How today’s cybersecurity pros ‘think like the attacker’ and look for ‘regular’ threats
On this week’s episode of Fortune’s Leadership Next podcast, co-hosts Alan Murray and Ellen McGirt talk with CyberArk CEO Udi Mokady about what companies should know and focus on to protect against cyber attacks. Listen to the episode or read the full transcript below.
Alan Murray (0:07): Leadership Next is powered by the folks at Deloitte, who, like me, are super focused on how CEOs can lead in the context of disruption and evolving societal expectations.
Welcome to Leadership Next, the podcast about the changing rules of business leadership.
I’m Alan Murray, and I’m here with my incomparable co-host, Ellen McGirt.
Ellen McGirt (00:27): I love these moments. Alan, thank you so much for that, and hello, everyone. But we do have a pretty serious conversation ahead of us today.
Murray (00:35): Yeah, I think Ellen, you and I both felt it was important to talk about what’s going on in Ukraine, not just because it’s significant for the world—and it certainly is—but it has become a significant issue for business. I was surprised and really kind of amazed by how quickly big companies acted to cut off their businesses in Russia. You take a company like McDonald’s, which has more than 800 stores there, nearly $10 billion in revenue, and they shut them down. They ended it. That’s really Ellen, a form of what we talk about on this show. That’s stakeholder capitalism in action. It’s businesses taking responsibility for a significant problem in the world.
McGirt (01:16): Now, I agree with you. There’s just been astonishing. Let me just tell you what has surprised me. I think I mentioned that earlier that I attended an online briefing with Ukrainian Deputy Minister Alex Bornyakov, and he was responsible for the digital transformation of Ukraine. And it was an amazing thing. You know, the technology he’s zooming in from a bunker, you know, well, the rest of us are listening and asking him questions.
But one of the things that he talks about was how intentional they’ve been at creating an engineering culture in Ukraine, specifically to transform government services to make the country a beacon, but also how hard they’ve been working to create an investment haven, particularly around crypto. As I was listening to him talk, besides all the horrors of the war, it really hit me that all the hard work they’ve been doing to build a democratic business-friendly environment innovation forward environment now hangs in the balance. So I’m hoping that the business community will step up yet again, and begin to help them rebuild there, too.
McGirt (02:15): So today, we’re focusing on a threat that received a lot of attention in the days leading up to Russia’s attack on Ukraine, and it’s top of mind for CEOs, even when there’s not a war going on. And that’s cybersecurity.
Murray (02:28): Yeah. Today’s guest has spent decades studying this. He’s Udi Mokady, he’s co-founder and now CEO of cybersecurity company, CyberArk. Udi, thanks for being with us on Leadership Next.
Udi Mokady (02:41): Oh great to join you. Great to meet you, Ellen and Alan.
McGirt (02:45): Oh, it’s really wonderful that you’re here. We have so much to talk about with you. But before we dig in, could you just give us a really broad overview about what CyberArk does and how and where you operate?
Mokady (02:56): Absolutely. So CyberArk is, we’ve founded or pioneered a space called privileged access management, which is all about securing the keys to the kingdom in organizations—how humans and machines have access to systems. And we’ve expanded that to basically identity security, securing how all types of humans and machines access the variety of resources in an organization. And it’s what organizations need to enable digital transformation, but it’s also what attackers go after. Because once you have access, you can behave like that machine or that human, especially if you’re able to get in as a privileged user, so you have full access to the bank, or to the airline, or to the manufacturer. But more and more attackers are going after the regular workforce employee or supply chain access, and those are the things that we defend against.
We built a large company. We went public more than seven years ago, and I have more than 7,000 customers and more than half of the Fortune 500. But I wake up every morning with this mission to provide what we call impactful security to our customers.
Murray (04:01): It’s like the main entrance. It’s the critical touchpoint in protecting against cyberattacks.
Mokady (04:07): Yeah, I would say that if we take physical analogies. People always focus on just the main door, but were unaware that there are so many back doors where people are fixing things, and those are what’s called administrative access. But yeah, it’s right now identity has become the new perimeter. Everybody’s working from home, everybody’s spread out. And the way for attackers is to get into and to pretend to be a regular human or machine.
Murray (04:32): So Udi, ahead of the Russian attack on Ukraine. We were all warned, companies were all warned to brace for serious cyber warfare. We know Russia has the skills. President Putin has all but said that we have declared war on him. So he has the motivation. And yet we haven’t really seen much yet. Well, how do you interpret that? What is going on? What have you learned from your internal data?
