May 29, 2024
Episode Description
Erez Bejerano, a cybersecurity expert, shares insights on his career journey, the role of a CISO, and the future of cybersecurity. He emphasizes the importance of a security mindset, the impact of automation and AI, and the need for clear communication between security and business. Erez also highlights the challenges and responsibilities of a hands-on CISO, providing valuable advice for those entering the cybersecurity field.
[00:00:00] Erez: Thanks for inviting me. So I started thinking about it, you know, when, how many, you know, when you're asking how many years of experience do you have. So, as you said, I started my journey after I, being in my army service, I was, um, an officer, and I joined the Israeli Airport Authority in the security division. And my last role from 2008 was in the technological knowledge of the security division.
[00:00:25] Erez: I was responsible for the operational side of, uh, the inspection technologies and also the perimeter technologies, so this is one aspect of the cyber security world, the physical one. And from there, I was until 2017 working, uh, in Ben Gurion Airport, there also consulting on different projects and.
[00:00:53] Erez: I started, I started working with the cyber security teams within the Israeli Airport Authority. Uh, then started looking at, you know, my next role and where do I, what do I aim for now? Uh, and my next role was at a cybersecurity, uh, consulting company. I think after I finished working at the Israel Airport Authority and made my next leap to a consulting company, I then understood what the cybersecurity role is and it's, you know, uh, bigger than just physical security and access control. I saw the various roles within and, and, um, I started to drill down more and more, um, into that world and eventually aiming for a CISO.
[00:01:44] Erez: So the, the, the whole phases that I took were from, uh, project manager to a consultant, then CISO as a service, and then, uh, a GRC role, and then a CISO full time in the company. I think that was the roadmap that I planned for myself. Nice.
[00:02:05] Tamir: Amazing. And, and so when you're looking at your day now, what's, what's the most interesting, interesting part of, of your day to day work?
[00:02:15] Erez: I think when I, you know, finish my day and just do some sort of a conclusion with myself: how did the day go? What did I do today? What did I find today? Uh, did I finish all my goals? Was it a hectic day? Was everything messed up and I haven't completed anything, or did I make, you know, a breakthrough in, in some project and we can advance that?
[00:02:37] Erez: Because the, I would say the daily, day to day tasks, you know, can change rapidly. Uh, we're dealing with regular projects that we're planning. We're dealing, uh, mostly involving sales, uh, efforts. This is the, this is the role. So, if you have urgent tasks, you need to complete them, except, you know, security related alerts.
[00:03:02] Erez: You need to monitor systems, so that can change. So, when I, sitting by myself, you know, take that five minutes break and just see what I did, or what I can plan and change, I think that's the most interesting part. And, uh, see what we can improve.
[00:03:22] Tamir: Nice. And yeah, it really sounds like you're touching everything the organization, uh, is doing.
[00:03:29] Tamir: So it's a, it's really interesting, uh, I think, role, uh, to be in, and you get to see a little bit of, of everything. So. And you studied criminology previously, and do you feel this somehow helps in your day to day work? Does it give you, like, a certain perspective or insight into the job you're doing?
[00:03:56] Erez: Not much. Uh, I think, I think it's, it comes with a different background and, you know, knowledge and experience. And I think the best thing is, you know, this is just to collaborate, and then I can bring from my insights and learn from other people. My background is more on the physical security and controls and processes, and other systems that come from a development background.
[00:04:21] Erez: So I don't think it's the study itself, it's just the experience, because I saw a lot of various companies when I was a CISO as a service, so I was in a small startup with 30 people and also CISO for 300, uh, employees from Israel, uh, and Asia. I think that's the thing that, you know, shaped a lot of things and helped me, you know, succeed in whatever I do.
[00:04:49] Tamir: Amazing. And, and so if, if I follow up on that, so really what you're saying is what's more important is the experience, and maybe you could share how you're seeing the security field, uh, in general, uh, because security is a very elusive concept. It's very, uh, it's very easy to think you're secure when you are completely, like, in mortal danger.
[00:05:12] Tamir: And it's very easy to think you're in danger when you're actually secure. So how, how do you perceive this, the field of security?
[00:05:23] Erez: So, well, um, I'll give you an example. Uh, for an onboarding that we do take place within the company. Um, I'm talking to each team. We have a session, an onboarding session.
