Long before cybersecurity and data breaches became mainstream, Rita Gurevich, founder and CEO of SPHERE Technology Solutions, built a thriving business on the premise of helping organizations secure their most sensitive data from within, instead of securing the perimeter from outside attackers.
And because of her multi-faceted experiences interacting with the C-Suite, technology vendors, and others in the business community, we thought listening to her singular perspective would be well worth our time.
What stood out in our podcast interview? While others are concerned about limited security budgets, Gurevich envisioned more hands on deck in the field of information security. The reason is that there are more and varied threats, a marketplace oversaturated with vendors, and a cybersecurity workforce shortage.
“What I see happening is that there’s going to be subject matter CISOs across the company; where there will be many people with that title that become experts in very specific domains.”
Also, although cybersecurity concerns are no longer as industry-specific as they used to be, Gurevich recognizes that certain industries are more at risk than others.
She approaches all industries, with their varying degrees of risk and threats, compliance requirements, and disparate systems, in a strategic way: by giving organizations visibility into their data and systems, what they need to protect and how they need to protect it.
Cindy Ng: Long before data breaches became mainstream, Rita Gurevich, CEO of SPHERE Technology Solutions, built a thriving business on the premise of assisting organizations in securing their most sensitive data from within. And because of her multifaceted experiences interacting with the C-Suite, technology vendors and others in the business community, we thought listening to her singular perspective would be well worth our time.
Rita, you founded SPHERE in the wake of the 2008 financial crisis when you were just 25 years old. Can you tell us about the process behind how you started your business and what kind of services you provide?
Rita Gurevich: Absolutely, I started the company, essentially, on the collapse of Lehman Brothers. And after the bankruptcy, there were many different firms that bought different areas of Lehman. And I was put on a team to help figure out how to split apart all the different data and assets they owned.
So if you can imagine, up until that point, Lehman was super centralized. It was operating as one company, with lots of shared services.
And overnight, we essentially had to figure out who gets what.
So Barclays Capital bought a part of the business. Nomura bought a part of the business. Neuberger bought a part of the business. All these different financial services firms that bought different business units from Lehman Brothers.
And what we had to do, was essentially a crash course on deep data analytics. We had to learn how to get a really quick understanding of who uses what, map that to different business entities, to figure out where it needs to go.
So that required a lot of tools, a lot of metrics. We built all these algorithms. And we had to do it almost overnight.
And soon after, slightly a traumatic time in the history of our country, I had a bit of an ‘aha’ moment when I decided to do some independent consulting.
I quickly built a business, and now we focus on cyber security. We have a niche around data governance, identity, and access management, as well as privileged access management. And a lot of the experience that I gained at Lehman was very relevant for what I do now, because you essentially had to figure out how do I capture the information that’s necessary from my environment to create metrics and analytics that are relevant to making sure my information is secure, understanding who owns what, and even potentially preparing myself for some M&A activities.
Cindy Ng: And so, can you describe your work at Lehman Brothers and how you made the connection that it was important to start your business?
Rita Gurevich: Sure. So, during that time, during the bankruptcy, it was really all about data analytics. It was really about looking at all the different data, all the different assets that Lehman owned and figuring out, “Okay, who gets what?” So, if Barclays bought investment banking, how do you know what data belongs to investment banking? If Neuberger Berman bought investment management, the investment management business, how do you figure out what data belongs to investment management? So, it was all around going really deep into the data, and using the right tools to capture all the metadata, all the activity, so you can gain an understanding of who’s using it, who owns it, and where does it need to go?
So, at that time, not a lot of companies were doing that, and there wasn’t really a lot of need to do that at the time. But around 2008-2009, there was just so much movement within financial services. And there was so much happening in terms of companies going bankrupt, being acquired by other companies, all these different businesses kind of spinning up, and changing, and moving hands that this concept became a lot more relevant. So, when I started the company, it really was around selling myself and my experience that I learned, which was very unique at the time. But over the course of not a very long amount of time, probably two years or so, the focus definitely shifted.
So, initially I was talking to infrastructure people, I was talking to operations people, and I was talking about data analytics. And while it was definitely a nice to have, and people cared about it, budgets were really tight. We’re still knee-deep in one of the worst recessions in our country. So where are the budgets, where are people focusing, where are, you know, the executives and the board members, you know, allocating resources? And that was for information security. So around 2009-2010, I think the concept of data breaches became a lot more relevant. It became more, kind of, a commonly used word. Companies were starting to actually hire chief information security officers. They were starting to look at data analytics from a security perspective. They wanted to get a better handle to prevent data getting into the wrong hands, and that’s when I shifted the focus from data analytics to data security. And I think that was monumental for me, because really that’s the premise of what my company does today around the data governance program that we implement.
