Reducing Risks by Optimizing Your Cybersecurity WorkflowSeemplicity's Yoran Sirkis on How CISOs Can Improve the Remediation Process
CISOs have enough tools to identify security weaknesses, says Yoran Sirkis, but they need a way to make the information those tools gather more accessible and to streamline the remediation process. How does he know this? Before starting Seemplicity, an Israeli startup that focuses on driving and scaling risk reduction efforts, he and his team spoke with over 70 CISOs in the United States, Europe and Israel.
The CISOs, Sirkis says, "were looking for a way to make the findings" from their security tools - which might be native, open-source or commercial - more accessible and to make the "remediation process more efficient and scalable." Seemplicity achieves these goals by duplicating, normalizing, aggregating and correlating information from all of an organization's security tools in a single platform, he says.
In this episode of "Cybersecurity Unplugged," Sirkis discusses:
- How Seemplicity is "creating a new category" in the market;
- How the platform allows for continuous remediation by automating the risk reduction workflow;
- How streamlining the cybersecurity workflow can help CISOs present updates to the board.
Sirkis is a veteran of the security industry with over 20 years of extensive, hands-on experience in sales and technology. He previously served as the CEO of Covertix, which was acquired by Micro Focus, and as a managing partner at Comsec Innovation, running professional services at Comsec Global.
Steve King: Good day, everyone. This is Steve King. I'm the managing director at CyberTheory and our podcast today is going to talk with Yoran Sirkis who is the CEO and co-founder of Seemplicity, an Israeli startup that came out of stealth mode with a $32 million round of funding from several firms beginning from summer. And their play here is complex risk remediation. It's a risk reduction and productivity platform. It focuses on workflow. And they automate and optimize and scale all risk reduction workflows into a single workspace. And now, you've gotten about as deep as we're going to get with me. So I'll let Yoran talk about that as we get going here. But that value proposition is interesting. We don't know too many companies that are focused on workflow in the cybersecurity space, they've got some impressive benchmarking numbers in terms of their performance. Yoran is a veteran of the security industry. He's had extensive hands-on experience in sales and technology, previously served as the CEO of Covertix, which was acquired by Micro Focus, and was also managing partner at Comsec Innovation and ran professional services at Comsec Global. So, welcome, Yoran, and thanks for joining us today.
Yoran Sirkis: Thanks for having me.
King: Sure. Let's jump right in here. Perhaps you can tell us - me and our audience - about Seemplicity and your inspiration for the company.
Sirkis: Yeah, we focus on driving remediation and orchestration. And as you mentioned, I have over 20 years of hands-on experience with multiple type of executive roles. So the pain of security teams from all different angles. When we established the company, we went through a comprehensive ideation process, which we spoke with more than 70 CISOs in the US, Europe and in Israel. It was clear that the security team felt that they had enough tools to identify weaknesses and vulnerabilities across the organization. They felt that they aren't able to get to all those findings that their deployed tools generate, what they will hear very clear from them is that they were looking for a way to make the findings to fix remediation process more efficient and scalable. And that's exactly where we put our focus in Seemplicity. The security teams are in a very unique position. They have a responsibility to fix security weaknesses, but not the authority. So we knew that we are out to solve a problem that involved not only the orchestration of findings across different tools, but also the coordination of workflow across multiple teams and across an organization. That's our focus. What we build in Seemplicity is that we gather the information from all the different tools, native tools, open-source tools, as well as commercial tools. We duplicate it, normalize it, aggregate it and correlate it. And we know how to take those findings and dispatch them to the right people in the organization, the right fixers, the developers, the DevOps, the IT, the cloud engineers.
King: Let's say I'm a CISO, ABC Company, and I'm not using your product. What am I doing that you automate and will look completely different tomorrow?
Sirkis: Yeah, so while all the people around the security teams in the organization have a dedicated productivity platform to make their day-to-day process more efficient, security teams are left behind using spreadsheets or PDF on a non-dedicated platform in order to manage the risk reduction need programs. So, a lot of manual work is done today, a lot of investment in a PMO task, rather than to automate those. And we, with our platform, enable those security teams to build out and automate risk reduction workflow, streamline the handover between them, the things and synchronize activity between stakeholders, the DevOps, developers and cloud engineers. I call them the fixers and to operate as a single, shared dashboard, closing the gaps between the identification, assignment and the remediation, that's exactly the value that they gain, that they have, using Seemplicity, rather than to do that in a manual work, rather than to try and develop it as a propriety process of tools in their organization.
King: I'm unaware myself of many companies that have addressed the workflow issue as a cybersecurity solution. I find it interesting what you guys are doing. Are there a lot of competitors in the space now?