Mokady (04:59): I would say even ahead of this, the cyber environment was probably the highest that we can remember even before this, this conflict or this move. But you’re right, the world was expecting that the cyber attacks coming out of Russia would probably have a bigger event. There were events, I mean, they launched their attack with wiper attacks, with malware called HermeticWiper, which was attacking Ukrainian government organizations and enterprise and wiping out systems. But it didn’t have the effect that a previous attack they did in 2017 called Petya had, that we’re all familiar, that spread out and hit almost 65 countries, thousands of organizations around the world. And so we didn’t see that yet. I think cyber conflicts can remain much after the physical conflicts, and I think organizations should remain in high alert.
Murray (05:52): But why haven’t we seen it yet? I mean, he’s threatened to use nuclear weapons. Why haven’t we seen the cyber weapon unveiled yet?
Mokady (06:00): Yeah, there are many explanations of, and some tried to downplay the type of arsenal that Russia has, I would actually think that they’re very capable. They’re behind some of the most sophisticated attacks ever written in cyber history. So I think they do have nation-state level capabilities. Perhaps they’re saving it for a later time like. You don’t suddenly pull out all of your arsenal at once. And of course, my concern is that some of it will be taking against countries that are participating in sanctions. And I guess that’s what we, and I know many of the customers I talked to, are worried about.
McGirt (06:35): So when you say high alert, what does high alert really mean? And what should we be looking for? And what does this say about the future of cyber warfare? What are we learning about that?
Mokady (06:47): Yeah, Ellen, I think it would be probably a mistake for leaders to look at it as a point in time and just oh, we raised the level, but nothing happened, or it wasn’t as serious, and we went down. I think leaders should view this as a turning point because, on top of everything else we’ve seen in the past couple of years, ransomware and criminal organizations and nation-states attacks, now we have a real-life conflict with one of the major nation states.
I think what organizations should be thinking about is, in any case, they are digitally transforming, they’re embracing the good things that are coming with digital transformation, but they’re creating a lot of cyber debt. They have legacy systems, they’re rushing to the cloud, they’re allowing employees to work from home. Couple that with more and more bad actors that can attack it, and I think it’s just, it shouldn’t be a blip. It should be a continuous improvement that organizations should take on best practices in cybersecurity. Always get better at it, because it’s here to stay.
Murray (07:40): Udi, in the nuclear weapons space, the U.S. and Russia have roughly equal numbers of warheads. That was a principle of arms reduction over the course of the last decade. So we’re kind of at parity. Where are we in terms of cyber warfare? Does one side have the advantage? Is it parity? How do you evaluate it?
Mokady (07:59): I think for sure the U.S. has advantage, because the arsenal hasn’t been out, at least for the last couple of years. So if we look at any new weapon introduced out there, and Russia has been using attacks, and they’ve been discovered over the past couple of years, and so the world had a chance to investigate.
Murray (08:18): So we know more about their weapons than they know about ours.
Mokady (08:20): Because they’ve used it, and by the way, it probably applies more on physical warfare that happened now, and I’m sure NATO and the U.S. is studying what’s going on with missiles used and tanks used. So the fact that they’re using it already gives the U.S. an advantage. I think the U.S. has a great advantage in terms of the amount of resources that are spent at it and the creativity that one needs. Freedom creates creativity. And I think that’s why I would probably vote that the free countries would have more creative white hacking going on, or positive hacking going.
McGirt (08:53): Speaking of creativity, every cybersecurity expert I’ve talked to in the last few years—granted it’s not that many—but all have spoken about not having enough talent. The talent pipeline in cybersecurity jobs, which is a really rich array of expertises and job functions and strengths and capabilities is always an issue. How do you see the cybersecurity-ready workforce shaping up, and what should we be doing about that?
Mokady (09:21): I think one of the elements is to further market it with the cool factor that it has. I think studying cybersecurity, and it’s a high school age, or making it a program in a variety of colleges, there actually is a cool factor, and also something positive where you can make a positive impact on humanity. In Israel, we’ve seen that has become a program where people can matriculate at it in high school, where you actually, just like you can study physics, or be honors in math or others, you can actually take cybersecurity, and people know that it’s going to be helpful for their careers. It can affect where they serve in the military. So I think bringing it to the younger parts of students today would be a big part of the solution.
Murray (10:04): And how about for you? How did you end up in the cybersecurity industry? What was your route to this career?
Mokady (10:11): Oh, wow. Yeah. So when we, when we founded CyberArk, the space was not even called cybersecurity. I mean, we started the company back in ’99. I served in an intelligence unit in Israel that had the beginnings of defensive and offensive use of computers, but it was very early. The space was called information security, wasn’t even called cyber. And my co-founder and I were attracted to it.
