Episode 15

Why organizations must be proactive in their cybersecurity approach | Eric Avigdor – Votiro

By the time you detect malware or a cyberattack, it’s too late. Yet many organizations are still approaching cybersecurity in a reactive manner.

In this episode, Votiro VP of product management Eric Avigdor discusses the dangers of approaching cybersecurity in this way, and how the shift-left and zero-trust models offer solutions. After all, in a world where SaaS and cloud-products are ubiquitous, and many are unsanctioned by IT, it is vital that privacy is built into all levels, and members of the organization only have access to what they need to do their jobs.

They also discuss:

  • Votiro’s approach to protecting sensitive data.  
  • Why it may be time to move beyond the traditional zero-trust approach, focused on identity and access, and into a more data centric one.  
  • The benefits of automated classification.
  • Providing security without user disruption.  
  • The privacy risk that unstructured data can bring.  
  • The problem of data governance and understanding where your data is.  

Resources

Transcript

ANTHONY WOODWARD
Welcome to FILED, a conversation with those of the convergence of data privacy, data security, data regulations, records, and governance. I'm Anthony Woodward, CEO of RecordPoint. And today we've got Eric Avigdor, who is the vice president of product at Votiro.

ANTHONY WOODWARD
It'd be great to hear a little bit about Votiro and yourself, Eric, and how you all came to be here.  

ERIC AVIGDOR
Yeah, absolutely, Anthony, and thank you for having me here. My name is Eric, I run product management- I'm vice president of product management for Votiro. And when we, my background comes from, you know, identity and access management in the past over two decades in cybersecurity.

ERIC AVIGDOR
But I'm spending the past year in this very, very interesting space of protecting sensitive data. And what we do at Votiro is we actually look at protecting data, but from the two sides of the coin, I would say the two different angles of how we protect data. The first one being, how do we prevent malware, ransomware from coming in and having an impact on an IT organization and the company as a whole?

ERIC AVIGDOR
And the second side of that same coin is, how do we ensure that sensitive and private data is protected? Not only where it resides, but also in motion. So that is what Votiro does.  

ANTHONY WOODWARD
No, and a really interesting concept. Here at RecordPoint. We've been doing a lot of work around the notion of shifting left and moving right up the value chain to focus on how we can avoid problems and understand better how to be proactive versus reactive. And I know that's a lot of the space that you've been looking at.  

ERIC AVIGDOR
Yeah, that's a really good point. And shift left beyond just the general term that everyone is recognizing, the fact that security should be proactive instead of reactive. I'd like to maybe talk about two specific examples from my world.

ERIC AVIGDOR
So, we talked about these two sides of the coin, right? First, we really want to prevent a hacker or an external third party from breaching our organization, exploiting different capabilities, exfiltrating data. So, the first angle is how do we prevent that malware from being deployed, or that ransomware from being deployed, without having to deal with the consequences of that initial piece of malware actually landing. So, the legacy way of dealing with that would be hoping that a detection tool, for example, antivirus or sandbox, would detect that malware coming in, hopefully would detect it. We know that doesn't always work. So, what we've done as an industry is we've developed more sophisticated capabilities such as endpoint detection.

ERIC AVIGDOR
But what we're still doing is, we're still looking after the fact at something that came in and has already landed on my endpoint and has infected it, and now we're detecting that we need to clean up. So, the approach that Votiro took is, how do we prevent that in the first place? Because content coming in is content that in most cases should be delivered to the user for user productivity.

ERIC AVIGDOR
But what we really want to do is to leave behind things that shouldn't be there in the first place. So how do we solve for the need to deliver content and yet prevent the risk from starting in the first place and by that taking a shift left approach? I think the second time of that same coin, the same exact story could probably be told for data privacy.

ERIC AVIGDOR
What do we do? So, we scan our file folders on premise and in the cloud and cloud storage. And once a year, or once in audit, we search for PII and PHI and PCI, and we find it. And then we go out and remediate and we remove a database, delete a database, move information from one folder to the other.

