Asset visibility and vulnerability detection

[00:00:00] Chris Sienko: Every week on Cyber Work, listeners ask us the same question. What cyber security skills should I learn? Well try this, go to infosecinstitute.com/free to get your free cybersecurity talent development eBook. It's got in depth training plans for the 12 most common roles including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. We took notes from employees and the team of subject matter experts to build training plans that align with the most in demand skills. You can use the plans as is or customize them to create a unique training plan that aligns with your own unique career goals. One more time, just go to infosecinstitute.com/free or click the link in the description to get your free training plans plus many more free resources for Cyber Work listeners. Do it. infosecinstitute.com/free. Now, on with the show.

Today on Cyber Work, I'm joined by Yossi Appleboum, CEO of Sepio. Yossi and I shared a great conversation about the cybersecurity and infrastructure security agency or CISAs, operational directive for nonmilitary federal agencies to adopt a strict set of asset visibility and vulnerability detection systems starting as early as April of 2023.

Yossi discusses this directive, saying that it takes FCEB agencies out of the cybersecurity stone age and into the future. But can it work in such a short timeframe? Yossi has thoughts. Find out today on Cyber Work.

[00:01:37] CS: Welcome to this week's episode of the Cyber Work with InfoSec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals while offering tips for breaking in or moving up the ladder in the cybersecurity industry.

With more than 25 years of experience in security networking, computer science and control systems, Yossi Appleboum brings wide angle vision on cybersecurity. In the early ‘90s, Mr. Appleboum joined the Israeli Army Intelligence and served as a team leader and as a chief architect, focusing on design and development of critical infrastructure network monitoring and security systems. In 1998, Mr. Appleboum was one of the founders of WebSilicon, an Israeli company which focused on delivering networking and security systems. As the VP of R&D, Mr. Appleboum was in involved in design and implementation for more than 250 systems for eight government agencies, integrators and vendors. Mr. Appleboum served as the CTO for cybersecurity of Senstar Inc., and North American division of Magal, and relocated to the United States to work more closely with key customers and partners. In 2016, Mr. Appleboum co-founded Sepio. He also serves as the CEO of Sepio, and is responsible for its North American operations.

So, today's topic, we are going to be talking about asset visibility and vulnerability detection, and specifically in the CISAs Binding Operational Directive 23-01. So, I'm really looking forward to this. Yossi, thank you very much for joining me today and welcome to Cyber Work.

[00:03:09] Yossi Appleboum: Great. Thank you so much.

[00:03:11] CS: So, to kick things off here, Yossi, can you tell me about how you first got interested in computers and cybersecurity? What was the initial draw? When did you decide that you wanted to devote your career to it?

[00:03:22] YA: Well, I'm old enough not to start by saying I was dragged into cybersecurity because there was no cybersecurity, at least, not in soft term at that time. But as a young kid, I was dragged into computers. Apple and Sinclair, really, really old. The kids now will ask themselves, “What is he talking about?”

I finished my high school. And as an Israeli, most of the kids go to the army, and you have an option to postpone the army service for a while and go studying, and then joining the army later on as a professional. That's the path I chose. I was picked eventually, by the Israeli Intelligence Forces to join a team there that was eventually led to all the activities that I was involved in my entire career. So, I studied computers and electronics and such. I always were interested in diverge between understanding vulnerabilities and understanding how to exploit them, sometimes in my past and protect against them the rest of my career. And this is what led me to creating together with my other co-founders that we worked together for 30 years, both WebSilicon, another company where we’re involved in, and eventually Sepio.

[00:04:53] CS: Yeah. Now, it sounds like you are probably already studying tech and security before you joined or you did your course of study. But did that particular course of study in moving towards your time in the Israeli army, was that – did that like really – was that like a big jump up? Or were you already pretty well established as sort of a computer expert at that point, and we're sort of like brought in because you already had the skills. I guess I'm trying to figure out the chicken or the egg here. Did you get a big step up by having the service and the education that came with it? Or were you already kind of on that path?

