Why Fortune 500 CISOs Still Use Excel: The Problem Onyxia is Solving in Cybersecurity

Discover how Sivan Tehila built Onyxia to pioneer the cybersecurity performance management space, replacing outdated security tracking methods, overcoming analyst-defined categories, and leveraging regulatory momentum to drive enterprise adoption.

Written By: supervisor


The following interview is a conversation we had with Sivan Tehila, Founder and CEO of Onyxia, on our podcast Category Visionaries. You can view the full episode here: $5 Million Raised to Build the Future of Cybersecurity Performance Management.

Sivan Tehila
Thanks for having me. 

 
Brett
Not a problem. Super excited to chat. So, to kick things off, can we just start with a quick summary of who you are and a bit more about your background?

Sivan Tehila
Of course. So I started my career in the Israeli army. I served for ten years in the IDF as a cybersecurity officer. I was the CISO of the research and analysis division and the head of the information security unit for the Intelligence Corps. Obviously very fascinating career and an opportunity for me to learn about cybersecurity, which back then was a relatively new space. And since then, many things evolved and changed. After I retired in 2015, I worked for other defense industries and critical infrastructures in Israel. I built and designed the security operations center for Israel Railways and worked on other defense projects. And when I moved to the United States about five years ago, I joined Perimeter 81, which recently was acquired by Check Point. And I was one of the first employees there. We developed a zero trust remote access solution.

 
Sivan Tehila
And that’s where I realized that I’m really enjoying building products from scratch. And obviously, I had a chance to learn a lot about the market and to understand what it takes to solve a major problem. In parallel to that, I also developed a cybersecurity master’s program for YU. And I became the program director for the master’s degree at YU in New York at the Katz School. Obviously another passion of mine, cyber education and preparing the next generation of cybersecurity experts. And about a year and a half ago, I started Onyxia, which is my main focus now.

Brett
What did you learn from your time in the IDF? I’m sure there were a ton of life lessons, especially considering you were there for ten years. But if you had to choose one big life lesson, what would that mean?

Sivan Tehila
I think being resilient to many different situations. And obviously, I remember myself many times waking up in the middle of the night when I got a phone call that something is happening and you just need to act and you need to act fast. And I think I find myself often in different, similar situations when I’m running now my own company, and obviously any entrepreneur handles a lot of stress and challenges. But I think the fact that I had to handle things that are related to human lives, I guess it puts everything in a different perspective. And I think I have this resilience to handle other things because I just really believe that everything can be solved and it’s just a matter of strategy, focus and thinking a few steps ahead.



Brett
Now, in the back of your head, when you were at the IDF and then when you were working in those various roles after you retired, was it in the back of your head that someday I’m going to start my own technology company? Was that like the master plan, or where did that seed and that idea come from for you?


Sivan Tehila
So that never was something I really planned, but I was always leading projects from scratch. And I do think I have this entrepreneur mindset even now within big organizations and even in the IDF. When I had to come up with creative ideas in the division I was part of, and especially in the cybersecurity space, it’s sometimes very hard because security professionals are often considered as those who are not really helping the business, but blocking the business. And when you’re in the army and we ask people in the intelligence force to always think outside of the box, obviously, as a CISO there, we had to come up with many creative ideas on how to allow people to do their job. And I think, again, it wasn’t really the plan, but I got into this because I realized that there is a problem.

Sivan Tehila
And I was very frustrated as a CISO that I need to handle a lot of manual work around measuring security programs and security performance and automate things. And later, when I worked for other companies or with other security leaders, I realized that this is a problem that really needs to be solved. So eventually, I think that what I’ve decided is to solve this pain that I have experienced. And that’s how I really got into building Onyxia, which is an emerging product in the cybersecurity performance management space.

 
Brett
Well, it’s a perfect transition to dive right into the company. So let’s talk a little bit about it. So, at a high level, when it comes to the problem that you solve, how do you articulate the problem? 

 
Sivan Tehila
So CISOs and security leaders handle a lot of noise in their day-to-day job, and recently we see that companies are implementing many different security solutions, and it’s becoming really hard to manage security programs. Often companies bring external consultants to map their environment, and then they leave them with a nice report with all the recommendations, but no one really knows what’s relevant and what to do, and it’s really hard to track that. So I guess the three main aspects we’re addressing are, first, the ability to make decisions based on reliable data. We’re collecting data from different resources in the company to help security leaders understand their security posture, basically. And on top of that, we’re also helping them manage projects end to end, optimize ROI, and communicate their security programming to business outcomes.

