When it comes to securing your business, it’s being proactive that counts, according to Sphere CEO Rita Gurevich. Speaking to CEO Hiba Sharief, Gurevich spoke on positive improvements in the security space and the merits of cyber security insurance.
Hiba Sharief: Hello, everyone. Today, we have with us, Rita Gurevich, the CEO of Sphere. The last time we were together, you were the AVP at Lehman Brothers. That was in 2006 and you were playing with messaging, being in the weeds of infrastructure and I.T. Tell us what you have been up to since then.
Rita Gurevich: I was one of the lucky few to be at Lehman Brothers during the bankruptcy in 2008. About a year later, I started Sphere. I’ve been busy growing a technology cyber-security company. It is a solutions provider within the cyber-space. We specifically focus on helping regulated companies better manage their data and put controls in place to protect it.
Hiba Sharief: What led you to move into this space?
Rita Gurevich: When I started the company, we were providing services to infrastructure teams. But in 2008, it was still a very bad recession. Budgets were tight, but security seemed to be a driver across all companies. I always say security found me, and now we solely focus on cyber security. Every company cares about security, every job now has some security aspect to it, even on the operations and the infrastructure side. And it’s a very innovative field, so it’s very interesting.
Companies are being more and more innovative and realizing that they have to be proactive instead of reactive, particularly when it comes to managing security threats.
Hiba Sharief: We can see a lot of security folks in conferences this year. What are you seeing as a theme at this time?
Rita Gurevich: A big theme that I noticed, just walking the expo floors, was around user behavior analytics, machine learning, and AI. Companies are being more and more innovative and realizing that they have to be proactive instead of reactive, particularly when it comes to managing security threats. The way you do that is through AI. Gone are the days of manual intervention, of doing things in simplistic ways. We’ve been there, done that. The bad actors are becoming more complicated and it’s harder to find and harder to deal with. That’s a big trend. I don’t see that slowing down at all.
Hiba Sharief: Do you think there are more bad actors? Or are we just getting better at finding them?
Rita Gurevich: I definitely think there are more bad actors and few reasons. One, kids grow up with technology. A kid in a basement can hack into a network. It’s unbelievable and I’ve seen people do it. If you rob a bank at gunpoint, 90% chance, you’re going to get caught. If you steal a bunch of credit card numbers, there’s only a 10% chance you’re going to get caught. People realize it’s easy to do. You can even find YouTube videos on how to do some of the simpler hacks.
That’s the unfortunate reality. With that comes a lot of positivity, too. Because of this, the world responds and you have some really interesting companies coming up that do really cool tech to tech initiatives. There are more bad actors and I think it’s going to get worse before it gets better.
Hiba Sharief: Security has always been at the forefront of everything. The companies taking initiatives and making sure that security holds its place, is that something that you’re seeing as another shift in the industry?
Rita Gurevich: Hundred fifty percent! Not just within these companies that we work with, but on television, you now see commercials for cyber security. You walk through an airport, you see huge banners focusing on cyber products. A decade ago, my grandmother didn’t know what cyber security was, but now she does. It’s interesting. The world has evolved, it is changing and that’s a good thing.
Hiba Sharief: I can see more and more females play a vital role in the technology space. As one yourself, how has it been for you in security specifically?
Rita Gurevich: There’s a lot more than there used to be, so that’s positive. I think that more women from a younger age are getting involved with technology. The world encourages STEM. More and more women are seeing that it’s not just a male dominated field across the board. At the same time, what I’ve seen is that women band together and support each other. There are so many diversity programs within these big corporations. Even on the entrepreneurial side it’s not hard to find a women’s group with people that are like minded and you can share and learn based on their experiences.
This is happening across industries. If you look at financial services, they really focus on diversity. It’s because women are starting to get into technology at a much younger age and it’s being promoted.
It’s not just an IT problem anymore, it’s a company problem.
Hiba Sharief: What advice do you have for CIOs, CSOs, CDO’s, and CCO’s that you’re hearing from every day?
Rita Gurevich: I think that C-level folks care about their IP, about protecting their data. It’s not just about perimeter security anymore. People are starting to realize cyber security is not just preventing people from coming in but protecting everything from the inside out. So, that is definitely a huge trend and people are talking about it.
A piece of advice I would give to folks that are thinking about this is that there’s a lot of expertise out there and you’ve got to go find it. Whether you’re hiring internally or you’re looking for a third party to help you, look for those who have that experience and are a little bit niche instead of end solutions. Then you can really start solving a problem quickly.
