In this week’s episode of Beyond Consulting, we welcome Mor Levi, former EY consultant, and current Vice President of Product Management at Rezonate. Mor joins us to discuss what cybersecurity is all about and how her consulting experience helped her make the move to industry.
The Beyond Consulting Podcast is hosted by Ken Kanara and co-hosted by Steven Haug. Ken leads this week’s episode.
Ken Kanara: I’m Ken Kanara, and this is Beyond Consulting. Today we have Mor Levi in the studio. Mor is currently working on a stealth mode startup and is a former Ernst & Young consultant with expertise in cybersecurity, which is an area I know absolutely nothing about. We are so excited to have her in the studio.
Before we jump over with Mor, I want to remind our listeners that this show is sponsored by ECA Partners, a specialized project staffing and executive search firm specializing in private equity. If you want to check that out, make sure to go to eca-partners.com.
Mor, thanks so much for joining us.
Mor Levi: Thank you. How are you doing?
Ken Kanara: Doing well. Mor, before we get going, I would love to get an overview on your background and what’s brought you here today.
Mor Levi: Of course. I started my career like many other Israelis in the Israeli military. It’s mandatory service over there, so I’ve been part of one of the technological units, not 8200 like everybody knows, but there are other units over there. Ever since, I’ve been in the cybersecurity industry. At this point, it’s been almost 15 years, so it’s been quite a ride and I love every day. That’s really it in a heartbeat.
Ken Kanara: Well, you’re our first guest that has been part of the Israeli military, so welcome.
Mor Levi: Thank you.
Ken Kanara: Very good. Let’s talk about it. So right out of school, obviously you did the military in Israel, and then you went to E&Y, is that right?
Mor Levi: Let’s roll back a little bit. I finished high school, I went into the military. I’ve been in the military for four and a half years as an officer.
Ken Kanara: Okay.
Mor Levi: That’s where I learned a lot of the basics. After Ernst & Young, I never went to university or college, so I’ll just put it out there already. I went on a big trip to Australia and New Zealand, then came back to Israel where I started to work for an electric vehicle start up, back in the day, in Israel, to build their security operations center. After a year, that’s how I got introduced to Ernst & Young from a consultant perspective. They were consulting to us, I got introduced to the consultants, and a year later I became one of the consultants at Ernst & Young.
Ken Kanara: Oh, wow, that’s great. Specifically focusing on cybersecurity, correct?
Mor Levi: Yes. Specifically, for that team in Israel, Ernst & Young had acquired a company in Israel called Hacktics, which was specializing in offensive security, doing simulated attacks, penetration testing, things like that. When I joined, they actually started to build more on the defender’s side, so forensics and operational security, and I was part of that group. In general, for Ernst & Young and other big people or companies, a lot of them are offering cybersecurity consulting services mainly under the risk and assurance categories, or subdivisions, let’s call them. That’s where we were located in the organizational tree back then.
Ken Kanara: Okay. For those of us that don’t know anything about cybersecurity, myself included, tell us what this means. You mentioned penetration testing, you mentioned offensive. It’ll be easy to pretend like I know nothing, because I don’t know this particular topic. Help us a little bit.
Mor Levi: Yes, sure. Many people, reading all the newspapers about the geopolitics and how cybersecurity is impacting our life, everything is connected to the Internet, we’re all working on our computers, we have a lot of data over there, all that stuff. Cybersecurity is a huge domain, huge market, several hundreds of billions of dollars value of the market and there are many, many, many subcategories for that market. But if I need to define it in a very simple way, it’s being on the data, our information, and our network, both from an organizational perspective as well as individuals. It is to better define the technologies, the processes to train the people and to actually do the activities required in order to protect people and data in the cyber security space. That’s the simplification of cyber security.
Ken Kanara: Okay. Let’s talk a little about how attacks happen because I think that’s particularly interesting, and I would say that not everyone has an understanding of how attacks happen and why it is cybersecurity consultants exist.
Mor Levi: Sure. Like anything else, attacks happen because there’s someone with a motive to attack, right? That motive could be money, a financial motive, or it could be an agenda-based motive, a geopolitical motive or an activism motive, or just someone that likes to break things or prove a point. It’s really on that spectrum of chains of motives. That’s how attacks will happen. For example, there’s a really huge industry of cybercrime. That’s usually what we hear about in the news. I don’t know if you’ve heard about ransomware and extortion, things like that. There were many, many famous cyberattacks like in the past years, but definitely in the past two years, especially since COVID with everyone working from home.