Brett
When it comes to the market category, is cybersecurity performance management an established category, or is that a category that you’re really pioneering and creating?

Sivan Tehila
It is a new category, and I guess that was one of the main challenges, because when I started, no one was talking about security performance at all. Most of the products in this space were related to GRC (governance, risk and compliance), and those are more traditional risk quantification products. And the way we’re looking at risk is really in a way that by helping you improve your security performance, we’re automatically reducing the risks. So when I started the company, it was very hard to raise money since this wasn’t very familiar in the industry. It was a new term, and I think about a year ago, Gartner came up for the first time with this term, silo performance management. And I think it helped the industry a little bit to understand that this is really an established one. But I think that the challenge was there.

Sivan Tehila
It’s just about defining it and coming up with a relevant solution that can address those specific challenges and look at the overall picture and provide systems with the ability to have this sense of control in the chaos they’re living in.

Brett
Are you actively working with firms like Gartner to shape and really define what this category is going to look like?

Sivan Tehila
Well, I’ll be very honest here. We’re working with our customers to solve a problem. Obviously, Gartner and similar firms can really help with boosting awareness around specific categories. But on the other end, it sometimes can be very tricky because we don’t want to build a product that is aligned necessarily with what Gartner’s defined category. We want to solve a problem. So I feel like sometimes it’s a fine line, and I guess this is why we often see that many companies can really fit in multiple categories. So I think obviously, we’re working closely with Gartner, we have a good relationship and we learn a lot from those partnerships. But we’re trying to stay very focused on our mission to solve this specific problem and not to necessarily build a product that is aligned with someone’s specific definition of a specific category.

Brett
Can you share any numbers that just highlight some of the growth and adoption that the platform is seeing today? 

 
Sivan Tehila
Yeah, sure. So first we’re focusing on mid-sized companies and enterprises. The way the product works is really by integrating with the existing security stack. So companies that are less mature usually don’t have enough security products, so we can’t give them the value they need. So basically, that’s where we’re focusing. And as long as the company is mature enough and big enough, they usually have more and more challenges to address. And that’s where we see most of the demand and challenge. It was very fascinating to me when we did the research to talk to CISOs, and almost any Fortune 500 CISO I spoke with showed me an Excel sheet that they’re managing since they started their position as a CISO in any company. And I remember myself managing Excel sheets as well.

 
Sivan Tehila
But it’s just unbelievable that in 2023, Fortune 500 companies, C-level people, still need to manage all their efforts in an Excel sheet. And what they do there is basically to have their security KPIs mapped, and they’re trying to feed this Excel sheet all the time with the data they aggregate from different resources and do the calculation and metrics to see how they are basically aligned with our KPIs comparing to their SLAs. And it’s a lot of work. So I think nowadays, because everything else is being automated, we definitely see more demand for such a platform that automates the manual processes and gives this extra layer of actionable insights. And it saves a lot of time and money for companies.

Brett
This show is brought to you by Front Lines Media, a podcast production studio that helps B2B founders launch, manage, and grow their own podcast. Now, if you’re a founder, you may be thinking, I don’t have time to host a podcast. I’ve got a company to build. Well, that’s exactly what we’ve built our service to do. You show up and host, and we handle literally everything else. To set up a call to discuss launching your own podcast, visit frontlines.io/podcast. Now back to today’s episode. In the cybersecurity space, there’s a lot of noise. Every year I go to RSA, I go to Black Hat, and when I’m walking around, I’m thinking, wow, everyone’s essentially saying the same thing, and it just seems like a very noisy world with just a lot of vendors.

 
Brett
What are you doing to rise above all of that noise and connect with customers in the way that you have been to achieve this type of growth?

Sivan Tehila
Well, we’re still in a very early stage, so we’re doing our best to invest our time and resources in the right places. I definitely think that when you define a new category, there is a lot to do when it comes to educating the market, even though the problem is very easy to explain and the product is relatively easy to understand. When you don’t have this line in the budget of the CISO, you need to work hard on making this something that makes security performance part of their plan. I think what happened recently is also that we saw the new SEC regulation that came up.

Sivan Tehila
So what we’re trying is to basically stay connected to the regulation, to what we hear from the field, to stay connected to customers, to meet them one-on-one in conferences, to really understand their needs and based on that, to create a plan to be more focused with our offerings, and to also come up with ideas to help them address some issues. And again, the reason why I brought up the SEC is because many companies I spoke with a while ago got back to me recently and they told me, hey, Sivan, we’re thinking about your product with their relation to the SEC regulation. Maybe you can help us with that. I’ll give you a little bit of context. What the SEC cybersecurity risk management rule says is that companies need to disclose security incidents in four days.

