expect everybody who works on everything about building a car to be able to build a car from the ground up by themselves that’s what the industrial revolution brought
(13:12) us and i think that’s a key piece of the information revolution that the security career field is just on this cusp of recognizing that the people who do not have the deep technical abilities provide value to us in ways that people with deep technical skills aren’t able to provide they just don’t scale
(13:32) and they’re probably not actually good at it if you’re a manager who hears and says well what does this mean for me you know my challenge to you is to say look at every job that you have and understand what primary skills you actually need for those jobs if you have tech writers you need people who can write not people
(13:48) who can build systems and maybe you can then hire out of career fields that are struggling journalism is a problem right now there’s a lot of journalists who aren’t being paid but they’re really good at writing and so maybe you can figure out how do you hire those people and develop them into the security
(14:06) professionals they need to be without having to now train somebody who’s a security architect into how to write in whatever language you’re targeting your audience in yeah that’s a very very good point um we see the the huge demanding hugely increasing demand for for people in the tech industry and that’s something i hear from from the hr
(14:27) um like guys out there also that is okay we need to on board anyone who’s interested who has also his willingness to to be there and to to move forward and then we don’t need to like they don’t need to be trained on the technical uh things which takes years maybe they haven’t even qualified for that it’s also just said just be that we
(14:49) need so many people and um yeah totally makes sense um and uh it’s an interesting interesting let’s say um development that i see also for countries like i guess in the us it’s it’s like more practical they don’t think about it too much in germany for example as opposed to us you need a title you need a specific qualification
(15:11) you need this and that and that and that this so it really like slows down the process uh in getting people abroad that do maybe uh like right to have this kind of a career especially at career change because people are trying to solve the problem often at the start of the career and say well how do you bring in people to an
(15:30) entry level and this is more how do you just bring people across like if you’re a security team and you’re large enough do you have any marketing professionals on your team because really half of security is convincing other people what to do and there’s an entire career field that focuses on convincing people to do
(15:47) things they weren’t planning on doing why are you not hiring out of that career and yes in some countries it’s a little bit harder because you want to hire a security person not a marketing manager because if you opened a job for marketing manager your cmo would be like why are you trying to steal my career
(16:03) field yeah um it’s uh it’s interesting to see that and it isn’t it’s not even a career change you’re absolutely right um a harsh break of this discussion but i some something i need to squeeze in any time like every time i used to talk a lot about the pandemic and ask my guests all sorts of questions about the pandemic
(16:29) and i now i need to like i want to want to focus on on the future i don’t want to talk about the pandemics so much anymore but i need to bring that up the question because it’s still some kind of it has some relevance still and um and that’s easy it’s hard for me to squeeze in this question for some time
(16:45) so um because i want to come back to something which is for me a bit more interesting even uh the next question but we need to i need to talk about the pandemic because there’s still so much going on and my question pandemic question is for you um since we talked a lot about that we included a lot um what is something
(17:05) maybe you missed in the general discussion till today what is maybe something you look same the same thing basically as a question from from before what is something that we missed here people should be talking about that more uh okay is this something you you solve for yourself in your sector sure so the pandemic i think has still
(17:23) has a lot of people not thinking coherently about risk at the margin right we’ve we’ve sort of said it’s either has to be perfect or it’s awful um and i see that in discourse an awful lot people aim for you know what’s sometimes called covid zero like how are we gonna get to a world where we’ve eliminated covid and we’re never going
(17:42) to um but that’s a security problem like in the security world we often suffer the same challenge we want to eliminate risk rather than getting it to an acceptable and manageable point and as long as we talk about elimination of risk we’re never actually having coherent conversations and i miss those
(17:59) coherent conversations uh when you talked about a pandemic in terms of you know what do we do to manage it you have two weeks to flatten the curve um for those of us who remember that’s how it all started like i was right on that bandwagon how do i get people home quickly um and now i think the what i
(18:15) miss is the conversation about what are acceptable trade-offs and what’s the nuanced conversation so that’s that’s the thing that i miss i also actually do miss in person with colleagues um i changed jobs in the pandemic so i don’t even have colleagues in boston where i live anymore since i no longer work for a boston-based company
(18:37) i work for israeli-based companies and that means that i only get to see my colleagues when i travel to israel otherwise i’m working here and will continue to do so whether or not everybody else goes back to work which opens up another great aspect which is um for what like region are you paid or in
(18:57) like what what’s what’s this for remote work what’s the um what’s the wages is it in in for you in israel or is it u.s otherwise the state of massachusetts would have issues with paying taking taxes out okay i mean uh i guess i mean more the um what i mean is uh so like like you yeah but i don’t want to like have it have it
(19:24) focused on on your particular case it’s more like which super super interesting and it’s i think east israel and uh or yeah you or or us is not much of different but um uh onboarding people from india for example or um so what what wages can you control and you run into the challenges with you know global remote
(19:44) work is you still have to be authorized to operate as an employer in the place where your employee works so i might say oh look all of my people could work from home and maybe i was a massachusetts company now they’ll go to new hampshire and massachusetts is like hey wait a second they were massachusetts employees
(20:03) we want to tax them in this state whereas new hampshire was like we don’t have a state tax why are you taxing our people and that there literally is a supreme court case about that the state of new hampshire suing the state of the commonwealth of massachusetts over tax rights but we’ve had employees who said
(20:20) i want to move you know when is it my old employer and the employer was like we don’t have any employee in that country like we can’t pay you if you’re in that country and to the to the employee they’re like why should it matter what country i physically sit in i’m doing the same job and they don’t really think about how borders operate
(20:37) and national sovereignty and so it can be an interesting challenge uh you know i’ve had an employee who we were relocating we’re hiring him in our krakow office in poland but he was based out of brazil and this is right at the start of the pandemic he had a work visa and he’s in brazil and the border is all closed
(20:58) and now we were authorized to operate in brazil but you know poland is a little you know very finicky about its borders and immigration and basically what we were told is that if we let him work in brazil that poland would just cancel his work visa they’d say well if you can pay for him in brazil there’s no reason for us
(21:18) to let another immigrant into poland because then at some point he’ll take a job from somebody else that was here and so it became this really interesting tension of you know how long would he wait could we move him to poland would did we just want to have him work in brazil and if we did that you know he
(21:34) wanted to move to poland with his wife and if we had done that there was a good chance he would have left us as soon as he found another job in poland yeah that’s that’s that this is super interesting questions and i thought coming back to the taxes last week i thought germans the german state is highly obsessed with
(21:52) taxes but i i see that’s just i think that’s a worldwide thing i need to text yeah um that’s that this is actually really this remote thing and uh it has become very very interesting topic and um also yeah also for people from us i guess people from all around the world want to work for companies indeed based in the
(22:16) us and now it’s the other way around also interesting to see that so we also touched on a very very very very relevant very current topic as well in the end and um yeah i um happy that we we had this conversation it was super fun and also very very insightful uh we touched the security aspect which i
(22:36) find very very interesting and cover too little to be honest um and i should be doing that more maybe you can recommend a few people that i should be investigating it oh absolutely i can certainly uh send you some names i’ll contact some folks who i think you’d love to chat with perfect perfect yeah it’s all for the
(22:56) audience so we we talk a bit more about security because super that’s something i i in the the talk before our talk about the the prior to our talk about security as well i learned that this really was neglected in 2020 and that was the reason for so many security breaches because some the companies will focus on
(23:17) what’s next like what’s that how does the next week look like for our company and the security was really like highly neglected and i think we should be talking about that more than included so again andy thank you very much for being the guest today was super fun and for having me perfect thanks thanks a lot
(23:35) [Music] [Music]