76. Yaron Singer, Cisco: The hard truth about deploying AI today

Hello, everyone, and welcome to another episode of the Security Podcast of Silicon Valley. I'm one of the hosts, John McLaughlin. I'm joined today by our other host, Sasha Sinkovich. This is a YSecurity production.

And today we have a spectacular guest, the founder and CEO of an awesome new security AI startup called Prime Security, Michael Nov. Welcome to the show, Michael. Welcome, Michael. Thank you, John.

Thank you, Sasha. Pleasure to be here. Thanks for having me. And Michael, I believe this is your first time on the show, on the podcast.

It is. It is. Been following you guys for a while, John. It was great connecting with you not on the podcast.

And it's an absolute pleasure to be here. No, thanks for joining. It's always a true honor and a great pleasure to connect with a fellow entrepreneur, especially one in security. There's always a story behind that.

There's always like something that sparked your passion or maybe your journey down this entrepreneurial road. But for you, Michael, what was that? Good question. I think I've been an entrepreneur at heart since very, very early days.

I kind of get it in the blood from my dad, who was an entrepreneur back in the day. And my grandpa that was an entrepreneur. Started very early on with random ventures growing up. I won't even get into it, but I owned a bar when I was 18 in Israel, which is just a funny tidbit.

But after moving to the States, I knew I kind of want to pursue an entrepreneurial journey and not be forever in large companies in corporate America. I wanted to build something because I take both a lot of pleasure and pride in building and was waiting for the right opportunity, right people, right problem that I felt passionate about. And I thought that I can build the right team and I can find the right co-founders to solve it with. And here I am today, kind of close to a year and a half into building Prime Security.

How did you tap into security space? I got an opportunity just as COVID was starting to join a company called Own Backup, which was a data protection security company at heart doing backup and recovery. And I truly was exposed to the depth and complexity of the problems in the space there as an operator, but from the vendor side, not just from a security. And I got the pleasure of leading product strategy for the company for a decent amount of time.

And we were always kind of starting from backup and recovery, which is security adjacent. There I got exposed to the space and started building more and more products in the space, helped Own back in the day, spent security posture management and other areas. And as part of that was also helping the CTO to manage our entire technical team, which was 300 and had to collaborate a lot with our product security team. That's what sparked the idea of building Prime.

What is the biggest pain point that you see in the marketplace? So I focus on my small universe, which is not that small, but on the universe of product security. I'll come to this pain point from a business standpoint. And I'll kind of give you the backstory of this.

While at my old company, I identified a gap where there was consistent friction between the security and engineering teams. But there have been a ton of tools and companies that tried to solve this friction by automating a lot of security work and allowing security to better collaborate. And we had Snyk to help us identify the vulnerabilities and the scans in the pipeline. But there was one gap that was a root cause of a lot of the problems we kept having.

And that was at the design stage of the software. At the end of the day, the SDLC starts from designing and planning what you're going to build. And that work was done at OWN by three fantastic humans. The founder of OWN Backup, Ariel Berkman, he was the head of product security.

So he deeply cared about products being secured from the get-go. But he had a team of him and two more. And there was 300 technical professionals. He couldn't get to review every single change, every single issue we had, every single thing we wanted to build.

And we, many times, were getting to the last minute before deployment where security would find out, hey, you guys are building this? What do we hold on? Is this secure? And in many cases, the answer to this is no.

So we're talking about that initial stage of the SSDLC cycle. Is the addressable pain point that you are solving today? Yes. So we, at Prime, we focus on the design stage of the software, where the critical decisions of how to design and architect a software are being made.

But security is not always in the room, because the existing processes in this are just manual. It's a consultative process, where product security or security architecture practitioners have to give guidance to the engineers what to do. And because of terrible ratios of security to engineers, and the fact that the process is manual creates a lot of friction. The outcome of this friction is delayed development, delaying deployment of features, and in some cases, lost revenue, because you just miss deadlines.

And that's something I dealt with. And I felt very passionate about solving this problem. What would you say your superpower is? And maybe was there something that happened that sort of brought that out of you?

I think it's making genuine connections with people and knowing how to do it with people from all walks of life. I grew up in a very poor neighborhood in Jerusalem and learned how to make, as an immigrant, which taught me how to make connections with all different people. And then served six years in the army, making connections with everything from generals to line soldiers, and then moved to the States and learned how to make connections with folks that are Israeli, they're American, or Spanish, or Brazilian, or Lebanese. Made connections and became friends.

And kind of learning how to do that and building true relationships, true connections with people, I believe it's a super skill that I had to have. Yeah, that's so important, because everything that we do, if it doesn't go back to a human being, if we're not improving the lives of our fellow inhabitants of this planet, what are we doing? And I love that, like, being a security practitioner, that that's your superpower. Yeah, it's been fun.