[00:05:31] YA: Funny, if you will ask Yossi in ’91, he was saying to you, that is, he knows everything, because he's full of ego and he’s –

[00:05:39] CS: Yeah. Nobody can tell him nothing.

[00:05:40] YA: Convinced that everyone else has no value and he's the smartest in the room. In later phases, I realized that I knew very little, and it's all about experience. So, I had some experience pass through that. But most of my experience started, when I joined the craziness of the intelligence machine there. It’s literally like an incubator of startups, in essence of running between so many projects and no breakouts between them.

[00:06:21] CS: Right. Now, your early career, you mentioned this a bit here, involved the co-founding of two companies, WebSilicon and CyberSeal. Well, prior to your co-founding of Sepio, your current business. What made you decide to found these two companies and what needs did you see in the industry that needed satisfying by these companies?

[00:06:41] YA: In many essence, WebSilicon was the first IoT security company, but we realized that in retrospect after that. But eventually WebSilicon was a bootstrap company. We started it in ‘98. And again, the same founding team. So, working together for so many years, each one is trying to bring his own expertise. We had roughly the same path. But WebSilicon was literally addressing customer needs, and customers were mostly OEM vendors. So, we had discussions with many companies. They raised a list of ideas and requests, and eventually, we can help here and we can help there, but we cannot help in another place. And as part of that, we were able to eventually create platforms that were more generic to address network monitoring needs. And eventually, it led to network security and other.

We built our devices, God forbid, and eventually software platforms that enabled us to create first industrial Ethernet switch with cybersecurity embedded inside. We were able to win a competition with Cisco at that time, which was really exciting. But generally, when we started, it was more like, this is what we know and who needs that? In Sepio, it's different, because we're old enough, we understand the market way better than we used to, and we know what is missing and what is covered by other technologies and that was a totally different story.

[00:08:30] CS: That's interesting. So yeah, I just want to make sure that I'm teasing this out so that I'm getting the distinction properly. WebSilicon and CyberSeal, your idea for starting them was we have the certain knowledge, how do we turn into a company. Whereas with Sepio, it's, what does the market need? Let's build a company around this particular need. Is that a fair assessment?

[00:08:54] YA: In day one, yes. Of course, WebSilicon eventually became one of the strongest players in understanding network monitoring, and in bringing solutions that are not just working in a lab, but literally efficient in the field. In Sepio, it was literally understanding the market, seeing in the past what is missing, having multiple discussions with potential buyers, and then getting into – and it's not like a smooth path from day one to now. But at least we knew from beginning what we are going to do.

[00:09:26] CS: Yeah. You had the game plan in place first. Okay. So, I'm asking all this because a lot of our listeners are newly starting in cybersecurity, or have just started and they'd like to hear more about people's choices throughout their career as well as the day to day work that our guests performing these positions. So, can you tell me about what the average tasks are like in your week, in a given week as CEO of Sepio?

[00:09:53] YA: Oh, my gosh. No day is similar to the other one, and there is a big difference between different types of the company. You start, you have an empty office, you start to put furniture, and then you sit next to the phone and start calling people to tell the story. Now, the company is close to 80 people. Eventually, I can tell myself, I'm the CEO of the company, but eventually, the company manages me in a way. It's always a very delicate balance between responding to be proactive, and eventually pushing your initiatives. There’s no one answer.

But generally speaking, it starts with weekly meetings with stakeholders in the company, that's an element key of knowing what's going on. Because there's plenty of ad hoc meetings, there are plenty of that. But unless you have a weekly meeting that keeps you organized and keeps you disciplined and the party member, the one that speaks with you, you won't be able to figure out problems that eventually becomes bigger problems, unmanaged. So that's one thing.