ERIC AVIGDOR
Restrict privilege access privileges. But that's an after the fact. Do we have technology in place that could be proactive and automated in a way that would not require remediation? That is the type of problem we tackle.  

ANTHONY WOODWARD
It's a super interesting capability there. I'd like to look at it from two different angles.

ANTHONY WOODWARD
Around how you think about the regulators and the people that are looking to put regulation on how we do this data capture. And then secondly, for the IT folk, how do they think about your system integrating into their environment in that kind of shift left paradigm?  

ERIC AVIGDOR
I think that's where the challenge lies, right?

ERIC AVIGDOR
Because especially for the large enterprise, there is a lot that they have invested in. It might be, in one case, you know, that DLP product that they put in place a while back. Or maybe, based on Microsoft's baked-in capabilities. So maybe you have that DLP that you put in place, right? In order to avoid data infiltration.

ERIC AVIGDOR
Or maybe you've started a data security posture management project because you really just don't know where your sensitive data is. Is it in OneDrive or SharePoint or coming in through email or going out through a Teams message? And one of the first things that we were looking to do is to help organizations first realize where sensitive data is.

ERIC AVIGDOR
So, in terms of the auditor view versus the internal IT view, from an auditor perspective, it's a one snapshot problem. I come in, I audit the logs, I audit the environment, you're done, you're signed, you're good. Our job as an industry is to help companies not only pass that audit but remain in compliance throughout the year.

ERIC AVIGDOR
That is the real challenge. Because if you pass the audit, but then you're not compliant for the remainder of the year, but then you're most probably going to be breached at some point. So that's problem number one. You mean audits are more than just ticking boxes? Yeah, it's a surprise, you know. It is surprising, but yeah.

ERIC AVIGDOR
In an ideal world, if we could be always compliant, that would be the best way to avoid breaches. On a second aspect, from an integration standpoint, there is a lot going on in the data protection space at the moment. There are many next gen new vendors and existing vendors that have been around for a while, completely revamping and refreshing their portfolio with new next generation capabilities, which are more, Cloud forward, you know, data is everywhere right now.

ERIC AVIGDOR
So, we are out there trying to solve those new age problems of data everywhere. And how do you find it? How do you remediate it in real time? And it's a good, interesting problem to solve.  

ANTHONY WOODWARD
Talking about the IT folk then, in terms of the hard point of coming into the enterprise, how have you guys really solved the deployment problem and getting integrated into people's workflow, considering all the devices and the way we operate these days is very different to even what it was five years ago.

ERIC AVIGDOR
So, I think in the past, I'd say 10 years, but definitely in the past five years, the world has completely changed from an on-prem-focused world to a hybrid world, which is heavily leaning on cloud. Most large companies I talk to currently have anywhere between hundreds to thousands of SaaS applications being used.

ERIC AVIGDOR
Some sanctioned and controlled by IT, but many not. The approach we took as a company, as a cybersecurity vendor, is realizing that we should not go after the endpoint business. Being an endpoint product is a very complex, complex, not only for the vendor itself, but very, very complex for the customers and companies using the product because of the need to continuously update endpoint software, patch it.

ERIC AVIGDOR
There's a lot that goes into managing an endpoint. And as such, because we realized that the data that we secure. Has now completely exploded out in the wild and exists way beyond the end point in many different hybrid multi-cloud environments, SaaS environments, cloud storage, web portals, which are third-party facing, maybe partner portals, customer portals. Data is everywhere, and it doesn't always travel through the end point.

ERIC AVIGDOR
The approach we took is building an open API-based product, which integrates API to API, cloud to cloud, service to service. We catch content as it's moving in real time, remediate it in line. So, to your point, we are not only In line from an IT stack perspective, we're also in line from a user experience perspective.

ERIC AVIGDOR
The end-user doesn't need to know we exist. We help them without them even knowing that the product exists.  