[00:05:35] Erez: One, I think, uh, you know, the expectation from this meeting is one, talk about cyber security. Cyber security is not just, you know, it's my role, my responsibility, and everything that happens I'm accountable for, but cyber security is a world of working together. It means each employee within the company does cyber security.
[00:05:58] Erez: Even if they don't do cyber security, when they see that in the background, they do cyber security. If you follow procedures, if you deal with the, if you raise, you know, a red flag if something happens, follow, uh, best practices for development, you do cyber security. The CISO, so, guides the ship to where he's aiming at, and everybody's working together, and on these onboarding sessions.
[00:06:28] Erez: One thing is, as I said, I'm talking about cyber security, but I'm also talking about expectations. What do we expect from them? Because people come from different backgrounds. You know, a tech company, they allowed a lot of things to do; people come from a company, they didn't allow anything. No problem. You can work since it was a neighbor.
[00:06:51] Erez: So, as I see it, you know, cyber security is, is adapting. Adapting to the challenges we have, adapting to the various risks, changing how the company system will work according to where the company needs to go and adapting its controls accordingly. When we talk about doing cyber security, sometimes I see a company and they said, okay, I had a problem with an email, and then asking yourself, what would Erez do?
[00:07:21] Erez: Or someone left his computer open and said, well, you know, what there is to do, you know, is close it immediately. And they start calling, you know, each other, and this way I know you succeeded, because everybody's doing cyber security.
[00:07:34] Tamir: Yeah. So it's, it's more, you're seeing security more as a mindset in the organization.
[00:07:39] Tamir: Like everyone needs, if you're able to install a security mindset, then in everyone, then that's already a win for you.
[00:07:49] Erez: As I see it, uh, in a big part, but the power of the security is being seamless. Seamless security, 'cause people don't need to see that. Yes, they know, they log into the system, but they don't know what happens in the background.
[00:08:01] Erez: How many controls we implement, or what we needed to, to implement. They just know that I can log in only from my computer, and using secure passwords, and then they understand the meaning of it. And once the, you have a different mindset of doing cybersecurity, I think this is a big, large success, uh, uh, for the company, uh, not just mine.
[00:08:25] Tamir: Yeah. So, so you make, you make security a mindset and you make security easy for them. That's,
[00:08:31] Erez: Yeah, that's kind of, I totally understand what people, okay, why do we need so many? Why do I need, you know, to log in every day or every few days, or why do they need to change the password? Once you explain the meaning of it, they will just do that.
[00:08:47] Erez: You know, they will accept it. We ask them a question, you know, any other bank account or medical services, why do you change your password? Why do you use an MFA code? Because they understand the need of safeguarding your information. And companies that adopt it really understand the need. Um, as I see cyber security, no.
[00:09:12] Erez: This is one of the conversations on the onboarding part. Cyber security is first internally for the company, means we, we're, uh, a more secure, uh, company, also for our clients. When you're working with SaaS services, trust is the main thing. We need to trust that, how do they trust us? We're compliant. Uh, uh, we do a lot of, of, I would say, actions.
[00:09:38] Erez: I don't wanna say controls in the bad meaning of it. But we're doing things securely, so the security is something, something important. And I saw that in various companies, uh, some more, some less, but still they understand the meaning of it.
[00:09:54] Tamir: Yeah. So it's, it's also for the company. It's also for the trust of, of the customers in the company.
[00:10:00] Tamir: So it's double the benefit for, for, for, like, investing in security creates this double benefit. Amazing. So, yeah, so if, if we go into a bit more, more like career stories or stories from your past experiences, so how do, do you feel like the bad cop sometimes, do you feel like you kind of, like, enforce stuff on people sometimes, or how do you, how do you perceive that?
[00:10:30] Erez: Um, I think at the basis of it, to see stories, people acting as, you know, here is the cop coming, depends on past experience that they have, right? It can be very nice. He still, I know. Now that depends on the, on the event, occasion, type of company, by the way. Uh, companies that need to be super secure. And we see breaches of companies holding very sensitive information.
[00:10:59] Erez: They have to be more, I would say, straight. That's the difference. Yeah. I feel like the best part.
