CyberArk CIO’s insights on building a passwordless future

Image courtesy of Onur Binay.

With attack surfaces continuously expanding every waking second, it is evident that enterprises cannot rely on security tools and strategies that were previously considered “good enough.”

To outsmart malicious actors at their own game, solutions are being developed to provide businesses a head start, rather than merely reacting to data breaches.

CyberArk, a publicly traded information security firm working in the identity management space, believes that enterprises can use the very tools employed by hackers to defend themselves against cyberattacks.

Frontier Enterprise sat down with Omer Grossman, Global Chief Information Officer of CyberArk, to explore the concept of a passwordless future, and how his military background helped him transition into the enterprise security landscape.

You’ve been with CyberArk since December last year, and before that, you’re pretty much with the Israel Defense Forces (IDF) all the way. How has that transition been like for you?

I joined the IDF in 1997, and even during my time in university, it was part of my military career path. While attending university, I would dedicate my vacation time to serving in different positions within the IDF. So I was always in the IDF for as long as I can remember.

I started as a signal officer in the ground forces, progressing to specialised units and commands. After university, I returned to help establish the Cyber Defense Department, which eventually grew into a division within the IDF. This marked a shift where militaries worldwide recognised the importance of cyber as an operational domain, alongside air, land, and sea. 

The concept was to treat cyber as a full-fledged operational effort, though we didn’t refer to it as an operational domain at that time. Over a decade ago, we possessed the technical knowledge, but we also aimed to incorporate operational wisdom. It wasn’t solely about the technology; it encompassed understanding the impact and effects from both offensive and defensive perspectives. I had the privilege of being among the pioneers who established the Cyber Defense Department and later led the joint cyber defence division. In my final leadership role, I was responsible for leading Mamram, which is the IDF’s largest IT infrastructure unit and essentially serves as the primary cloud service provider for the IDF.

In fact, I find common ground with many of our customers these days, as they operate extensive IT infrastructure environments. The digital and IT domains have become essential enablers for businesses today. It is worth noting that the IDF itself is a highly technologically advanced military, which grants us a quantitative advantage. We leverage our knowledge and digital capabilities as integral parts of our operational capabilities, thereby providing operational value.

After my time at Mamram, I spent a year with my family in the United States, pursuing a master’s degree at the National Defense University. Upon returning, I assumed the role of head of operations in the cyber defence division, effectively serving as the IDF Chief Information Security Officer (CISO). It was a demanding position, but one that contributed to enhancing the overall security of the IDF.

Omer Grossman, Global Chief Information Officer, CyberArk. Image courtesy of CyberArk.

Speaking of the transition, there are notable differences. In the military, the focus is on working towards a more secure nation, whereas in the private sector, the emphasis lies in maximising revenue. Consequently, the tasks, objectives, and mindsets differ significantly. On the other hand, given my recent years, particularly my last decade and leadership position, spent in a highly technical environment, and due to my interactions with various vendors, private sector entities, and different sectors in Israel and worldwide, the transition was not entirely unfamiliar. I am well-versed in the language and familiar with the processes, making the shift relatively seamless from that perspective.

Moving on to CyberArk, what’s the most exciting thing cooking at your lab at the moment?

In general, we’re entering the age of AI and CyberArk is actively investing in research within this field. So you can expect AI-enabled capabilities in our products and platform.

For a long time, identity access management used to be very rules-based, linear, and predictable. Are we at that inflection point where AI is basically going to take over, because there’s so much of user behaviour that is not rules-based and is not so easy to predict?

Let’s begin by discussing AI in general, and then we’ll delve into the realm of identity security.  Yes, we’re in the age of AI. Just a couple of years ago, I might have needed to convince you about its potential, but thanks to platforms like ChatGPT, the work has been done for all of us. AI has become commoditised and democratised, making it accessible to the masses. Recently, I came across a blog post by Bill Gates, Gates Notes, where he mentioned that he hadn’t experienced a similar sensation since the 1980s when he was introduced to the graphical user interface, which drastically changed the way people interacted and collaborated with computers. The second time he felt this way was with the advent of open AI capabilities, which greatly simplified the usage of AI even for individuals like my grandmother.