You grow up this way, essentially. You build a superpower, not because you want to, but because you have to at some point, and you continue to work on it. Being a double immigrant works to my advantage, just because I had to learn how to build real relationships, real connections with people that are very different than I am. When did you move to the States?

I moved to the States in 2012 to go to Duke. I knew that I kind of don't want to continue for a long career in the army. I was a captain in the army, and kind of figured out that I want to go into corporate world or entrepreneurship world. And the best path for me back in the day was going through business school.

And I wanted to come to the States. It was always kind of a dream of mine, growing up, watching American television and saying, yeah, one day I'll get there. Speaking of people and connections, it sounds like you're a co-founder. And so I'm super curious, how did you meet your co-founder and how did you know, like, you could start a business with this person?

So we're four co-founders. And there is multiple stories that are intertwined between all four of us. And all four of us know each other from different walks of life in different ways. So it all started when I was at OWN.

And my CEO back in the day asked me to acquire the best technical team I could find in Israel. And I got introduced by Wild Ventures to these two guys that were running an offensive cybersecurity company. And they wanted to sell the company, get out of the business. And we did a relatively complex transaction where they sold portions of it to one company.

And then we bought the people. It was deep into COVID. And we had to build, do a transaction that is buying the people, the human capital over the phone. So you can't meet in person, which is already complicated when you do M&A because you want to get to know the people.

Their names are Matan and Donnie. And we had to build this deep relationship where they had to trust me and I had to trust them over phone calls. And we used to spend days talking over the phone, which basically made us very good friends. And then we ended up working together for three years at OWN before starting Prime.

And then Dimitri comes into the picture. He moved to the States five or six years ago while working at PayPal as a security practitioner. So he led security architecture and threat modeling and security strategy reporting to the CISO there. He's also an immigrant from the Soviet Union, also Israeli, also living in New York.

And Matan, one of my co-founders, knew him from his earlier career doing security consulting. He basically said when we met each other that, hey, there's this guy Dimitri. He also lives in New York. You are same age, same background.

You guys should meet and become friends. That's how Dimitri and I got to know each other. So it was very natural that when we started talking about the company and we identified this problem, we kind of called Dimitri and he's like, well, I'm leading this space at PayPal. I'm literally the practitioner doing this.

It's a huge problem for me at the enterprise. And it was a huge problem for us at the middle market. Well, fantastic. And his background is product.

I'll call it a happy marriage that we were all friends. We're all passionate about the same problem. And we all bring completely different skill sets to the table, making us a best in class team. What is the proudest day so far at the company?

I think the first call from a customer. So specifically, if you go to security design stage, the entire process is you get a bunch of documentations from engineers. You need to review them, identify risk, provide that feedback to the engineer. And how we're unique here is that we built a platform that allows you to practically identify risk for you.

And this is based on integrations we have and so on. And we identified a risk at design stage, kind of an inception based on engineering plans that the security team were not aware. And this is a regulated healthcare company. They knew if it would go to development and developers would start working, they would have no idea it's happening.

And it will create a regulatory issue. Getting that call and saying, look, guys, you identified something that is critical, the entire engineering team working on, but nobody notified me because it's kind of urgent and they need to deploy it. You gave me eyes and ears that I didn't have before. Sign me up.

I bet that felt just spectacular to land real value and someone bringing something to market. You could be part of their entrepreneurial journey too. And so to see all of the hard work that has led up to that point, just sort of pay off right in that moment. So what about the converse of that question?

What's been the most challenging day along your entrepreneurial journey so far? It was October 8th, 2023. I'll explain. Okay.

We left, quit our jobs on October 1st, 2023. October 7th is a day that we'll all remember for the rest of our lives as we are all Israelis. But we left on October 1st and started our fundraising calls on October 6th. And then October 7th happened.

Everybody was affected. But for us, the impact is not outside of the personal lives. On a professional front, it was like, what do we do? We had this fantastic fundraising plan.

We know all the funds that we need to talk to. We're deep in the Israeli ecosystem. It all goes away. So what do you do?

How do you essentially pivot on your second day of fundraising to figure out a new plan? And who do you need to talk to? How do you build a relationship with different funds in the U.S.?

Do you proceed here? Which is always a question like, hey, we just left our jobs. Should we go back?

What did the rest of the day unfold to look like? So we put the board to the side for a day and make sure that on a personal front, everybody's okay. One of our co-founders whose wife is in the army, that he can manage the kids. On the home front, we're stable at least.

Then we start figuring out, okay, what is the plan? And we quickly agreed that, A, we're proceeding. There's no going back. We're committed to the vision.

This is what we want to build. And that everybody's bought it. Because you cannot do it yourself. You can force people to do this.