[00:11:10] Tamir: Yeah. And you're, and you like the, the, the image of the, of the bad cop sometimes? Um, it's a good cop, bad cop, and you play them both.
[00:11:19] Erez: I think once they understand where I'm coming from or what is cybersecurity and why do we need it? As I said, for, you know, there's life thinking as it. Don't leave your bag here.
[00:11:31] Erez: What others would say about it. Yeah. That's a big conclusion. Yeah.
[00:11:36] Tamir: So you, you start, you started as the bad cop, and then gradually you're, uh, growing up to be the security leader and, and the, and the guide. Tell me about your biggest challenge as a CISO.
[00:11:51] Erez: So if you look at accessiBe, it's a, it's a fast growing company.
[00:11:55] Erez: It's an amazing company. And my team supports over 200 employees. Our offices are in Israel and, uh, New York. My team is me. I have an IT manager, an IT admin. Uh, this is the team. I would say the challenge is, is bringing the proper systems. Uh, I really, I would say, prefer to have fewer systems, fewer places to look at, more insight, it can be easier.
[00:12:30] Erez: Easier to work with. Uh, and this is the main challenge. I would say systems automation. We need to work a lot on them. But once you set an automation or the proper system in place, it will be a whole lot easier. So, we don't need a big team to do that. We just need to pick the proper systems.
[00:12:51] Tamir: Yeah. So you're trying to build your kind of very commando information security unit in accessiBe and then just equip them with the right tools to, to do their job.
[00:13:03] Erez: You don't want to bring a lot of systems because the team is small. Bringing a lot of systems, as I see it, is a mistake, right? You need to bring the proper system to handle the proper, the, the, the, I would say, the risky areas. And of course, let your, your risk. And with too many systems, you will have, like, elephants.
[00:13:23] Erez: You won't look at them. You won't challenge them and see that they're working fine. And don't be afraid. You know, if you need to replace it, you replace it, because you need the best one that will do the best job for the company.
[00:13:35] Tamir: And so how do you balance, for example, going with something that is all in one, like, we give you everything, versus something that is very point on, a solution that solves a certain problem but solves it very well?
[00:13:52] Tamir: How do you balance when you make a decision like this?
[00:13:56] Erez: So I can give you an example from a POC I did recently. Um, I kept very consistent in what I would check. Uh, one of the things I check is how easy it is to use the system, because with some systems you need, you know, a full team, uh, uh, doing courses for a few months, just to understand how, you know, to, to set a basic rule.
[00:14:22] Erez: And I'm looking for simplicity. I need the system to work. I need to make, you know, fast changes or adapt according to various risks. And if I can't work with the system, you know, it could be amazing, but if I can't work with it, I won't go anywhere. So these are the things that we're looking at.
[00:14:41] Erez: And yes, there is a long discussion between best of breed or all in one. I think there are a few solutions that are very good if you're talking, uh, when you're working with false targets, because they have a precise solution for a precise problem. And no one has that at, you know, uh, I would say, even a good level.
[00:15:05] Erez: So I will use that. Yeah. And sometimes you have best of, uh, you know, uh, all in one solutions that, we can see from the changes in the technology and where the market goes, they combine more and more solutions inside. Yeah, I'm, I'm, I'm, you know, it's, it's good. Why? Because fewer eyes on fewer screens, fewer menus to look at, and you have everything.
[00:15:31] Erez: No, in a single platform. Think about it. I'm not the only one that's working with the system. So, you have the development, in the sense I'm working on the system, the IT team, the one who would sit. You want it to be easier for them to first understand what the problem is and how to solve it.
[00:15:48] Tamir: Nice. So, so you, the more you can consolidate really, maybe even into your existing systems, like if you, if you plug, if you can plug something into what you're already using, then that's an advantage for you.
[00:16:02] Erez: And don't be afraid to plan ahead. If you need to replace a system, you will replace it. 'Cause as I said, I need the best system to do the best job for me in the company. So if a system doesn't work well, it doesn't, you know, produce the expectation.
[00:16:17] Tamir: What was this? You don't get emotionally attached. Nice.
[00:16:25] Erez: One comment that I can say. Yeah. We were headed around the park, and stuff from there. One thing that I can say is I see vendors. I don't see vendors, I see partners. So one thing is, I'm not just buying the system, I'm partnering with someone, and we consider in some of the systems how well they want to work with the system, how, how important is it to them to improve the system?