Hiba Sharief: That has always been one of the biggest challenges. There is very limited supply of good cyber security talent especially when we look at demand. Are you or any of your customers facing the same challenges?
Rita Gurevich: Yeah, the people portion of it is very challenging. There’s such great demand and just not enough people out there with cyber security backgrounds that have done this before. It’s a fairly new field. A trend that I see is that people are focusing on automation. To be able to do more with less. And that goes back to AI and machine learning. It doesn’t solve the problem but does help it.
Take risks, calculated risks. It’s better to fail than do nothing, when it comes to cyber security. The other piece of advice is be prepared that you will get breached. More likely than not you are being breached. You just don’t know it. That doesn’t mean that you necessarily failed but learn from those past events and continue to be innovative.
There’s not enough data out there for insurance companies to 100% even know whether this is a lucrative business for them.
Gone are the days with compliance checklists. Now it’s more about “how do I go a few steps further? How do I do a little bit more than I did yesterday?” I think the best thing particularly for CIOs and CSOs that has changed is that they’re being supported by their boards and given the ability to execute. These leaders are evolving business users as well.
It’s not just an IT problem anymore, it’s a company problem. You encourage your business users to participate. Whether its training them or explaining to them how you can get efficient at emails. It might look like your CEO wants you to get $500.00 worth of gift cards, but they don’t. It is important to do all sorts of education internally so that everybody is on the same page and thinking security first.
Hiba Sharief: What are your thoughts on virtual CCO versus a physical, on-premise body that has butt in seat?
Rita Gurevich: I think it really depends on the organization, the people and the culture of the company. There are definitely traditional companies, banking for example, where I’m not sure that that would work. But then you have these new tech companies that are growing and need that expertise. They are completely comfortable with a virtual CCO. So, I don’t think that there’s a perfect answer for that. You have to evaluate your company and its needs. Only then can you make that decision.
Hiba Sharief: I absolutely agree and I think that It is something that can work. In fact, they are more likely to be happier, more productive, and keeping the environment more secure. Because there is also a big advantage to working from home and having that quiet where you’re not getting interrupted and you’re able to actually get stuff done.
What would you say is really important that a CCO needs to address?
Rita Gurevich: I think that everyone is recognizing that you have to protect the exterior, but protecting the internal side of it is harder. There’s a lot of sensitivity around it. You’re playing big brother a little bit. You naturally want to trust the people inside your company but the reality is, especially in the larger organizations, that you’re going to have somebody who is upset about not getting the right bonus.
You’re going to have somebody who knows that there’s down moving information that they have access to and can give it to a competitor. There are those bad actors internally as well. More and more CCOs are paying attention to that now. And a piece of advice that I would give is, don’t neglect that, address it as an issue and put controls in place so you can manage better.
It’s not a simple answer. But I can’t imagine somebody saying “ cyber insurance is bad.”
Hiba Sharief: What are your thoughts on cyber security insurance, and the process of getting a policy for that?
Rita Gurevich: Cyber security insurance is so new. How do you decide what kind of policy to get? How do you know what the cost of the breach will be? Can you know if you’re not over insuring? When you fill out those forms, how does the provider know that you actually are putting the right controls in place? Because so much in security is not just about a product or a document. It’s data and there’s unfortunately not enough data.
Think about the insurance industry and how long it’s been around. The cyber piece is just like this tiny little freckle, just starting. There’s not enough data out there for insurance companies to 100% even know whether this is a lucrative business for them. When it comes to buying cyber security insurance, every company is doing this now to some degree. I think that people are just going to continue to buy cyber security insurance, because more than likely you already have been breached, you just don’t know it.
Hiba Sharief: Also, it’s hard to quantify. All the companies just want to put value to their data. If they can’t do it without cyber security in the mix then it’s going to be hard to figure out how much money to get back after being breached.
Rita Gurevich: Yeah. Even the risk profile, how does an insurance company identify that this type of policy holder has this type of risk profile? They have to learn about the business, the kind of data they have. Is this the kind of data that others want and why would they want it? Who are the people that would want to gain access to that information and attempt to do something malicious?
There’s a lot to it. It’s not a simple answer. But I can’t imagine somebody saying “no, cyber insurance is bad.”
Hiba Sharief: Honestly, I’ve nothing in the cyber security space is an easy answer. Thank you so much for spending time with us today Rita.
Rita Gurevich: It’s my pleasure. Thank you.