I don't believe in that style of leadership. And then secondly, what's the plan? And we go to the drawing board, figure out who we know, who we can ask for introductions. The story is the same story.

Now we need to get to different people. Let's get to the different people. Build a plan. Go execute.

That will happen not the first or the last time it will happen in my company's history. And it will continue happening. You need to be resilient. And that's what defines a great leader is that resiliency.

Ability to acknowledge the difficulties that happen all the time. And focus on continuing to build the company. As you went through the raise of the seed round, what was the most challenging part of that? Besides the events that led up to the kickoff of the round?

Finding the right story and how do you tell the story properly. At the end of the day, building a company is writing a book. You need to write the first chapter and figure out how to start properly. And what story and what narrative you want to tell.

But I would still roll back and say that doing this while everything in Israel was unfolding. It always was looming in the background. What's going to happen? Is everybody okay?

Who's going to go to the reserves? Two of my co-founders went to reserve duty for a while during that period. So that was kind of the main event that we're managing then. Still impacting every company in Israel till today.

That was always looming. And that was kind of the hardest part was trying to manage everything while knowing this is happening. That does speak mountains to leadership. I think oftentimes people think of like, ooh, troubling times for a company.

You know, it must be some economic or internal thing. But oftentimes it's like life events totally outside of our control and totally outside of the company that they can make being an entrepreneur especially challenging. Yeah, look, life events will forever happen. I genuinely believe that if your home front is not okay, you cannot commit yourself to building a company.

And it will never work well. You need to make sure that you have the support at home. What is the next pain point that you have to deal with as the co-founder of the company? Where do you want me to start?

At the very top, at the biggest pain point. Figuring out what's within your hypothesis. And our hypothesis is that the design stage is broken. What is the right way to go about addressing that pain point?

And what is the right sequence to build the product? Who are the right customers? Who do you want on your team building that with you? Don't just hire anybody.

Hire the right people. Who do you want to be there with you in the trenches? I'm super curious. Do you have a mentor as someone that you've looked up to maybe over the years?

And maybe it doesn't necessarily need to be someone that you know personally, but as an entrepreneur? My three previous managers are probably the closest thing to mentors for me. And I'm still in a very, very good relationship with all of them. One of them was the CTO of JP Morgan.

He was my direct boss at Own. The one before, he was the vice chairman of Deloitte Consulting. And the one before, he was a two-star general in the Israeli army. And I learned that very early that work for the right people.

It will pay out. You don't know how, you don't know when, but it will definitely pay off eventually. What do you think will be the biggest challenge that security experts, security practitioners will face in five years? Well, you know I'm going to say the obvious.

I mean, sometimes the obvious is not so obvious. The obvious is AI. It's moving at such crazy speed. Cursor went to zero to $300 million in ARR in, what, two years?

And it's producing a bunch of code from prompts, which prompts are designed. So there's way more code being produced that somehow needs to be secured. Let's assume you can secure it with the code scanning tools. But there's a bunch of new designs being produced that nobody's ever looking at.

And all of those are, I'm not saying that particularly is the largest problem, but it all goes back to AI. What AI will do, how it will change our work. Agents talking to agents, you can extrapolate out so much. And the challenge is, I think, that we don't know how it's going to work.

It's such an exponential curve that it's very hard to imagine what's going to come next. So would you say the biggest pain point is that we as practitioners will face? Data governance? Is it access controls?

Is it insecure design that is produced by AI tools? If you would name one, which one would it be? I'll phrase it a little differently. I'll say keeping up with the ever-growing and net new attack surface driven by AI innovation.

You're suggesting that things are moving so fast and that change is happening so quickly and that new technologies are being adopted at unprecedented rates of people trying to keep up with being competitive or whatever. That as security practitioners, it's going to be impossible to follow and to secure this new ecosystem of stuff. Is that fair? Is that what you're going?

I'm not suggesting it's going to be impossible. I'm suggesting that's going to be the biggest challenge because the rate of change and the adoption of the change is nothing we have seen before. We'll have to adjust. We'll have to not adopt, but embrace what AI brings to the table.

Because if not, it's going to be very, very hard to manage the change that's happening around. How do you guys embrace AI at PrimeSec? We're not a cloud native. We're an AI native company.

AI is the core of our product. But outside of that, that operationally, I think it's embedded in every single thing we do and every single function in the company. From engineering to sales to marketing to finance, everything will have an AI tool. I believe it's a new standard.

Do you think we'll get to a point where AI actually starts replacing humans? Or do you think there will always be a human kind of there watching, checking, approving? Depends for what roles. I think that for some roles, kind of lower level ones from a white collar perspective.

Yes. For the more complex tasks, I believe that at some point, yes. But where this point is, there's AGI scientists that are working on this day in and day out that can probably tell you better than I do. So I won't do presumptions to say, okay, it's going to happen next month.