[00:16:52] Erez: And I think that's, that makes a big difference.
[00:16:57] Tamir: Yeah, it's always, I think, and maybe my perspective on this is, there is a lot of, uh, technical jargon and technical complexities in cybersecurity, but eventually it's still, it's still people, and you're still dealing with it, with people on the other side. And I think no matter the technology and no matter the field, it's always, like, how, how easy and how, um, how good the relationship is between the people you are working with and yourself.
[00:17:26] Tamir: So I think this is something that, that carries over to almost every field. You want to work with, with people that care about what you are doing, and you want to feel that you're in a partnership. So, what is one blind spot you think other CISOs don't pay enough attention to, and they should definitely start looking at tomorrow morning?
[00:17:48] Erez: I would say take a step back and ask yourself from time to time, what was the area that I haven't touched for, for a long time, or never touched? Uh, I see people, depending on their background, will be more on the development side or more on the processes side, and sometimes avoid some of the parts and dealing with, um, so take a step back, see what you haven't done for a long time.
[00:18:18] Erez: What you haven't touched, or any other plans that you put in the background and you want to work on, and change your plans if you need to. Um, this is, I think, things that, uh, wouldn't make a difference.
[00:18:39] Erez: Yeah. And your work plan or everything, you need to adapt yourself as that changes.
[00:18:46] Tamir: Amazing. So it's, it's more about looking at where, you know, you're kind of neglecting because you don't feel comfortable there, and just go heads on onto, onto this and, and say, okay, I'm, I'm going to look at, at the thing I don't want to look at.
[00:19:02] Tamir: I didn't want to look at it for a long time. And now it's the time, I'm, I'll dive into that then.
[00:19:08] Erez: Exactly. It could be, could be systems, it could be processes, it could be, you know, specific things. And sometimes, you know, you discover other surprises, things that you haven't thought could be all very critical to the company, or things that we need to correct.
[00:19:24] Erez: And all these things, you need to improve. I know all of this is, you know, your, your task list is full the whole time, but sometimes you can, you know, miss things.
[00:19:37] Tamir: Amazing. And so tell me about the most unexpected obstacle people don't know about when they get into cybersecurity.
[00:19:50] Erez: Uh, cyber security is, as you said, is, is, uh, is a big place, depends where you're getting into it.
[00:19:57] Erez: Uh, I would say one of the things that I saw is that people, uh, you know, sometimes stick to what they know. For example, hey, I worked with that firewall in the previous companies, that's the best I know, and you invest wholly every time, you know, to replace something, you know. Learn new things, you need to learn something new every day, and it could be a surprise that you'll find, you know, discover that it's any better or something.
[00:20:25] Erez: So, okay, we have a problem, but you will do that and this will go to your task list, and you understand that you're making a change or, or, or dealing with something that can seem, it's problematic. That's because you feel a little bit comfortable with it. Um, I would say, to understand that cybersecurity is a big world and not just, you know, a specific part.
[00:20:50] Tamir: And I think it's a moving, it's also, in a sense, a moving target, because two years ago you were not concerned with generative AI security. And now you probably have to think about what happens if someone types into ChatGPT, like, a full list of our customers to, to do something in, like, a spreadsheet or do some calculations.
[00:21:13] Tamir: So it's, it's a field, I guess, that you always have to keep adapting and learning. Right?
[00:21:21] Erez: Exactly. I was in one of the companies that they decided on, um, the next phase will be to work with, I would say, the European market. And then overnight something changes, then move to the Australian market. A lot of things change from there and you need, okay, let's, let's learn the regulation there.
[00:21:39] Erez: And then you need, okay, I need, uh, uh, a different, uh, cloud environment. So suddenly you're dealing with a lot of things you didn't think you would deal with now, or weren't on your work map. Now you need to change them. You need to be aligned with the business, always be aligned with the business. Because if you won't work together, cyber security, you know, won't do this.
[00:22:01] Erez: Push it aside.
[00:22:03] Tamir: Amazing. Yeah. Sometimes you have to learn the New Zealand cloud regulations, but it is what it is. Yeah. And nice. So if, if we're talking about your role in accessiBe, and you've been in bigger organizations before, how is being a hands on CISO different from being in a big, from working in a big team?