ANTHONY WOODWARD
I think the mantra of this industry needs to be that, right? There's a lot of sophistication and what we've seen in the endpoint management tools and some of the other spaces is expecting users to understand what's occurring inside those tools and then do something. So that notion of being able to be in the middle and to provide that protection, but be not seen, I think is really critical to how it can be most effective out there for the average user.  

ERIC AVIGDOR
I think you're touching on a point which is becoming so visible in the past couple of years, the industry has provided a breadth of visibility tools, a lot of visibility tools. So now, poor CISO or CIO, they have so much information incoming from the SOC and from compliance teams, and here's another report, and here's another dashboard, and here are 450 problems which you now need to figure out how to fix. And with that said, a gaping hole in the fact that there's a significant lack of remediation tools.

ERIC AVIGDOR
So, one of the things that we insist at Votiro is we're building visibility and analytics, but not for the purpose of analytics, not for the purpose of letting you know that you're in trouble. We actually remediate in real-time, and we provide the insights that we find as analytics so a company can improve its security posture.

ERIC AVIGDOR
However, that insight is not a red flag. Go fix it right now. We've already fixed it in real time.  

ANTHONY WOODWARD
I love Votiro's data detection and response. The DDR, sorry, DDR acronym that, that I see plastered all over your website and other places I've read. It'd be really interesting to understand that response that occurs.

ANTHONY WOODWARD
When you talk about privacy or you talk about detection of, of different threats, have you mapped that particular regulations or have you thought about, or is it more general in nature?  

ERIC AVIGDOR
So, I think the answer is twofold. First, the response is general in the sense that it can apply to any environment, any vertical, any country, any regulation, and still, it can very specifically apply also to regional regulations.

ERIC AVIGDOR
So, let's think about the use case. And I'm going to use a very specific use case that can probably help explain the two different risks that a file can carry, unstructured data can carry. Let's say I am a large company that is continuously hiring. And because of that, I have an applicant portal where applicants can upload a resume.

ERIC AVIGDOR
That resume carries two risks with it. The first risk is, let's talk about a legitimate scenario. I am a real, genuine applicant, I send in a resume, that resume here in the U. S. contains a Social Security number. Why? Because HR needs to run a background check. So, while the HR person is legitimately exposed to that Social Security number, which they should be, once that hiring, once that HR person now maybe Slacks that file or emails that file to the hiring manager, the hiring manager wants to see the resume, but should never see the Social Security number.

ERIC AVIGDOR
So, the first response, or as we say, you know, data detection and response, the response angle that Votiro takes is we will mask or redact or anonymize the content within that file based on the content. sensitivity based on context. So, if the HR person is downloading it, they will be exposed and they will see the Social Security number where any other group will receive the resume with the Social Security number masked.

ERIC AVIGDOR
So that is that first angle. But the second angle is, take that entire story I just told you, and think about: now I'm a hacker sitting in a country far away and I want to hack into this specific organization. What's the easiest way to do that? The easiest way to do that is to send a resume as an application with a weaponized document.

ERIC AVIGDOR
That weaponized document lands with HR and starts moving laterally within the organization. So, at the same time, what we do at Votiro is disarm that file from known and unknown threats. including zero-day attacks, so that file is safe from a malware, ransomware standpoint, but also from a privacy standpoint.

ANTHONY WOODWARD
No, it's super interesting and really trying to stop the process in its tracks. Certainly, we've seen and operating in our world here at RecordPoint, we're very much behind your process in that we're recordizing content and dealing with the governance of content over time, but we scan content even when we catch it up, which is very much a different position to yourselves.

ANTHONY WOODWARD
We see a lot of malware out there, so you must see a lot. I don't know if you have any statistics you can share about the amount of malware that's happening in the enterprise and what people might not even be aware of what. is flowing over the gateways and occurring inside their businesses.  

ERIC AVIGDOR
Yeah, no, I think that's a point that to some extent is under-discussed.

