In this episode of the Security Matters podcast, host David Puner sits down with Lior Yaari, CEO and co-founder of Grip Security, for a discussion that covers the concept of identity debt and its implications for modern cybersecurity. Lior shares insights from his experience in Israel’s elite Unit 8200 and explains why identity is now the new security perimeter. They delve into the challenges organizations face in managing SaaS applications, the impact of generative AI on cybersecurity and the importance of proactive identity governance. Tune in for tips on how to protect your organization from within and stay ahead of evolving threats.<\/p>\n
Imagine this: It started with a single signup form. A product marketing manager was working late, prepping for a board presentation. She needed sharper visuals fast, so she found an AI-powered slide tool online and quickly logged in with her corporate email. No approvals. No red tape. She uploaded sensitive financial data and hit generate.<\/p>\n
By morning, security was in crisis mode. That AI tool? Built by a 15-person startup\u2014no security team, no SSO, no offboarding protocols. And no idea it was now holding confidential files from a Fortune 500 company. This wasn\u2019t just a one-off\u2014it was one of many apps quietly adopted across the company. Every click created yet another unmanaged identity\u2014something today\u2019s guest, Lior Yaari, calls identity debt.<\/p>\n
Lior Yaari is the CEO and co-founder of Grip Security, a SaaS identity risk management platform that helps companies regain control of sprawling SaaS environments. He\u2019s also a former officer in Israel\u2019s elite Unit 8200, where he cut his teeth in cybersecurity.<\/p>\n
In our conversation, he affirms why identity is the new security perimeter\u2014and what organizations can do to protect themselves from within.<\/p>\n
Let\u2019s get into it.<\/p>\n
David Puner:
\nCEO and co-founder of Grip Security\u2014welcome to Security Matters. Thanks for coming down to the podcast.<\/p>\n
Lior Yaari:
\nWell, thank you for having me. I’m really happy to be here.<\/p>\n
David Puner:
\nYeah, absolutely. It’s a Friday afternoon in March. It feels a little springlike here in the Boston area. We’re doing deals in real time. Really excited that you\u2019re taking the time to speak with us in the midst of all the excitement.<\/p>\n
Lior Yaari:
\nAlways happy to finish the week and finish it with a good podcast. So I\u2019m really excited for today.<\/p>\n
David Puner:
\nExcellent. So why don\u2019t we get right into things so we can get to the weekend. Grip Security is a SaaS identity risk management platform. To start things off, what does that mean? And how has the market for SaaS identity risk management and SaaS security posture management evolved since you started the company back in January 2021?<\/p>\n
Lior Yaari:
\nSaaS identity risk management\u2014and the SaaS security space in general\u2014is growing. It’s growing because we live in a world now where the barrier to adopting a new app is just a signup form. Every user, every business unit, can go ahead and sign up for any application they want.<\/p>\n
We used to view this as a supply chain problem. All of these apps contain data that belongs to the company. But it\u2019s also an identity problem. When people sign up, they create identities in applications. They create identity debt for the organization. And those identities need to be governed and managed by all our identity tools.<\/p>\n
We founded the company when we saw the entire technology innovation shift to SaaS. If you want to buy new technologies for the business, there\u2019s no real alternative anymore. All of these AI tools are just SaaS apps with AI under the hood. There\u2019s a signup form, there\u2019s an admin panel, and they process sensitive business data.<\/p>\n
Lior Yaari:
\nThe data we\u2019ve seen over the last four years\u2014even before the market caught up\u2014is that every company increased the number of vendors they use by about 30% year over year. Four years at that pace? The problem more than doubles in size.<\/p>\n
And now the market is responding. Whether it\u2019s Gartner reports calling out the issue, major acquisitions by companies like CrowdStrike, or significant investments in the space\u2014including in Grip\u2014there\u2019s growing awareness. Customers are prioritizing SaaS security as a core project for the year ahead. It\u2019s a great time to be working in this space.<\/p>\n