So I think that my experience at Lehman was definitely a blessing in disguise, but I think that probably anybody that was focusing on data analytics, even tangentially, started to think about data security as well.
Cindy Ng: You were 25 when you first started your business. A lot of your college cohorts they were still on their first, second, or third job. Was that relevant or you looked at the opportunity and ran with it?
Rita Gurevich: I think that my age was probably one of my biggest challenges when it came to starting my business and definitely in the earlier years. And you can only imagine, you know, a 25 year old walking into a managing director’s office, and essentially telling them that they can do a better job than his team can do. That’s a really difficult thing to say, and you gotta prove it. So, once you actually start working for them, you better do a good job, which luckily I did and my team did. But as I compare to my other college cohorts, I actually think that because I went to Stevens Institute of Technology, in Hoboken, New Jersey. My business is in Jersey City. My customers are international, but quite a few of them have headquarters in this kind of tri-state area. A lot of my college peers went on to work at all these different companies that could be potential customers at Sphere. So, I think actually it created an opportunity for me because it opened the door to have the right conversations with people in technology to explain, you know, what I’m working on, and what I’m doing.
And, you know, part of having a successful business is not just a good idea, but it’s having people that you can actually sell to, having a relevant problem that’s gonna help people in their professional careers and their professional lives. So I think that my relationship from school and being not so far off from graduating college helped more than hurt. But also from the Lehman bankruptcy, like I mentioned earlier, it was a time where there was a lot of movement, and a lot of people went to all sorts of different firms on the street. And it was different than how it used to be in the past, where people stayed at the same company for a really long time. That movement essentially for me, created an overnight network, where I was able to kind of leverage people that I knew and had worked with for a handful of years across all sorts of different companies within the demographic that I was targeting. So, yeah, I think that the age was definitely sometimes a challenge, but I actually found ways to have it be a benefit as well.
Cindy Ng: But in terms of age, it’s almost non-relevant as long as you have a value proposition, and people are interested.
Rita Gurevich: That’s a really, really good point. So, there’s kind of two aspects to it, right? So, if you have something interesting to say, that’s great, but the way you communicate that message is almost more important, and there has to be a confidence in the way that you present the problem that you’re solving and your solution that’s going to set you apart from others that are knocking on the same people’s doors, maybe for different areas, but are competing for the attention of the people that you’re trying to get in front of. So, I call that, you know, learned confidence. I can’t honestly say that at 25 I felt like I knew everything. I knew I didn’t, but you have to be able to present yourself in a way where the person on the other side of the table knew that, even if you don’t know the answer, you will figure it out, and the other part of that is perseverance. You have to make sure that you continuously have your goals in mind and push forward.
You know, I mentioned that my company focuses on security, and while that’s still relevant and even in 2008, 2009, 2010, it was also very relevant. You can imagine that the people that are in charge of security at these companies have lots of vendors, and lots of partners, and lots of even internal people, knocking on their door vying for their time. So you have to just make sure that your message comes across strong and that, again, there’s a confidence in your approach, and you will deliver when push comes to shove.
Cindy Ng: And when you talk about your learned confidence, when a meeting didn’t go as planned, or a presentation didn’t go as planned, what was your self-talk like?
Rita Gurevich: That’s a great question. So I’ve learned that you have to listen more than you speak. You’re going to learn a lot through osmosis. Just by being in a room, where the conversation is happening. You’re just going to learn and get better. Sometimes, it’s just echoing a common opinion or a common sentiment that the other person has on the other side of the table, and reaffirming them that you’ve also experienced the same problem that they’re sharing. Or you’ve seen it somewhere else. Or you’ve solved that problem with a peer of theirs. So I think that learned confidence isn’t necessarily about having memorized specific compliance requirement or a specific way of doing some task. It’s more about doing a thing more logically. And if you don’t know, it’s okay not to know. Just make sure your follow up and follow through is there. No one expects experts. Data security and cybersecurity as a whole is a very new area. Everyone is learning as we go. It’s all common knowledge. But it’s can you think of solutions in a creative way and that you’re solving the problems that people are having. And sometimes, it’s not reinventing the wheel. Sometimes it’s solving an existing problem in a smarter and more scalable, and a more efficient way. I’ve learned that by failing sometimes. You don’t have to come up with an idea that no one thought of. You just have to come up with a more practical way of doing things sometimes. And the other bit of advice and something that I really believe in is, is becoming kind of a master of some things. So, instead of the “jack-of-all-trades”, focusing in on something and becoming really good at it, and, you know, that’s what I did. So I call Sphere a cybersecurity company, but we’re actually pretty niche. We focus on internal threats, and we specifically focus on putting controls on your data, your systems, and your assets. 
