Alon brings a unique perspective and deep insight into compliance and cybersecurity, and offers thought-provoking answers for everyone joining us today. From changing the status quo and the shift in how we look at compliance and information security, to deciding whether the CISO should report to the CIO or vice versa, we cover it all.
Alon is also an accomplished speaker, having presented for ABC News, DEF CON, the DOE Cyber Conference, and Secure CISO Miami. He has contributed to publications such as Cyber Defense Magazine, Inc. Magazine, and Healthcare Business Today, and was featured on the Cyber News magazine 40 Under 40 list in December 2022, recognizing young leaders in the cybersecurity industry.
Transcript:
Kyle Morris:
Hi to everyone, and a very warm welcome to another episode of Comply or Die. I am your host Kyle Morris, and I’ve got Alon Nachmany with me today, who is a very exciting guest that we are looking forward to having on the show. Um, a very accomplished person in cybersecurity and compliance, which makes him a real ideal candidate to have on our show.
Alon brings a very unique perspective and some deep insights that I think are going to really captivate and provide some very interesting answers and thought-provoking content for everyone listening and joining us today. So a quick background just from our side, who is Alon? So, a thought leader in cybersecurity regulation and compliance.
He is a C level executive, visionary information security leader with over five years experience as a CISO at organizations that include two publicly traded financial services organizations. Some more background. Alon has served, and I’m seeing you’re nodding. So we’re on the right page so far, which is good.
Alon Nachmany:
I think I’m going to start blushing in a second.
Kyle Morris:
Amazing. No, the, the resume is incredible, and we can’t leave out some of these. So you, you’ve served on a variety of executive level, IS information security roles, which included administering IT security policies and procedures while serving at senior levels in both corporate and government environments.
At AppviewX, you are a field CISO responsible for developing tailored recommendations and establishing a best of breed security program architecture, – which I’m really looking forward to hearing about just now – architecture model using industry frameworks and standards such as ISO, NIST, SOC2, as well as NIST.
Additionally, Alon is also a very accomplished speaker, having presented for ABC News, DEF CON, the DOE Cyber Conference, as well as Secure CISO Miami. And finally, for my list, Alon has also contributed to top articles and publications such as Cyber Defense Magazine, Inc. Magazine, and Healthcare Business Today.
As well as being featured in the Cyber News magazine 40 Under 40 list in December 2022, recognizing young leaders in the cybersecurity industry. Wow. That’s that. I mean, I think at this point I’m under some pressure to have to keep, keep these questions.
Alon Nachmany:
I’m definitely blushing. So it all works.
Kyle Morris:
Alon, thank you.
Thank you for taking some time out of your schedule to talk to us today. It’s amazing to have someone like you on the show. Um, and I mean, apart from that, that huge background that. I have no doubt, is a very summarized version of your career. Is there anything else you’d like to tell us about you as an introduction before we dive into it?
Alon Nachmany:
Uh, yeah, there’s a few other things that I’ve been doing.
I’m on the, um, on ISACA’s board for, um, South Florida. I’m on, if you’re familiar with CSA, Cloud Security Alliance. I’m leading the work group under, um, identity and access management. And I’m also working on the zero trust work group where we’re working diligently to, um, put out some best practices and some documentation to kind of help people, um, filter the noise, if you would, from what, you know, every vendor’s become a “me too, I do zero trust,” um, when that’s not necessarily the case, so they don’t fully understand what zero trust is. So. That’s kind of where we’re helping and kind of establish the guidelines and best practices there.
Kyle Morris:
Amazing. I have a set of questions, but you’ve, you’ve mentioned a few things that I feel like we have to dive into already.
Zero Trust itself. How do you see the, the industry or, I mean, you sort of jumped into it already, common misconceptions around it and how you’re trying to sort of change that, that, that process or mindset.
Alon Nachmany:
So, so my answer is going to be stay tuned on that because we’re going to put out a lot of documentation and I don’t want to give anything kind of away, but I also want everybody to be able to read it and really, um, understand what we’re trying to put together and what we’re trying to do on a best practices standpoint, kind of really get everybody on that same page and just make it easier for everybody to kind of, um, understand and digest what the vendors are putting out there.
Um, where does zero trust start kind of the basics and all of that, that’s all covered in the documentation. So really, I just don’t want to take away from the documentation and all that stuff. I want to say something else. You spoke a lot about architecture. Um, you know, and I know this isn’t mostly, um, centered around compliance, but, you know, architecture is incredibly important and doing things and planning and, and, you know, building it right.
