We are basically interacting with all of those applications that organizations use or employees use today, right? And we make sure that they can still use them the way that they are used to or they are regular of using them, but we put DoControl guardrails on the sidelines. So make sure that the data is kept in the right way, that no one has access to the data that they should not have access to. And we do it in a very sophisticated and pro-employee way that we can interact with the end user without even involving the IT or security team.

Hi, this is your host Swapnil Bhartiya and welcome to another episode of TFiR: Let's Talk. And today we have with us Omri Weinberg, CRO and co-founder of DoControl. Omri, it's great to have you on the show.

Thank you so much. Thank you so much. It's my pleasure to be here.

The pleasure is all mine. And since this is the first time you and I are talking on camera and you are also a co-founder, I would like to know a bit about the history, the origin of the company. You are a, you know, what problem that you saw in the space at that time as you're talking. You know, it was almost three years ago in 2013 that you felt nobody else was solving that you can come and solve. So talk a bit about what was the problem? How you are helping the whole ecosystem and industries.

It all started like a little bit over three years ago. I think four years ago, basically. I was living in the city, in New York City, and then this is where I met my partner, Adam Gavish, who is the CEO of the company. He was working back in the days in Google and I was working in a company that acquired my previous company. And you know, we were both meeting every now and then and talking about what we do in work and what problems we have. And it was fascinating that he was working in a very secret project to compete with AWS.
And then he complained every now and then everybody comes to him and says, hey Adam, did you remove those permissions to this and this and this vendor? And I was telling him, you know what happened? You know, I would just, you know, people from my company just shared a bunch of sensitive stuff, documents with me and I didn't have the corporate email installed on my phone because I was logged in with my Gmail account. And then I opened it and basically they saw my name and I requested access and they granted me access just like that. I think that when we started talking about it, this is when we had an aha moment that how can it be in a company like Google and the company that acquired my previous company, which is a, you know, high tech company, technology company, it can happen. So we assume that it happens in a lot of other companies. So basically both of us living in the city, we started to interview a lot of CISOs and heads of information and IT people, over a hundred companies, and everybody was talking about it. Everybody was talking about how DLP and CASBs and all of those tools are just not fitted to nowadays or they have a good solution, but it can be better. So this is why we co-founded DoControl. Both of us left what we've done and we stepped right into it.

When we look at like security in general, it's not black and white as it used to be in the old IT days, especially with the cloud, it is becoming more and more complicated also. Security, what we are trying with the whole shift left movement is that it's not someone else's problem. It is also moving in developers' pipeline. At the same time, security is also very specialized. It's not a field that anybody can pick and start doing it, there are certain areas where these are specialized areas. So when we look at DoControl, what aspects of security are you folks talking about?

So I think you said something which is very accurate. It's not black and white, it's not deterministic.
And if you talk to me what happened like 15 years ago, 20 years ago to what's happening today, the world has changed and there are a few reasons to that. Obviously technology accelerated dramatically, not and we were talking about pandemic. Pandemic gave it a boost to people to work remotely all over the world and by that also using a lot of collaboration tools, and everybody is doing that, everybody is using that and you know, you can't shy away from that, you can't run away from that. You can lock people in boxes and make sure that they're gonna work in a very specific way. If you're gonna close one window, they're gonna open another window. If they're gonna close one door, they're gonna open another door and that's the nature of people. They wanna do their business or they're working the most efficient, fast and convenient way to them. And it's very hard to put guardrails or very strict guardrails on employees, right? So what we see and what we think is that you cannot fight with employees, you need to collaborate with them. You know, it's not IT security against the employee. And what we are trying to solve and the way that we're solving those things today is we are basically interacting with all of those SaaS applications that organizations use or employees use today, right? And we make sure that they can still use them the way that they are used to or they are regular of using them, but we put DoControl guardrails on the sidelines. So make sure that the data is kept in the right way, that no one has access to the data that they should not have access to. And we do it in a very sophisticated and pro-employee way that we can interact with the end user without even involving the IT or security team. So I think the approach from the get go is how do we create a security company that does not enable the business, the opposite? How does it enable the business and make them push it even to higher limits without sacrificing the security aspect of it?
So that's our approach, that's our fundamental approach.

The interesting thing about security is number one, security is not a product, it's a process. The second thing is that as a good guy, you have to be right 101%. Bad guys have to be right only once and they compromise the system. So I want to talk a bit about the process or cultural side of it as well, because when we look at security, just there are a lot of tools, but if the organization does not have that mindset within teams to look at security from a holistic perspective, because the impact is not just on slowing developers' own pipeline, it's also when you're compromised, your business brand reputation also is at stake. So it's industry wide. So talk about how DoControl, not only of the name, gives more control to them, but also brings this cultural change within organizations.