So, it’s a very kind of narrow piece of the pie when you look at cybersecurity as a whole, but that allows my team, and that allows me to train new personnel really, really effectively because you can hone in on very specific topics. You can give real world examples of very specific things, and people can really start to grasp, you know, the complicated challenges that we’re solving, but also think of them in a more simplistic, logical way.
You know, all these technology challenges from data breaches and around, you know, hackers and all that, it feels very complicated. It really does, but when you break it apart and remove the technical jargon, the problems and the reasons these things are happening are not overly technically challenging problems. A lot of them are profits driven, they’re people driven. They’re not necessarily about, you know, the right configuration of a tool within, you know, this specific domain. It’s a much more kind of systematic issue. So, I think when you start to gain an understanding of this base, you start to figure that out pretty quickly.
Cindy Ng: On top of starting your business at a really young age, there aren’t a whole lot of females in the industry, and we talk a lot about women in tech, but, you know, I wonder how can men join the conversation, because they coexist with us on this planet, and I wanted to hear your perspective in how we can enlist men as allies in our industry?
Rita Gurevich: I definitely get asked a lot about this topic, because, you’re right, there’s not a lot of women in tech, and to be honest there’s not a lot of women CEOs either, so you kind of merge women, tech, CEO. I guess, I’m a little bit of an anomaly, but I’m hoping that’s not for very long. I think honestly we need to stop caring that the person that’s joining the conversation is a woman, and we know that there’s going to be equality, and we’re not forcing that distinction. And I think more and more women are getting involved in technology early on. And technology is part of nearly every child’s life right now independent of gender, and I think that naturally maybe the next 10 to 20 years, it’s gonna cause dramatic shifts in ratios in the tech workplace.
And I really think that tech is going to be early adopters of inclusiveness of women and inclusiveness across the board. Technology is very interesting because it’s analytical thinking, it’s problem solving, researching. Definitely mixed in sometimes with creativity and out of the box thinking. Maybe I’m partial, but I think these are natural traits of women, and in the end if you work for a big company, managers want successful teams, and their managers want successful orgs, and women will rise through the ranks as there’s just going to be more of them in the running.
Unfortunately, I think that other industries are not as fortunate. And I bring up two specific women whenever I talk about this topic.
One, I met at a panel I was on, “Women In Engineering,” and she’s a civil engineer at a big company, and she works a lot with construction companies. And once she’s on a job site, she’s like they assume that she’s a secretary, and even when she explains herself they just don’t listen to her, and they won’t take direction from her. And she’s expressed how difficult it is for her to advance and these are challenges that have nothing to do with brains, with smarts, with experience. It’s really a people problem, and I don’t envy that. You know, I struggle with even thinking about how do you adjust that mentality.
Another example is a woman that I met as part of the EY Entrepreneur Of The Year Program, which I was on as to be recognized as well there. But she owns a liquor company and half of her job is in a warehouse, and the employees are chain-smoking, they’re, you know, a bunch of old men, no offense to old men, but they kind of act like they’ve never seen a woman with any level of authority before. And it’s sad, and, you know, I’m very fortunate that I work in an industry where technology is definitely going to be on the forefront of diversity and inclusiveness, but you look at some of these other industries, and you hope that they’ll follow suit. You know, hopefully sooner rather than later as more women in general are joining the workforce and taking on careers that aren’t traditionally careers that women participate in.
Cindy Ng: So, let’s go back to the technology, and you work with many different sectors, retail, energy, hospitals, financial. Can you speak to the different industries and what their concerns are regarding security?
Rita Gurevich: I think this is the first time ever that concerns are not as industry specific as they used to be. And I think that’s also due to just the times that we live in. I mean, everybody now cares about cyber security, people are starting to understand how this affects them personally, how it affects them professionally. You know, a year ago, nobody in my family understood what I did for a living, and now, even my grandmother gets it. You know, anytime that there’s like a breach in the news or on the front page of the paper, she’ll call me, and she’ll say, “Too bad they didn’t have Sphere.” It’s pretty cute, but I think that just shows that the concept of data breaches and cyber security is part of everybody’s lives. The expectation is that everybody’s going to be involved, and anybody is up for grabs to be affected. And I think the Equifax breach is just a prime example. I mean, it was on every news channel we all know that half the country was affected by this. You think about how many people had to, you know, read their credit or react to that event. It’s becoming just common sense that every company, every industry needs to focus on this.