The first time is definitely one of my mottos and something that I stick by. Um, Because nobody wants to go back and fix what was done wrong. It’s a bigger headache and it just, it causes issues. That being said, I think there’s a much larger emphasis in our industry coming up and has been coming and is going to grow, especially giving kind of the, the global economic situations that are progressing, which is around how does, how does information security, um, enable the business and what is the CISO doing, um, on business enablement.
And I think that that ties very closely, in my opinion, at least to compliance. And how do you enable the business to be more compliant through information security? How do you make the chief compliance officer’s life easier? Um, things like that. So that’s also, you know, if we have time, I’d love to cover that stuff as well.
Kyle Morris:
I mean, the, the stage is all yours. Please feel free. Go for it.
Alon Nachmany:
Let me get myself boxed. One second. Um, no, I, I really think that that’s, that’s kind of the, the, I want to call it a trend, but it’s not a trend. A trend is something temporary. I think this is going to be, you know, mind or kind of shift in the mindset of information security, you know, for, for a very long time and very long time, it was kind of, it was kind of well accepted that the CSO reports to the CIO.
And anybody who is a CISO always had something to say about that. And if they didn’t, they weren’t a good CISO. Now, we’ve come up with some, uh, really good, um, conceptions and, and, and ways of dealing with things. Yes, you can report to the CIO. That doesn’t necessarily mean that you’re limited to his wheelhouse.
You’re just as a reporting structure and makes it easier. Um, there’s been a large movement to reporting to other people, such as the Chief Compliance Officer, the Chief Operating Officer, the CFO. And, and, and my favorite is usually to the board directly. Okay. Um, personally, just because I happen to be talking about reporting structure, my, my favorite is when the CIO reports to the CISO, because it makes accepting risk so much easier from a technological perspective.
You know, in my opinion, the CISO, it’s not IT security, it’s information security, and that covers the entire business, not just the wheelhouse of IT, which is why, where the misconception of reporting to the CIO was. In having the CIO report to the CISO, you know, I go, I’m going back to the real basics here.
We have the CIA triad, the confidentiality, the integrity, and the availability. The CIO’s job is to make sure that everybody can work and be productive. The CISO’s job is to make sure that everything is secure, and you keep that CIA triad together. There’s definitely overlap and there are times, and a good CISO will say, there are times when I accept the risk and I know.
That it’s more important to deliver this to the company in order to do something, even though it’s adding risk. And that’s okay. There’s nothing wrong with that. If you, if you do that, and you acknowledge that you’re adding risk, and you’re doing something to add to, um, the company being able to do some of that, cause that’s where the business, uh, enablement comes from.
You know, you, you’re educated enough to accept that risk, present that risk. And move on. That’s, that’s where having the CIO report to the CISO makes things easier. Again, this is assuming that there’s, you know, nobody’s butting heads and, and nobody has an ego and everybody just wants to really get the job done and do what’s best for the company.
Obviously, that doesn’t always happen. And that’s unfortunate. That’s a different discussion. That’s to me, what’s, what’s important. Um. You know, having, having that ability to enable the business, having the ability to look at what, what are we doing from a company’s perspective? What, what do we manufacture?
Are we, are we, do we make widgets, you know, do we provide a service? What, what are we doing that will help, you know, what can we as information security professionals be doing to help the business? And that could be plain and simple. If we’re a SaaS company, and we’re providing, you know, a SaaS solution.
Introducing redundancy isn’t just about, Hey, if we, if we get hacked, here’s a redundant, we can switch over and it’s hot. And it’s a flip of a switch. It’s automatic. We don’t even have to do that. That could also be, Hey, as a company grows, we don’t actually have to scale because we already have some over here.
And we’ve already done that. That’s to me, that’s business enablement, allowing the business to grow, allowing the business to do more through the solutions that we’ve already implemented. And that makes, quote unquote, selling the solution to the board so much easier. Um, So I’m going to go through a bunch of different topics because I’m, I’m kind of, um, navigating here.
Kyle Morris:
Please do. I’m here to listen.
Alon Nachmany:
Yeah, awesome. Now that I brought up the, the, the board, you know, The other thing that, that I’m kind of since I’m on my soapbox here is it’s not the CISO’s job to accept risk. It’s not the board’s job to decide if you need a firewall. And I think that’s also something that’s kind of getting missed right now, if you would.
