Cloud security has changed the way IT teams manage risk. Orca Security is the cloud security innovation leader, providing instant-on security and compliance for IaaS platforms like AWS, Microsoft Azure, and Google Cloud. They pioneered a new cloud security category which Gartner calls Cloud-Native Application Protection Platform (CNAPP), without the need to install agents or sidecars.
As part of our ongoing CEO Sync series, Swimm recently sat down with Avi Shua, CEO and Co-Founder of Orca Security, to discuss his unique approach to cybersecurity. Learn how Orca has evolved and adjusted as it rapidly grew from a small startup to a large company employing 320 professionals worldwide.
Swimm’s interview with Avi Shua
Avi Shua has a cybersecurity background spanning 20 years. During our interview, Shua provided a host of insights on cybersecurity in the cloud era.
We’d love to hear about how you got interested in cybersecurity.
I'm slightly the cliche of a cybersecurity entrepreneur because probably everything that I did in my life since the age of 13 was related to cybersecurity in one way or another. When I was a teenager, I got excited about the ways that you can either break or protect a computer system. At the age of 18, I joined the army in intelligence. I spent around a decade there, and then II moved to Check Point and was there for slightly more than a decade in various roles as a team lead, and R&D Director, and serving as the Chief Technologist for four years.
But my interest in cybersecurity began when I was around 12 or 13 years old. In my high school, there was a program that let you essentially volunteer in different areas, and one of those areas was their IT environment. I immediately asked to be the security guy of corporate IT. I held that role until I graduated, in certain senses, and even ended up being hired as a paid employee of the municipality for the few months between finishing my study and starting my military service.
Why is there a need for Orca Security?
We are solving a very fundamental problem with cloud security at Orca. And although it's very simple and fundamental, it hasn’t really been solved before. Our mission is very straightforward. Given a cloud environment – whether it's AWS, GCP, or Azure, private cloud, public cloud, or the environment of the customer – we can connect to it and give you a list of all the issues that you have. We can tell you the risks in the environment and what to do to reduce those risks. And we do it in a way that actually makes sense. And what I mean by that is that we guarantee to cover your entire environment without the need to make huge changes or start huge projects or ask the developer to change the way we work in order to cover it. So we provide frictionless coverage, which is a really comprehensive set of risks, whether it's vulnerabilities or its configuration, active infection, identity issues, and the list goes on.
Plus, we're able to contextualize, so we're not one of these tools that essentially gives you a list of the million alerts and tells you to figure out what to do. We build a graph of the environment, and we can tell you, essentially, that this risk exists. But it's much less important because there is no one way an external attacker can reach it. And even if it takes 30 days, nothing valuable that is protected by this asset will be at risk. This also reduces the number of alerts that you need to see by orders of multiples.
How did you pick the name Orca Security?
An orca is a killer whale. Orcas have some features that make sense in relation to what we’re doing. First, they can swim to things without touching them. So they have the most advanced biosonar that any creature has. Second, they have the ability to go into any of the world’s oceans. Orca can be born in one ocean and live in a different ocean. And this is a great analogy for the coverage our technology provides. The third reason is simply that it's a catchy name.
What’s it like to work at Orca Security? We’d love to know about the company vibe and culture.
One of our belief sets is to empower people. We're no longer a 10-person company - we're 320 people around the globe. Our goal is to empower people to do what they believe, come up with ideas, and not just do what they're being told. And we are a big believer in fail-fast: fail often and anytime to enable people to come up with alternative ways of doing what we need to do. As long as it's both legal and moral, we're very open to new ideas, and our employees know that we’re at the forefront of technology - that they are developing something that no one has done before.