For example, during COVID, there were many cybercrime campaigns associated with sending phishing emails to people regarding COVID-19. If you remember, during 2020, there was this COVID map of how many people were infected in every country. Do you remember that?
Ken Kanara: Yes.
Mor Levi: When it was just launched, within the first few months of COVID, cybercrime gangs used the link to that map. It would look like, “oh I’m clicking on that link, I’ll see the map with the statistics,” but actually you’re falling victim to some sort of a phishing scam. Then, they asked you to submit your username and password, but behind the scenes they’re actually stealing your username and password and you’re redirected to a different website. This is a very simple type of attack leveraging worldwide consensus and events that are happening just to be able to steal people’s credentials.
I can say, “how would that impact you?” You might say, “Okay, I don’t have anything interesting in my e-mail, why am I a target?” Many people have a lot of passwords stored in their browser. They have a lot of information in their e-mail, or even credit cards, Apple Pay, all that stuff. When you’re giving your credentials for the e-mail, for example, you can use the same user and password in other places and that’s how all of those fraud scams and those types of things are happening. This is just one bit, when this is targeting individuals. Obviously when it’s targeting organizations and enterprises, it’s much more complex than that.
Ken Kanara: Okay, so there needs to be a motive. You just gave a great example of what you called “a simple attack,” but I can see how that would be a well-executed attack because people are thinking that they’re helping out with a cause when in fact they’re walking into a trap. You also mentioned cybergangs.
Mor Levi: Yes.
Ken Kanara: It’s my understanding that cyberattacks, a lot of the hacking and everything, someone described it to me as, “This has become a team sport, as opposed to an individual one.” That is true. Could you tell our listeners a bit more about what was meant when that was said to me? I’m not too familiar with it.
Mor Levi: Sure. I think when people are not from the industry and they think about hackers and cyberattacks, they have this image of what we see in movies, right? There’s this person in a hoodie, sitting in a dark room, clicking a lot, with a lot of stuff running on their screen, and right away they’re in the Pentagon, or whatever. That’s not the way it works, especially in cybercrime.
If you know technology companies, you know that there are many, many, many people involved in developing a technology product, right? For example, there is an R&D department, there’s marketing, there’s sales, there is operations and so and so. For cybercrime gangs, it’s not that different. In recent years, we’ve actually realized that the way threat actor groups are working is very similar to the way technology companies are working. They actually have their own engineers. They have their own release processes, like product release processes. They have people that are scouting for victims, the companies that are going to attack, or the angle that they’re going to attack through.
Ken Kanara: Yeah.
Mor Levi: That’s what I think people were referring to when they were saying it’s a team sport. It’s not one individual clicking on many, many buttons on the keyboard, it’s actually well-executed, like you said. When I gave the example about the attack, it’s a well-executed attack. It’s an operation that there are many people behind. It definitely looks like that.
Ken Kanara: That’s interesting. Even though they’re not necessarily doing a good thing, right? Nobody would dispute that, but a lot of these organizations are surprisingly sophisticated as well.
Mor Levi: Very sophisticated, yes, 100%. We’ve seen an increase in the sophistication of attackers and the techniques that they’re using. With the technology evolving, including cloud computing, it’s not only on the defender side, it’s also on the attacker side. All of those capabilities that exist out there for…We had this big boom of technology companies in the past two, three years because of the digitalization, COVID and everything else. The same is happening on the other side, right? It’s important to remember that.
Ken Kanara: That is very interesting and not many people realize that. Okay. Getting back to the original career discussion, you were doing some of this work at EY and then you went to a company called Cybereason, is that right?
Mor Levi: Right. That is correct.
Ken Kanara: Tell us a little bit about what Cybereason is and then about what you did.
Mor Levi: As I mentioned a few minutes ago, the cyber security market–when I say cyber security market, I’m referring to the consulting services that are consumed by organizations and the products that are being bought and acquired by organizations–that is the market. I think, the latest from Gartner, it’s like a $100 billion market, so it’s big. As I said, there are many, many subcategories of areas where vendors and service or consultancy shops are helping customers.
Cybereason as a company, it was a startup company when I joined about seven years ago in Israel. What the company has developed is, today we call it next generation end point protection. Back in the day, there wasn’t even a good definition for it, but at the end of the day, what it means is that this is a product that the company is developing and selling to enterprises across the world to be able to monitor the activity that is happening at the endpoints of the employees like laptops and mobile devices. Based on that activity that we are monitoring, we’re able to identify anomalies or behaviors that look like malicious behaviors, and through that, to identify actual attacks and breaches in organization. It’s pretty interesting.
