The Dejargonizer

How Small Businesses Can Get Big Cyber Protection

May 19, 2023 Roy Azoulay Season 1 Episode 5

In this episode, we dive into the world of cybersecurity with Cynomi, a startup that fills the gap between big companies with big security budgets, and small and medium-sized companies with small and medium-sized security budgets.

Cyber security is expensive. In fact, a top Chief Information Security Officer (CISO) can earn between $200K--$400K/year, so that prices out most SMBs.

But cybersecurity is also absolutely necessary, because it's not only companies that can afford $400K/year CISOs who are being hacked and exploited. Far from it. Small and medium-sized companies around the world are falling victim to cyber theft, ransomware, and defacement and denial of service attacks. But they can't afford a holistic and effective cybersecurity program, and they definitely can't afford a $400K/year CISO.

That's where Cynomi comes in. The cyber startup has built what it calls a Virtual Chief Information Security Officer, or VCISO, that SMBs can use to get the same kind of security chops that the big companies get, without the huge cost.

Cynomi's mission, its Co-Founder and COO Roy Azoulay tells me, is to democratize access to effective and comprehensive cybersecurity. Building off publicly available frameworks, Cynomi's VCISO plugs into a company's system, providing real-time analysis and guidance on data protection, identifying vulnerabilities, managing risks, and suggesting actionable steps on how to respond to threats.

The vCISO automates security tasks, enhances incident response, and provides expert-level guidance, making it a valuable resource for organizations lacking dedicated cybersecurity personnel.



Listen
Apple Podcasts, Spotify, Google Podcasts, Audible, or anywhere you get podcasts.

Email: dejargonizerpod@gmail.com

Amir Mizroch

Welcome to The Dejargonizer. I'm your host Amir Mizroch. In this podcast, I speak to startup founders. I subject myself to their tech jargon to try and decipher what their company really does. I do this to find out if there's a bigger story there that matters to broader audiences like you. Today, we're joined by Roy Azoulay. He's the co-founder and COO of Cynomi. Cynomi helps small companies protect themselves against cyber threats. People often think cybersecurity is a problem for governments and big companies, not mom and pop stores. For many small businesses, cybersecurity is never even on the to-do list. It's certainly not something they can afford. But here's the thing. The Dark Side of the internet, where cybercrime, hacking and exploitation are rampant, that doesn't only hit big businesses and governments. Increasingly, you and I are the target. Your small business is a potential target, even your mom-and-pop stores,

YouTube
it's no longer a question of if we would be attacked. It's more a question about when we would be attacked? And how are you have to think about how have hackers evolved in their tradecraft to even do this with something that's so simple that anybody would fall for it.

Amir Mizroch
So what can small businesses without big security budgets do to keep themselves safe online? That's what Roy Azoulay and I talked about.

Amir Mizroch
Roy Azoulay. Thanks for coming on to The Dejargonizer.

Roy Azoulay
Thank you for having me.

Amir Mizroch
I visited Cynomi.com and saw that it's described as an "AI-powered automated VCISO platform." Can you explain what an AI-powered automated VCISO platform is?

Roy Azoulay
Sure. First, let me clarify that the website is tailored for use by managed security service providers, so we catered the jargon to our audience. To explain what a VCISO is, I need to first discuss what a CISO is. A CISO (Chief Information Security Officer) is a position that's becoming more common, primarily at the enterprise level. The individual in this role has ultimate ownership for the company's cybersecurity posture.

Amir Mizroch
Every time you say the word "posture," a butterfly dies, painfully, somewhere.

Roy Azoulay
Let's dig into it because it sounds complicated. When we say "posture," we mean readiness or risk level. A CISO's job is to understand the company, determine the most relevant and prioritized risks, set a plan for remediation, and ensure that the plan gets executed. This role largely exists at the enterprise level. We believe at Cynomi that smaller companies still need this level of protection.

Amir Mizroch
I can understand why hackers would want to hack into banks and big tech companies, but why would anyone want to hack small and mid-market size businesses?