Now, I can give a concrete example of something we've done very differently. And it's not an idea that came from me or management. It simply came from one of the employees. RSA is the world's largest cyber security conference, and around two years ago, we were thinking about what we were going to do at RSA. Most startups get a nine-square-foot booth. One of my salespeople came up with the idea to rent a huge limo bus that is usually used for bachelor parties and then wrap it with Orca’s logo. We stocked the limo with nice snacks and drinks and called it the Orca mobile meeting van. Anyone who came for a meeting that was relevant would get a nice giveaway at the end of it.
So everyone walking saw Orca’s limo bus. It cost us probably 20% of what a booth would cost to get the small booth. And I'm pretty sure that the outcome made it well worth it - more than a million dollars return in customer revenue by the end of the year.
Orca has raised $650M - are there a lot of expectations? How do you manage to deal with the challenges in parallel with the love and recognition you are receiving from investors?
At the end of the day, an investment is fuel and, at the same time, a commitment for you to meet expectations. We definitely have very high goals. We’ve had a major mindset shift for a company that a year ago had dozens of customers. We now have a few hundred customers, and that will grow to thousands of customers.
The top thing on our mind is how do we build an organization that maintains the agility and the spirit of a startup but can still serve a four-digit number of customers. And it requires some processes. At the same time, we must continue to innovate and create new capabilities.
You have worked in the cybersecurity industry for 20 years. What is your overall philosophy for leading Orca Security today?
I'm a big believer that companies need to have a simple vision and adhere to that vision. If you're trying to do too many things in terms of the company’s goal, it’s harder to succeed.
We have a very simple vision that hasn't really changed since we started the company: when given a cloud environment, Orca finds security risks and helps prevent them from happening again. At the end of the day, this is what we do, and we’re not trying to do other things or go into other areas in security. Cloud is going tremendously fast, and we need to be laser-focused on specific goals because companies need to have one specific mission and goal, or it's very hard for them to execute.
Secondly, it’s essential to maintain the startup culture as we go, to continue enabling people to succeed, and be allowed to own things - and not be in a situation where people are fighting each other.
How do you prepare for major changes within your company?
Change happens all the time. We grew from eight people to 320 in the last three years. We started in one place in Tel Aviv and now have offices in more than a dozen places across the world. Change is a way of life, and you need to make sure that you have the right team to adjust as needed.
I believe that many times internal promotions are the best ones. At the end of the day, these are the people who fully serve the organization. You also need to maintain good culture across different places and different geographies. We work with people from different cultures. Some of them are in the US, some of them are in Japan, some of them are in the EU. You're always dealing with change. You need to embrace it and do what you can.
With so much growth at Orca, how do you empower a larger team to innovate?
The easiest way is to show by example. In every company meeting, I'm actually pushing people to come up with their own ideas. To do that, we have a process to allow budgets for these experiments that are extremely fast track. Whether that experiment is a success or not, we'll celebrate. It's just about actually conveying the message that we want employees to come up with innovative ideas.
What is the biggest challenge right now with cloud security?
I think the biggest challenge for cloud security around the world is essentially organizational friction and lack of context. The fact is, there's almost inevitable friction between security teams who need to keep things secure and developers who are trying to release that new feature tomorrow. And if you think about that, this culture of the cloud really changed the way organizations expect a threat to be delivered. A decade ago, if we wanted to create an app, it was probably in development for 18 months, with many stages. Today, everyone expects that the app will be in production within the next week, if not the next day, and the cloud has enabled us to do that. But it also requires the security team to make sure that we are able to innovate in a secure manner. So this is the almost inevitable friction.
Currently, security is evolving to be something that can support the business and not something that is just trying to slow things down. And the second is essentially the context–defining the top items that actually matter. You have a million critical issues, and attention needs to be on finding the few that actually matter.
We know that Orca Security has been using Swimm's platform, and we'd love to hear more about your experience.
Swimm’s platform has been instrumental in facilitating Orca’s growth over the last year. Our R&D team’s daily workflow with Swimm has made a huge difference in terms of rapidly onboarding new developers, and improving engineering processes by bringing developers up to speed on our codebase.