So, sometimes I think that the challenges experienced within the individual industries are scarier than others. So, we all know about financial firms. They’ve been the targets and on the front page of papers for a long time. But if we look at hospitals for example, that can be really scary. So, I’ll give you another anecdote, I love these examples. I use a lot of them, but this one specifically that comes to mind was a panel at an event that we sponsored, and we had a group of CISOs in the front of the room. One of them was a woman, and she was the CISO of a big hospital network, and she explained ransomware and how it affects hospitals differently than, you know, a bank or somewhere else. And she explained, “Imagine you’re a patient about to go into surgery, and the hospital has an attack, and your patient files are now locked down, and you have to now pay ransom in order to get them back, and you’re back going to surgery, the doctors need these records”, and this sounds like a very sci-fi example, and you’re like “that doesn’t really happen”, but it really happens, and that’s how it happens. It’s not even that our wallets are being impacted, it’s our health, it’s our lives, it’s how we receive healthcare is affected by cyber crime. It is so close to home for every single person in the world that I think the industry is just going to massively change. And I think we’re gonna start to see that almost immediately because it’s just such commonplace knowledge. It’s industry wide, it’s not industry specific, and, again, it’s not just our wallets that are affected, it’s our health.
Cindy Ng: A lot of the problem previously and maybe even now that IT pros are having trouble connecting with the C-Suite, and I’m wondering after the breach, after the ransom, where are CEOs and individuals in the C-Suite getting more involved in cyber security? What are your recommendations when you’re speaking with the C-Suite versus the IT pros, because you’re kind of like a conduit between the two different channels?
Rita Gurevich: I think the C-Suites, primarily the CISO, has a very different job now than maybe they used to. Honestly, I don’t envy CISOs right now. You have a bad breach, your whole background is going to be on the front page of the paper. It’s not just that your company will get fined. Your background, your history, where you work, what your college major was is going to be out there for everyone to dissect and criticize, okay? That is not a position that most people are comfortable with. So I think CISOs now more than ever recognize that the job that they chose and the career that they chose has to be proactive. They have to be on the front lines. They have to think about things in smarter ways. So, I think that we’re going to see a shift in CISOs where it’s going to be the best of the best of the best. I think that a lot of companies took for granted the need for highly skilled leaders within information security, and they’re starting to see companies and what happens to them once a major attack occurs, and I think that is going to change.
Now, the other challenge was, I think with companies is that many of them placed one person at the helm, and they started to build out these teams, and honestly, it’s not enough. There are way too many threats. There are way too many options. There are honestly way too many vendors that are potentially offering options for one person to be making those decisions. So, what I see happening is that there is going to be subject matter CISOs across the company, where there’s many people with that title that become experts in very specific domains. So, I think that information security is potentially in terms of employee count is going to eventually exceed all of just general IT, because I think that that’s becoming more of a priority than up time and availability of systems is making sure that the internal people aren’t doing things that they shouldn’t be doing, and that you’re doing everything in your power to prevent anybody from the outside getting in that shouldn’t be getting in.
Cindy Ng: It’s been said that information security is really just compliance but not security. Is that ball thrown out the window after people have realized how serious information security is?
Rita Gurevich: That’s a great question. I’m gonna give you another, another story. I was on the phone with a CISO, he’s the CISO of one of the largest manufacturing companies, and we were talking about his agenda for the year. And he recently started at that company and was told that his mandate was compliance, and maybe this is because the company struggled with compliance in the past, but he immediately said if my mandate is compliance, I don’t want the job. You know, that is not what I should be focusing on. And the challenge with focusing solely on compliance as he put it, is that actually leaves you more exposed. Compliance is about a checklist and often that checklist is very subjective, and often the people who are verifying whether you’ve completed that checklist are ranging in levels of expertise. I mean we have customers that are the 1000 person shop all the way to the 100,000 person shop, and we as outsiders can see the difference in caliber of the people that are coming in from the outside from the regulatory bodies checking on them is vastly different. Just because you’ve checked the box, it doesn’t mean that you have good security. And it’s good security that’s going to minimize your risk. And you have to think about security first. If you think good security will drive compliance and not the other way around, you’re still going to achieve the goal of good compliance, but you’re also going to put the right preventative controls to minimize a data breach or some other cybercrime.
Cindy Ng: Let’s talk more about your company, SPHERE. I wonder what the mission of your company is?