Roy Azoulay
That's a good question. It boils down to the fact that it's a numbers game. No one is going to specifically target a 400-employee law firm in Oxford, but hackers scan as many organizations as they can for vulnerabilities.

Amir Mizroch
When a hacker scans your website or apps, is that how they look for ways in?

Roy Azoulay
That's right. Anything that's externally visible or facing the internet publicly can be scanned. It could be a login portal, your website, or workstations that may be exposed to the internet in one way or another.

Amir Mizroch
Now, with many people working from home, the attack surface for hackers has become even larger. They start by carpet bombing everything to see where they can get in, and then what happens?

Roy Azoulay
We could see a ransomware attack, which has been very common, or a data leak. Some organizations may be sensitive to defacement, where their website is taken over and populated with content that reflects poorly on the company. In some cases, there could be financial effects, such as an email asking you to transfer funds to a recipient, like a Nigerian prince. But we've seen attacks that are far more sophisticated, like a man-in-the-middle attack between an investor and a company.

Amir Mizroch
If I'm the CEO of a small business, who do I call? What do I do when we get hacked?

Roy Azoulay
There are basically three choices at the moment. The first choice is business as usual, where they say, "Okay, I understand the risks, I don't have the resources to deal with it, I'm going to hope for the best, maybe I'll upgrade my firewall, but it won't go further than that." The second option is to hire a CISO, which will cost between $200,000 to $400,000 per year. The third option is to get someone to give CISO-level advice but as an external contributor, often referred to as a fractional CISO or a virtual CISO (VCISO). This option is becoming increasingly popular.

Amir Mizroch
So, if you can't afford a CISO, your next best thing is to get a consultant or an automated platform. Small and medium businesses typically rely on external service providers for IT support, such as Managed Service Providers (MSPs) or Managed Security Service Providers (MSSP).

Amir Mizroch
MSSP is a Managed Security Service Provider, correct? And these are IT security companies that cater specifically for smaller businesses?

Roy Azoulay
"Small" is a relative term. Some of them go up to the sub-enterprise level.

Amir Mizroch
Sub-enterprise, meaning what, between 500 to 1000 people?

Roy Azoulay
No, I've seen MSPs that support much bigger companies, so even a few thousand employees could easily be supported by an MSSP.

Amir Mizroch
So we're not talking about some of the world's biggest, well-known names in cybersecurity like Check Point, or Palo Alto Networks, CrowdStrike, etc.?

Roy Azoulay
An MSSP would use all the tools that you mentioned earlier, but they would know how to use them, customize them for your needs, and monitor their outputs and report to management. Our platform is provided to MSSPs that want to provide VCISO services because providing a VCISO service is very complex. Things rarely remain static, both within the company and externally, in terms of the threat landscape.

Amir Mizroch
What is the threat landscape?

Roy Azoulay
It's the assessment of what your security professional knows is going on out there and what they want to best prepare you for.

Amir Mizroch
Okay, let's talk a little bit about the business. Tell me about your market. Historically,

Roy Azoulay
If you're a founder in the cybersecurity space, your dream would be to show how you sell to the Fortune 500. That was basically the Holy Grail. Now we're seeing more and more companies that are actually saying, "You know what, mid-market is the next big opportunity in cyber; we're seeing mid-market attacks intensify." So we see that the number of successful attacks has risen dramatically.

YOUTUBE: Tonight, we're also learning about a new cybersecurity and ransomware threat directed towards schools nationwide, how easy it is to hack into a computer. Hackers are making a killing and secret payments by major companies. What would you do if every computer in your office was hijacked by hackers? That's what happened to a Norwegian company recently. And they faced a dilemma: to pay or not to pay. Recovery for them has so far cost more than 45 million pounds.


Amir Mizroch
I want to try and get a sense also for people who are listening how this works. So a VCISO platform is basically the virtual chief information security officer that then also based on that data gives me the recommendations that I need a little bit more of this, a little bit more of that.