Um, it seems that CISOs are, or the CISOs that come from more of a technical background seem to feel the need to educate their board as this is a firewall. Here’s how it blocks packets. Here’s how it does stateful inspection. Here’s all of that fun stuff. It’s, it’s great. It’s important. It’s here’s why you need multifactor.
Here’s why. Again, all these things are important. The board member doesn’t care, nor should they care. The board member, in my opinion, needs to look at Okay, here’s our risk. If this and I’m over, I’m incredibly oversimplifying for a second, but here’s a file server. If this file server goes down, we will, it’ll take us two days to recover.
Our data will be two days old. So that’s four business days and it’ll cost us $10,000. Take the $10,000, you add all of the numbers together, you take the probability of what is, you know, how likely is this to happen if we don’t have security in place? And then how likely is this to happen on an annual basis?
And you take that number and that’s your, that’s your target. ROI. That’s how much money it will cost the company. If you don’t secure, um, that’s your risk number, that that’s how much it’s gonna cost if you don’t secure. That’s that piece of equipment. What, what the CISO’s job is, in my opinion, is to educate the board on here’s all of our different risks.
Here’s how much they are with a dollar amount, and then there are different ways of calculating. I’m just giving one example. But here’s the dollar amount of how much it’s going to cost and that, that could be, you know, easy numbers, $10,000. It’s the board’s job to say, you know what, we’re a financial organization.
We have a chief risk officer, We trade all day and all night. We’re very, you know, used to risk we accept risk where we’re comfortable with it, I still sleep great at night. I don’t care, your goal is 80% and that budget will be 80% of the number on the 20%. They’ll roll the dice and that’s, that’s okay.
Because the board accepted that risk. That’s that is where the board comes into play. Not from a we accept the risk of not having a firewall. We accept the risk that we understand that by funding this, by, you know, 80% out of the hundred. We know that we’re not going to fully, um, take advantage of solutions out there that we could be more secure on the flip side, you could be in more of an old school company, maybe a large manufacturer, and they’ll say, you know what, we’re very risk averse.
We want to be able to sleep at night. We want to, we don’t want to have issues with our customers. We understand that there are additional costs. We want to be at 120%. Here’s $12,000 to go secure it. And that’s, and that’s also great. That’s also acceptable. That’s to me, that’s where a CISO shines and the ability to educate their board and empower their board to make those educated decisions so that they can help set the tone and help, um, navigate the, the, the field.
Because it’s, it’s, it’s not the CISO’s job to accept the risk. That’s, that’s not their job. Their job is, is here’s a plan. Here’s how much that plan is going to cost. Here’s the risk. Here’s how much that’s going to cost. And it might be, you know, Hey, to secure it, it’s a $10,000 risk. The security is only $5,000.
Guess what? That’s a great ROI. That’s a 200% ROI here, board. Here’s what we did. Here’s what we were able to do. We actually were able to save costs and get a 200% ROI on this in order to, um, reduce this risk for, for this specific item. Now, obviously they don’t have to delve into exactly what each item is and that is overload for the board members, but they really need to help, you know, look at the board as financial management of the financial health of the company, or they’re really the managers of the company pulling the strings. They look at things in dollars and cents and that’s, and that’s their job. You know, a for-profit company’s number one, um, business is to make money.
That’s what they’re there. That’s what they exist for, otherwise it’d be a nonprofit. So in understanding that and explaining how this can affect the bottom line of the company, I think that’s, that’s how you. Approach a board. That’s how you educate a board. And those are the conversations that you should be having with boards.
Again, not, should we get a firewall? Should we get, you know, multifactor? Ooh, let’s look at Okta. No, let’s look at this other solution. Let’s, you know, or it doesn’t care. That’s, that’s none of their business, nor should they care. It’s a waste of their time, in my opinion. So that’s how you do it. And it also gives the, you know, the CISO kind of marching orders, as well as.
Um, the boardroom will respect them when they speak after they give a presentation like that of why they’re asking for that, you know, it’s not an arbitrary number, or at least it doesn’t seem arbitrary to the board because they understand the math behind it. And that’s, that’s a big thing for me.
Kyle Morris:
I don’t even know if I want to ask you questions or if I just want to, I mean, we can continue.