ERIC AVIGDOR
The exposure to the amount of malware being out there is just unbelievable. I'll give you an example. There are between hundreds to thousands of new variants of malware being released every day into the wild. And while we, many security teams have this somewhat of a psychological relief assuming that their antivirus and sandbox or endpoint detection will find that new variant, the reality is that it doesn't.

ERIC AVIGDOR
A new variant is released, antivirus, sandbox in most cases don't detect it. Endpoint detection will at some point hopefully detect malicious behavior. What really happens, and this is something interesting that we see, when you use a technology such as content disarm and reconstruction, which truly reconstructs the file and provides a true, as close as possible to a hundred percent guarantee that that file is safe from zero-day attack.

ERIC AVIGDOR
What we usually find is that files that we've sanitized and cleansed on day zero, six weeks later are detected by Microsoft or one of the antivirus engines then flagged as malware. And we track that because we then can say, okay, six weeks ago, we've. remove this suspicious object without even knowing that it's malicious.

ERIC AVIGDOR
Back to your point from the beginning of our discussion, how do we be more proactive and preventative instead of hoping to find something one day and then it's too late? We're focusing here on the security aspect of doing that, but there are two significant, very significant side benefits to doing that and in general to the preventative approach.

ERIC AVIGDOR
The first one is your endpoint detection is most probably screaming at you multiple times a day with false positives and alarms shooting off that, "Hey, go analyze this file." Or maybe there's a file blocked in quarantine and there's a user screaming now because they need that file and they needed to do their job.

ERIC AVIGDOR
Maybe it's a purchase order or a marketing PowerPoint presentation. So, our goal is to deliver files in real time, in milliseconds, and make them safe in real time. And the reason is, yes, security is a big thing, but we also want users to be productive. Right? If a user doesn't have access to their files, they're not productive.

ERIC AVIGDOR
So that's one angle. By actually deploying preventative security, you're making every single one of your employees more productive. The second piece is you're making your SOC and your security team more efficient. So, the Security Operations Center, right? That's the heart and center of every IT organization which tracks incoming threats, analyzes incoming threats, and remediates incoming threats. That intelligence center is bombarded continuously with threats coming in from all over, which need to be analyzed. And if a file is blocked or quarantined, guess what? Many of these analysts will be jumping on it and spending many hours to release a file by taking a preventative and proactive approach, which sanitizes files and makes them safe from a privacy perspective.

ERIC AVIGDOR
And from a manual perspective, you're actually reducing the noise in that security operations center, and you're actually reducing the noise in your endpoint detection. Where your security team can now actually deal with things that truly matter.  

ANTHONY WOODWARD
It's a really evolving landscape as the threat and the opportunity evolves.

ANTHONY WOODWARD
When you think about Zero Trust and the notion of the actors that are out there and how we protect that user community. How do you see that feeding into data governance? I'm really interested because it's, there's kind of two sides of the coin here, and one of the things that I've certainly been talking about in the industry and we're seeing out there is.

ANTHONY WOODWARD
The cyber folk are very worried about the firewall and the gateway and the perimeter. They're not actually as worried about the data estate and what the data estate means in terms of not just the short-term threat of malware, but the longer-term threat of the combination of these things. It sounds like you're all thinking about that quite a lot.

ERIC AVIGDO
Yeah, and I think the whole industry is maybe at turning point on realizing that Zero Trust is not all about identity management and access management, right? That's where it started, right? Let's ensure that only the right people have access to the right things. That's easier said than done, but having solved that problem for many years, then you need to take a step further and look at, okay, beyond identity, should we really maybe set a perimeter tighter on the data itself?

ERIC AVIGDOR
Because all other cyber technologies at the end of the day are put in place to secure data, to secure sensitive data from leaving the company in one way or the other, right, either through exfiltration or through ransomware or through any other mechanism or IP theft. So, if we narrow that perimeter on data, then the Zero Trust question is not only who can access what, but where can that data reside?