David Puner:
\nThese days, you’re based in Boston. From your accent, I\u2019m guessing you were born in Israel?<\/p>\n
Lior Yaari:
\nYes\u2014if anyone hasn\u2019t picked up on it yet. I was born in Israel and moved to Boston about two years ago. I made the move when the company was scaling. Our engineering team is still based in Tel Aviv, but now half of our company is in the U.S.<\/p>\n
I relocated right before our Series B round to help establish and grow our U.S. headquarters. Most of our partners and customers are here in the States, and as CEO, I wanted to be close to the team and lead the go-to-market side of the business with boots on the ground.<\/p>\n
David Puner:
\nYou began your career as an officer in Israel\u2019s Unit 8200\u2014which is kind of like the NSA in the U.S. or the U.K.\u2019s GCHQ, right?<\/p>\n
Lior Yaari:
\nThat\u2019s what Wikipedia would say, yes.<\/p>\n
David Puner:
\nAnd what would you say?<\/p>\n
Lior Yaari:
\nGo with what Wikipedia says.<\/p>\n
David Puner:
\nAlright. So you started there\u2014how did that experience shape your career path and eventually lead to founding a SaaS identity risk management company?<\/p>\n
Lior Yaari:
\nBefore anything, I was surrounded by incredible people. I spent seven years in the military learning a lot about technology, but what had the biggest impact on me was seeing how many of the people I served with went on to become founders and leaders in cybersecurity.<\/p>\n
After I left the army, I worked at a startup, then became CTO at a major cybersecurity investment firm. That was a turning point. I got really interested in SaaS security from an investor’s perspective. It was clear\u2014even in 2020 during COVID\u2014that SaaS wasn\u2019t going anywhere.<\/p>\n
The traditional security solutions couldn\u2019t scale to meet the growing risks. Customers weren\u2019t satisfied with what was on the market\u2014whether it was legacy CASBs or the first generation of SaaS security tools focused solely on misconfigurations or single platforms like Salesforce and Microsoft 365.<\/p>\n
Lior Yaari:
\nSalesforce and Microsoft 365 are probably the two most important SaaS apps a company uses\u2014but they\u2019re just two out of potentially thousands in an enterprise environment. With SaaS adoption growing 30% year over year, that number quickly multiplies. You simply can\u2019t secure these applications one by one.<\/p>\n
That\u2019s where identity comes in. Identity becomes the scalable gateway to securing applications. Our goal with Grip was to bring an identity-first approach to SaaS security.<\/p>\n
David Puner:
\nLet\u2019s talk more about organizations. What are some of the common challenges they face when trying to map, govern, and manage SaaS applications to reduce risk?<\/p>\n
Lior Yaari:
\nGreat question. Let me give you a real-world example. Disney made headlines recently for being breached\u2014twice. In both cases, an ex-employee logged back into an application they previously had access to. They didn\u2019t hack anything. They used the same login, the same credentials, and downloaded the same data\u2014just to a private laptop instead of a corporate one.<\/p>\n
It\u2019s an identity challenge: no offboarding, weak password reliance, no SSO. It\u2019s also a data breach, because that data left the organization\u2019s perimeter. But it\u2019s not some sophisticated attack\u2014it\u2019s something that happens every day across companies. The core challenge is that SaaS moves faster than security does.<\/p>\n
The business units are the ones choosing and adopting these apps. They’re creating new identities, managing configurations, and in doing so, they\u2019re creating identity and security debt. Security teams are left holding the bag\u2014responsible for cleaning up and securing everything after the fact.<\/p>\n
Lior Yaari:
\nAnd that mismatch\u2014between the teams creating the debt and the teams paying for it\u2014is a big part of the problem. Business leaders are under pressure to innovate quickly. You\u2019ve probably heard the quote: \u201cCompanies that don\u2019t use AI are going to die.\u201d So now the CEO, the board, the COO\u2014they\u2019re all pushing to adopt tools fast, and they don\u2019t need IT\u2019s help to do it.<\/p>\n
