Interview"Cyber solutions will have to be reinvented to remain relevant for AI"
"Cyber solutions will have to be reinvented to remain relevant for AI"
Without an academic education or technological background, Emily Heath climbed to the top of the global cyber industry, ultimately joining the Israeli VC firm Cyberstarts as a General Partner. In an in-depth interview with Calcalist, Heath shares how Cyberstarts guides Israeli entrepreneurs before they write a single line of code and discusses the threats and prospects in a field that is undergoing major upheavals
“In my opinion, the best talent in cyber is in Israel,” says Emily Health, General Partner at Israeli VC firm Cyberstarts. “There is an entrepreneurial spirit here that seems to be welded into Israelis during their military service on the one hand, but on the other hand Israeli entrepreneurs know how to listen and learn.”
Heath, who just this year joined Gili Raanan and Lior Simon’s Cyberstarts, surprises with her unusual take on Israelis. "The entrepreneurs here are like sponges and it is not easy to build such a level of humility and openess. Most of the time people are really stuck on their ideas and just want to build, build, build."
Heath does not fit the accepted stereotype when imagining partners in venture capital funds, especially one that specializes in cyber. She is not a man, she is not a graduate of a prestigious university nor, in the Israeli version, an elite technological unit in the IDF, and she is not particularly young either. She is 49 years old, without an academic education or any technological background. She began in a small town in Britain with a difficult family history and ended up going all the way to the most coveted boardrooms in the U.S. business world.
The interview with Heath, her first with the Israeli media, takes place during one of her visits to Israel that have become more and more frequent in the last year as she becomes more and more involved in Cyberstarts. Despite the stagnation in the Israeli high-tech industry, the VC fund recently announced that it managed to raise $480 million, one of the highest amounts raised by an Israeli venture capital fund since the recent judicial reform crisis. The new fund is a leap forward in scope and is intended for investments at advanced stages, compared to three Seed funds totaling approximately $200 million that Cyberstarts has raised since its establishment in 2018.
Its most famous investment is Assaf Rappaport's Wiz, which was valued at $10 billion in its last round, but alongside it there are other companies with a combined value of about $20 billion according to the fund, including the unicorns Transmit Security, Fireblocks, Island, and Noname, young startups Bionic and Axis which were sold to CrowdStrike and HPE respectively, and another series of promising and hot names in the industry such as Dazz.
Heath met Gili Raanan, Cyberstarts’ founder, during her many years as a CISO (chief information security officer) in the U.S., when she served as a consultant to cyber companies and venture capital funds, an acquaintance that turned into a friendship after Heath joined the board of Wiz about a year ago. "I knew all the startups in the Cyberstarts portfolio before they even wrote a single line of code," laughs Heath. And precisely now, at a complex time in the cyber industry that is going through one of the biggest revolutions in its history, Heath is making the leap into venture capital.
Do we even need more cyber startups? Nir Zuk, founder of Palo Alto Networks, said in an interview with Calcalist that Israel needs to find a new story for itself outside of cyber.
"Undoubtedly, we need more cyber companies because this market is still undergoing changes and upheavals. Until five years ago, all cyber startups were built for a world where the security systems sit with the customer (like the products of older players such as Fortinet or Check Point) and it changed completely. Now everything has to be rewritten for the cloud. But when you discover the high costs of the cloud, you suddenly want to return some of them to the ground. We are at the tip of the iceberg when it comes to AI and some of the cyber solutions will have to be reinvented to remain relevant. It's scary to think how deep the threats could be in the world of AI."
However, Heath clarifies, we need to talk about the concept of "CISO fatigue". "I've heard a lot from my colleagues about products that they buy and end up not using a third or even half of them. Sometimes they don't know exactly how to use them and sometimes there's no one to explain how to properly operate them. As a CISO I was very fiscally responsible and I told my team 'if you don't use 80% of the product's capabilities, that means we don't need it, we'll find something else that's more suitable.''
To what extent does the political situation in Israel also affect the local cyber industry?
"For me, as someone who works closely with Israelis, what is happening in the country is obvious and it is sad. But on a business level we don't see an impact, we have several companies that are now in the midst of a recruitment round and in the last three months we have brought three companies out of stealth mode ."
You worked with Wiz, one of the highest valued cyber companies that reached a $10 billion valuation at unprecedented speed. What can you share about that?
"I think that Wiz has earned its valuation with its performance. These are experienced entrepreneurs who have already proven themselves in the past (they founded Adallom, which was sold to Microsoft for $320 million in 2015). At Wiz, they came to the market at an amazing time with amazing products. They listened to the market, what people really needed, and if there wasn't a market for their product, they wouldn't have succeeded at such a level."
When do you think we will see a recovery in investment activity and also an increase in valuations?
"I think in the U.S. we will start to see it very soon based on what I see right now in the activity of raising capital. It's not that people don't want to invest, there is interest, but there is a lot of discussion about valuation levels. But as I said, I'm not in favor of high valuation levels, I think the entrepreneurs need to earn the value over time, it spurs them on to build better products."
From a humble start to Cyberstarts
Heath’s self-built career always took the most unexpected turns, including now, joining Cyberstarts where she works with Israeli cyber entrepreneurs on product formulation. The idea is to understand exactly the problem you want to solve and how to solve it before writing a single line of code, with the aim of not wasting the investors' money on another small feature or product that sounds great in the minds of young entrepreneurs, but in reality turns out to be useless.