ERIC AVIGDOR
Is that specific data allowed to live over this specific medium? Is that specific data allowed to be used, edited, manipulated by that specific person or that specific group? Is that data safe to be consumed in this environment or that environment? There are many questions which are data centric and not identity centric or person centric, which is why when we try tackling the data protection problem, we look at it first and foremost from a data centric view, looking at is that data safe?

ERIC AVIGDOR
How sensitive is it? Now that we have that full blown question, how do we make that data available in real time? Because we don't want to put the guns, guards, and gates right around everything and isolate everything on an island and hope that everyone coming in through VPN will be, you know, legit.  

ANTHONY WOODWARD
What's your advice to folks starting, you know, starting their career out or thinking about their career out that intersection and how they should be thinking about the approach to cyber privacy and data management?

ERIC AVIGDOR
I just came back from a big cybersecurity event in the US, and I spoke to many CISOs, and I've heard a common theme. This is interesting because it applies very directly to your question, especially for folks coming into the industry. What I've heard from these CISOs again and again and again is our biggest problem today is that we just don't know where our data is.

ERIC AVIGDOR
It's not that we know what the problem is and now let's figure out a way to remediate it. The first step is, we're not even sure where the data is because we know we have a bunch of stuff in OneDrive and a lot in SharePoint and we may have some on Google Drive and a lot of unstructured data in an S3 bucket in Amazon.

ERIC AVIGDOR
How do we even go about finding the problem first and then how do we remediate once we know where the problem lives? And an interesting, another interesting use case that keeps coming up is. My team is using a, you know, thousands of files, business data, maybe financial data or customer success data to train AI and AI models, maybe to improve a chatbot or maybe to improve a business process.

ERIC AVIGDOR
And we don't even know if that data being pushed into that model is safe to be used. Does it carry malware on it? Does it carry PII on it? And what about the outputs? I mean, the outputs being used by the analysts and engineers, are they safe to be used? So, now that we've identified this big gap that needs to be dealt with, I think for folks coming into this industry, I would start by looking into how can we learn more about easier ways to detect where that sensitive data is?

ERIC AVIGDOR
How do we learn to think more in a solution-oriented way, a use case-oriented way, instead of trying to tackle the 30,000-foot-high problem, which is I need to secure my data. That problem is too big to be solved, right? Let's start with what are my crown jewels? Are they Social Security Number, bank account, and credit card number?

ERIC AVIGDOR
Okay, good. We've mapped out those. Where are we concerned about that living? Is it that OneDrive environment or is it someone sending a message over Teams or Slack? Let's figure out what are the crown jewels, where are the most sensitive environments, where data flows, and let's solve that first.  

ANTHONY WOODWARD
It's interesting you bring up the topic of AI and chatbots and large language models.

ANTHONY WOODWARD
We've talked a little bit on this podcast, and we've been doing work here at RecordPoint around the problem you're talking about from, I think, again, a different dimension to yourself around how do we export data that has been cleansed, is known to be good, actually is effectively the crown jewels to train on.

ANTHONY WOODWARD
And how do you create that filtering based on the controls that you need there? We're really seeing, I think, a change in thinking around data management to look at it again, in that shift left philosophy of doing that tagging and those elements early, because there's this value downstream. Are you seeing the same?

ANTHONY WOODWARD
And are you starting to then see how I build a set of capabilities which really interface into large language models and the chat GPTs of the world? Is that where you see the industry going in that realm?  

ERIC AVIGDOR
So, I think yes, from a few different angles. The first one is you mentioned tagging and classification.

ERIC AVIGDOR
That's a huge problem, right? Because most of the technology available today will basically ask the users to classify manually their documents, right? So, you're now asking the user to choose the sensitivity level, whether it's confidential or restricted within a document. So, guess what? Most users won't do that.

ERIC AVIGDOR
And what's the next thing that will happen? Documents not classified. So, your DLP will block it. Or, you know, or something you're trying to do will not work because you haven't classified the document. So now you need to classify it. And now we rely on the integrity and the right choice of that user to classify the document.