Alon Nachmany:
I can tie that to, so I was, I was going to add that to, you know, now that we’re talking about the board, and we’re talking about everything, kind of the SEC is requiring more cyber understanding on a board. That’s really what, what the SEC is trying to get after. The SEC is trying to get people on board, board members, not people to understand that they can’t say, you know, I go back to, you know, the, the 2000 years, 2008.
Actually 2000, um, with, with Enron and WorldCom and all those where the board said, uh, I don’t know how to read a balance sheet. I don’t know what I’m doing. Guess what? Now you have to be, you have to have a financial background or be a former CFO in order to be a board member. Why? So you can tell if they’re cooking the books.
Similarly, you know, it’s got, it’s already happening where you’re going to have some kind of cyber background or some kind of technological understanding to be a board. I mean, this is. We talk about COVID as an epidemic to me, the amount of companies that are getting hacked and information that’s, you know, being breached that’s, that’s almost as large.
So that’s, that’s definitely an issue. Um, and, and I think that’s, that’s kind of where the industry is going. At least that’s, that’s my two cents on it.
Kyle Morris:
One thing we’ve, you’ve spoken about COVID, you’ve mentioned pandemics, you’ve spoken about trends and shifts. I’m going to ask a slightly different question here.
Part of the spec sheet, you were named as the IT psychic of the year at CISO Miami 2020, take us through that.
Alon Nachmany:
So it was, it was prediction. So that’s funny. Um, it was, I think, April or May, 2020. And it was, I mean, I remember I, I was asked to join an additional panel because they didn’t have like speakers just didn’t show up because of COVID.
This is one of the times we thought COVID was a genie in the air, and it’s going to kidnap you if you, you know, take a wrong breath somewhere. Um, it’s going to wrap its hands around you. And then nobody knew what to expect. Um, and, and at the time, you know, we, we were all asked on the panel, where did we think, what was going to be the biggest issue for that year in cybersecurity, and I, you know, based on what I was hearing from my colleagues and my peers, I heard about companies that were spending their entire cybersecurity budget, IT budget, the entire technological budget, buying laptops, just so people could work from home.
You’re not going to be able to do anything else. You’re buying, literally they were buying laptops from Best Buy, Amazon, wherever they could get them, they were getting them, not provisioning them, not putting any protections on them, let’s just put it out there and at least they can work for now, we’ll call back and we’ll clean it.
Um, and it turned out that, that, that’s kind of what happened. And here we are, you know, three years later and, uh, we haven’t really cleaned it up yet, or we’ve been trying, um, and, and, and that’s kind of, you know, eventually we’re just going to go through that. I think at this point. The normal refresh cycle of like, ah, you know what, it’s time for a new laptop.
This time we’re going to do it right. And, and that kind of old, um, devices are going to be deprecated. Um, there’s also something to be said about, you know, now nobody knows where their data is. I think data security companies are definitely going to be a hit this year and next year. Just because I mean, there’s, I’ve dealt with breaches where I didn’t even know where my data was.
It’s, it’s a problem. It’s definitely a really big problem. I mean, I can tell you that my, my daughter’s information, her health information from her birth was compromised a hundred percent. I promise you, the CISO at that company did not know large company publicly traded. Did not know where the data was.
They did not, they had no idea of the process of what was going on. And that’s part of business enablement is understanding how you’re not, not just what does your company do or manufacture, but how does it do it, and how does it get done? So I think, I think part of this COVID is, you know, it’s okay for, I mean, I’ve been working remote for eight years.
It’s okay to be remote. It’s important for everybody around to understand where the data sits. How are people connecting? How are they using their devices? In order to, it’s not a matter of securing it further; it’s a matter at first of just mapping out what is where.
Kyle Morris:
Sure, and maybe on to that point. Let’s talk a little bit about hacking and about AI as well. So I think your last point you mentioned there about actually just knowing where your data is, it’s probably a huge part that plays into this, but I mean, if we talk about tools and password managers and these SSO tools that we know and we trust and that are reputable, that have had many instances of hacks and data breaches recently.
What, what are sort of your guidelines or best practices you go by to try to minimize that as far as possible? What do you recommend?
Alon Nachmany:
I think, unfortunately, that it really is each case on its own. I don’t think there’s a one, one answer fits kind of one size fits all answer. Um, I, I really think it depends on the organization, what they’re doing, how they’re doing it, um, cause everybody’s different.