Roy Azoulay
Okay, I think that's right. I will just make one subtle note here. The platform that we built right now is for that individual providing the VCISO service to the CEO and to the company. Think of a VCISO platform as the strategic manager platform; it sets out the activities that you need to undertake, but it cannot replace all the tools that you need to do so. It doesn't replace the firewall, for example. So on that basis, in terms of social engineering, it will highlight the fact that you need to run phishing tests on your employees.

Amir Mizroch
Phishing tests, by the way, are pH. Phishing, and just a quick de-jargon on that means this is not you sending to see if your employees can fish; what are you testing them for?

Roy Azoulay
Sure. So what you're testing is whether your employees can identify a malicious email that is meant to retrieve information or access credentials from it. So rather than waiting for that malicious email to find its way to their inbox, you write your own version of the malicious email and check who was able to identify it and who hasn't been able to identify it, and those that haven't been able to identify it, work with them and explain to them.

Amir Mizroch
Okay. Always get laughed at when I ask this question. But, you know, if someone with a gun came in, robbed me, robbed the store owner, and ran out, the police would be on that, I hope, in many places. That just almost never happens on the internet, right? I mean, you can just get hacked, and assuming you know what I'm reading about, you know, everyone's already been infected. Where are the cops? Why is crime online, breaking and entering, so rampant? Where are the authorities?

Roy Azoulay
Well, that's a good question. I never actually thought about it. What immediately would come to my mind is a question of jurisdiction. Most law enforcement is local, whereas most cyber breaches are global, and many of them operate out of jurisdictions which make it more convenient to keep operating. That's part of the answer, I guess. The second part is that, you know, when we think about law enforcement or even how our countries protect us from a military perspective, they can do that because, you know, they have the bigger guns, right? Or they have more guns. When we're talking about cyber attacks, that's not always the case, right? The very sophisticated tools that are out there. And those tools are increasingly being commoditized. It's software which by its nature, it's very difficult to limit distribution or access to.

Roy Azoulay
You know the story about the two people confronted by a bear? It's like, I don't need to run faster than the bear; I just need to run faster and better. Right. So, going back to what we discussed at the beginning, it's not that the hackers would try to crack this VCISO platform right away; we're still looking at 20% of market uptake at best. Gartner optimistically sees the demand for VCISO Services at 20%. So, even in a best-case scenario, you still have 80% not using the services.

Amir Mizroch
The vast majority of small businesses are not using any type of cyber automation service. Strategic cyber service. Yeah, strategic, meaning not just a firewall here and there, but holistic.

Roy Azoulay
Exactly, not strategic tools, but using some methodology on how those tools are employed and used.

Amir Mizroch
I'm going to try and tell you a story again here. At the moment, we're seeing a couple of trends: a lot of small to medium-sized businesses are starting to use the tools they need to protect themselves online. But still, the vast majority of small businesses and mid-market companies are not taking that strategically. They're just using tools ad hoc. This is a problem because hacking is not just isolated to high-value targets like banks, governments, and contractors for governments and big firms. It's going down the value chain because there is value in hacking small businesses, potentially also because they are vendors to larger businesses, what's called the supply chain hack. Cynomi, your company has built a holistic strategic tool that has traditionally been the purview of bigger companies who can afford a $400,000 a year Chief Information Security Officer.

Roy Azoulay
That is a really good summary.

Amir Mizroch
Brilliant, what's the next chapter for Cynomi?

Roy Azoulay
If I had to summarize the narrative earlier, we just dejargonized CISO at the start of this conversation, and we believe every company needs a CISO. The question is how we get there for the next two years; that is going to be through service providers. Later down the line, we're planning to roll out directly to small and mid-market businesses or in-house IT teams.

Amir Mizroch
Interesting. Great. Is there anything you feel like I've missed or haven't touched on?

Roy Azoulay
No, this has been great. I think we covered everything.

Amir Mizroch
Thank you very much.

Roy Azoulay
Thank you, Amir. This has been great.