ERIC AVIGDOR
So, it introduces a whole lot of problems. I'd say that in this new world, we need to find more sophisticated ways of auto classifying documents and content within documents so they can be safely used. For those that have trained a model, an AI or ML model, it requires a lot of data. I know because we, we do that continuously.

ERIC AVIGDOR
We run several machine learning models analyzing different aspects of cybersecurity within the Votiro product. It requires hundreds of thousands of files to train a model. It takes time. And many of these files are acquired online from repositories that are public. That is a massive risk. And interesting enough, it is yet another interesting.

ERIC AVIGDORIt's expanding the threat surface of any enterprise because this is yet another injection point where hackers can exploit poison data.  

ANTHONY WOODWARDIt's interesting you bring up data classification and I'll put in the, the work here that we're doing at RecordPoint, the whole notion of autoclass and the ability to tag that data without the user doing it is key to our philosophy as well.

ANTHONY WOODWARD
It goes back to what you were talking about before around how you move that process behind the scenes rather than it being a user activity because it doesn't fit into their process flow when they're trying to achieve something else to start thinking, “Oh, what is this? How do I tag it?” And it's quite difficult to teach that the good thing is you can teach a machine to do that.

ANTHONY WOODWARD
And I think those are the opportunities that we're all seeing out there in the marketplace. And I guess that, that really comes to this intersection element in your experience. Are you seeing organizations now moving to this proactive set of processes rather than trying to treat data management, governance, cybersecurity as an afterthought?

ANTHONY WOODWARD
And how do you see people in the C-suite prioritizing things? Because that's been a big change in the industry in the last 12 months, even.  

ERIC AVIGDOR
Let's tackle two different aspects here. One of the biggest trends I've seen in the, maybe the past 12 months is that if in the past security was a security team's issue, that was with the CISO, with the security team, with the SOC, they deal with it, done.

ERIC AVIGDOR
Compliance and privacy were a thing for the compliance team. Using the words of a good friend who is a CISO: the compliance team is mainly, they're mainly lawyers. They know what we can do, and we can't do. They just don't know how to do it. What's happening in the past 12 months is that compliance teams are starting to realize that the problem set is so big that they cannot resolve it on their own. And that problem is starting to overlap with IT problems, which is why your chief data officers, your compliance officers are now going to IT saying, I have this set of problems. How can you help me? So, we're starting to see a situation where first IT is now piled with a new set of problems, but that that problem could potentially overlap with some similar problems that exist within their space, their cybersecurity space.

ERIC AVIGDOR
So, we talked earlier about the intersection of malware and ransomware on the front end, exfiltrating data, then on the back end, hey, we have sensitive data. How do we protect it from being exfiltrated as well? So having that discussion between these two organizations is fascinating and being able to facilitate it is convincing us that there's a new world that we need to adjust to.

ERIC AVIGDOR
And that new world must include preventative elements. Otherwise, the task is just way too big. Teams would need to double or triple in size to be able to tackle the new data protection problem.  

ANTHONY WOODWARD
Yeah, absolutely. As you say that. The new ways of working and looking out 10 years from now with the impact of AI and the other elements, and we see organizations starting to merge data sets across different organizations.

ANTHONY WOODWARD
Where do you see the evolution of this going right now? We're really dealing at a fairly atomic level, and we talked today about, you know, thinking about files and malware, but the very notion of what a file is, is changing. I use Notion a lot for taking notes. There's no file in Notion, right? I can share it, other people can consume it, but it's no longer an attachment in the same form. Where do you see that going? And where's the evolution? What's Eric's prediction of where we'll be in 10 years' time?  

ERIC AVIGDOR
Ooh, that's a big one. So first, I fully agree that content is content. Content can be shared in many different ways, in a file, outside a file, in a message, in a note, in a, in a Notion, in so many different formats.