Sirkis: No, we are creating a new category in the market. Looking at the existing Gartner category, we bridge the gap between four main categories, the vulnerability virtualization technology, application security, orchestration and correlation, there are a sub, which become more popular. In DevOps, in cybersecurity asset attack surface management, which is also a popular category, we decided to focus not on the prioritization or the visibility side, but on the operation of the remediation, how to drive the remediation. So, on one hand, we bridge the gap as we deal with the findings across the entire security stack, from OPSEC to vulnerability management, to pentesting to bug bounty and more. On the other hand, we also offer capabilities that are more operational focus, how to dispatch the right findings to the right fixer.
King: Yeah. And then what was it about? You've been in the space for a long time, like many of us, and so you've watched all this happening. What was the inspiration? You talked to a lot of CISOs, you looked at all these operations. What, for example, got your attention, when you looked at, let's say, DevOps, what were the missing links in that workflow? Just use that as one use case.
Sirkis: So we heard that from all the people that we spoke with. I think that all of them emphasize that they have a lot of tools that enable them to identify a variety of problems. They also have a lot of capabilities on those tools and other tools that enable them to analyze and understand the risk impacts for their organization. But what we understand is that they spend a lot of time - it came when we gather all the answers that they spend between 30 to 60% of their time just by operating the remediation, which means that they try to understand that at the beginning, it takes them time to see the alerts, then the time that they spend in order to check if this alert is previously identified or resolved, then the time that they spent to prioritize it, then they spent more time to understand to whom should they attach it, who is the person or the team that is responsible to fix it, then the time that they spent in order to notify this person to open the ticket, etc. And then the end of the day when the developers or the DevOps report that he fixed it, those security guys need to assure that indeed, the risk was mitigated. So the time that they spend in order to verify that weaknesses have been resolved, a lot of time, as you can understand, is spent on operating those remediation processes. And that's where we decided to try and bring in innovation to try and bring a new solution to the market, a new concept, in order to empower those security teams by being able to simplifying the whole process in removing a lot of time-consuming tasks, which allow them to focus on a real remediation on securing the organization.
King: I see if it weren't for you guys, how does DevOps resolve that assurance today?
Sirkis: Today, with our solution on one single platform, we take it from A to Z from the tools that we identified, make sure that everything, or those findings, goes to the right people that fix them. And then we also ensure with our system that we report it back or ensure it was the tool that found it, that the risk is mitigated.
King: So essentially, that workflow was self-managing. It needs to check its own boxes as it goes along that.
Sirkis: Exactly. At the moment that someone in the organization builds his own workflow. So everything - the whole process - is automated, we consolidate everything, we duplicate and aggregate and normalize, and then we orchestrate those findings from multiple solid security tools and generate one consistent security backlog. And this backlog is dispatched to the right team. And then we go back to the tool while those teams report that they fixed it, and make sure that the risk was mitigated.
King: Yeah. So now that I understand this a little bit, I was going to ask you, what's the secret to your ability to impact manual operations? And as much as you do, you gave me numbers that were 80%, 6x, and so forth. But now that I understand how your workflow operates, it's obvious to me that by simply automating that process, you're going to have substantial increases in productivity here.
Sirkis: Yet, we also take into account that by automating it, we create a continuous remediation. We know there is no need to wait for the CISO that will define the top 10 risks that should be fixed in the next sprint. We backfill the queue every time that someone fixes it. And by that we can enable the organization to fix more with the same team, the same tools, the same data that they already have.
King: Do you tie your workflows to a particular vulnerability or to a particular breach? Or are they just best practice workflows?
Sirkis: No, there isn't best practice workflows that are specific for vulnerability or specific for Log4j and Log4Shell and others. In fact, when we build our solution, we understand that each organization is a different risk matrix. And therefore, we build a platform where everything is configurable, you can adjust it based on your risk matrix. So you can build a workflow that is dedicated or proprietary for your organization. And there are also templates in our generic workflows that are relevant or fit for every organization.
King: Right. So, if a company is doing a lot of development in repository, like a GitHub, for example, you would have a workflow that would be focused around SecOps or multiple workflows. And then focused on specific vulnerabilities that we're now frequently finding in open-source APIs and an open-source code.
Sirkis: Yep. As a productivity platform, we try to support all the multiple technology stack that you have, all the multiple risk reduction programs that the security teams need to manage. So, we know to manage and we have workflow for a misconfiguration for vulnerability management, as well as for application security and open-source findings. And it goes to API security and SAS compliance and more. So we have a template for each of those risk reduction programs and domains. And we also enable you to define and build your own security workflows.