So that's a great segue because you mentioned earlier like bad guys or bad actors, you know, we see the data today. In most cases, it's not even about the bad guys, it's like human mistakes, people are not even aware of what they do. And if you think about it, you know, people come, people go, you hire people, you fire people, it's like a never ending cycle, right? And you always try to educate them about what's the right thing to do, how to operate, how to act, what tools to use, but it's inevitable that people will still make mistakes without even, I'm not even putting out the bad actors, I'm putting them on the side. So we have a client that actually has, I think like 7,000 employees and obviously we are a security company, right? We are categorized by Gartner as top security here, top insider threat and DLP, but they, this company basically, they consider us as an education tool for their employees because everything that their employees are doing, basically we monitor that.
And if we see that there are any kind of anomalies or things that need to be alerted about, we send a notification to the end user, employee number 6,000 and no employee number 7,000. If you think about it, even if you have a security team of like a hundred people, the 200 people, they will never know why the security, the salespeople or the salesperson from California just sent an MNDA or like a, or a budget or whatever to a Gmail account, because they will capture is at this PII and then they will block it immediately, right? And then the sales guy will need to reach out next week and say, hey, can you release it? And then you lost the momentum of a deal because you just postponed it. Why not give the enablement or give the authority to the end user to decide? And if they are bad actors, obviously we can revoke that immediately because we capture, we catch it, right? So I think the entire concept is how do we involve the entire workforce to make sure that they're more educated on their actions, basically. And they need to know because most of the time they're not even aware of the consequences of sharing your intellectual property, whether it's Slack or Zoom or GitHub or Google or SharePoint, it doesn't really matter. So this is where we come in, this is where we educate, we surface, we give the visibility and we bring them and we embrace the end users to be part of this journey.

Since you mentioned Slack, can you also talk about how do you folks kind of integrate with some of those tools because these are, in many cases, the internal backbone for all the communication that happens?

So Slack can be like Teams, can be other tools out there, right? It's the same same. What happens basically is the functionality and the way that people are working in those environments. If you think about it, all of those tools are becoming more of like a clipboard, right?
Everybody is just pasting and throwing stuff at those platforms. They were meant to be a communication platform, but now suddenly you have dozens and dozens of assets that are being thrown. Like it's not just need to be like files, it can be passwords, it can be SSN numbers. And then how do you even track who's putting what and where, in which time, and how do you block and how do you prevent that? Again, people are not even aware of the consequences and we've heard about companies that were hacked by someone just leaving an encryption file in one of the mutual Slack channels and then someone just logged in, saw the encryption file and then from there it's game over. So basically it's the awareness and the understanding about what are the tricks that are involved when using those tools because those tools by nature, they were not built to secure, they were built to collaborate, to push the business. Obviously some of them have like layers and they have like security elements within it, so you can buy and upgrade, you can do that, but would you do that in Slack and Teams and SharePoint and Box and Zoom? It's like very different from each other. So how do you put everything in one place and you control everything? And that's a main problem for a lot of organizations.

What are the disturbing trends that you are seeing that you're like, hey, these are some big security issues for organizations and those are some of the issues that you try to mitigate through integration with channels like Slack?

Absolutely, you know, I think one of the, for organizations that we work with, whether they are clients or future to be clients, there is always the element of insider threat. Who is the risky user within our organization? Whether if we are 500 or 5,000 doesn't really matter.
And today with all of the tools and the signals and the APIs that we are connected to, it's very easy to, it's not easy, but it's easier to track them down because it's think about like as a user behavior, you track a trend, because I'll give you a good example. We are also connected to HRIS systems, like Workday, like BambooHR and so on, right? What if, you know, and this is what we do today, but what if we can connect your Workday and tell you that, hey, employee number Y is just about to leave the company because we know it, that it comes from your Workday, we got a signal, it's a business context. But on the other hand, we also got a signal from SharePoint or from Google Drive and from Box that this employee has just shared the financials of your company publicly. But we also know from Okta or Azure AD that this user is your CFO because he's in a finance group and we have the title. So if you match all of those things together, you have a puzzle, you understand a complete puzzle about where the risk is. Unlike a user that is not a high risk because we didn't get any notification from your HR system, we know that this user is a sales guy, he's not a CFO, he's not from the finance team and he's just sharing something that is like a random file. So by default, the level of tolerance or the risk that you have changes by the signals that DoControl brings to the table from the other tools that you already have in your ecosystem. So it's not just about the one SaaS tool that you're trying to monitor, but it's the complete picture that other tools enrich the data and give you a better story about this individual that is leaking data outside of your company.

Where we are in terms of security maturity in the SaaS industry, where we still need a lot of education or you're like, no, everybody knows about it, we just have to provide them with right tools.

