Aviva Zacks had the wonderful opportunity to interview Reuven Harrison, CTO and Co-Founder of Tufin, and he told her how cybersecurity is changing now that we are living through a global pandemic.
Safety Detective: What got you interested in cybersecurity and what do you love about it?
Reuven Harrison: Check Point is the epicenter of the cyber business in Israel and I was hired to work there as a software developer. I met a lot of talented people there, and later they joined me in the startup that we created after Check Point.
It’s very difficult to define the span of the domain—it continues to expand. There is always new stuff to explore, new technologies, new ways to defend and to attack systems. So, it’s rapidly evolving and you can touch every aspect of the business through cybersecurity because it applies to every domain. So that’s like an endless playground for somebody who likes to play with technology.
SD: How did you start Tufin?
RH: Ruvi Kitov, our CEO, and I started the company 16 years ago. We had been searching for a foundation that we could start a business upon. So we explored various areas and we eventually landed back where we started, which often happens to founders and entrepreneurs; when you’re doing research, you tend to get drawn back to where you came from.
We realized that there’s a whole domain of security policy management which was largely ignored at the time. This is where security meets business. Security vendors often stop delivering solutions at that point. The business processes are less interesting to them. And that’s where we engaged.
Today we see a huge need for business processes around security because in essence, you can keep the bad guys out and you can respond to attacks, but just like any other aspect of a business, if there’s no business process around it, it becomes almost impossible to operate at scale. Over time, we realized that there is a need for a management process around security policies because the business process is essential to security. You can’t do good security without a good business process around it. And that point where they meet is security policy.
SD: What’s your favorite Tufin product or service?
RH: Our first product was SecureTrack. It provided visibility, tracking, and reporting for security policies. There are a lot of nice things that we invented, like the automatic policy generator, which we filed a couple of patents on. The ability to analyze policies and remove the elements of the policies that are not being used which means they are not justified by business is also an area that we innovated. People love it because it works out of the box and provides good value for the money.
Then came security policy automation. We were the first ones to start doing it. Today it’s an established market, and it’s our leading market opportunity.
At the time when we started with automation, we got a lot of pushback from the firewall vendors. They didn’t like the concept.
But today, everyone needs automation, and all the firewall vendors obviously cooperate with us because their customers want to do this. So that’s reflected in our product called SecureChange, which has become hugely successful. And the concept of automation was expanded in many, many ways so that’s also a nice area.
More recently, the whole area of cloud and Kubernetes security, which I’ve been working on for the past three years, is also a lovely playground to discover new stuff and invent new technologies.
SD: What type of companies use your technology?
RH: Mainly large companies. If you’re a home user and you have a router with three firewall rules, then you don’t really need to manage them. You configure them once and forget about them.
But large organizations have business processes. The bigger you are, the more you need business processes to scale. It’s an interesting way to think about a system, an organization. When you want to scale, you need business processes. You can’t be thinking about every decision from scratch. You have to have established business processes that automate your behavior for specific events.
SD: What do you think is the worst cyberthreat out there?
RH: I don’t think there is one specific threat that is more important than others. With cybersecurity, there are so many ways to attack and defend. There are so many opportunities for hackers and so many motivations and different ways to go around and try and get to the target. Recently cyberattacks have become a weapon for nation-states. That’s something that we have been seeing over the past 10 years – more and more organizations the size of countries are using cybersecurity for actual war, even though it’s a Cold War at this point in time. I think that’s a very significant threat.
And sometimes you see some of these state-owned attacks happening at a business level as well, because a large bank or a large infrastructure, like an electrical grid company, often become victims of these types of attacks that are run by states. I think that’s one type of major threat that we will see more of in the coming years.
Another type of threat has to do with privacy, which has become a major controversy, I think that’s also a threat to democracy and human rights.
SD: How do you think the COVID-19 pandemic has changed cybersecurity?
RH: The first thing that became clear is that cyber attackers have no empathy. They weren’t giving us any breaks during the COVID crisis. We saw more attacks and a cynical abuse of the situation to take advantage of weaknesses that happened during this time. So, now we know even more than before that cybersecurity is a real threat. It’s not something that will just disappear. There’s a real strong motivation behind it and it will continue to expand and grow.
The other aspect is that the privacy has become an even greater issue. Privacy is controversial because it can have positive and negative consequences at the same time. And people are still trying to work out where they want to put their boundary. There’s been a lot of talk about wanting to track people to prevent the disease from spreading. But at the same time, there’s been also a lot of concern about states taking advantage of these tracking capabilities to do more than just prevent the disease.