Back to that physical analogy you talked about earlier. We looked at this missed perspective on, so much is invested in creating boundaries, but once you’re inside an organization, you can move freely. And then we looked at the physical world and the physical world—you wouldn’t think about just locking down the front door. And that led us to really innovate and to think about a physical digital concept and we invented something called the digital vault. How do we protect something beyond the borders of an organization? And of course we were ahead of our time, we were thinking about insider threat. What happens if a human is actually just part of the network? Do we trust them? We saw the soldiers around us and they had full access to things and some of them just because of curiosity, were looking at things that they shouldn’t have, but they were trusted because they were already on the inside. And we took that analogy and started a startup. At the time, you had only a handful of security companies and it was a great journey to discover what are our customers worried about?
McGirt (11:33): A phrase I’ve learned is threat innovation. You know that the fact that these bad actors are innovators. It’s a funny way of thinking about it. So who is most likely to be a bad actor now to launch a cyberattack against the company versus what they were even 5 10 years ago?
Mokady (11:51): Yeah, you’re so right, that they changed so much. I think when we were beginning it, you had these curious type of actors. They were doing it just to prove that they can. So it was kind of an individual endeavor. Countries began to develop it but not every country now, it grew to a point where every country understands that they have to have cyber capabilities both for defense and offensive. But outside of nation states today you have really organized criminal organizations. And just like you said, Ellen, they’ll be sitting in rooms, like, like we’re sitting in, they’ll have air conditioning or heating and they’ll have a lab and they would really be developing the elements of the attack and they won’t have to do it all on their own. There’s a whole ecosystem for the cyber attackers. If you’re a ransomware developer, you don’t have to actually develop the ransomware, you can rent it from ransomware developers, just share a piece of the proceeds. So the more the world became digital, the more the ecosystem has thrived for criminal actors. And of course for nation states. It’s much more organized and they’re investing in innovation.
Murray (12:59): I’m here with Joe Ucuzoglu, who is the CEO of Deloitte US and had the good sense to sponsor this podcast. Thanks for being with us and thanks for your support.
Joe Ucuzoglu (13:08): Thanks, Alan. Pleasure to be here.
Murray (13:09): So Joe, this new wave of business technology, artificial intelligence, Internet of Things, the ability to make intelligence out of data, is creating huge opportunities for companies. But a lot of the CEOs I talked to feel daunted by it. It’s like where do they get the imagination to rethink their entire corporation? How did they deal with that?
Joe Ucuzoglu (13:32): The opportunities are immense, particularly when you look at not just any one of these technologies individually, but the convergence of all of them collectively creating the opportunity to truly transform business models. And I know it can seem daunting, but the reality is taking the first step in actually produces huge benefits. Because what we’re finding is that many of the cutting-edge applications are not coming out of the corporate headquarters. They’re coming out of putting the technology in the hands of our people on the front lines. They find new and innovative uses, we then funnel them back up and leverage them across the entire client base.
Murray (14:10): It really gets to the importance of a culture of innovation at the company.
Joe Ucuzoglu (14:14): It is essential that our people feel empowered to take the latest and greatest and define new and innovative ways to use it for productive purposes.
Murray (14:23): Thank you, Joe.
Joe Ucuzoglu (14:24): Alan, it’s a real pleasure.
Murray (14:30): So CyberArk has built its business to protect organizations from incursion by bad actors. But now we have this moment in our history where we’re looking really at least the possibility, maybe it’s not the likelihood, but a possibility out there of real cyber warfare. To the average person, what does that mean? Like my wife has been telling me take a couple $1,000 out of the bank because you don’t know if you’re going to have access to your money. And make sure that the generator is filled with fuel because we don’t know if there’s going to be some sort of shutdown in the delivery systems. What should the average person look out for in a world where cyber warfare is on the horizon? Potentially.
Mokady (15:14): I’ll try to give a very balanced answer because, again, like I said, I’m wired optimistically…
McGirt (15:19): I’m not. I’m picturing planes falling out of the sky.
Murray (15:25): Ellen is the cloud, not the silver lining.
Mokady (15:29): I would actually say that we are, and I think, I think you can see that, not just in Ukraine, but actually the Russian citizens today. And we’re hearing about that they’re running out to the ATMs and they’re limited and suddenly they have their own panic on the street, but definitely you can see the impact on Ukraine. So theoretically, given how digitized we are, given how everything we do is with a click of a button these days, if that’s disrupted, it could disrupt our way of life. And those examples of an ATM access and electricity down and things of that sort, those could be part of cyber warfare.
