Go Phish: Amir Jerbi, CTO at Aqua Security

We get to know Amir Jerbi, CTO at Aqua Security, who talks about his career in technology and how he set up his own company.

What would you describe as your most memorable achievement in the cybersecurity industry?

My personal memorable achievement is related to starting my company about five years ago and the story of how it happened.

I was the Chief Architect of a large security software company, working on some very challenging problems that involved virtualisation and infrastructure security. As part of my work, I used to attend meetups on a weekly basis, ensuring I get up to speed with the greatest and latest technologies. At one of the meetups, I saw a demo of a cool new technology called Docker. It was a DevOps tool that allowed easy packaging of Linux applications. I remember getting back home and starting to use the technology – I was amazed by its simplicity and the range of capabilities it had. It took me a few more days of working with the technology to actually ‘fall in love’ with it.

Over the next few weeks, I started looking more closely at the technology, trying to understand what else could be done with it. The concept of software that you can build once and run anywhere triggered my thinking about what security applications could be built with it, and whether there is a way that applications packaged as containers can also be ‘secured anywhere’.

After several more weeks I decided that leveraging containers for better security was my destiny – I left my job and started working on this new hobby, this time as a full-time entrepreneur. A year later I founded Aqua with my friends.

What first made you think of a career in cybersecurity?

I started my career in the Israel Defence Forces (IDF), a mandatory service in Israel. I served there for about four years. Being part of the armed forces IT unit and working day-to-day on cyberthreats made me realise that the world is changing, from one that deals with crimes that are physical into a world that deals with crimes that are cyber. Someone with just a computer and an Internet connection can attack commercial companies as well as countries and critical industries. For me, understanding this as a young person of 18 joining the IDF and being exposed to these kinds of dangers made me realise that this world is changing. In order to defend against these attacks, you need to understand the attack vector, how attackers work and create multiple levels of defence. I started very young!

What style of management philosophy do you employ with your current position?

I believe in flat organisations. Ideas can and should come from all over the company, and everyone has a voice regardless of position or responsibility. At Aqua, all of our employees can very easily approach us with any idea, and if it’s a good idea we will give them the opportunity to go for it, to try it out and to promote it, regardless of their title and role in the organisation

What do you think is the current hot cybersecurity talking point?

I think that the world is moving into open source and into a place where 80-90% of the code that organisations are writing is being taken from open source/third parties. This puts organisations at risk of another threat – the supply chain attack – where someone can poison your organisation, not from the outside trying to penetrate in, but instead from within. Attackers can poison the open-source software you are using and enter the production environment through the development process, the supply chain and the build systems. I suspect that within two to three years from now, this attack surface will become much more impactful and something that we will all need to address by applying more security controls into the DevOps process.

How do you deal with stress and unwind outside the office?

I like to go for long daily walks. We have fantastic beaches in Israel so the combination of nature and taking an hour for myself to think helps to bring new energy into the day.

If you could go back and change one career decision what would it be?

Without wanting to necessarily encourage people to quit their jobs, from my own perspective I stayed too long in the same place prior to Aqua, and I wish I’d started my own company sooner.

What do you currently identify as the major areas of investment in the cybersecurity industry?

Following on from what I said earlier, let’s continue with shift left – in the last 10 years a lot of the security investments went into infrastructure – adding more and more layers of defence into infrastructure and runtime environments. What the world should be moving into is investing more and more security into the development and deployment cycles – adding security gates as part of the development lifecycle and making sure that software that is developed doesn’t have security issues and vulnerabilities. We will still need additional layers of security for the infrastructure, as not all issues can be ‘caught’ in the development stage, but it will greatly reduce the attack surface and will allow to develop smarter security tools that are acting ‘in context’ of an application.
An important part of this is investing in DevOps – providing education about security and investing in security tools for DevOps.

Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?

I wouldn’t split it regionally; I’d focus more on the different personas – Security persona vs DevOps – where each one needs to tackle a different aspect of the software lifecycle. The security persona needs to focus on production, monitoring and incident response while the DevOps persona needs to focus more on the build, deployment and software delivery.

What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?

I’m going to answer this one in terms of the security job role rather than my job role specifically – in the last year we’ve seen security professionals being asked to expand their control over the development environments, as well as being involved in the software development lifecycle, ensuring that developers are building secure code.
On the other hand, we have the DevOps person, who is being asked to adapt into a modern agile world of development and cloud, with continuous delivery – software being written and deployed every day. DevOps are now being asked to ensure that the software they are deploying has the right security posture.

What we have seen over the past 12 months is DevOps teams are being asked to include more security practices in their work, and security teams are being asked to have more visibility and control into what DevOps are doing – this overlap is creating a new kind of team – DevSecOps.

What advice would you offer somebody aspiring to obtain a C-level position in the security industry

What I would say is that you should think about what you can do to create an impact for the business, show that you can do the work expected of the role that you want, then getting the C-level title will just be a formality.