[00:22:26] Erez: I would say, you know, the challenges are different, uh, a CISO, you know, handling this, needs to be knowledgeable in a lot of aspects of the flow. As we said, from the technological side, uh, environment, cloud, programming a little bit, uh, and through regulation, control standards, we need to know everything. So I think that's the big difference from a big team, and priorities.
[00:22:55] Erez: Priorities can change and it will affect you directly. It's not like, you know, you have a task for the team, you can set priorities. You're, you're the team. So I would say you need to be very precise with what you do. You need to plan ahead, you know, leave room for unexpected things that will happen and decide what's more important.
[00:23:17] Erez: So I think the priorities are something that's super critical when working in a small team.
[00:23:24] Tamir: And I guess you need to be more like a T shaped, uh, CISO. So you need to know a little bit in, in everything, and then maybe have, like, a certain, uh, domain you're, you're an expert on, but you have to know, uh, everything that's going on.
[00:23:41] Erez: You have, and this, that leads me, as I said, about, you know, vendors. When you're working, what I'm looking for with a system is a call for someone to support, that someone I can address when I have issues and talk to him, because you want the best thing.
[00:23:58] Erez: I don't, I will let, I will not let anything tell, right. So for the system to work the best, if I'm lacking knowledge, we will, you know, add whoever we need or consult whoever we need, we just need it to work as best.
[00:24:15] Tamir: Yeah. You need, you need your, your systems to be like a multiplier for you and not, uh, not drag you down.
[00:24:22] Tamir: Yeah. And so what do you tell people who think the only role of security is to warn them about phishing emails? Like, how do you make the case for security as a mindset, security as a positive driver in the organization?
[00:24:44] Erez: Um, I would tell them they can come and look at the alerts from, from overnight. Um,
[00:24:51] Tamir: everything that happened last night, this is what people try to do to us.
[00:24:57] Erez: I think, uh, one of the things that I said on the onboarding part, I explained that cyber security, everybody does it. I'm responsible eventually for everything that happens, but everybody does cyber security.
[00:25:09] Erez: Phishing, you know, for example, when we're doing some, uh, phishing drills. The goal is not to fail you. Phishing is easy. You want to teach people. You want them to understand. So if someone fails, you teach them. What was the problem? You have different suppliers. We prefer it that way. We, we want to, first, not to send it to the general population, send it first to the team and make sure they're ready.
[00:25:35] Erez: And you see the success rate, and you see when people come, hey, I saw that. That was good, real, but we paid attention. And then you can check if what you said in the onboarding part and the ongoing awareness training of employees, if they, you know, act accordingly. Usually what we do is first, we explain to people how their actions can affect the whole company.
[00:26:00] Erez: So, it's not just, no, I got a phishing email and we succeeded in the drill that you, uh, uh, you did. Uh, they need to understand the effect. Every employee eventually affects the company. The lowest level, the senior level, everybody eventually, uh, does cyber security. Everybody does it, uh, it could be, as I said, a phishing email, it could be, uh, uh, sending information to the correct people.
[00:26:30] Erez: As we said, they don't want to be, you know, the office should want to explain what they do. So, the next time they would do something, they understand the meaning of it. How do I share information? What information can I share? Can I give access to someone? Um, is it, uh, um, okay to use a short password, or something local, to fully understand that.
[00:26:55] Erez: And once you explain it to them, they will, they will do cyber security.
[00:27:00] Tamir: Nice. So, so you really focus on, on teaching them and letting them know how they, how they should be working around security versus just telling them, Oh, this is wrong. Oh, this is right. And so you kind of like teach, but you, you lead by example.
[00:27:16] Tamir: Okay.
[00:27:18] Erez: Yes, so we have our controls implemented in the background. They don't see them. As I said, seamless security as much as we can. They don't need to see the red flag or something that pops up on the screen, or being locked out for a few days. But they understand the meaning of it. If they make mistakes, we can correct them.
[00:27:37] Erez: Right. We're there in the background to correct the mistake, but my role is, eventually, don't make the mistake.