Everybody uses different tools, everybody uses different devices, everybody uses different technology. So it’s really, uh, I think on a case by case basis.
Kyle Morris:
Okay
Alon Nachmany:
Yeah. Sorry.
Kyle Morris:
Fair enough. No, fair enough. And let’s talk from an AI perspective. I mean, everyone, it’s, it’s, it’s the trend.
Alon Nachmany:
Everybody loves AI right now.
Kyle Morris:
Yep. Absolutely.
Alon Nachmany:
And, and the Zero Trust was last year, AI is this year,
Kyle Morris:
And it can do no wrong. Everyone is jumping on, building it in. They want to use it in their tools and products. How do you see this contributing to, to the security domain of businesses, good and bad?
Alon Nachmany:
So, yeah, I was going to say, I have a little bit of a different opinion.
I think it’s good. I think I see a lot of positivity. I see AI. I think AI itself, like the ChatGPT needs to be a little more secure and a little more private. And I think that’ll come together with, you know, as, as it matures and as it, um, grows into a proper business model, I think that that’ll happen, um, just to make sure that the, the information is kept confidential.
But I think, um, I think it’s going to help. I really do. I think it’s going to provide, you know, somebody said to me the other day, it’s going to replace, it’s going to replace a lot of developers. It’s going to replace a lot of developers if you have mundane developers that don’t know what they’re doing, if you, you know, it, it doesn’t think, it, it kind of takes a very basic template of what it’s learned, and it shoves everything into that template.
So it’s important. It does a great job, but it doesn’t really, to me, at least get the job done, um, from the larger perspective. So I think it’ll help with. You know, maybe SOCs that are digesting too much information. AI can be very useful there to point out trends and things that people aren’t seeing, um, but I don’t see it replacing anybody.
I don’t see it. I don’t see it replacing a lot of individuals. I see replacing maybe, you know, like a tier one SOC person, which the only bad I can think about that is to become a tier two SOC person, you need to first be a tier one SOC person. So I think, I think experience might be a problem, but we can also use it as a learning tool and, and, and use here’s how AI did it now it’s your job to think after AI.
Has done all of these steps. How do you do the next steps? And similarly, if you’re developing software and there’s a lot of code, I think from a code inspection, you know, perspective, it could be very useful. Things like that really um, but I don’t see it, you know, taking over the world yet. Maybe. You know, that’s something in maybe a decade or so, so I’ll worry about that in a decade, future me will worry about that.
Um, but for now, I think it’s a great tool, and it’s a great way to use things. I don’t think it’s gotten to the point of, I think people are giving it way too much credit than it deserves at this point. And
Kyle Morris:
If we talk about the, I mean, you’ve obviously mentioned huge positives and efficiency gains from it, tying that back into compliance.
I mean, we spoke a bit about the development side, compliance specifically, what do you see as, as challenges or just how the future looks tying AI and considerations from that into still maintaining compliance with different frameworks. You see challenges there?
Alon Nachmany:
You mean AI and compliance?
Kyle Morris: Yeah. Replacing your traditional controls with where AI processes could replace that.
Alon Nachmany:
I don’t think so. I think it’s more, um, I would look at it as helping investigate, or you know, doing the testing to make sure that you’re compliant. I could see AI playing a role there of, you know, and if you’ve sat at the audit table and I will know in your eyes in two seconds, you know, if you’ve sat at the audit table, you know what I’m talking about, where, you know, an auditor will randomly select, okay, give me these three files to randomly check that you’re compliant, and you’re doing what you say you’re doing.
Um, I see AI being able to do that and maybe be able to, you know, potentially I see a system with compliance where you allow AI. Access and it’s constantly monitoring so that it can flag here’s instances that you weren’t compliant that I see. And that’s to me, that’s, that’s just data processing. Um, so I do see that happening.
I do see AI helping write policies and procedures, um, and potentially enforcing them, but I don’t see AI, you know, replacing a chief compliance officer or even a compliance organization. Where, you know, they’re asked for their opinions on things all the time, where AI might not be able to opine in a, you know, look at both sides equally.
Kyle Morris:
Absolutely.
Yeah. And I, I think very, really important. I mean, from that efficiency side, like you’ve made mention of, if you take what the, the, the audit approach of trust, but verify and selecting random samples. And I suppose luck of the draw sometimes, like you said, those three files could be randomly sampled, and they could be really good examples, but there could be really bad ones that are overlooked.