Ken Kanara: Wow. Okay. Was the aim with Cybereason to be an end-to-end solution for companies from a services and product point of view? Am I understanding that right?
Mor Levi: Initially, no. The company wanted to be strictly a product company, meaning I’m selling you a software and then you as the customer can operate the software or hire a service company to manage that software for you. As the company evolved, I was actually responsible for building the services organization in the company.
Ken Kanara: Oh, interesting. Okay.
Mor Levi: This is another angle where my consultancy background really helped me, and we’ll probably talk about it, but the company evolved, and you know, the more customers we gained, and the more regions that we had access to, we saw how the needs were shifting. According to that, we shifted the product in our go-to markets.
Ken Kanara: Oh, Okay. Got it. That makes sense. We see this happen a lot.
Mor Levi: Of course, yes.
Ken Kanara: Like even outside of cyber, right?
Mor Levi: Yes.
Ken Kanara: I think it’s an interesting phenomenon, in general. You see a lot of everything from machine learning, artificial intelligence, platforms, everything like that, where the original aim of the company is to provide a product. For many reasons, whether it be complexity, whether it be integration, there’s a strong case for a services-led organization to either coexist or even in some cases, lead.
Mor Levi: Yes.
Ken Kanara: Or, in other cases, because companies need services revenues to grow, and to meet targets. That’s really interesting, and you mentioned it yourself, more in terms of the experience that you brought from EY, but what were some of the things you saw coming from a consulting firm to a product-led cybersecurity firm?
Mor Levi: First of all, I think that the thing that I really took with me from my work at EY was being the trusted advisor to the customer. I think this is something that really led me in my career, but especially after my time at EY and during the last seven years. I know that many times customers see vendors as, “They’re trying to sell me something….” If you’re a trusted advisor, especially as a consultant, you’re coming as an objective person trying to find the best fit for your customer. I really wanted to try and break that friction, even though I was coming from the vendor side, and to be able to make sure that our customers feel like we’re trusted advisors for them. This is, again, something that has really led me all across my career, so I think that would be number one.
Number two, obviously is the access to the type of customers that a company like EY has. I got to work with some of the largest organizations in Israel and in the US. I got exposed to the way they’re doing cybersecurity, their processes, helping them improve their processes, which technology they’re using, and what are their challenges. This was the perfect preparation when you’re entering or shifting into a product area because that’s one of the initial things that a product company is doing–trying to understand what are the customer needs, what are the challenges, how are they operating, and where my technology can actually fit in their stack and help them.
Ken Kanara: Excellent. So you were coming from a completely services-led organization to now a product first, services probably second organization.
Mor Levi: It wasn’t even second, it was zero. No services. That was very deterministic.
Ken Kanara: Okay. What was that like and where did you feel like you weren’t as well equipped as you could have been?
Mor Levi: The main challenges were in understanding the operational rhythm of the organization.
Ken Kanara: Okay.
Mor Levi: The business model is also completely different. When you’re working for a consulting firm, it’s billable, billable, billable hours, right? It’s always billable hours and you have utilization, and all that stuff. When you’re working for a software company, and specifically a SaaS company, the business model is based on subscriptions. It’s not based on the individual utilization of each and every one of the employees, but at the end of the day, all of us are working as a group in order to create a product that the end customer would buy. I would say the analogy, again, is probably that working for a product company is really a team sport, where being a consultant could be very much an individual type of sport. Even though you’re part of a department or a bigger group, there are many times as a consultant that you have the hours or the project that you’re managing. You run with it end-to-end and it’s on you. This account budget is on you, that type of thing. With a vendor company or a product company, it’s definitely not like that. Also, the hierarchy and the functions are completely different. Engineering, operations, all of the groups are completely different than what I was familiar with coming from a consulting firm.
Ken Kanara: Very interesting. What advice would you give to someone, say they’re coming from consulting into a product or a SaaS company…the reason I ask is, specifically, your role, which is to stand up a services organization, is not that atypical, right? A lot of software companies realize the value of either adding services or creating a services business. What advice would you give to someone that’s maybe considering a role like that?