That's a question that we ask ourselves every day. In the timeline, where we are.
I think if you asked me like three years ago and when we started, when we asked VCs for money, everybody was, most of them were sure that, hey, there are solutions out there and pretty much everything should be bulletproof and everything should be working because they have the tools. So we raised the money, we built a product from inception, now making millions of dollars, working with top brands out there. So obviously, I don't wanna say they were wrong and we were right, but obviously the way that organizations are doing their business today, it's fundamentally different than what they've done like five or 10 years ago. It's different. And I think everybody that we are talking to, even new prospects, everybody is aware of the problem. I'm not sure if they are jumping on the grenade right now to solve it because maybe they have some other stuff, but the more time that we are into it, I see the demand is growing, the education is growing, the awareness is growing. And we see that by people that are coming to us and say, hey, we need to solve one, two, three, we don't have good visibility around our Google Drive or our Slack or Google or GitHub or Zoom and we need better visibility, we need better control and the tools and the platforms that we have today are not capable enough to help us with it. The way that we have built our technology is to be able to tackle the enormous amount of data that is running in those SaaS APIs, SaaS pipes, whatever. And the entire infrastructure is prepared to tackle this enormous, enormous amount of information that, as I mentioned earlier, it can come from your HRIS system, it can come from your IdP, it can come from even from your EDR and from the SaaS applications themselves. And then think about how complex it is to normalize all of those events, to get all of the users in the right place, to make sure that you find the needle in the haystack, that you don't make a lot of false positives.
So I think this is what companies are looking for, they are tired of legacy tools, legacy companies and they want something which is more modern that is fitted to 2023, very soon to be 2024. I think the market is coming to us, it's not running away. So I think there's gonna be some kind of an inflection point in the next year or so that it's gonna be mandatory. And we see like Forrester and Gartner and everybody is starting to talk about it. Gartner just started to write about DoControl and they mentioned SaaS ecosystem security. So it's not just one element with it's SaaS, it's a much broader problem because within SaaS you have a CASB, you have DLP, you have SSPM, you have shared apps, you have access reviews, you have so many things that you need to tackle, it's not one niche problem. And this is what we're trying to do, basically, be the platform that can answer most of the questions.

When we look at GenAI, I wanna talk about what does security mean for it? Looking at GenAI as a workload to secure GenAI, at the same time using GenAI to enhance security, how do you look at it?

Absolutely, that's a great question because I'll give an example, when we started to raise money for this company, for DoControl, we tried to shy away from words like machine learning and big data and those kind of things because we don't want to use words that are not like the main core of what we do. And obviously now a lot of people are asking about us, hey, LLM, GenAI, ChatGPT, what are you doing with those things? To tell you if we are 100% dedicated focus around that? No, but are we taking leverage and advantage of those technologies? Absolutely. Everything that has to do with learning about our users, about the way that they are handling their day-to-day tasks, the way that they are integrating new SaaS applications into their environment.
What we can clearly see is that that's across all of the organizations that work for us, we see a spike with all of the apps that users installed when it comes to ChatGPT and similar apps. And if you think about it from their risk perspective, those apps that are installed on your environment, they have a lot of excessive permissions that they're asking for. So that's another threat model that we are helping our clients identifying and eliminating, right? We are, again, we are here to support the business and enable the business. It's not up to us to say to any business what's right or what's wrong. We are surfacing that, we're showing them the risk, we're showing them the exposure and it's up to them whether they want to eliminate that risk automatically with the help of DoControl, manually, periodically, it's up to them. We are definitely using those tools internally. We're using it in a safe way to make sure that nothing obviously is leaked out or is compromising our data that we are using and so on. But that's something definitely that we're gonna increase and we're gonna do more and more moving forward in the future.

What advice do you have for developers, organizations, CISOs to ensure that they have right practices in place to ensure security of their workload and environments?

My only advice, and I have a lot of things that I think about and I can share. From my experience at my third startup, I grew up into a family business. So I grew up and I was born in Israel. I've been living here in the States for 10 years. So I've seen a lot of different approaches, different companies, all sizes. I think you always need to challenge yourself and say, what can we do better? How can we do better? Because maybe there's a company that just striped to deal with a company for one of their services, right? But maybe it's not the best fit for your company. Maybe there's another solution because the world, as I mentioned, we live in a dynamic world.
What was right two years ago is obviously not the same thing that was five years ago. And it can be that it's not the same thing that was one year ago. So I'm not saying to do drastic changes, but always doubt about how you can do things better, more efficient, cost-effective. And the most important thing at the end of the day is how you do things that do not disable your business, the opposite. How do you enable the business? Because this is what pays the lights and your salary and our salaries is the business. And the more you slow them down, it's harder to grow and to move in a fast pace. So that's my little take.

Omri, thank you so much for taking time out today and talk about DoControl. Thanks for sharing all those insights about security. And I would love to chat with you folks again. Thank you.

Absolutely, thanks for having me. It was a pleasure talking to you and I hope it will be enjoyable for the audience. Take care.