And I suppose using tools that could potentially assess 100% of a population instead of sampling is giving you better compliance because it’s giving the auditor better insights, giving you better coverage over what you’re doing and assessing. Yeah, no,
Alon Nachmany:
I would fully agree with that.
Kyle Morris:
Let’s talk. Let’s talk a little bit.
I wanted to say about you, but let’s talk a little bit about your projects. Um, so, I mean, you, you’ve obviously experienced, uh, some different challenges along the way from a compliance perspective in your various roles. Um, specific to, to your experience and what you’ve gone through. Any, anything that really stood out as, as challenges, how you were able to sort of remediate that.
Alon Nachmany:
I’ve sat at the audit table. That’s, that’s, that’s a challenge within itself. Um, you know, I have, I have a love hate relationship with compliance. Um, I, I think it’s a necessary, it’s incredibly necessary. Um, I hate, I’ll put it this way. I hate to have to make sure compliance are happening. I hate to have to write the policy because to me, a lot of it shouldn’t make sense to people.
And it should be second nature. Unfortunately, that’s not always the case. And not, not only is it important to, um, you know, make sure we have the policies and procedures, but to make sure that they’re followed. And it’s not always a fun, it’s not always a fun job to do that. It’s, it’s tiring. It’s mundane.
It’s a lot of work. Like, you know, like we just said, it could be a good example, bad example of what you randomly select to look at. And if you, you know, have the time, you’re looking at more, which is even, you know, even better. Um, it’s given me the opportunity to work with a lot of interesting people and a lot of very smart people.
So I think from a, you know, from a, uh, reputation perspective, I think compliance gets a bad rap. Um, because I think. You really have to be fairly smart in order to work in compliance and know what you’re doing and be able to do it really well. Um, you know, being able to look at things in different ways, um, there are quite a few attorneys that, you know, can interpret compliance in different ways and make sure that, you know, you’re still compliant with the law or the act or whatever it is, the rule, um, within what you’re trying to accomplish.
So I think. To me that that’s always that’s kind of the fun side of things is being able to interpret different ways and looking at it and discussing it and even debating it a little bit. Um, the hate is sitting honestly sitting at the audit table to me that’s that’s just, it’s, it’s so painful.
Um, you feel like you’re being cross-examined in a jury trial on the stand. Um, and, and those are audits that I passed very successfully with flying colors, by the way. Um, it doesn’t mean that, you know, it’s any easier when you’re passing them and when you’re, where you could be doing everything perfect.
And there’s that one, one, you know, one policy that one person didn’t follow. And that happens to be the one that they ask for. And that, you know, it’s, it’s a problem. Um, and you’re right. It somehow always is the one that they ask for. I don’t know how they don’t ask for that one, but that’s the one. Yep.
Yep. Somehow. Um, So again, but, but it is, I don’t want to call it a necessary evil because I think it’s, it’s not an evil, but it’s very necessary. And I think, you know, we, we, we’ve seen what happens when you don’t have it. So, so these are all to me, it’s very similar, you know, to, to a firing range where you say these rules were written in blood.
You know, you follow the rules at a firing range because people have been shot when they didn’t follow the rules. Hey, don’t go to the targets while people are shooting. Makes sense. Yet people still did it. Now it’s a rule, you know, to me, these, these rules are very similar, written not in blood, but in losses.
And, and, you know, if it, if it’s somebody, if it’s a publicly traded company and somebody’s life savings are invested in the company, it could be in blood. So you’re understanding that, you know, when you’re, when you’re working for a company, especially one that’s publicly traded, your people need to understand that it’s not their money that’s running the company.
It’s not the owner’s money. It’s, it’s the public’s money. And that could be somebody’s life, you know, life savings. So that’s, that’s to me, just important, just as important. Making sure that that’s kind of kept safe and done right. Um, and the other part is, you know, there’s a lot of fraud that we’re all trying to prevent.
So again, people have done things and that’s why we’re here. Um, so I think, I think again, and not, not a necessary evil, but definitely a necessary.
Kyle Morris:
Absolutely. And let’s talk, maybe, one or two final questions. We might get into specifics; tie them together however you want from your perspective. You obviously have worked with different organizations, and obviously, in the examples you’ve just made mention of now, by the point you’re publicly listed and trading, you’re a pretty big deal as an organization; then there’s a startup, sort of medium size.
