We Go Phishing with Ofer Maor, Director of Solutions Management, Synopsys, who tells us about life inside and outside the office.
What would you describe as your most memorable achievement in the cybersecurity industry?
The Seeker product. The technology that my team created when Seeker was a standalone company (now a part of Synopsys) was a completely new technology that automatically identified vulnerabilities in applications. Known as interactive application security testing (IAST), this technology is now transforming how software security testing takes place in many firms. IAST fits into the DevOps toolchain as organisations are switching to faster development cycles and continuous delivery of software.
What first made you think of a career in cybersecurity?
I’ve always been drawn to understanding how things work and how they can be broken. One of my first jobs in IT was as a technical support engineer for an ISP in the early days of the Internet. This exposed me to the amazing capabilities of the Internet, but also to how easy it is to abuse it and take advantage of it. I quickly became fascinated by this space, seeing what can be broken and how, but also how it can be fixed. I’ve spent a large part of my career working as an ethical hacker, breaking into systems and researching new vulnerabilities, while helping organisations build protection against such attacks. To this date, I’m still fascinated by the innovation and creativity hackers (preferably ethical ones) demonstrate in breaking into systems and code.
What style of management philosophy do you employ with your current position?
I am generally a ‘hands off’ manager. I focus on recruiting people that can do the job they are tasked with and I let them do it. I like to set achievable goals and to provide my team with the tools they need to achieve those goals. For the role I’m in today, I’m also in favour of matrix activities – driving initiatives that are cross-organisational and getting the right resources for each such initiative as needed.
What do you think is the current hot cybersecurity talking point?
It’s hard to choose just one, as there are so many different hot topics. In the software security space, the most pervasive theme dictating the evolving approach organisations take to cybersecurity is the push for faster software development. This idea completely changes the way software is built. It is also causing a paradigm shift in how we secure those systems.
To achieve this ever-faster approach to software development, we are seeing two important trends. First is the use of open source software, which is rapidly increasing. This introduces a whole new set of risks to organisations. Second, the move to the cloud and more specifically to new cloud architectures (such as microservices, serverless, etc.) is changing how we look at software delivery.
Outside of the software space, one of the most challenging areas today is endpoint protection. With the exponential growth of ransomware and other endpoint attacks, combined with ‘click-eager’ users, it is becoming a huge challenge for organisations to defend and contain endpoint attacks.
How do you deal with stress and unwind outside the office?
I don’t deal with stress. I embrace it. A good level of stress is very helpful in keeping one focused. You need, of course, to make sure it doesn’t get out of hand. But as long as you keep it to a reasonable level, it’s good.
Outside of work, I tend to split my free time into three parts. The most important part is family. I spend as much time as I can with my family, especially as I travel a lot for work.
The second part is my relaxing hobbies. I enjoy photography and I scuba dive (and sometimes I combine the two). Both of these things are the opposite of my hectic life. They are slow, relaxed and stress-free.
The third part connects to the geek in me. I always have some sort of technology-oriented project or hobby going on. For the past few months this has been building a smart home. It started because I wanted to learn more about IoT technology. I figured that learning by doing would be the best way to go about it. Since then, it has evolved into converting everything in my house, while learning more about how electricity, HVAC systems, plumbing, etc. actually work.
If you could go back and change one career decision what would it be?
Nothing. I have no regrets about my career decisions. Sure, I have made mistakes along the way, but they were all part of the learning process and I wouldn’t change anything.
What do you currently identify as the major areas of investment in the cybersecurity industry?
I would say that the biggest area of investment right now, in terms of security, is people. The shortage of qualified talent in this space is driving huge investments in any technology or service that can either reduce the need for human involvement or increase skilled personnel’s availability to focus on tasks requiring their time and attention. This means that we see increased investment in anything that can automate a process traditionally carried out by human beings, with emphasis on Machine Learning and AI. At the same time, we are seeing increased investment in different types of training to grow the pool of security professionals. Vendors today must be prepared to provide managed services around their products and/or technologies and to scale such managed services teams (through recruiting and training).
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions? (Middle East, Africa, Europe, Americas)
Yes and no. Overall, the challenges are the same. The concepts are global and, more importantly, the attackers are global. Thus, the way to tackle the challenges is generally similar. Having said that, there are nuances derived from various aspects, such as local regulation, language barriers, etc. For instance, we see that in smaller countries with a unique language, there is a noticeably smaller number of phishing attacks compared to countries with a more widespread language. I should also note that in Europe, GDPR is having a huge influence on, among other things, cybersecurity solutions.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
I have been involved in building a new solutions management team within the Synopsys Software Integrity Group. The aim of this new team is to bring our different products and services together to address the needs of strategic verticals, such as financial services and automotive. Building this group from the ground up takes a lot of effort, but it also gives me the opportunity to help solve our customers’ problems in the best way possible. In the upcoming year, I expect this group to grow and to show our strategic customers how the synergy of our products and services can benefit them, while making sure that our product management and R&D teams are focusing on adding more capabilities that customers truly need.
What advice would you offer somebody aspiring to obtain a c-level position in the security industry?
Grow beyond security technology and think about organisational risk. One of the biggest challenges of many security professionals is sticking to the totality of the technological aspects of security – painting things in black and white. The question is not whether something can be hacked (the answer is ALWAYS ‘yes’) but rather how easy it is to be hacked, how likely it will be hacked and how much damage that hack may pose. The most effective c-level security professionals know to put the technological aspects in perspective while weighing the risks objectively. This allows them to have a seat at the table when corporate decisions are made. Security is just one risk out of many that a given firm will face. Thinking in these terms makes your input to the other executives far more valuable.