Mor Levi: I think that the best choice, or if you’re making a move from consulting to a product-led company, is to first-of-all, aim for a company that focuses on or is building a product in the area you were consulting in. For example, if you’re a financial advisor, or if you’re doing some strategic advisory, or you’re doing some organizational advisory, look for companies that are building solutions in those market categories. As an advisor, you have an amazing perspective to, at the end of the day, end up as a product manager in one of those companies because you know a lot of customers, you know their needs, you actually built for them processes, best practices, strategy and whatnot. This is the best way to equip product managers, eventually, in those product companies.
Obviously, the second thing is, if they’re planning to build some sort of a service offering, that’s definitely an added value for people coming from a consulting firm, but again, for those that really want to make the shift, I would say look for tech companies that are building products in those areas of expertise because those are the exact requirements for product management, the knowledge and the skills that consultants have.
Ken Kanara: That’s really interesting. Okay. So you’ve recently left Cybereason.
Mor Levi: Yes, that is correct.
Ken Kanara: You’re working on something interesting.
Mor Levi: Yes.
Ken Kanara: You mentioned the word stealth.
Mor Levi: Yes.
Ken Kanara: Can you share anything with our audience on that?
Mor Levi: Of course. I recently left Cybereason. It’s been seven years, so it’s definitely a long period in my life and it’s been very transformational. I started a new job in a startup that is in stealth mode. Stealth mode meaning that the startup has not officially launched its logo, what we’re doing, and all that stuff. The role that I’m doing there is VP of Product. As I said, I feel like I’m very well-equipped to build the cybersecurity product, so yet again, of course it’s cybersecurity, focusing mainly on cybersecurity in Cloud environments, which is a huge, huge market that keeps growing. The idea is to really build something new, innovative, groundbreaking, but also that generates a lot of value to the end customer and multiple personas and organizations. We’re not only aiming to build a product for those large Fortune 500 enterprises, but actually to make sure we’re building a solution that can also help smaller businesses. As a lot of tech companies are starting as smaller organizations they don’t really have the time or the resources to invest in security. Many of them are building their products in the cloud, but they’re not really investing in security and their infrastructure. That’s kind of the idea, to try and help them in those areas. It’s really exciting.
Ken Kanara: That’s great. We see this in a lot of markets, advanced analytics, cyber security, the long tail is really, I don’t want to say being forgotten, but it makes sense that early on, even companies like Cybereason, they’re going to go after the big Fortune 500 clients because enterprise clients make, you know…
Mor Levi: good revenue.
Ken Kanara: Yes, exactly. That’s really interesting. If you think about, I guess that long tail, of smaller companies, you’ve got a mix of technology companies and startups, then you’ve got a lot of lower middle market, middle market, boring businesses that do make money and make our economy run. What advice I guess would you have for companies like that, that maybe, the CEO of a 20 to 100 person company, that doesn’t know anything about cybersecurity, and doesn’t even really know what to do?
Mor Levi: I think the best solution for them is really to go to a service provider, to be honest.
Ken Kanara: Okay.
Mor Levi: It’s so difficult to get the people with the right expertise and the knowledge, so having a service provider to at least manage the security for you, is going to be easier, and probably going to be cheaper for the short term. If the company is growing, they definitely need to build those capabilities in-house, but for the time being, at least have some sort of a service provider or a vendor that offers you many services in addition to the product. I think you also mentioned this early on that in many cases, product companies find themselves hitting a wall because their product is either too complex, the integration level is too difficult, and so on. Then they end up building that managed part to enter some areas of the market. That’s also one of the things that we are thinking about, how to, from the get-go, make sure that we have this enhanced support for those customers and some sort of eyes on glass for them because they don’t really have the resources. It’s definitely something top-of-mind for us.
Ken Kanara: That makes a lot of sense that it would be top-of-mind for you, especially given that your average business owner, or CEO in the US for a small or medium sized business, we don’t even know what we don’t know about cybersecurity, right?
Mor Levi: Exactly. Until you get hit.
Ken Kanara: Until you get hit, or you’re preparing for an interview with Mor, and you watch as many YouTube videos as you can so that you don’t sound like an idiot, which was my approach. That’s really good advice.
What advice would you give to that business leader to tell their people, their employees? For example, the only thing I know right now is to tell people, “Hey, don’t click on any suspicious links.” That’s it. That’s the extent of my knowledge. What else should I be telling my team?