ERIC AVIGDOR
And one of the challenges actually, you know, if I look at a very, very real example from the past few months is many of the new attacks are in the form of a from an external entity through a Teams or Slack, right? But in many cases, it happens through Teams because of the differences in how Teams treats internal versus external messages.

ERIC AVIGDOR
An incoming message comes in with a link to a SharePoint location, which does not have legitimate content in it. The user clicks on the link and is then infected, right? So not only is the way content is shared changing, hackers are exploiting that because they realize the vulnerabilities and the psychology that is being used here is incredible.

ERIC AVIGDOR
I, as a user, I trust my team's platform. I trust my Slack platform. I wouldn't even think of someone attacking me through those platforms because I associate that with people I trust. There's another psychological element, but to your point, as content is evolving, and as content in its many forms will evolve, continuously now train AI models, which will be used to improve a business process to interact with customers to analyze financial data and more interesting to support cybersecurity products.

ERIC AVIGDOR
Many cybersecurity vendors are now baking AI into their platform. So, this explosion of data and content, if we don't ensure that the data itself is not poisoned, that source data being poisoned could have such a broad impact. I expect that to happen. Back to what do I predict? I expect multiple cybersecurity platforms and SaaS platforms and data platforms to experience the result of poisoned data.

ERIC AVIGDOR
So, my call to action to myself as a product leader and to my peers in the industry is first and foremost, ensure that the data that you're using for training is safe, both when it goes into the model for training and when it's extracted and used by the team.  

ANTHONY WOODWARD
And to probably come back then, where do you think we are in 10 years?

ANTHONY WOODWARD
Is that problem solved? Are we on to the next problem? Where do you forecast that going?  

ERIC AVIGDOR
10 years is a long time, but I would say I, I don't expect the problem to ever be truly solved. Otherwise, hackers would be out of business. As there will always be hackers around, there will always be a way to circumvent.

ERIC AVIGDOR
However, I do expect us to, in the next three to five years, to have completely evolved how we secure data used by machine learning and AI. There are many, many initiatives today from the large analysts and data protection bodies that are now starting to regulate how AI is being used.

ERIC AVIGDOR
I expect that entire industry not only to transform, but also to create a whole lot of new business opportunities for many different companies.  

ANTHONY WOODWARD
And I guess one of the things that we're talking about a lot here again on the podcast and that kind of future forecasting, and I know you touched on it, this notion of trust, so this notion of, you know, how do we know that SaaS vendor is doing the right things?

ANTHONY WOODWARD
What are the procedures and processes that give us that, those sets of assurances? I think as an industry, we haven't yet cracked that. Are you all thinking about what that is and how you can not only provide that trust, you know, for an organization for their users, but for that organization in the supply chain that they exist?

ANTHONY WOODWARD
How does that factor into your thinking around how you're attacking the problem?  

ERIC AVIGDOR
That's a really interesting and challenging aspect of cybersecurity in general. We started seeing this years ago when. An example would be a large car manufacturer, I won't name the name, but a large German car manufacturer requires every single one of their contractors or suppliers to deploy specific authentication capabilities, for example, when logging into their platform.

ERIC AVIGDOR
Great, so that's step number one. But now step number two, and this is something that I've been looking at lately a lot because I'm hearing from CISOs, we have our security in place. We, okay, we've sealed it. We're good. Now my small legal contractor or my, you know, small business suppliers, don't have the budget to secure their data.

ERIC AVIGDOR
They're sending me content and files. They're sharing, they have access into me, into my environments. How do I ensure their security? So, one of the things that we work with these organizations to do. is to be able to enforce some outbound capabilities with their vendors, but more importantly, ensure that every web portal you have or every platform or application you use where content can be shared will be secured on the inbound.

ERIC AVIGDOR
So, the inbound is interesting from a, how do we secure our own infrastructure, right? That's, that's one aspect, but there's a very interesting aspect, which I'm hearing more about lately, which is, I also want to secure my outbound. Because if my customer or partner is breached because of my data, my reputation goes down the drain.

