Why I Joined Zafran

Welcome To My World:

Last week I left my job at a Fortune 20 company where I managed a team of 30 employees, where I was valued for my thought leadership and where I made a good living. Why in the world would I leave to go somewhere else? I have asked myself that very question, a lot. I want to share what I’ve come up with.

I have been so fortunate to work with some of the most talented practitioners in the world. I have had the opportunity to build some of the best cyber programs and processes in the world.  I have been able to work with, and contribute to, some of the best cybersecurity technologies in the world. That is my passion in a nutshell – People, Process & Technology.

How in the world could I continue to do that or even broaden the impact that I am having within the cybersecurity field?

A Whole New World:

As I contemplated a career move, I re-evaluated what People, Process, and Technology meant to me. I realized I had been viewing these concepts too narrowly. "People" isn't just about managing individuals daily; it's about learning from them every day. "Process" isn't merely a sequence of steps leading to an objective; it's the method we use to solve problems. "Technology" goes beyond implementing tools; it's about leveraging technological advancements to address complex challenges.

This new perspective helped me evaluate opportunities more meaningfully. When I explored an opportunity with Zafran, here's what I found:

People – Zafran is driven by some of the top technologists and practitioners in the industry. The founders have recruited the best minds across various fields, including Marketing, Operations, Engineering, Sales, HR, and Product Management. They've cultivated a culture of accountability where high expectations are the norm, and team members are encouraged to challenge one another. These traits are often found in the most prestigious cybersecurity companies.

Process – Zafran is tackling old cybersecurity problems in new and innovative ways. In our increasingly interconnected world, many cybersecurity tools don't communicate effectively, data is often fragmented, and collaboration amongst teams can be lacking. Zafran aims to address these issues by integrating and managing cybersecurity technologies more cohesively. This approach represents a much-needed shift in our industry.

Technology – The innovation and pace of development at Zafran is unlike anything I have seen to date.  Zafran is regularly delivering new capabilities that are easy to operationalize and have low time to value.  Zafran is listening to customers, partners and industry experts to ensure they are delivering what the customer needs, not what they think you need.  I know this because I experienced this first-hand as a design partner and one of Zafran’s first customers. In Zafran I had a partner and not just a tool.

How in the world could I turn down an opportunity to work with these people at this company?

Worlds Apart:

As I make the shift to the product side from industry I am taking  a lot of flak from my friends, peers and former colleagues (mostly in jest) about ‘joining the dark side’.   I just don’t see it that way. I have the same values I have always held.  I am looking at this as an opportunity to help our customers in a meaningful way. It is important to me that our customers are improving their security posture and realizing real value from their Zafran deployment. It is important to me that we are supporting the people using and administering Zafran so that they can realize gains in both efficiency and effectiveness.  It is important to me that we continue to listen to our customers, that we incorporate their feedback into our platform and roadmap, and that we are there to support our customers when they need it the most. I want to be your trusted partner and I hope you hold me to that.

I am still a security guy after all, why in the world would I change who I am and what I am about?

On Top of the World:

By now you have likely come to realize that joining Zafran was a pretty easy decision for me. I am super excited about this opportunity because I believe in the platform and I believe in the people behind the platform.  I also believe that their ever evolving approach to risk assessment and exposure management is second to none.  Let me tell you just a little bit as to why.

For many of us when we think of exposure risk, we break that risk into three important elements:

1. Asset – What is the system, software and / or data at risk? How critical is that asset to my business?
2. Vulnerability – What is the weakness or technical susceptibility which could potentially impact my asset(s)?
3. Threat – What person or thing is likely to target vulnerabilities affecting my assets?

We can debate the definitions for each of these elements, but I think we can all agree these items are critical to effectively assessing exposure risk.  We can also likely agree that these things are often complex and difficult to incorporate into our assessment of cyber risk.  As a practitioner I worked very hard to incorporate these risk factors into risk methodologies and to weigh the likelihood and impact appropriately.  I also worked to incorporate the amount of risk mitigated by existing or compensating controls to varying degrees of success. In these pursuits I put emphasis on system validated data rather than user input.  After all, do I want Gary in Finance telling me which of his applications are externally-facing or do I want to use the data from my cybersecurity or asset management tools?   

What I had found after years of chasing the perfect risk assessment methodology is that we were still limited in what we can accomplish.  Limited by the fidelity of our data. Limited by incomplete threat information. Limited in our ability to build a methodology that applies uniformly across asset types (e.g., Cloud workload, Laptop, Server etc.). Limited in what we could do to address or remediate the assessed risks. I don’t think we are limited anymore.

Zafran’s risk assessment methodology combines control configurations, runtime data, internet exposures, and threat intelligence to deliver a comprehensive way to measure exposure risk.  This methodology is data driven and incorporates the context from your most important security tools to give you confidence that you know your exposures, you understand your defenses, and most importantly that you know how to easily correct of mitigate those exposures.  I have yet to see another technology platform that is more effectively incorporating compensating controls into their risk methodology and that’s a big deal.  Isn’t it crazy to think that most security programs are spending a ton of money on tools without the ability to understand if they are effectively mitigating risk? I think so.

Do you know what else is crazy? Most security teams are still powerless over patching, remediation and ultimately managing their risk exposure. Within security we take responsibility for detecting, assessing and communicating exposures, but we rely on our partners in IT or the business to actually remediate those exposures. Zafran changes that.  Zafran gives security teams back the power over managing the organization’s exposure risk.  The platform provides prescriptive ways for security teams to mitigate the identified exposure risks and the automation to ensure those risks are addressed in a timely manner.  That is what I call progress and I am happy to now be apart of it.

So what in the world are you waiting on? Let’s talk about how Zafran can change your world!