No, I appreciate that. This is really interesting. We have all of these moving parts. AI is just accelerating everything.

If we keep looking into the future and we think about, okay, what does success look like for Prime Security? Maybe for your team, maybe even for yourself. What does success look like? How do you know that you've made that impact?

Going back to my previous point that the change is so rapid around security, I want to leverage the existing AI tools to change some of the work done by security to allow them to adjust and adapt to this new paradigm. That's what success looks like, actually driving this change. Looking backwards and saying that I created something that helped practitioners, helped my customers and left a significant impact on them. Allowing them to let the business run with this change while not feeling that they are insecure or being the bad cop, saying, no, we can't do that.

No, we can't do that because you're pushing forward and I can support the way you push forward because I have the support as a practitioner. If you could ask someone else to build a solution to a pain point that you're currently not working on, what would that pain point be and what would that solution look like? I have an answer that is very, very timely. And maybe when this show airs, there are going to be companies that are announced.

But one of the largest pain points that I see now is MCP management, specifically at the enterprise. Like MCPs all of a sudden became everywhere, but there's no tooling for the enterprise to actually manage MCPs. What is installed where? What can be installed?

What has to be installed? What cannot be installed? And within the MCP, there's data. So what is an RBAC on that data even?

And I can give you different use cases of how you have some of the MCPs will help you secure. So those are the ones that have to be there on different developer endpoints or employee endpoints. That has to have a kind of deal. Think about a DLP product.

It's there, but you don't know it's there. Your employees can opt out, opt in, and you want to see who opted in. And if somebody opted out, you want to see. That does not exist.

So we're in such a wild, wild west of this space. And talking to enterprises, I know, and we have, and I'm saying it from a pain point perspective, because we have an MCP server and we can deliver design risks and recommendations directly into the IDE and to the agentic platforms. It's very difficult to deploy because you can't expect security teams to go install it one developer at a time. So you need some management and you want to make sure everybody opts in and track if somebody opts out. That does not exist, which creates friction for me as a vendor, let alone a friction for the buyer who's looking at so many solutions with everybody now has an MCP server.

So yes, anecdotally, I know of one or two teams that are working on it slash thinking about it. So I'm pretty sure that by the time this airs, somebody will announce like, hey, we have a solution. It's just such a time to put problem. If you could travel back in time and meet your younger self, would you?

And if you would, what advice would you have for yourself? Take more risk and take them sooner. As an immigrant, you're a little bit risk averse. You grow up in an environment that you can take a lot of risks because there is, in many cases, no backstop.

I mean, as a double immigrant, it's double that. My advice would be, if I knew that I wanted to be an entrepreneur, I should have done it sooner. So take those risks. And if you think you can only do it when you do X, no, think again.

You can do it earlier. Because the learning curve is just so steep. And the sooner you have it, the more it compounds. And you want to start the compounding effect as soon as you can.

That's true. Because it adds up and it piles up. Yep. So start it early.

You can start earning that interest on all of your new knowledge, your new experience. So that's probably going to be the biggest advice. There's never a good time to take a risk anyway. There's never a good time to start a company.

You can always find a reason not to do it. Always. We're four co-founders. One has three kids.

Two of us have two kids. Both the seconds were born while we already were working on Prime. And the fourth one has one. As you can say, it's not a good time.

You're having kids. Your kids are super young. It's never a good time. You always have excuses why not to do it.

What would have been your excuse not to do it? It's not a good time. I'm going to have a second child. I have a one-year-old.

Like, is it a good time? I was in a senior executive role at a very successful CRZ startup. Should you leave? Why are you leaving?

This is a fantastic job. A super nice growing company. Messing up something perfectly good. Fixing a problem that doesn't exist.

Fixing a problem, yes. And that nobody could fix. It's thinking that there's a net new category somewhere. There it is.

I mean, we're all a little bit crazy. Something that I like to share with folks is that normal people are people we just don't know very well. That includes ourselves. You know, my wife would agree with you.

She would say that I get bored with normal people. But she sounds like a keeper. Yeah, she is a keeper. I never thought about it.

I just think that you put it this way. Cool. I'll tell her. Just a different way of looking at things.

Okay. Well, thank you so much for joining us on another episode of the Security Podcast of Silicon Valley. I'm John McLaughlin, one of the hosts. I'm joined today with Sasha Sinkovich, the other host, and our amazing guest, Michael Nov, the co-founder and CEO of Prime Security.

Thank you, guys. It's a pleasure having you on the show, Michael. And a huge thank you to all of our listeners for tuning in to this episode. And stay tuned for the next.

This has been a YSecurity production. Thank you, everyone. Thanks, guys. Thank you.