20-Minute Leaders“Every day you do something that you wouldn't believe that you would do”
20-Minute Leaders
“Every day you do something that you wouldn't believe that you would do”
Co-founder and CEO of Valence Security Yoni Shohet believes it would be difficult for him to do anything else other than be an entrepreneur
Since becoming an entrepreneur with his first company, Yoni Shohet says it would be difficult to do anything else. Today, he is the co-founder and CEO of Valence Security, his second cybersecurity venture, and he explains that the thrill and excitement of startups keeps him coming back. Shohet also says he loves the variety in his role and getting to do things that he didn’t expect he would do. He shares that it can be difficult to not attempt to do everything himself as he works on various aspects of the company. Valence is focused on making security for SaaS applications easy for organizations using many third-party vendors. He says today’s security teams don’t just want more visibility; they are aiming to reduce risk over time. Shohet also explains that many attacks now are coming from finding the right account to exploit rather than from sophisticated hacks.
What prompted you into the cybersecurity scene?
I was always looking to challenge myself. I started my bachelor's degree when I was 16, in mathematics, and I finished it right before military service. I joined an elite cyber unit. It took me into the cyber world. Once I finished my military service as a captain, I started my first startup, SCADAfence, focused on industrial IoT cyber security. About 18 months ago, I started Valence, which is focused on SaaS security.
What understandings did you have that led you to focus with Valence?
I always joke that the cybersecurity startups are like mushrooms after the rain. There was a large breach at the end of 2020, which exposed a lot of weaknesses. What, for me, was of the most interest is really the third-party risk element. That really prompted us to focus on what Valence started with, which is how we grant access to third-party vendors. From there, it evolved to: how do we trust these services, how they are configured, and how they are properly managed to use by different business users.
If we are looking at the situation today, what are the different vulnerabilities that have emerged?
About a decade ago, a lot of cyber security attacks and breaches focused on very complex software issues and vulnerabilities. But today, attackers don't really need to hack; all they need to find is find the right account, the right credential, or the right access token, and from there they can eventually perform their malicious action or access data. The ecosystem is really changing because we no longer need to think about just sophisticated attacks leveraging very high-end technology, but how do we protect from our day-to-day misconfigurations in these cloud environments, where we own a very small portion of the infrastructure? The shared responsibility model is shifting all the responsibility to the customer side to properly manage and configure these SaaS applications. This kind of technology is democratizing and decentralizing. We are starting to see more entities within the businesses—developers, marketing, sales, IT, or HR—that are now able to build and configure logic within the organization. You can innovate and run fast, but it also creates a lot of opportunities for these types of misconfigurations that attackers can leverage.
How does Valence counter that?
For most of our customers, the biggest challenge is not to know about more problems. What the security teams care the most today about is how they show effective risk reduction over time. What we understood is that if eventually SaaS is adopted in a democratized manner, it only makes sense to have the proper decentralized remediation workflows within the organization that allow the security teams to collaborate with the different users to remediate risks within your SaaS environment.
Do you have a snowball effect as you are able to understand the different SaaS applications?
One of the core value pillars that we provide is to outsource expertise. We reduce the level of expertise that each security team needs to have within each one of these applications. In a lot of cases, the security team doesn't even have access to these platforms. We simplify their ability to be able to define their desired state in the security language and to help apply it within their environment of SaaS applications.
Where are you at today and how are you evolving right now?
We started with a very narrow focus with the problems that we are trying to solve, and we are adding more capabilities within our platform. What we have today is a SaaS security platform that helps security teams not have to adopt and install multiple different security controls for SaaS applications. This process really allows you to get an end-to-end capability that checks all the boxes. Over time, we will evolve to be more and more of the platform for SaaS application and the one-stop-shop for all the security needs within it.
This requires a lot of trust and engagement from the people that are bringing Valence in. How do you even get there from a relationship perspective?
When we started with just my co-founder and myself, we started working with our early design partners and we asked to access their platforms, they said, "You are just a two-people company; how can we trust you?" We built technology solutions that allowed us to reduce the friction and the level of trust that is needed to prove our value one step at a time until we earn more of their trust and open up the ability for them to enjoy our full benefits. We invested early on in the best practices in terms of security, compliance, privacy, and everything else.
We are already backed by some of the best investors in the industry, which shows that a lot of very respectable corporates and enterprises within the world did their vetting system and said, "Valence is our bet to be the SaaS security platform." We have some of the best CISOs in the world that invested in the company early on, and it really helps to say these people are legit.
What is the relationship that you'll have with businesses as they are preparing to onboard a vendor for this?
A lot of businesses, and especially security teams, when they adopt best-of-breed SaaS applications, they try to block everything. They say, "You can use Microsoft 365, but you cannot share files on OneDrive." It really limits the scope of the value of these platforms.
As organizations are going through the first phase of moving towards SaaS, they will need to start opening up a lot of these limitations. Otherwise, the business will find workarounds. Security teams will have to adjust to how they want to work together with their business users to allow them to feel more secure, to allow them to run fast and to use the platforms, but to ensure there's the proper guard rails.
Why are you so excited and interested in what you do?
I like to build stuff, and I like to feel that I have an influence on my day-to-day. I love to put in the hours and effort to make everybody that is influenced by our company satisfied. We want to make sure that we solve a real pain. We are very customer obsessed in everything that we do. If you listen enough to the ecosystem and to the environment, you can really find the right pain points that you need to tackle.
Still, the leap from being a builder and being satisfied by these new advancements, that's not enough to go on a crazy entrepreneurial journey twice.
Once you go to the entrepreneur side, it's very difficult to do anything else. The level of excitement, thrill, influence; the ability to every day do something that you wouldn't believe that you would do that day and tackle new problems.
Where have you seen the biggest leap in your own leadership?
Every day, you need to assess and understand what is the most influential aspect where you can really help and impact the company. You can't do everything, even though you want to do everything. You need to have a very straight focus on what you are going to work on today. This is a constant challenge. Being able to do this type of balance and to make sure that one day you do this and the other day you do a completely different aspect is something that requires a lot of self-awareness and a lot of continuous measurement across the board.
Michael Matias, Forbes 30 Under 30, is a Venture Fellow at Innovation Endeavors as well as investment Venture Partner at Secret Chord and J-Ventures. He studies Artificial Intelligence and Human-Computer Interaction at Stanford University, and was an engineer at Hippo Insurance. Matias previously served as an officer in the 8200 unit. 20MinuteLeaders is a tech entrepreneurship interview series featuring one-on-one interviews with fascinating founders, innovators and thought leaders sharing their journeys and experiences.
Contributing editors: Michael Matias, Megan Ryan