Heath exudes a natural leadership that made her the manager of 50 employees, all older than her, when she was only 16 years old. "I was born in a small town called Cheshire in the north of England, not far from Manchester. My parents divorced when I was little and those who actually raised me were my grandparents. When I was 11 my father remarried and his new wife was not a very nice person, so I found myself away from home at the age of 16. It wasn't that I ran away from home or wanted to leave, but that it just wasn't safe for me to stay there."
Heath shares her personal story, in which nothing foreshadowed what was to come. "Since I was already working in a restaurant from the age of 13, its owner took me under his wing and in fact at the age of 16 I was already running the restaurant in practice."
How do you manage a restaurant at the age of 16?
"It was an American diner which was very bizarre because it was the only American restaurant within a 50 square mile radius, but I didn't ask myself many questions at the time. As well as how 50 people who were all older than me, listened to me and did what I said. Today I realize that's where my management career started. I'm still in touch with Roy, the owner of the restaurant. He sent me to courses in management and started building me for the future, even though I could never afford academic studies."
One of the phrases that comes up frequently in a conversation with Heath is "life had other plans for me". But this sentence is always said with a smile, even when it describes a difficult reality. This applies not only to her career, but also to her personal life. She came out of the closet at a young age and has been married for almost two decades to her partner who travels with her around the world following the multitude of offers she couldn't refuse over the years.
"My work environment has always been very masculine and people would automatically ask 'what does your husband do', it took me a long time to be open about my sexual identity in the workplace. On my many business trips, when my partner comes with me, there are states in the U.S. where we do not demonstrate anything in public, no one wants feelings of negativity around them," admits Heath, "but one day, when I was standing on stage in Silicon Valley and was asked to talk about my team and diversity in employment, I spoke for the first time about having a wife. To my surprise, I found that when you express vulnerability with people and open the door to something personal, they are also more open with you. At first it was very scary to open up and be exposed, but I never regretted it. At United Airlines, I also implemented this as an agenda, and when I left for DocuSign, the cyber team was 51% women compared to only 13% when I arrived."
But until she reached the top of the two well-known and large companies, Heath went through more twists and turns in a career that also included working under a false identity in the British police. "Pretty quickly I realized that I didn't want to work in a restaurant all my life, I wanted to go to university but life had other plans," continues Heath. These plans included joining the police, first as a full-fledged police officer, but soon the police also noticed Heath's skills and she was pulled into an undercover role when she was only 21 years old.
"I really wanted it and I was enthusiastic about the work because I was both young and innocent. But I didn't like the adrenaline rush itself, so pretty quickly I was moved into a financial crime unit. There I really starred. I investigated a lot of pyramid schemes and scams in the style of Bernie Madoff, I traveled all over the world in pursuit of money that folks tried to hide or get rid of, especially international laundering attempts".
How do you do it without going to university and studying?
"I think all my life I've been out of my comfort zone, it makes you want to excel. My last case was a $200 million fraud case and it took me three and a half years to solve it, together with the FBI and the U.S. Securities and Exchange Commission."
Later, in an unexpected turn, Heath found herself with a website construction and design business after learning everything through self-study programming books she purchased. A short time later, she received an offer from MGM studios in London to lead a programming project and as part of the role she found herself in Los Angeles, just before she turned 30. At this point she still had no exposure to cyber or venture capital and was involved in the development of software for the management and distribution of DVD movies.
As her career in this world developed, cyber attacks also became common and in one of the companies where she worked, someone remembered that her resume had a line about working in the police force, so she probably knew a little about the law. "They asked me to look a little into the security of corporate information and you can say that's how I started my career in cyber." This was somewhere in 2012 at the AECOM construction company that became famous when it took part in the construction of Burj Khalifa, the tallest tower in the world located in Dubai. "My boss fired the two people who managed the security and appointed me in their place. I told him, 'I can't do it, I've never had a job like this,' and he replied, 'You'll be fine.'"
Heath did so well that five years later, she received an offer she couldn't refuse from United Airlines, one of the largest and best-known companies in the U.S., to manage its cyber defense system. Three years later, in 2019, after dramatically increasing the department there, Heath agreed to take on a bigger role but at a much smaller company that had just gone public on Wall Street called DocuSign. "I took this role knowing it would be the last full-time role of my career."
Since then, Heath sits on the boards of cyber companies that try to use her experience and knowledge about what organizations want from their cyber defense systems. That's how she got on the board of Wiz.
What is the CISO's biggest fear?
"The biggest fear is the paralysis of business activity and it doesn't matter what the reason is, whether it's a ransom demand or an attack for the sake of an attack."
What's the hardest cyber attack you've faced?
"I've seen every type of cyber attack because the nature of a company also dictates the type of attacker - whether it's another country like Russia, China or North Korea, whether it's a private hacker group or ransom demands. I've been in the trenches many times, but luckily they've never been able to halt our activity because we caught everything in time. It did happen that part of the organization was not operational, but it was never paralyzed.".
What is the main difficulty of cyber people within the organizations?
"The most difficult thing about managing security in an organization is that you have to act on both the technological and the business level. A year ago I published an article on LinkedIn addressed to board members who do not come from a technological background and I detailed the five questions that every director should ask the security people. The questions are: What is most important to the organization? For example: safety is most important to United Airlines and customer information is most important to DocuSign. After answering these questions, the next questions are: where is this information, how is it protected, what are the most vulnerable areas and what are the procedures in case something goes wrong. If the organization is able to answer these five questions, it is protected. And we need to come to an understanding that it is impossible to protect everything to the same extent, it is impossible and too expensive."