That leaves security teams scrambling to secure what\u2019s already been adopted. The risks range from supply chain and compliance issues\u2014like understanding what vendors you’re actually using\u2014to identity lifecycle challenges, like offboarding users at the right time and enforcing safe credential use. There\u2019s also the risk of misconfigurations or lack of SSO across critical apps.<\/p>\n
And the reality is that managing all of this manually just doesn\u2019t scale. The volume is too high, the pace too fast. That\u2019s why we built Grip\u2014to automate SaaS governance and security at scale.<\/p>\n
David Puner:
\nYou mentioned AI. How do you see generative AI impacting cybersecurity, and what measures can be taken to manage those risks?<\/p>\n
Lior Yaari:
\nAI isn\u2019t fundamentally different from any other SaaS app\u2014it\u2019s just moving faster and is often even more user-driven. These tools market directly to employees. They\u2019re encouraged to sign up, start collaborating, and input data. But there are two key challenges.<\/p>\n
First, the pace of innovation is unprecedented. AI tools are building more AI tools, and they\u2019re coming from tiny startups with no security team, no compliance oversight, and very little time spent hardening their systems.<\/p>\n
Second, the tools are being adopted by the business before security even knows they exist. I was just having breakfast with a friend\u2014a security director at a large company\u2014and she showed me the AI tool she\u2019s using to auto-generate PowerPoint decks. Those decks contain corporate data. She\u2019ll present them to the board. That\u2019s sensitive content being processed by a tool no one vetted.<\/p>\n
Security teams can\u2019t just hope for these tools to get better over time. They need visibility. They need identity governance. And they need to extend their control to these apps\u2014even if the apps themselves don\u2019t support basic security features like SSO.<\/p>\n
Lior Yaari:
\nTake OpenAI, for example\u2014it took them two years to add SSO. And they\u2019re one of the biggest players in the space. Most of the AI startups popping up right now have a fraction of that budget and experience. They definitely don\u2019t support enterprise-level identity controls out of the box.<\/p>\n
So you need a virtual layer\u2014a security layer on top\u2014that helps you implement offboarding, enforce password hygiene, monitor accounts, and extend IGA policies into those tools. That\u2019s where the real risk mitigation happens.<\/p>\n
David Puner:
\nWhat is shadow AI, and how does it tie into the challenges you’re trying to solve?<\/p>\n
Lior Yaari:
\nShadow AI is basically AI tools adopted by the business that are unknown to security. The people who own the risk\u2014security and IT\u2014don\u2019t even know these apps are being used. But of course, the users do\u2014they\u2019re using them daily.<\/p>\n
It\u2019s part of a broader trend. We\u2019ve already been talking about \u201cshadow IT\u201d and \u201cshadow SaaS\u201d\u2014apps adopted outside of IT\u2019s control. Gartner has even renamed these terms. They now refer to \u201cshadow IT\u201d as business-led IT, and \u201cshadow identities\u201d as distributed identities. That\u2019s a shift in thinking. It\u2019s a recognition that the business isn\u2019t trying to be risky or secretive. They\u2019re just trying to get work done.<\/p>\n
So shadow AI? It\u2019s really business-led AI. It\u2019s not something we eliminate\u2014it\u2019s something we have to support safely. These tools are useful. But security has to step in and provide the right visibility, governance, and controls\u2014without blocking productivity.<\/p>\n
David Puner:
\nSpeaking of identities, how are you approaching the increasing complexity of identity management\u2014especially with the rise of machine identities? How do those introduce new layers of risk?<\/p>\n
Lior Yaari:
\nIt\u2019s a huge challenge. We often focus on how users interact with third-party apps, but many of those apps have their own marketplaces now\u2014Salesforce, Slack, Notion, Monday, Zoom, and so on. These marketplaces let you enhance functionality by connecting third-party apps. But behind those integrations are machine identities\u2014apps talking to other apps in the background.<\/p>\n
Once those connections are made, they often operate independently of users. They’re persistent and can be hard to track. That\u2019s where risk comes in.<\/p>\n