ERIC AVIGDOR
So how do I make them safe by deploying new sophisticated capabilities, which is interesting.  

ANTHONY WOODWARD
And are you seeing customers coming and asking that of you to look at the supply chain beyond just, you know, what's inside their firewall and coming through that process?  

ERIC AVIGDOR
Yes, a really interesting example is actually one of Votiro's customers, a large financial organization was actually impacted by a weaponized document that came in through a legal firm that they work with. So, this legal firm unintentionally, unknowingly received the weaponized document, which they then used as a template for all their contracts. Now, think about this. Now you have a legal firm, a small legal firm, maybe five to ten people, and every single one of their documents, the contracts they create and send out, is now weaponized because the template is weaponized.

ERIC AVIGDOR
So, this large financial organization is now receiving contracts, every single one of them is weaponized. How do we tackle that problem? So absolutely. Yes. We're hearing about this problem every single day from our customers and prospects, and companies we work with.  

ANTHONY WOODWARD
No, great. And look, we could talk for hours.

ANTHONY WOODWARD
I think about this topic, Eric, you know, really appreciate the time and, and going through all the pieces. Are there any kind of closing remarks that you'd like to leave for the audience? Certainly, about where things are at and where you’re really seeing a big impact today.  

ERIC AVIGDOR
I think I've mentioned two or three things.

ERIC AVIGDOR
The first one is, we're absolutely seeing a need to shift left. But shifting left, we need to define exactly what that means. It doesn't mean, in my mind, it doesn't mean doing the same task just earlier. That's the easy route. That's not always the route that fixes things. So, we need to look at things from a slightly different angle, thinking about whether we are doing the thing the right way, or whether we should be doing it differently, to prevent the problem in the first place.

ERIC AVIGDOR
The second angle is security, just for security purposes, is one thing. I appreciate more security that enhances productivity. One of the biggest problems we've been hearing about in the past two years is SOC burnout, right? Security team members are being burnt out by just way too much stuff they need to deal with.

ERIC AVIGDOR
Too many alerts, too many alarms, too many problems. Every single day we're tackling another potential breach. How do we put in place technology that reduces that noise so we don't need to go chase so much stuff and we can actually relieve that pressure and make the security teams more efficient. And I think my third one would be: gain more visibility, acquire products that give you more visibility.

ERIC AVIGDOR
But I would insist on not buying products that just give me visibility for the purpose of visibility, visibility for the purpose of creating more work for me. I appreciate more products that give me visibility while also mitigating and solving the problem. If you can do that, that's the trifecta of cybersecurity.

ANTHONY WOODWARD
That's a really great closing set of thoughts. I couldn't agree more on the notion of doing the work, you know, it's great to create visibility, but if you can't take action from that visibility and then actually sell that back to, you know, your C suite and your board, you've really achieved nothing.

ANTHONY WOODWARD
Knowing that something's a risk and me how to call it out doesn't actually help anybody. So, it's an amazing point to wrap up today with. I really thank you for a great conversation, Eric. It's such a broad topic. There's a lot of pieces there. I'm sure that there'll be some follow up questions from the audience.

ANTHONY WOODWARD
I'll definitely get those over to you. And we'd love to have you on the podcast again to talk more. Thanks very much for making some time.  

ERIC AVIGDOR
Thanks Anthony. This has been a pleasure, and I would be happy to join again at any time, anytime soon.  

ANTHONY WOODWARD
Thank you very much out there in listening world on the next one.

ANTHONY WOODWARD
This has been FILED.

Enjoying the podcast?

Subscribe to FILED Newsletter.  
Your monthly round-up of the latest news and views at the intersection of data privacy, data security, and governance.
Subscribe Now

We want to hear from you! 

Do you have a burning topic you'd love to hear discussed?
Submit your topic idea now to help shape the conversation.
Submit your Topic