Another challenge, Sepio is global from day one. We have engineering in Tel Aviv. Now, we have also engineering in Lisbon in the last several years. We have a sales team spread around the US. We have our teams in Europe. And in Israel, again, not just engineering, but sales and support and all of that, and product. So, it's really our time difference. There are like four days overlap in a week. Israel works on Sundays, but they don't work on Fridays. In the US, we know how it is. So, there's very limited time, which is efficient, in order to collect the information and create one map.

The second thing is, there is a lot of responsibility in front of the board, investors and all of that which require a significant amount of that. There are phases during the year that are different, like we are planning now ‘23, or actually closing the planning of ‘23 the budget. Budget is not just what we spend. It’s what we are going to sell. So, there is income, there is outcome and there are spending and profitability issues, and many other concerns that require discussions with sales and marketing and finance and you name it, engineering.

So, literally, trying to be organized, it's not easy. It's not easy at all. I'm a great believer that eventually it's all about, and it's a cliché, but I really, really believe in it. It's the quality of the management team that works with you, and not what works for you. If you don't have that, you're in a really, really dangerous zone.

[00:12:57] CS: This is not really Sepio, specifically. But can you tell us about your activities as an ambassador of the Global Cyber Alliance of which you've been a part since 2018?

[00:13:07] YA: Yes, so Global Cyber Alliance keeps growing and actually, it's nice to see that. But Global Cyber Alliance came as an initiative of the City of New York and City of London and a couple of very smart people that were building it here and, in the UK, and eventually they initiative require a voice to be heard, because there are plenty of projects. At the beginning, it was really few. Now, there are kit for reporters, especially in election years, or in places. We see what's going on now in Peru, for example, or in Iran. So, we need these reporters and journalists to have as clean as possible infrastructure, in any case, during big risk and problems.

There are elections. So, there are kits for elections. There are small businesses that really don't have the capacity, the budget, the knowledge on where to start. And these initiatives are extremely important. As an Ambassador, a you are a voice that people know, and you can post and you can talk and you can bring the initiatives to the attention of more and more people. I would admit that I'm not doing the best job there, eventually win the day job in Sepio and being ambassador. I'm not super happy with my performance there. But I’m totally aligned with the mission and totally aligned with whatever I can in order to help.

[00:14:47] CS: Yeah. I mean, to that end, how much time does being the ambassador – how does it sort of like, what's the percentage of like a given month where you're having to do that or does it vary a lot?

[00:14:58] YA: It's a very small percentage you. It’s several hours. But no one really asked you to do specific things. But you have another responsibility. And again, I'm not super happy with what I'm doing. But I'm not super happy as part of, the way I'm looking on my entire life is you want way more in any aspect. I want more time with my kids and my wife. I want way more time in office. I want more time as ambassador. I want more time to mentor and helping people here in Sepio. But there’s physical limitations.

[00:15:33] CS: Exactly. Yeah, only so many hours in the day. So, today's topic is a recently announced directive from the cybersecurity and infrastructure security agency, or CISA, for short. It's called Binding Operational Directive, BOD 23-01, improving asset visibility and vulnerability detection on federal networks. And it is aimed at, “Establishing baseline requirements for all federal civilian executive branch agencies to identify assets and vulnerabilities on their networks, and provide data to CISA on defined intervals.”

So, I want to walk through some of the requirements of this slowly for any listeners who are coming to the directive for the first time. So first of all, can we define what the federal civilian executive branch agencies are within the requirement? This directive, we're talking about. Nonmilitary federal organizations like the Postal Service, and the Department of Motor Vehicles. Who's going to be affected by this?

[00:16:27] YA: Eventually, all of them, because eventually, let's go back to the beginning of what that directive says. Eventually the government come and say, “We tasked the DoD to know what they are doing.” We are working with several DoD agencies, and they know what they're doing. Nothing is perfect anywhere, but they know what they want to do. In civilian, there's the DHS, and in some cases, in times of cybersecurity, there are many other agencies that are not exactly experts in cybersecurity, and some of them are very small, some of them are bigger. That's just on the federal level. But we can go another level, another layer into the state and local, which is not part of that directive. But eventually, as a security expert, managing risk is your job. There's no zero risk. But uncontrolled risk is enemy number one of you being able to do your job, right?