King: Yeah, and it seems to me that if I'm a CISO, I can now go to the board and say, "We finally found a true risk reduction set of workflows that address every major vulnerability and open-source vulnerability," and some of the best practice solutions for a lot of sloppy work that we've historically done here. And by implementing this network of workflow, we can substantially reduce the risk of attacks, like the ones that you've been hearing about through the supply chain, or through whomever. That's a conversation that you enabled now.
Sirkis: Exactly. We enable the security teams to drive remediation in a more efficient way. And we enable the CISO that needs to report to the board to be able to measure in a better way the velocity and the performance of his team. Now, he knows exactly which finding was remediate, how long it took them, how it is compared to the SLA, which team is solving it, or needs more support in order to mitigate their risk. So, we provide a lot of information that the CISO had before, but he had to do a lot of legwork in order to gather all this information. And it was also always a friction between the engineering and the security, if the information is accurate enough, if it is a real information. Now, everything is based on one platform, one dashboard that collect automatically all the information and present it and enable a much better discussion between the security and the engineering and the DevOps and the development.
King: I'm sure. And you mentioned earlier in our conversation that your partners didn't have a category for you. Did I misunderstand that or have they figured out where to slot you?
Sirkis: No, currently there is no specific category. As I mentioned, we are the bridge between four main categories. And therefore, we are working closely with Gartner in order to define a category.
King: Once you define that category, Gartner will have to come up with some competitors to give you credibility and being a leadership position that upper right hand quartile.
Sirkis: Just to clarify, there are multiple solutions. But what we believe is that there is no solution that only sticks is ours. So, there are the risk-based vulnerability management and the ace of the application security orchestration and correlations. And they are many tools from both that aggregate fundings from multiple tools, but most of them do that only on a narrow set of findings.
King: Well, that's all good because those are your strengths and your competitors' weaknesses. So, in this market, you guys recently took 32 million. What's your plan for that money? How much runway is that going to get you?
Sirkis: As you mentioned, we already have customer base and client who are extremely happy with our platform, the main use of proceeds of the money that we raise go to build a go-to-market team in the US, the sales in the North America. And that is our main focus right now.
King: Okay. In Israel or outside of the US, do you have big clients now, like major banks or insurance companies, or are you going to look to America to be the source of that kind of business?
Sirkis: Most of our current customers are US customers. Some of them are publicly traded companies that are coming from multiple domains. Most of them are Fortune 1000. And this is our main focus. We try to focus on those kinds of similar organizations that have a footprint in the cloud and multiple processes that are done between security and engineering, and we will continue to focus on the North American market right now.
King: I haven't heard of you guys before you and I talked originally about coming on the show here. Have you just not spent yet on marketing? Is that just that I missed the boat here?
Sirkis: We were fortunate to have seen incredible success with our existing customers and pipeline that we have. And therefore we were in stealth for almost one and a half year, joining the people that we want in moving forward with the customers that they want. In a certain time after we raised the money, we went out of sales. And now we are trying to extend our customer base, by extending our sales team that will enable us to move to approach more customers.
King: Yeah. And is there a segment that you are particularly good fit for, as financial services better than manufacturing or healthcare better than financials? Or are they all about the same?
Sirkis: They are all about the same. We are mainly focused on customers with footprint in the cloud, and they need to meet several regulation, and therefore, they implemented several security scanners or security tools. And they have a big spaghetti of processes that they need to manage. And with our platform, they can manage it in an automated way.
King: I'm conscious of the time. So I have one final question. This economy has taken a toll on many companies. How has it impacted your progress, if at all? And then, what are your growth plans? Let's say that we're in a recession, let's say it'll be not as devastating as many people suggest. And so, nine-to-12 month horizon. Cybersecurity is an interesting business. People don't stop spending on cybersecurity. If you do, then you're asking for the result you're going to get, so have you seen any impact of the recession in terms of span here?
Sirkis: Not really. Maybe because we are at the beginning, but as a productivity platform that assists those organizations that before had shortage of skilled people. And right now some of them also don't have the necessary budgets to implement all the tools that they plan. To be as a platform that assists them to consume and to manage native tools and open-source tools, as well as to automate those processes that assist them, to do some of the manual work instead of the people, I think that we are in a very attractive position to support those organizations and to enable them to have the same security level with less people and sometimes with less budget.
King: It's good that you also have the benefit you can share. It's been an absolute delight getting to know you and chatting about your company, and if you don't mind, I'd love to have you back around the first of the year to see what progress you've made. And whether you've gotten Gartner to agree that you are a leader and in the upper right hand quartile and see what we find at that time.
Sirkis: Alright. Great. Thank you very much for having me.
King: It's been a pleasure. And I hope that our audience enjoyed it. Another episode as well. And until next time, I'm Steve King, your host signing off here and all the best of luck to you Yoran and Seemplicity. Thank you. All right. Bye.