Now, considering cybersecurity and specifically identity security, there exists immense potential in the integration of AI. It is undeniable that we will witness an increasing number of security capabilities powered by AI. This shift means that security measures will become more behavioural-based rather than solely relying on signatures. It is likely that a baseline will be established, and any anomalies identified by AI will be recommended for investigation. Perhaps in the future, we may even witness automatic remediation. However, we have not yet reached that point, primarily because security serves as an enabler for businesses. It is crucial to ensure that no critical business processes are compromised. Therefore, at least for the foreseeable future, a human presence will be involved in the decision-making process. Nevertheless, as we progress and the future unfolds, what we currently define as automation will evolve into hyper-automation, with AI playing a vital role in this hybrid automation approach.

In addition to the AI capabilities, it is imperative to remain vigilant against adversaries and attackers because tools like ChatGPT can also be powerful resources for malicious purposes. Phishing campaigns, for example, should have been a thing of the past. I still remember an email from ten years ago about an African astronaut in need of funds to facilitate their return from the International Space Station. It was a rather amusing attempt, and people didn’t fall for it back then.

However, in the present day, we face the challenge of highly targeted spear-phishing campaigns crafted by ChatGPT. These campaigns are tailored specifically to deceive individuals, and there is a higher chance of falling for the scheme. We have already seen more sophisticated phishing campaigns utilising ChatGPT’s capabilities as the initial attack vector. Therefore, it is important to understand that AI, despite its potential benefits, can also be employed by malicious actors. We’ve already seen the integration of AI capabilities in security tools. It becomes a race—a competition between the attackers and defenders.

With the advent of automation, coupled with the democratisation of AI, and the internet altogether, now we have state-sponsored cyberattacks. Do you see more of these state-sponsored cyber warfare being conducted already, or do you think we’re heading for that? How can companies balance that asymmetry, where a small company, for example, faces an attacker that might be much bigger, and might have a lot more resources behind it?

We’re in an isometric situation, globally. Expanding on this point, I believe there are three primary challenges in the global cyber domain. Firstly, we lack the appropriate rules, norms, and regulations to establish a common set of rules for the game. Each player operates under different principles, which can lead to conflicts, particularly when some nations share similar mindsets while others do not. It is essential for nations and governments to establish the necessary rules of engagement.

The second challenge that demands resolution pertains to the technical aspects. We must address the complexities and vulnerabilities within our systems. In the US cybersecurity strategy, for instance, they are shifting accountability to the vendors, particularly major tech companies. In this regard, I feel confident because CyberArk not only manages identity but also secures it. Consequently, part of our focus lies in developing secure products. When considering vulnerabilities, it is crucial to have the ability to automatically update servers and environments without requiring restarts.  I don’t need to be thinking about collaborating downtime with different services.

The last challenge is identity security, and this is partly why I ultimately chose to join CyberArk. I believe that CyberArk’s platform has the capacity to effectively solve this challenge. In the past, the focus was primarily on protecting the perimeter with a firewall, where the inside was considered safe and the outside was seen as risky. However, with the shift to cloud-based environments and the rise of hybrid work setups, distinguishing between good actors and malicious ones has become more difficult. The new perimeter extends beyond the firewall—it revolves around identity. Regardless of location, safeguarding identity has become a crucial task.

A lot of discussion revolves around the concept of a passwordless future, where identity is tied to biometrics. How do you see that pan out?

First and foremost, the primary objective of identity security is to enforce privileges and enable a zero-trust model. To achieve this, it is essential to authenticate credentials appropriately and authorise individuals or machines with the necessary permissions. This ensures access to privileged assets in a structured manner that allows for auditing and accountability. Protecting the workforce is critical as attackers may target regular employees without specific administrative privileges. By deploying ransomware on an endpoint and utilising lateral movement and privilege escalation, attackers can gain access and do damage. Therefore, a comprehensive approach to identity security is required, extending beyond IT admins to encompass the entire organisation, including machines, applications, regular employees, and IT admins across the board.

In a nutshell, the mission of identity security vendors is to deliver a seamless user experience while making it as effortless as possible for employees. Globally, there are approximately 921 password attacks per second, underscoring the need to transition towards a passwordless future. The implementation may vary, ranging from biometrics-based solutions to user behaviour-based approaches. But as a whole, the common criteria is that you don’t need to remember passwords anymore. While we’re not there yet, we anticipate a shift once the technology matures adequately.