[00:17:24] CS: Yeah.

[00:17:24] YA: So, the basic requirement to know what you have in your infrastructure is a lot of impact on their ability to manage that risk. Because, literally, and it's not unique to the government. But as a big, big organization, you really don't know what's there. So, you have rules, and you have requirements, and you have compliance to that, and you have a regulation in a way that want to apply that on agencies. But you get into a discussion, and they really don't know what's there.

So, this is eventually, in a long sentence, but in one sentence, the entire initiative. Now, there are eventually, priorities. It's simple to say, “Okay, so now let's map all the infrastructure.” It costs endless amount of dollars, it takes so much time, and there's so many tools to be considered while you do that. There's, of course, discussions, what is more important, what is less important. And are some decisions regarding that, and CISA is a great advocate of that. And I think they were significant in part of creating that directive. It's not like, without due respect to the president, he was not sitting next to –

[00:18:49] CS: Oh, yeah, right. Office manual open.

[00:18:51] YA: But eventually, that is a key element in any effective cybersecurity program, regardless the size and regardless, the nature of your business, agency or not agency.

[00:19:06] CS: Yeah. I literally just got off the previous episode with Steve Judd of Venafi, and we were talking specifically about how DoD is moving towards zero trust. So, we know they're well on their way. So yeah, this makes sense. This is sort of a stopgap catch up for the other parts of the government.

Again, for the benefit of new listeners, when we talk about things like asset management and vulnerability, you mentioned a little bit. But what are we concretely talking about specifically? And related to that, when CISA requires that these agencies, “Identify assets and vulnerabilities on their network and provide data to CISA on defined intervals.” What does that entail? Is this type of asset management something that most civilian agencies are doing anyway? And reporting it to CISA, as simply an additional step? Or is this asking agencies who haven't done much asset management in their past to start thinking about it for the first time? Or is it a wide spectrum?

[00:20:02] YA: It's a wide spectrum, because there are some that are doing something and there are some that are not doing anything. Eventually, let's define what is an asset. In my perspective and what we do in Sepio is taking that in the broader definitions. So, every device that has any sort of connectivity, wired or wireless to your infrastructure, I’m intentionally not saying network, but infrastructure, or data is an asset in terms of risk, minimal. Meaning that your mouse, your keyboard, your disk key, or a thumb drive, your computer, your network infrastructure, your OT, IoT, and IT equipment are assets.

Now, the challenge is first to – and it's not unique to the government again, but to agree that this is the span of assets. Because if you go to IoT security company, they will say IoT assets. OT security company, OT assets. You go to a company that sells kind of a network access control system, NAC, they will say IT. We just bought an OT or IoT and all that. But generally speaking, asset is an asset regardless what it is doing, as any sort of connectivity into your infrastructure. That's my belief.

I would say that the narrow definitions of IoT and OT and IT are dangerous, because many, many devices will fall between the cracks. So, that's element number one. Now, when you have a definition of an asset, we all agree that when a person gets into an office, he brings a risk. The risk, he may be an insider, he may carry something knowingly on or unknowingly, and many sorts of that we can spend hours on that. But a device exactly like a software asset is the same false. So, device can carry something knowingly or unknowingly. Someone brings that device knowingly or unknowingly. And the risk of that device as a multiple contributor.

For example, US, the United States decided, I’m not against that, but decided, of course, that there are specific vendors that should be blacklisted, and we do not welcome these manufacturers in our infrastructure. I'm not getting into the politics, but that was a decision. So, this is a risk indicator, right? So, if I see these, I'm not in compliance with regulation. Some agencies and some organizations say that I don't allow any detachable media for so and so reasons. So, devices from sort of detachable media creates a unique risk to these sorts of organizations, while other organization can I don't care, because that's the nature of me doing things.

