Inside CyberArk’s security strategy

CyberArk CIO Omer Grossman talks up the company’s security-first ethos, the importance of an assumed breach mentality and how the company is addressing threats from the growing use of AI

Omer Grossman, CyberArk’s global chief information officer (CIO), doesn’t mince his words. In a world that increasingly relies on technology, he believes cyber security shouldn’t be an afterthought, but a core tenet woven into the fabric of every organisation.

As the head of IT at CyberArk, an identity security firm known for its privileged access management (PAM) capabilities, Grossman leads with a “security-first” approach that’s embedded in the company’s internal practices and its role as “customer zero” for its own products.

He also advocates for an “assumed breach mentality”, which acknowledges that cyber attacks are inevitable. That means organisations should focus on limiting the blast radius of any potential breach through network segmentation, identity management and hardened endpoints to ensure business continuity despite attacks.

“You don’t need to keep all the bad guys out 100% of the time,” said Grossman. “That’s wishful thinking – the CISO’s [chief information security officer’s] job is to make sure the business doesn’t break because of a malicious attack.”

CyberArk adopts a multi-layered defence strategy, starting with identity security. “I really know, not just believe, that identity security is a cornerstone in any security posture,” he said.

CyberArk leverages its own products, such as Privilege Cloud, to manage internal access privileges, ensuring that even if a breach occurs, lateral movement and damage are minimised.

The company is also tapping automation and threat intelligence. By automating about 70% of its security operations, CyberArk ensures it can respond quickly to emerging threats. Its security operations centre (SOC) operates 24/7, constantly monitoring for and mitigating potential risks. Threat intelligence feeds from various sources – including global computer emergency response teams and the dark web – provide early warnings of potential attacks.

Complementing these measures is a dedicated team focused on threat hunting. This team identifies emerging attack vectors and proactively tests CyberArk’s defences against them. For instance, knowing that support teams are often targeted, the company conducts simulated attacks on its own support team to identify weaknesses, so that the team becomes more resilient.

“We’re constantly monitoring and bolstering our security posture,” said Grossman. “You just need to be 1% better tomorrow than you are today, and if you keep pushing forward, you are always one step ahead of the attacker.”

CyberArk’s commitment to security extends to being its own harshest critic by rigorously testing its own products internally. “We’re not an easy client, but that’s what makes our products secure and effective for our customers,” he said.

But the cyber security landscape is in constant flux, and new challenges are always emerging. One of the most pressing, according to Grossman, is the rising adoption of artificial intelligence (AI). “AI is the biggest transformation of our lifetime as CIOs,” he said. “But it also presents new and evolving security challenges.”

AI agents

He pointed to the rise of AI agents, which are capable of acting autonomously, as a concern. These agents, while improving efficiency and productivity, also expand the attack surface for threat actors.

“Agents will be everywhere soon,” said Grossman. “And attackers will inevitably find ways to exploit them.”

To mitigate this risk, he called for organisations to adopt AI governance frameworks. “You need to be thinking about responsible AI,” he said. “That means addressing the ethical implications of AI, ensuring legal compliance, and building a security framework that can evolve alongside this rapidly changing technology.”

Unlike CIOs at other companies, who may be asked to prove the returns on their security investments, Grossman said investing in security is non-negotiable at CyberArk, and budget constraints are not a limiting factor when it comes to securing the company and its customers.

He urged other CIOs and CISOs to prioritise security investments before a breach occurs, noting that the cost of prevention pales in comparison to the potential fallout of a successful attack.

“When companies open their wallets after a breach, CISOs can get whatever they want from the board, but it’s often too late,” said Grossman.