Rita Gurevich: The mission of SPHERE is to help companies take control of their data, their systems, and their assets. What that means is to give them visibility that they need, understanding what they have, what they need to protect, and how they need to protect it. Along with giving them a SWAT team approach, helping them remediate issues that they have. And also put tooling in place to allow them to manage their environments effectively, in house. A lot of companies have no idea where to start, in terms of looking at data governance. They have no idea what needs to be remediated or fixed or how IAM workflows work. Or they have no idea what threats privileged accounts are posing for their organizations because they don’t have threat level visibility. And once we get them the visibility, a lot of times, they need a one time SWAT team approach to clean up the environment. And it’s something that we also do. And we also partnered with different vendors, and obviously Varonis is one of the most strategic partners we’ve partnered with. We offer tooling to help people manage their environment on their own with their own resources long-term. We also have our own solution called “SPHEREboard”, which integrates with Varonis, along with a handful of other best of technologies to provide a single pane of glass to your data, your system, and your assets.
Cindy Ng: So, you don’t curate a list of vendors for your different clientele to meet their needs? It’s more like here’s what we know all companies need. Here’s what we can provide for you. Because sometimes your clients don’t know that certain technologies might exist, you’re essentially giving them one panel of “here’s everything you need to know.”
Rita Gurevich: Yeah, that’s exactly right, and we’re by no means a VAR where we have a portfolio of, you know, 100 different products, and then we switch them out as we need to. We really invest in the relationship that we built with our partner network, and with the companies that we’ve integrated our solution with, and that’s important because you need to have consistency. And if you want a solution to be sticky, it has to be relevant, and it has to answer the right, the right questions, and there has to be a history of that company doing things the right way. There’s going to be a lot of disruptions within this industry, and there’s going to be a lot of companies that are coming into the space. They’re offering really cool widgets and gadgets and all that good stuff that probably aren’t going to be around in a year or two. That’s just the nature of entrepreneurship and innovation, but there are going to be plenty of those that come around and stick around, but the relationship that we formed and the partners that we’ve worked with are ones that we’ve been working with now for a really long time, way before anyone even thought something like Equifax could happen. So, we’ve been solving this problem way before it was cool, and we’re gonna continue to offer that, and be more innovative, and continue to solve problems for our customers.
Cindy Ng: Have you ever figured out in speaking with, say like, after 10 vendors, you realize, “Oh, we’re missing X, Y, and Z products, and I’m gonna go find a vendor to see if there’s anyone I can work with?”
Rita Gurevich: Yeah, at times, but I think it happens a little bit more naturally than that. I think that it’s first about the problem statement, so I’ll give you an example. The last area that we’ve added to our portfolio more officially is privileged access management, and, you know, our focus was, of course, on the traditional challenges with password vaulting and the such, but really from a Sphere perspective, we were noticing challenges of deploying those solutions in terms of understanding what privileged accounts exist in my environment, whether it’s in my Unix environment, on my Windows server, my databases, etc., and who owns those accounts, and who do I need to educate on a new way of working? So, it’s not necessarily about the products that will, you know, do password vaulting, or record sessions, or whatever the tools may do, it’s more about kind of the people on the process, and all the work that needs to be done ahead of that. So, I think our expertise comes with that. Now, there’s no doubt in my mind that CyberArk isn’t the leader in that space, and we decided to partner with CyberArk because of that. But, that being said, our solution for privileged access management is not just to recommend a tool, it’s to create a process, to create an end-to-end solution that includes a one time remediation effort. That maybe includes process change that maybe includes training that maybe includes, you know, health checks, and then, of course, there’s also the software element of this. Most companies cannot manage this manually. You need the right tooling, so there’s definitely tooling recommendations. So, I think looking at the problem end-to-end, the products and the vendors who we decide to work with for specific initiatives naturally fall into place.
Cindy Ng: What are upcoming plans for Sphere?
Rita Gurevich: Definitely growth in mind. I get bored easily, so, so growth strategy is always on the forefront of my mind. So, what we’re focusing on is a couple different areas. The first is geographical expansion. We opened up our London office this year. That’s going really well, and essentially just replicating the message here out there. There’s all sorts of requirements out there in terms of GDPR, and just overall data security that companies out there need just as much as they need here. Also, our products, so SPHEREboard is our baby. We came out with our product about two years ago, and it’s a culmination of just years of experience of being in the field from a services perspective, so just building more connectors, having more tools feed into that, and pumping out all sorts of really cool analytics for our customers to leverage. So, those are the two areas that we’re focusing on, and you’re gonna see a lot about Sphere in the next year.
Cindy Ng: Sounds great. Thanks Rita.