[00:23:04] CS: Because it is necessary, yeah, right.

[00:23:07] YA: [Inaudible 00:23:08]. Now, some may say, I don't want specific types of devices in specific areas within my infrastructure. Another risk indicator. And there's the reputation of the device. There is the reputation of the vendor on top of the blacklisted, bad practice, or good practice in designing and implementation based on media, based on many, many other incidents involved with these specific devices and vendors. And we can again, spend hours on that.

But eventually, all of that create a risk score for each one of the devices. So, that risk score is a key element in trying to figure out what's your risk posture of the organization. Unfortunately, today, too many parts in the government, in the industry, are not aligned with that. In contrast, for example, with what they do now with software release, which is really great in some organizations, are now behind in implementation of that into our hardware. And when they will, I think we will gain way better security for all of us, especially in the government aspect on our life.

[00:24:34] CS: Yeah. It's a challenge, but I think it's going to be a worthwhile one. So, CISA Director Jen Easterly’s comments on the directive, she said, “Knowing what's on your network is the first step for any organization to reduce risk.” So, this is part of a larger quote saying that even though this is a requirement for federal agencies, even nonfederal agencies should consider doing the same. But I want to drill down a bit into this quote, first step aspect of Ms. Easterly’s quote. So asset management, as you rightly pointed out, is the first step to finding out what your unprotected and under protected assets are. So, Yossi, can you tell me what are the next – what's the next step after that? Will CISA be providing recommendations for protecting these assets? Or will it be on the respective agencies to determine their own security hardening strategies?

[00:25:21] YA: CISA is one of the very few organizations that I cannot say anything bad about the way they are running. I think there are really, really interesting and remarkable way of doing things. I don't want to talk on behalf of CISA on what is next. I trust them completely. What I would say is that what we see in many, many global organizations is that after you have that knowledge, you start to apply policies. Policies mean, at minimum, I want to be alerted about things that are outside the comfort zone that I created to myself, or literally throw these connections out of my infrastructure. So, I don't want these devices to have any connectivity into my network, I want them to be DMZ’d. I want them to be totally isolated. I want them to literally close the port, whatever the application would be.

The reason for that is, first, we're talking about tens of millions of devices within the government, if not more. And as such, you cannot do it manually. The second thing is, of course, you want to know about that, and you want to track about and you want to see plans and you want – because this will give way more intelligence than we have today. It is part of a really big initiative that are running in the government. For example, better grip on the supply chain, better grip on the road to zero trust. You cannot gain zero trust unless you have a quite good idea of what's there, right?

[00:27:04] CS: And clear paths of how to navigate it all.

[00:27:07] YA: Exactly.

[00:27:09] CS: This always sounds to me like some, we're looking out for an old, that equivalent of like an old security or like an old like janitor's closet or something that someone forgot about and didn't realize there's a door in there that will – that if you have the right thing –

[00:27:23] YA: I keep remembering a couple of years ago, we had a meeting with – I'm not going to mention a name, but with one bank here in the US and the response from one of their top cybersecurity leaders was I don't care about my hardware anymore, because I'm moving to the cloud. Unfortunately, by the way, they realized later on in a bad way, that it was not really a great statement. Because what do you mean you move to the cloud? There is no hardware in the cloud, you are not responsible for that, maybe. What about your endpoints? What about the fact that you are using a computer while you Zoom into the meeting with me? So, your computer, your network connection of the computer, the mouse next to the computer, all of these are hardware. And in any research in the last couple of years, there was more hardware today than in any other time in human history. And it is true now and it's true in a minute because it keeps going. So, ignoring that is literally not exactly the best practice in security.