[00:27:45] Tamir: Nice. And awesome. And as, as we're kind of, like, uh, getting to the last questions, I want to speak a bit more about your personal journey and motivation. So you've seen this field for almost, like, 15 years or so.
[00:28:04] Tamir: What do you think it's going to look like in the next few years?
[00:28:10] Erez: Um, interesting, you just think we're always, you know, searching, let's just start talking about AI. No one thought that AI, years ago, would be that integrated a part in every system that you use. So, I would say, first, a lot of automation, AI, you know, inside, and it produces results.
[00:28:36] Erez: For various, for various, uh, departments, means for sales and marketing and R&D. We see that all of the, uh, I would say, different products that help them, you know, improve and be faster, sometimes they will do things automatically. So I see that, I see a lot of automation, a lot of AI consolidated together.
[00:29:00] Erez: There will still remain a person that takes some of the decisions, because you cannot put everything on autopilot. They make a decision, because every decision you make affects the environment. So companies like, uh, people that think, that plan ahead, uh, but if you look at the cyber security world, a lot more automation.
[00:29:24] Tamir: You feel like more, more companies would have, like, someone that is a hands on CISO and then use automation and platforms to automate a lot of the work they're currently doing with, with the employees, right?
[00:29:40] Erez: Also, yeah, also see a consolidation of systems. We were asking if you're going to use best of breed or all in one, I would see more all in one.
[00:29:49] Erez: Because it will take, um, um, clouds. Right. So you have a product that does that perimeter security and another product that does one over building, start combining them together. And, uh, data security, everything will be incorporated in one place.
[00:30:11] Tamir: Nice. And, and so on the, on the flip side of that, what keeps you up at night as a, as a CISO?
[00:30:22] Erez: Um, so, about everything,
[00:30:24] Tamir: uh, you don't sleep too well.
[00:30:28] Erez: Oh yeah, never. Uh, I would say first, as I said, you know, going over the day, what we did, what we did, and if I had more time, we need to do more things, as one. Secondly, you see that, uh, since October 7th, I think a lot of things changed. And you see the, the, the threat landscape on Israel, on various companies, besides the databases that you get, you know, another notification on, uh, other companies that got breached over there, companies that got breached over there.
[00:31:04] Erez: And, you know, always trying to be on the watch and react or plan ahead. So your mind is, is just the whole time thinking, okay, what can I improve here? What can I change? What can I do better? And, and these are the things. Eglurvin.
[00:31:23] Tamir: Amazing. Yeah. It's, it's always changing. It's all, it's always on the go.
[00:31:28] Erez: Always. Yeah.
[00:31:29] Tamir: And yeah, as we wrap up, what's your most unusual piece of advice you would give someone starting a career in cyber security?
[00:31:41] Erez: Be clear. I would say, you know, be clear, um, if you look, as we said, as you look, a CISO role or someone from cyber security always sounds intimidating, so you need to understand who you're talking to. And how do you talk? Who do you talk with? You need to explain. Some people are not technical. They don't really understand, you need to explain what you're saying, because what you see, what you understand, what you plan ahead, not a lot of people understand. You need to explain yourself, see what you're talking, talking to the business, and something that will affect the business, uh, needs to be fully understood by the, you know, various sellers. So be clear, um, understand what you're going to say, or what you're aiming at, and what's the reason for it. So just study every day, so something amazing.
[00:32:40] Tamir: So basically you're acting like, you're acting as a bridge between the business and security technology, and, and you're essentially bridging this gap, uh, that the business users have about their security, about their technology, and, and yeah, so that's a lot of work, so I totally get what you're saying.
[00:33:04] Tamir: Awesome. Anything else you wanted to add maybe?
[00:33:10] Erez: Um, no, no, um, anything, you know, a lot of things that you're doing the whole day, and as we said, don't stop every day and start thinking, okay, well, I'll get what I did till now and where I mean, yeah, it all was going to be, um, but yeah, it was a great call.
[00:33:28] Tamir: Yeah, thank you so much.
[00:33:29] Tamir: Yeah, this is, it's, it's great to reflect sometimes to, to see where, where you're going. So thank you very much for, for the time, and I hope to see you again soon.
[00:33:40] Erez: Thanks for inviting me. Sure.
[00:33:41] Tamir: Sure. Thank you. Bye.