Imperva CEO talks security strategy for today’s enterprise

The average attack surface has grown exponentially among enterprises, as organisations hastened their digital transformation during the pandemic, and people began working from anywhere. This resulted in a rise in the number of data breaches, particularly ransomware, which kept a lot of CISOs up at night.

Therefore, plenty of business decisions were made hurriedly, with enterprises engaging multiple vendors to secure their assets. Now that the smoke has cleared, many are hoping to consolidate their security solutions and reduce the complexity across their IT infrastructure.

This is where cybersecurity firm Imperva comes in: They’ve set out to solve complexity issues across verticals.

According to Pam Murphy, Imperva’s CEO, common among the customers she has spoken to is the difficulty in managing multiple security vendors and solutions.

“They cannot get the talent today from the market to help them cope with this wide array of security tools. What they’re looking for is fewer security vendors, but they want those fewer security vendors to be more strategic. To be more strategic, you have to have a broader array of assets that cover for all the threat vectors in that space,” Murphy said.

“Since I’ve come on board, our focus has been creating an application security platform that has a complete set of security solutions dealing with the different types of attack formats that are out there. Our application security portfolio not only has a web application firewall, we also have a solution for online fraud. We have advanced bot protection to protect against bots, and client-side protection to protect against formjacking,” she added.

Security expertise

Murphy joined Imperva as its CEO in January 2020, just two months shy of the COVID-19 lockdowns. Before that, she was with Oracle for 10 years, and later became the COO of Infor for almost a decade.

Pam Murphy, Chief Executive Officer, Imperva. Image courtesy of Imperva.

“One of the key things we did there (at Infor) was to move it to be 100% cloud, and industry cloud. I ran DevOps, I ran cloud ops, basically, my team has built the infrastructure of a cloud company today. So cloud is in my DNA; it’s obviously what I’ve done before. But in that role, I was a consumer of security. As part of delivering enterprise industry cloud solutions to our customers, I had to make sure that those solutions were secure. What I loved about going to Imperva, was that it allowed me to move from being a consumer of security, to being able to lead strategy for security. I feel that as a consumer of security for so long, I felt I knew what I really would like to have as a consumer. I was able to affect that as part of my role in Imperva,” the executive shared.

Murphy’s start at Imperva coincided with businesses’ accelerated digital transformation, hence it was a busy time from the get-go.

“In an already accelerated basis before the pandemic, which became vastly more accelerated during the pandemic, we helped our customers as they moved those applications and data stores to the cloud, and made sure that they were safely securing them as part of the process,” she said.

From the frontlines, Murphy saw the rapid rise of cyberthreats during the time, and how it affected organisations of all shapes and sizes.

“We do see an increase in state-sponsored attacks, as well as greater monetisation coming out. Like a number of years ago, there would have been lots of hacking going on. But it was not necessarily for the same return as what hackers and bad actors are getting now in terms of ransomware, and their ability to extract real financial gain from the equation,” she explained.

To respond to existing and emerging threats, Imperva has a threat research team that regularly surveys the landscape, looking for new threat vectors, attack patterns, and their points of origin.

“We make sure that all that intelligence that we are gaining from what’s going on out there is basically put back into our products to strengthen the security posture of our tools. We’re investing not only in the products today and making sure that they do the right blocking, and the right protection, but we’re also giving intelligence and insights to our customers, to give them greater information about who’s attacking them, why they’re being attacked, and how they’re different to the way in which they’re being dealt with versus their peers,” Murphy said.

Strategising against cyberthreats

The Imperva CEO has some advice for enterprises seeking to bake security into their IT infrastructure.

“Make sure you bake security into the software development lifecycle, and build it in as early as possible, and have the necessary gates in place to make sure that it is effective in terms of its implementation. It’s also important to make sure that you have the solutions that can validate and check, because with the best will of the world, mistakes can happen, and errors can happen,” she suggested.

With Imperva serving organisations of different sizes across several industries, the needs vary from customer to customer, especially that their data and applications do not usually reside 100% on-prem or 100% on cloud.

“What was important to us is that we solve for the actual reality of the customer today. The actual reality of the customer is that they have applications and they have data everywhere, and they have it in different form factors. They basically needed help to have a single pane of glass, and a single solution to be able to look across that entire spectrum of assets, and be able to identify where their data was, whether it was sensitive or not, and who was accessing that data,” Murphy said.

Another point to consider is strengthening API security, which CXOs consider as one of the top issues in their business, said Murphy.

“The problem is that they often don’t know how many APIs they have. They don’t know what all those APIs are doing out there in the wild,” Murphy noted.

Some CISOs, she said, would make a guess as to the number of APIs they have, and as soon as Imperva turns on its API discovery tool, the estimate would be off by a multiple of 10.

“The developer community had to move fast to deliver what they needed to deliver for the business. But obviously, it’s a great example of how letting teams go wild and free, and build and develop and release can result in areas which pose risks for the business,” Murphy said.

“Part of the challenge today is how do you continue to let groups have the tools and resources to push the envelope forward, but at the same time, make sure you’re doing that by securing the assets and resources along the way. That’s something that as an industry, we continue to need to work on to improve. Because DevOps and DevSecOps are not going anywhere. It’s going to continue to become more relevant and important. We’ve got to continue to work out how we do not alienate anybody, and how we can make those two groups work together,” the CEO concluded.