[00:28:27] CS: Yeah, I know. When I hear someone say, I don't need to worry about that, I’m moving to the cloud. All that sounds like is, “I don't want to think about this. Please just stop talking to me.” And that's not good. So yeah, next question. CISA set a deadline of April 3, 2023 for all FCEB agencies to hit the first stage step of the process, such as performing automated asset discovery every seven days, and initiate vulnerability enumeration across all discovered assets including all discovered nomadic/roaming devices every 14 days.

Now, Yossi, do you think this is a realistic deadline? I've been thinking so many guests lately who are behind the eight ball or know people who are when it comes to things like the long rumored CMMC 2.0 compliance for vendors next year. Is this a similarly tighter, scary deadline? Do you think that 3, 6, 12 and 18-month tracking and reporting deadlines will be attainable?

[00:29:21] YA: I think they know what they're doing. Okay. So, it starts with that, and in contrast to CMMC, that is being delayed all the time, for good reasons, by the way. Not an excellent result, but I understand why it is being delayed. It is easier, I think, in terms of implementing that. So that's one thing. I would give them the benefit or give them the credit, not the benefit of the doubt, but literally, the credit, that until today, I am not really aware of big faults. So, maybe it will take a bit more time. But unless you put some target and put pressure on managers, we all know it's not going to happen in any time unless you put something. I'm sure they have case by case discussions. I'm sure based on guesstimate, not that I know about any, but a I'm not going to a say that I'm 100% sure. Because I really don't know. But I would say that it seems to be very know what they're doing and seriously to ask them.

[00:30:33] CS: So, it's making people sweat, but no one's saying like, this is impossible.

[00:30:36] YA: I don't think it's impossible.

[00:30:38] CS: Yeah. So, I want to pivot from that into the actual work of doing things like asset visibility and vulnerability detection, as someone who might be entering the industry now. Will this directive require a new set of security professionals who have this type of experience to fill in emerging job roles?

[00:30:59] YA: Absolutely. I think one of the failures in the industry, especially on the vendor side, is literally understanding the difference between the risk that is coming from hardware, to the risk that is coming from software. And especially, the difference between, let's call it the soft IT world and the old infrastructure world. Because of that, we see, and again, I'm talking on behalf of myself and Sepio. I think I know what I'm talking about. But some people may think I'm seeing different, is that generally speaking, some technologies, and I'm not going to mention names of vendors. But some technologies today are trying to apply kind of their software way of mapping and understanding the risk on hardware. It's not efficient, it's not scalable, and again, talking on my behalf, not scalable enough, and not accurate enough.

Because of that, and I can give couple of technology examples. And because of that, the lack of a solutions is not based on someone being lazy, or someone being not smart. It is based on experience. It is based on skill set, and it goes back to your question, and then I'll give the example. It goes to the fact that it's totally different skill set. It's not the direct path from IT to cybersecurity or from software, to that, it requires understanding physics, it requires understanding in electronics. It is deep, deep, deep understanding in what we all know as Ethernet, Wi Fi, and all of that, works underneath the hood. Because otherwise, it's not going to change enough.

Many, many technologies today in mapping, in the game of mapping hardware, based on a topic monitoring. Eventually, it's a new generation of ideas, which is a great idea. The problem with that is, it is limited by the amount of resources you can dedicate for that. And big agencies will have so much traffic running on the network. So, mapping all of that traffic is a big issue. The other side effects that some traffic may be encrypted, so breaking that encryption is another issue. Compliance and running through a third party, sensitive information is another risk factor. We have all seen what happens in some incidents with that, related to that.

So, I know what we're doing in Sepio. But generally speaking, I keep telling the story that imagine a dark room, you don't see anyone and what is an idea? So, you sit there, put a microphone and start to analyze who's speaking to whom, and based on that, “Hey, Yossi, is speaking to Chris. Yossi is in the room and Chris is in the room.” But if Yossi is sitting quietly and not sewing saying anything, Yossi is still in the room, still brings risks, but he's not saying anything. This is a significant fault of traffic and activity monitoring, versus the fact that I believe that hardware identification should be based on eventually you put your hand on the desk, you are there.