And before you get into sort of that enterprise level. Do you see any approaches to having that compliance in mind and building things from the ground up? And at those three different levels, what do you see as the significant differences or challenges with them?
Alon Nachmany:
So I see both ways. I see it. So I’ll give you my first example.
When I was at WeWork, I was employee number 200, very much at the beginning. We were already starting to follow SOX compliance and doing things like that, because we knew we were going to eventually IPO, and we knew it would be easier, A, before the IPO to already be compliant, and B, after we IPO there would not have to be any re-education and new way of doing things now that we’re publicly traded, because we got everybody used to, quote, the right way of doing things.
Um, it was a little bit easier because we didn’t get audited and all that fun stuff, but we still definitely thought about those things beforehand. So, a medium company that definitely did it before and wanted to make sure, because we knew where the growth was. Um, and we saw it firsthand, and that’s what we were basing it off of. That also has the flip side.
If you’re slowly growing, and you don’t realize how fast you’re growing, and you don’t realize, um, that you may IPO and you may do things, and these are requirements for when you do that. Or if you’re in an industry that, you know, even if you’re in financials, and you’re not publicly traded, and you’re under, as an example, a NYDFS rule.
You know, once you get to a certain size, you have to be compliant with that. You don’t get to that size and then decide to be compliant. You have to prepare. And unfortunately, I think people don’t always prepare for that. So that’s definitely something that I think people need to think about.
Kyle Morris:
Okay, and wrapping it up: for someone listening to this and thinking they want to have a future in compliance,
Alon Nachmany:
Maybe go down, go find another career. I’m kidding.
Kyle Morris:
You can’t say that, because I even wanted to ask you what sparked your interest in it. And then you told me you have a love-hate relationship, and I understood it perfectly from that moment on.
There was nothing more I needed to deep dive into. But for someone wanting to go down this compliance path, what are your insights for them?
Alon Nachmany:
Be prepared for a lot of very interesting, but very hard and very smart conversations. Um, come prepared to meetings. Come, you know, do your background reading; read the actual law, read the actual act.
I’ve read, just as an example because I’ve dealt with it recently, the New York DFS one; I’ve probably read that 150 times. I’m not even exaggerating. I have gone line by line through that document over and over. Even though I’ve read it a hundred times, I still read it before a meeting to make sure I know what I’m talking about and I remember.
And every single time you remind yourself, you may find something different, you may find something else. So that’s, to me, always important. Come prepared, know what you’re getting yourself into. Um, again, like I said before, there’s a lot of very smart people in compliance, and there’s a reason for that.
Um, and it’s not just to make sure that you’re compliant, but it’s to make sure that everything aligns with the business and the goals of the business. Um, understand what the company does; that’s probably equally important. Not just what they do, but how they do it is also important. Um, because you may go from one company to another, making this up,
you may go from AWS to GCP. They do things very, very differently. Their offering is different. Their pricing is different. The way they manage it is different. So understanding all of those is incredibly important to be able to ensure that you can be successful, um, and look at another career. Um, because it’s a pain, it’s a fun pain.
And if you, I’m very lucky that I got to turn my hobby into my career. Um, I always loved technology. Statute of limitations is definitely out, but you know, I’ve done fun things when I was younger. For those who know what a Captain Crunch whistle is, I had a Captain Crunch whistle, um, and I remember all the different things that, you know, we used to be able to do that we can’t do today, like a tape recorder up to a payphone and all of those fun things.
Um, so I think I’m very fortunate to be able to do something that I enjoy. So a lot of times these meetings, to me, don’t seem like work. They seem like really fun, theoretical conversations. Um, but if you don’t enjoy that, then it might not be the right path. And that’s okay. There are multiple things for multiple people.
So if you do enjoy that, you’re definitely in the right place.
Kyle Morris:
Awesome. Alon, I’m going to mark that as our closing point for today, because I’d love to pick this up again once these publications we spoke about earlier are out there, and we can maybe deep dive into the documentation and that in a bit of time to come.
But for what you have shared today and the journey you’ve taken us through, for everyone listening, thank you. It’s been really, really awesome to chat to you today. It’s been insightful, it’s been fun; clearly I’m also in the compliance space, to enjoy those conversations. But thank you for taking some time out of your day.
Alon Nachmany:
Thank you for having me, I really appreciate it.
Kyle Morris:
Amazing.