A great example is the CircleCI breach from a few years ago. CircleCI is deeply integrated into many organizations\u2019 CI\/CD pipelines and cloud environments. When attackers compromised CircleCI, they gained programmatic access to tools like GitHub, AWS, and others. Suddenly, one app becomes the gateway to many more. That\u2019s what we call application hopping\u2014jumping between apps through machine-to-machine tokens.<\/p>\n
And here\u2019s the kicker: even if you secure user access to Salesforce with least privilege and identity controls, a single third-party integration\u2014like a BI tool connected to Salesforce\u2014can expose all of that data. That one small app can bypass all your hard work.<\/p>\n
So machine identities need to be monitored, secured, and governed just like human ones. Otherwise, you\u2019ve got serious gaps in your perimeter.<\/p>\n
David Puner:
\nYou make it sound so easy.<\/p>\n
Lior Yaari:
\nI wish it were easy. But then again, if it were, we probably wouldn\u2019t have a business.<\/p>\n
David Puner:
\nZooming out a bit\u2014what do you see as the most significant cyberthreats today? And how do you think that may shift in the near future?<\/p>\n
Lior Yaari:
\nRight now, there are a lot of great opportunities\u2014for both attackers and defenders. That\u2019s what makes cybersecurity so dynamic. But attackers are often the first to adopt new technologies. Not necessarily faster than startups, but definitely faster than enterprises trying to integrate those technologies into their existing security stacks.<\/p>\n
With AI, for example, attackers are already finding ways to exploit it. Traditional phishing detection relies on things like spotting spelling errors. That doesn\u2019t work anymore. Attackers can use AI to generate thousands of well-written phishing emails at once. They can run massive campaigns with just a script and an LLM.<\/p>\n
The second big concern for me is trust\u2014trust in voice, video, and even identity itself. With a few minutes of audio from this podcast, someone could generate a fake call that sounds just like me. Sure, maybe my accent might throw them off a little, but it\u2019s possible. You could fake a conversation, make it sound legit. That\u2019s going to require a whole new layer of verification and awareness inside companies.<\/p>\n
Lior Yaari:
\nIf phishing messages can trick people through text, imagine how effective they\u2019ll be when delivered through a convincing voice or video. Most people aren\u2019t trained to question what sounds real. That\u2019s going to make social engineering even more dangerous.<\/p>\n
Then there\u2019s the broader shift: we\u2019ve moved infrastructure from on-prem to the cloud. We\u2019ve moved identity from being something contained within a local network to something that lives across the internet. That fundamentally changes the nature of the security perimeter.<\/p>\n
David Puner:
\nIs there really even such a thing as a perimeter anymore? How do you define it now?<\/p>\n
Lior Yaari:
\nIt\u2019s all about identity. Gartner calls it the cybersecurity mesh architecture. In a world where access can come from anywhere and data is everywhere, identity and context become your ultimate control points. So yes, there is a perimeter\u2014but it\u2019s identity-centric. And everything needs to move in that direction.<\/p>\n
David Puner:
\nHow can organizations stay ahead of evolving threats like ransomware, zero-day attacks, and supply chain vulnerabilities?<\/p>\n
Lior Yaari:
\nThere\u2019s no one-size-fits-all solution. But the first step is knowing what the problems are. I feel for CISOs. Their threat list is long\u2014and it keeps growing. It\u2019s tough for smaller organizations with lean teams. And even for large organizations, the variety of threats they face is overwhelming.<\/p>\n
Cybersecurity is one of the few spaces where there\u2019s an active adversary. If we slow down, they\u2019ll get ahead. So we need to keep evolving\u2014how we think, how we plan, and how we prioritize.<\/p>\n
Lior Yaari:
\nWe sometimes assume cybersecurity used to be easier, but that\u2019s just because we didn\u2019t have the tools or understanding we do now. Attackers have become more sophisticated. So we need to stay informed about new problems, but also be open to new solutions.<\/p>\n