So, if a device, a device, has any sort of connectivity, it’s there, and you need to discover that connectivity, and not activity, right, and that's a great example. So unfortunately, not enough people have the right skill set to be involved in such.

[00:35:07] CS: I have a good follow up for that. So, I'm sure it probably varies depending on the size of the respective agencies. But is this the type of work that you're seeking your traffic analysis or hardware identification? Is this the type of work that requires master level vulnerability management or something that can be worked toward with less experienced professionals?

[00:35:33] YA: I think it's like a different level, which is better understanding the physics behind, more than the certification. But yes, when it goes eventually towards the level, eventually what we bring is a risk score, and then invulnerability report, then you need people like that, that will be narrowed into understanding what does it mean. But it starts by creating that, by generating that. Now, I don't want to push millions of people to go there, because then I'll have competitors. But seriously, there is not enough people that are.

[00:36:13] CS: So, this isn't necessarily something that you have to wait till nearer the end of your career to start working with. You can start working in this field pretty much from the beginning and have something to do, to sort of build your experience.

[00:36:25] YA: Yes, absolutely.

[00:36:27] CS: Okay. So, for listeners who want to make some or all of their work in cybersecurity, be around asset visibility and vulnerabilities either for federal agencies or anywhere else, what type of learning paths or experiences or qualification should they be trying to achieve, to make themselves look like top of pile candidates within the resume stack?

[00:36:45] YA: Oh, it depends where in the food of chain they want to be. But if they want to be on the vendor side, that really creates the technology, they really need to seek a deep understanding of engineering, and physics and things like that. If they are more into understanding the risk that is coming from that, classic cybersecurity path is the great thing to do. But I would recommend that eventually, building their knowledge around hardware, building their knowledge about understanding the ecosystem, it's not going to disappear the tension between the US and China and other. It's not going to be different. Actually, it's going to be worse, I believe. The fight on world domination is not going to stop. That's the human nature. Hopefully, America is not giving up. And such, as well as manufacturing so much mostly in China, and I don't believe there is an alternative for a common hardware in any other place. We need to recognize the problem and we need to recognize that we need to address the problem, not by stop buying, but by more understanding the risk and assessing the risk on a continuous basis.

[00:38:08] CS: Right. Yeah, there's never a zero risk. Yeah, it’s makes sense. So, if you were – this is a hypothetical question. If you were entering this cybersecurity field right now with the requirements and experiences that are needed to compete with this particular level of speed, would you have done anything differently compared to your early years in the business? What are some maybe things that, if given the chance, you would have studied more of this, or you would have gotten on the ground floor of this technology or any anything like that?

[00:38:40] YA: Well, the given answer is yes, absolutely. I don't have details, because I need to think about that deeply. But absolutely, yes. And I would give one thing, and I totally believe that eventually, I was, in a way lucky to be joining the intelligence of Israel literally, several months after the first Iraqi War of the Desert Storm. The entire Middle East changed. Iraq was not exactly a risk or a or threat in Israel anymore and Iran became top tier, way more modern, way computerized, were more interesting. It affects eventually, 30 years later, you understand where it starts.

But the only advice I keep giving to young engineers and young professionals is use what you got and make it the best – make lemonade out of lemons. But seriously make lemonade out of lemon. You can compare yourself to the other, “Oh, you got that and I got only that.” But I think that comparing to some of my colleagues and friends in the past, I did quite okay, even though, equals zero I think, as some may say they got the better position at day one. It's all about you. It's all about you. That's the only really advice I can give to young professionals.

[00:40:09] CS: So, if you want to look in your magic crystal ball or whatever, how do you think this directive – let's assume it's properly implemented and stuff. How do you see this sort of changing the security stance, platform, whatever of federal agencies? Do you see this going far enough? Do you see they're like pushing the needle in terms of closing backdoors and closing vulnerabilities and things like that? Do you see good results for the possibilities of this directive?