Sivan Tehila
But the other two things they mentioned there is that companies need to disclose their security programs and strategies, and to have at least one board member with cybersecurity expertise. And obviously, the regulation is relevant for public companies. But we do see that other large enterprises and then mid-sized companies are always willing to align with SEC requirements. And I think that’s another thing that brings more awareness and that makes the product even more relevant to any company nowadays.

Brett
As I mentioned there in the intro, you’ve raised $5 million to date. What have you learned about fundraising throughout this journey?

Sivan Tehila
I think I learned, well, basically, I didn’t know anything. It’s the first time I’m raising money, so I didn’t know what I should exactly do. I think I was very lucky to be surrounded by people who believed in me since day one. And they really helped me during the process, understanding how I need to present the story, to present the problem. And they made relevant intros. What I learned, and again, I don’t want that to sound like, I’m sure everyone else always says that, but I really felt that I need to build a relationship with my investors. So it took me a little bit of time to establish those relationships. And I think eventually it worked out, because I really feel that now any investor in my cap table brings value to the company that is not just the money they were putting in.

Sivan Tehila
So I really learned that was something that helped me back then, but also now when we’re getting ready for our next round, and all those investors are very involved and helpful and knowledgeable and very well connected, I think that’s something that now I realized that was a very smart thing to do. 

 
Brett
What would be the number one piece of advice that you’d give to a cybersecurity founder who’s just starting their company today? 

 
Sivan Tehila
I think because cybersecurity is a very overwhelming space. There is a solution for everything. There are many niche solutions, and I think really doing your research around the problem and define the solution in a very clear way could be very helpful, because otherwise, often when investors hear your pitch, they really feel like they heard that 100 times before you showed up. Because when we’re talking about cybersecurity and risks, we tend to use the same terms. And what I learned is that it’s always very helpful to be able to crisply explain and define why you’re different, what is the specific thing you’re solving, why no one else did it before. And even though it might sound as obvious, I think that was the way for me to eventually stand out and to be able to raise money to solve this very specific problem.

Brett
Final question for you. Let’s zoom out into the future. So let’s say maybe three, five years from today, what’s the big picture vision that you’re building? 

 
Sivan Tehila
So we’re talking about performance, or performance management, but the way I see Onyxia is really becoming a platform that combines different solutions for security leaders to manage all their security efforts in one place, end to end, to be this single pane of glass, to allow CISOs to make decisions, to wake up in the morning, and to go to this one place to understand the bigger picture, but also to communicate with their teams, with other business stakeholders. And I really see that’s the vision, that’s what we’re building. We want Onyxia to become the first thing or the first platform CISOs are opening in the morning. I didn’t mention it before. One unique thing that we did, and we don’t often see that in security products, is that we built everything not only as a web app, but as a mobile app.

 
Sivan Tehila
So my dream to say so was to be able to wake up in the morning. Like I’m asking Alexa. Hey, Alexa, how’s the weather today? To be able to go to one place and ask Alexia, hey, Alexia. What are the top three things I should be afraid of today? What are the top three things I should focus on today to get all the high level insights I need to be able to manage everything as I go and to have this sense of control. And that’s where I see the platform going. 

 
Brett
Amazing. Well, I love the vision, and I love everything that you’re doing. We are up on time, so we’ll have to wrap here. Before we do, if any founder listening in just wants to follow along from a company building perspective, where should they go? 

 
Sivan Tehila
Well, they can just connect with me on LinkedIn, and I’m always happy to connect with any founder. I know how hard it could be, especially at the beginning when everything feels very chaotic. So LinkedIn, I guess it’s the best way to reach out.


Brett
Amazing. Well, thank you so much for taking the time to chat. I’ve really enjoyed this conversation. I know the audience is going to love it as well. So really appreciate you taking the time. 

 
Sivan Tehila
Thank you so much for having me. That was fun. 


Brett
All right, keep in touch. This episode of Category Visionaries is brought to you by Front Lines Media, Silicon Valley’s leading podcast production studio. If you’re a B2B founder looking for help launching and growing your own podcast, visit frontlines.io/podcast. And for the latest episode, search for Category Visionaries on your podcast platform of choice.