Yes, it can be tiring. There are a lot of new companies out there solving specific problems, and it\u2019s hard to evaluate them all. But the only way to address complex and evolving threats is to partner with people who are dedicating their entire day to solving that one thing you haven\u2019t had time to fully explore yet.<\/p>\n
David Puner:
\nIn such a rapidly changing landscape, how do you personally stay on top of it all?<\/p>\n
Lior Yaari:
\nI\u2019m lucky that I get to focus deeply on a problem I care about. I go to a lot of conferences. I talk to a lot of people. And I spend time with early-stage founders. They\u2019re on the ground, building the next wave of cybersecurity tools. They have insights into problems that aren\u2019t even mainstream yet. Talking with them\u2014and VCs, and staying active on platforms like LinkedIn\u2014is how I stay current.<\/p>\n
David Puner:
\nI\u2019d read somewhere that you had a focus on automotive at one point. What about that industry stood out to you as relevant to the broader cybersecurity landscape?<\/p>\n
Lior Yaari:
\nYeah, back in the day, one of my parents\u2019 old friends asked what I did for a living, and I told him I was breaking into cars. He looked pretty disappointed\u2014thought I\u2019d end up doing something more respectable. But it was all virtual. I was working in automotive security, helping major car manufacturers secure their vehicles.<\/p>\n
Cars today are essentially rolling networks of IoT devices. There\u2019s a great quote I love: \u201cThe \u2018S\u2019 in IoT stands for security.\u201d Of course, there\u2019s no \u201cS\u201d in IoT\u2014because security is often missing.<\/p>\n
That work taught me a lot. Cars are incredibly complex systems. And when you\u2019re building something that intricate, security often takes a backseat. It\u2019s the same with corporate networks. Even in something like a marketing org, the systems are layered and sophisticated. People don\u2019t think someone will exploit what they\u2019re building. They\u2019re just trying to do their jobs.<\/p>\n
Professionals\u2014from engineers to CFOs\u2014don\u2019t ignore security because they\u2019re malicious. They ignore it because they don\u2019t think about the bad things that can happen. That means it\u2019s on us, the security professionals, to be proactive\u2014not just in stopping breaches, but in helping people understand risk before they make decisions.<\/p>\n
David Puner:
\nThat ties into what you\u2019re doing now\u2014supporting safer SaaS adoption.<\/p>\n
Lior Yaari:
\nExactly. Whether it\u2019s phishing education or identity governance, the goal is the same: support people before mistakes happen\u2014not after.<\/p>\n
David Puner:
\nOne last thing\u2014our research team came across a story about you doing NYU students\u2019 homework when you were 16. True?<\/p>\n
Lior Yaari:
\nCan\u2019t believe that made it into the notes! Yeah, when I was in high school, I got connected with a NYU student who didn\u2019t want to do his intro to computer science homework. He\u2019d message me a couple days before a deadline and offer $70 an hour to finish it. For a 16-year-old, that was incredible money.<\/p>\n
I started doing Java assignments, then got into security coursework. I was learning Linux and writing reports on securing operating systems before I even really knew what cybersecurity was. It wasn\u2019t what launched my career, but it was definitely the first step in that direction.<\/p>\n
David Puner:
\nAnd how did he do on those assignments?<\/p>\n
Lior Yaari:
\nHe did very well. We haven\u2019t stayed in touch, and I don\u2019t think he\u2019d pass the Grip interview process today.<\/p>\n
David Puner:
\nLior Yaari, thank you so much for joining us on Security Matters. This was fantastic.<\/p>\n
Lior Yaari:
\nThank you, David. I had a lot of fun.<\/p>\n
David Puner:
\nThere you have it. Thanks for listening to Security Matters. If you liked this episode, please follow us wherever you get your podcasts so you don\u2019t miss future episodes. And if you\u2019re feeling generous, leave us a review\u2014it helps more than you\u2019d think.<\/p>\n
Have a question, a comment, or an idea for an episode? Reach out to us at securitymatterspodcast@cyberark.com.<\/p>\n
We\u2019ll see you next time.<\/p><\/div>\n","protected":false},"featured_media":213801,"template":"","class_list":["post-207564","podcast","type-podcast","status-publish","has-post-thumbnail","hentry"],"acf":[],"yoast_head":"\n