[00:40:44] YA: Hypothetical. Hypothetical, it's not moving the needle, it's moving walls, and boulders. Seriously, it's like, almost from stone age to a modern era in understanding modern risk. I applaud the agencies that will do it faster than the rest. I think that we should all support that initiative, regardless, it's not politics. It has only one main issue, which is, as being most secured, and we're not secured enough, and this is a big change. I would say that, and some vendors will have to forgive me for that. But when you changed from EDR-1 to EDR-2, you may have a difference and change in the organization. But this is an incremental change. Here, we are talking about a leap. A leap in security. So, it's significant.

[00:41:47] CS: Yeah. That's also very, sort of exciting sounding, because I think for people who are already intrigued by this as a line of work, I think, hearing that this is going to go from the stone age into the modern world, in terms of security and federal agencies and stuff like that. I can't imagine someone listening to this now wouldn't be incredibly inspired to sort of jump into this space, and yeah, lend a hand. But here's hoping.

So, as we wrap up today, Yossi, could you tell people about Sepio, the services and products your company offers? And if there's anything that your company is looking forward to in 2023, if there's something you're looking to unveil, or big changes?

[00:42:32] YA: Yeah, well, some of our people call it a rocket and I think it is a rocket. Nothing here is boring. We are learning very quickly, providing solutions to the problems we discussed today to many organizations, from financial institutions, to healthcare, to critical infrastructure, and, of course, to the US government, both DoD and, and civilian. This is why I feel very comfortable to applaud these agencies, and not just because they gave me money, which I really appreciate their business. But really making decisions, not always easy decisions, but smart decisions, I believe.

So, that's one thing. We keep going, and we'll keep going all around the world. So, we have always open positions. Feel free, people, to take a look on that. I think, eventually, we are working hard, all of us, and we try to make a difference. It's all about making difference. We pay like the rest, and we give options like the rest. But making a difference and being part of something that changes is, first, it’s a smart career move. But literally, good people want to make a positive change in the world. That's really the place, one of the places to be in order to do that.

[00:43:56] CS: That's awesome. So, one last question. Very important. If our listeners want to learn more about Yossi Appleboum or Sepio, where can they go online?

[00:44:05] YA: LinkedIn. I'm not a Facebook guy. But I’m getting into that. LinkedIn is the right place –

[00:44:14] CS: Can our listeners drop you a line?

[00:44:15] YA: Excuse me?

[00:44:16] CS: Can our listeners drop you a line?

[00:44:18] YA: Yeah, of course. Please do. I have plenty of people in my network. I like to discuss with people and please do. Feel free to.

[00:44:26] CS: Wonderful. And Sepio’s email or URL?

[00:44:30] YA: So, it's www.sepiocyber.com. There's plenty of materials there that might be interesting to many people, not just sales material, but literally, deep tech information.

[00:44:44] CS: Cool. Yossi, thank you so much for joining me today. This was really informative and a lot of fun.

[00:44:49] YA: Thank you so much.

[00:44:50] CS: As always, I'd like to thank you all for listening to and watching the Cyber Work podcast on an unprecedented scale. We're wrapping up 2022 here, and we're delighted to have so many people long for the ride and such a big jump in subscriptions and listening time and viewing time. So, thank you. Thank you all so much.

Now, I'll just say, go to infosecinstitute.com/free to get your free cybersecurity talent development eBook. It's got in depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. So, we took notes from employers and a team of subject matter experts to build training plans that align with the most in demand skills. You can use these plans as is or customize them to create a unique training plan that aligns with all of your unique career goals. And that's going to be very useful, especially if you're going to get into asset management in the federal government.

So, one more time, go to infosecinstitute.com/free or click the link in the description below to get your Free training plans, plus many more free research resources for Cyber Work listeners.

Thank you, once again, to Yossi Appleboum and Sepio. And thank you all so much for watching and listening. As always, we will speak to you next week and I hope you have a very Happy New Year. Take care now.