I would balance that the U.S. and major countries have been investing in protecting critical infrastructure to the point where, the hope is that it can come back up fast and things can be temporary down, but there’s a way to back up. A lot of the way cybersecurity is approached today is, think like the attacker. Where are they going to go, and what are they going to do? And even simulate what the adversary would do, but also simulate the recovery. That has become a big part of companies’ drills. So I think the menu can include anything from light disruption to major disruption to our way of life, and that’s why we really have to be out there vigilant and to defend it.
Murray (16:48): Hey, Udi, one of the things we talk a lot about on this podcast is that tech companies have not been terribly diverse. There are not a lot of women. There are not a lot of people of color. Building a tech company, how do you deal with that?
Mokady (17:01): Yeah, I always think it’s a work in progress. But I was always very proud when you even when you walk through our R&D center that you saw a lot of women, disproportional to what I’ve seen in other companies, and part of it is because in Israel you have a lot of the R&D is in Israel for us. And there’s mandatory military service in Israel. And so you were actually you have a lot of women who are actually going into technical roles and computer science roles in the military and they’re out there and they’re coming out for jobs. So I think we had a good opening, I would say position from that perspective, but we’re all changing how we think about it. I would say on a daily basis for me, it was always very important.
I mention Israel a lot but it was always very important to build a global company, like a truly global company, no matter how you walked in, you can feel part of it, and that people really have a sense of belonging and diversity. I think we put in a lot of steps leveraging our Boston presence and others to hire more and more staff from community colleges. There’s so much that can be done on teaching on the job that once you put practice steps into it, we’re seeing that diversity increase also on the minority side in the company. So I think it’s a it’s always a it’s gonna be a work in progress, but the attitude is there, and the culture and the company supports it.
Murray (17:04): Ellen, are you going to make Udi do the lightning round.
McGirt (18:27): We got a lightning round for you. This is where you put your CEO hat on. We’ve been asking all of our guests for the season for just quick responses. What’s top of mind for you on three key areas. The first is what’s top of mind for you when you think about COVID?
Mokady (18:41): Oh, for me top of mind is beginning to get back to normal with encouragement, kind of with a new mindset that encourages employees to get back. But finds a nice dynamic of what we’ve learned from this, this environment. So what’s top of mind for me is getting back to normal living with it and actually can see it. I’m talking to after visiting both of our offices and seeing the team back. That’s what top of mind for me is getting behind it but leveraging what we’ve learned for it to allow more dynamic work.
McGirt (19:14): That makes perfect sense. Top of mind for you when you look at, in your case, the global economy.
Mokady (19:20): So obviously we talked about cybersecurity and the huge opportunity that we have. I mean, we like I said, we have 7000 customers and they’re really spread around the world and we’re going after the next 30 40 50,000 enterprises out there. And to be positioned, I would say, to leverage our global presence for continued growth. I think diversity also in how we’ve been spread has been very strong. It was very, I remember early days here in Boston, I told fellow CEOs how much business we’re doing in Europe and Asia. They were shocked and I said no, we wanted to build a global company from the get-go. So to be able to fire on all cylinders and be able to resist, I would say, global hiccups.
McGirt (20:04): And finally, what’s top of mind for you as you think about what’s next for you as a leader personally?
Mokady (20:11): Well, I always wanted to, as a founder in cyber, get the culture so strong that we can scale the organization, get to the point and we’re in that point right now where I don’t know every single employee. But that I can visit our office in Singapore or office in Paris or, or anywhere and feel that the alchemy that got us here actually trickled to every one of the last employees so for me that’s important. Scale the organization, continue to grow, but protect that culture.
Murray (20:41): Wow. Well, that’s a whole nother podcast. We’ll come back to creating cultures that scale and last. Udi, thank you so much for taking the time to be with us.
Mokady (20:50): A pleasure for me and thank you. It was fun.
Murray: Leadership Next is edited by Nicole Vergalla, written by me, Alan Murray, along with my amazing colleagues, Ellen McGirt and Megan Arnold. Our theme is by Jason Snell. Executive producers are Mason Cohn and Megan Arnold. Leadership Next is a production of Fortune Media. Leadership Next episodes are produced by Fortune’s editorial team.
The views and opinions expressed by podcast speakers and guests are solely their own and do not reflect the opinions of Deloitte or its personnel. Nor does Deloitte advocate or endorse any individuals or entities featured on the episodes.