Moreover, our relationship to documentation has changed radically in terms of being confident that our documentation is always up to date with Swimm’s Auto-sync feature and our teams are building up collections of Orca’s code-coupled docs utilizing Swimm’s Playlist feature. What I can say is that there’s simply no going back after you’ve linked your documentation to relevant parts of the code; code-coupled documentation and Continuous Documentation with Swimm’s platform is just like being in another league.
Can you share a bigger dilemma you were facing and the way you tackled it?
Almost two years ago, we created what we call the Cloud Security Punch-Out product comparisons. I'm a big believer that the proof is in the pudding. Everyone can write that a product does something, but in the end, it doesn't work that way. We are a security tool for professionals. Let's show the facts. So we created a lab, and we installed both our tool and competitive tools. And we essentially published figures showing the exact process. They weren’t just marketing videos. It was 20 minutes of technical videos showing how to install the tools, how to operate them, etc. And we did it recording from start to end with Orca products and with competitor products, such as Check Point, Palo Alto Networks, and others in the industry. We published them, and then we received a cease and desist letter from Palo Alto saying that we're not allowed to do that, and we need to take it down. The letter stated that the product is a violation of the user’s rights, a violation of trademarks, etc. It's not. It's a fair use of the trademark, and a EULA that says you're not allowed to publish a review is not enforceable, but we were a very small startup at that time, and the costs of taking it to court would be cutting into our capital.
So we not only decided not to take it down, we made a big fuss about it. And we have analyzed the other security vendors that have clauses in the EULA that claim you are not allowed to publish reviews of them. With that information, we launched an initiative called “Transparency in Cyber.” Essentially, we hired a lawyer, and we published the companies that try to prohibit people from publishing reviews on them.
Removing these clauses from the EULAs created economic changes. I've gotten messages from people who told vendors, “If you're not removing these clauses, I'm not going to buy your solution. I'm not going to buy solutions that are claiming that we are not allowed to publish a review.” It's like buying a car. If you opened the door and there's a sticker that says you agree that you're not allowed to tell anyone your beliefs about this car, no one would want to buy that car! But it was literally something that 30% or 40% of cybersecurity companies did. You're not allowed to publish a review, which is not enforceable, but are you going to actually fight it as a user?
Lots of folks out there have dreams to build something big. What tips do you have for any future entrepreneurs?
The only way to explain why we should use your solution is that your product is orders of magnitude better, and I use this word deliberately. You need to find a way to make your solution orders of magnitudes better, or people will continue to use the old solution because everyone has different priorities. So I always ask entrepreneurs, “Please explain to me in two sentences why your product is so much better than what exists today.” Many times, this is the main reason something will succeed or not.
Because it’s much easier for a customer to go buy a more mature solution from a public company with local distributors. This is the path of least resistance. So when you start a company, if you say, “I'm going to do the same thing, marginally better. I’ll do it 10%, 20%, or 100% better,” it's usually not going to be enough to succeed. Because even if you do it 100% better than the existing alternative, the mature company will still be the rational thing for most customers to use for a variety of reasons. Because you're a startup, and you might not be in business next month.
Launching a startup is something that you know is going to be yours, and you're going to do it for the next few years, if not the rest of your life. You need to be excited about the problem and have the belief that you can do something that is dramatically better than what anyone else has done in that space. If you believe you can do it, definitely do it.
Our team at Swimm appreciates Avi Shua taking time to talk to us, share his insights about what it has been like to build a company from the ground up, and what it’s been like to think out of the box and create space to support and encourage innovation and excellence throughout the entire company. We’re excited to see where Orca Security will go next.
Stay tuned for more interviews in our CEO Sync series. In the meantime, if you’re looking for a solution that will automatically build documentation in real-time, including live snippets of your code, schedule a free demo.
And if you’re looking for a solution to detect and prioritize cloud security risks, Orca Security offers a free cloud security risk assessment.