Lior is the CEO and Co-Founder of Grip Security, one of the fastest-growing SaaS security startups today. He started his security career as an Officer in the Israeli Intelligence 8200 unit, after which he gained expertise in automotive security at Cymotive.
In this exclusive Cyber Talk interview, CEO and Co-Founder Lior Yaari shares insights into securing SaaS applications and describes why visibility is so crucial.
Tell us about the Grip Security story
Grip’s mission is to empower every organization to secure modern work and business-led IT by serving as their foundation for protecting people and SaaS technology—anywhere, everywhere, and on-demand.
Grip was founded in 2020, and is led by former elite intelligence officers in the Israeli Defense Corps. Our initial funding ($25 million, Series A) started with YL Ventures. In early 2021, Grip began to grow outside Israel and established leadership in sales, marketing, and customer success, along with growing our engineering team to continue our innovation.
Grip is a global company, led by our 3 co-founders, acclaimed by Forbes’ 30 Under 30 list. Grip’s research and engineering is run from Tel-Aviv, with most go-to-market and customer-facing functions coming from the US teams.
What are the biggest problems when it comes to securing SaaS applications?
In 2021, 83% of organizations reported the value of business-led IT strategies—characterized by business teams identifying and sourcing technology, especially SaaS. And in 2022, 36% of SaaS spending will be outside core IT budgets, selection, procurement, support, and security oversight. Existing solutions fail to realize security for business-led SaaS and the growing number of SaaS apps in an organization’s attack surface.
There are two interconnected problems with SaaS security—1) the exponential growth and change of SaaS, especially when driven by business-led IT, and 2) there are no real solutions that can unify SaaS security and orchestrate the SaaS security lifecycle for both core-IT and business-led SaaS. The challenge for today’s enterprise is to unify SaaS security—core-IT and business-led IT—to make SaaS safe for everyone, anywhere, and on-demand.
Tell us about the innovation behind the product?
Grip’s award-winning platform enables security teams to safeguard their SaaS estate through the four critical capabilities—discover, prioritize, secure, and orchestrate—with personalized visibility and protection for any user, to any app, from any device, in any location, at any time.
What makes Grip unique:
- No disruptions: Agentless zero-touch deployment
- No exceptions: Unified SaaS security across core-IT and business-led
- No guesswork: Relevant, actionable SaaS risk insights from real-world observations
- No waiting: Automated, intelligent SaaS security workflows and orchestration
Unlike other solutions, only Grip takes an identity-based approach (not infrastructure-based like CASB, EDR, Identity Providers, SSO or configuration managers). This allows Grip’s customers to ensure global protection for the SaaS attack surface, without exceptions and without a patchwork of proxies (CASB), agents (CASB/EDR), SSO tax (IdP/SSO) or APIs (SSPM).
Why is visibility so crucial?
It is cliché to say you can’t protect what you can’t see. But that is overly reductionistic. The real value with visibility is knowledge. Knowing is more important than merely seeing. That’s why, at Grip, we focus on helping customers interpret the meaning in their visibility, the priorities that matter for risk, and the threats they must mitigate—and what to do about it. This is crucial knowledge. It is a kind of security intelligence for SaaS, allowing customers to avoid guesswork when taming their SaaS risks.
So, the question is “What do you want to make visible?” SaaS apps? SaaS users? Sure, of course. But what’s more important is identifying relevant, actionable knowledge and the intelligence embedded in a guided response to scale security to every app and user without exception.
Are there any myths about SaaS security that you’d like to clarify for security leaders?
If the CASB playbook would have worked, then the CASB playbook would have worked. CASB has failed, but no one really wants to talk about it. Not because of feature loss, consolidation or innovation (well, until Grip). The reason it failed is because the game changed. So, if you’re going to play in the game of SaaS security, you need to re-think CASB—they’re still designed, built, and deployed for an environment that is evaporating. And functionally speaking, it is antithetical to shared risk and business-led IT generally. CASB is focused on seek and destroy. Grip is focused on find, check for safety, apply safeguards, keep them in place.
What key principles do you think about in protecting your users’ data?
The growth of SaaS applications outside of IT budgets and protections leaves most organizations with their longest unguarded border—and it isn’t going to be solved by routing users or blacklisting URLs. It is solved by infusing each user with protections they carry with them, regardless of the SaaS they choose. Corralling every app for security teams to scrutinize and maintain is impractical and goes against the larger business strategy. Take the security to the apps, channel that protection through the users themselves.
Other actionable insights for security leaders?
- Identify and embrace what you intend for SaaS security
- Baseline where your security outcomes are relative to where you want them (for SaaS)
- Prioritize based on real-world observations and activity, not SOC2 reports or ‘credit’ ratings
- Push security controls and protections through the user for SaaS today and SaaS yet to be deployed
- Orchestrate SaaS security through automated workflows and responses from discovery to justification to controls to decommissioning
Your perspectives on the future of SaaS security?
By 2030, 80-85% of SaaS will be what we once called ‘shadow SaaS’. Business-led IT and the proliferation of SaaS change the game. As such, we need a new approach—one that embraces that the internet is the new network and the user is the new perimeter. The transition from SaaS being something to find and eliminate to something to care for and safeguard is a radically different notion to many people, but it’s here and it’s here to stay.
SaaS security will depend on fresh thinking, unfettered by old thinking, architecture, and methods. It will evolve, we will change. Because that’s what security professionals do—adapt, serve, and protect.