Mor Levi: There is a sentence that we say in the industry, “Trust, but verify.” You can get phone calls or you can get text messages, or even an e-mail from someone that can identify as the CEO. I think it’s important for the company to reinforce the normal communication methods. For example, you’re CEO of a company, you would say, “If I want to have a one-on-one conversation with one of you, I’m going to schedule a meeting with you, or maybe I’ll call your phone,” or maybe not, I don’t know, it depends on the culture, “but I’m never, ever going to send you a text message or send you an e-mail asking you to click on something.” It’s really to reinforce the normal patterns of communication within the company so people will have an understanding and know what to expect.
As I said, trust, but verify. It’s really important not to create this sense of fear and paranoia because it’s really bad. I hate that it’s being used a lot in cybersecurity marketing, videos and all that, but it’s important to think twice before you do some sort of an action. Think twice. “Why is this prompting me to enter my username and password? Why is the CEO sending me this awkward e-mail?” Those types of things. Stop for a second, don’t act immediately, and think about it. If you don’t know, just ask IT or someone else, right? There’s no shame in asking questions. That’s fine.
Ken Kanara: I’m glad that you mentioned that the paranoia type of marketing approach. Actually, I was watching an infomercial late last night because I fell asleep to the TV, and it was something around some business that was set up around like the deed to people’s houses, right? They shared these two stories of people that somehow lost the title to their house or something like that. At the end of the day, I view it as more like preying upon the ill-informed as anything else, and I have seen a bit of that in the cybersecurity space.
Mor Levi: Yes, oh, there’s a lot of that, trust me. I have a lot of criticism on the marketing tactics of the cybersecurity industry. It’s like a whole discussion.
Ken Kanara: A whole ‘nother podcast, huh?
Mor Levi: Yes.
Ken Kanara: Okay. Can you give us like the 10 second “what to watch out for” from a pure marketing messaging?
Mor Levi: From marketing messaging, I think the scaring techniques, it’s too much. There could be a lot of fluff and stories around the company and our CEOs and blah blah blah. At the end of the day, what’s important is if the product is working or the service is working and if you’re happy. If you’re able to have a good relationship with them. Be very careful of the fluff. I don’t like when companies are dissing each other, or saying bad stuff about each other, because I think it’s going to hurt the purpose, and it’s a lot of ego. I would say watch for that. I think that’s the top three.
Ken Kanara: Excellent. Alright, very good. That’s super helpful. Thanks for the general explanation because to me, cybersecurity is such a black box for a lot of us, right?
Mor Levi: For many people.
Ken Kanara: It’s just such a mystery. Excellent. Mor, as we wrap things up, we would love to hear a bit about any books, podcasts or blogs that you might recommend to our listeners that might benefit those who may be in consulting and have never even worked for a technology company, or learned anything about cybersecurity. Any advice?
Mor Levi: Sure. So there are a few books that I’m reading, or actually listening to, right now. I think the one from a professional perspective that had a lot of impact on me as a leader was No Rules Rules. It’s basically the story behind funding Netflix and the cultural environment over there, and the decisions that needed to be made since the end of like 90s until, almost now, around 2016 when they got to their peak. So I highly recommend the book to those of you that want to understand a little bit more about technology companies, since it is one of the largest and the fastest growing technology companies in the past few decades, plus leadership and making, not necessarily, popular decisions. It’s a really good book.
Ken Kanara: Awesome. We will add it to the list. Very good. If folks were interested in learning more about you or this stealth startup you’re working on, is there any information that you could share or we could drop the link into the podcast description?
Mor Levi: Unfortunately not yet, but you’re more than welcome to follow me on LinkedIn. I’m definitely going to publish some stuff when we get out of stealth. We’re going to have a few teasers next week. Next week there is a huge cyber security conference called Black Hat, it’s in Vegas. As I said, the marketing industry in cybersecurity is huge, so we’re going to drop some teasers next week and afterwards, probably in the coming few months, there are going to be some more. You can start by following me on LinkedIn and afterwards following the company. That would be awesome for us.
Ken Kanara: Okay, awesome. We might even publish this episode a little later, so if we do that, we can even update the description to include the relevant links below.
Mor Levi: Perfect.
Ken Kanara: For those of you listening for the first time, thank you so much. Make sure to click subscribe on Spotify, Apple or Amazon so we can notify you of future episodes. Also, be sure to check out our YouTube channel. We recently launched the Beyond Consulting YouTube channel, where we not only share episodes like this, but we also share opportunities our firm, ECA Partners, is working on. Lastly, if you want to get in touch with me or anybody else at ECA, it’s going to be eca-partners.com. For everybody else, we look forward to talking with you next week. Thanks so much.