About The Guest: Fabrice A. Marie
Evren helps enterprises improve productivity by simplifying end-user IT & Security processes for their workforce, so teams can focus on what matters — growing the business and staying competitive.
Fabrice previously worked as CISO of Lazada, CTO of Kibin Labs, and IT Security Director of FMA Risk Management Solutions, with over 20 years of experience in Security Management & Risk management, capacity planning, prioritization of efforts to meet deadlines on budget, building teams from scratch, managing teams of security experts and developers, banking / Telecom / Government / Military agencies security, to name a few.
Fabrice is also a regular speaker at regional IT security technical conferences as well as a regular interviewee on television for IT security matters.
About The Host: Paul Hadjy
Paul Hadjy is the co-founder and CEO of Horangi Cyber Security.
Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.
Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific.
He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams.
He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking.
Hi everyone. Welcome to another episode of the Ask A CISO podcast, powered by Horangi.
I'm Raphael Peyret, the Vice President of Product here at Horangi, and I'll be sitting in for Paul, our CEO this week. Before I introduce our guest, please don't forget to like and subscribe or follow us on YouTube, Spotify, and Apple Podcasts and help us grow.
With me today is Fabrice Marie, the co-founder and CTO of cybersecurity startup Evren.
Evren helps enterprises improve productivity by simplifying end user IT and security processes for their workforce, so teams can focus on what matters, growing the business and staying competitive.
Fabrice has over 20 years experience in the security and risk management field, and previously worked as CISO at Air Asia and Lazada. Evren isn't his first cybersecurity startup either, as he was co-founder and CTO of Kibin Labs as well.
Hi Fabrice, and welcome to Ask A CISO podcast. Thanks so much for, for joining us today.
A question I'd like to start with, to kinda like get us warmed up is, how did you become interested in information security?
I'm pretty sure most people would've answered the same as me. A small movie called War Games.
It's everybody of my generation who became a hacker later on was because of this. I was also very interested very early on in programming, and it's something that there was a natural progression, you know, from programming to operating system to understand how they work, to understand how you can bypass them, to hacking, and then to more official security jobs, I would say.
I think it's really interesting this idea of like, hey, you know, there are these moments of like popular culture that can really change the field. You know, and if War Games, that's not, actually, that is the first time I've heard that specific one.
That must be the old man in the lots then, because everybody of my age would say the same story.
War Games. Yeah.
Well, that's good. So basically what you're saying is we need one for the current generation to try to help fix kind of the talent shortage that we have, fill in these roles, get more people on board.
Absolutely. I would say Hackers tried to do this in the 90s. And then you had more, Swordfish in the 2000s, but that wasn't quite about hacking.
Yes, absolutely. They need to, to be more popular culture to, uh, to bring and to magnet, uh, people around the profession. Definitely.
So you've had a large kind of range of experience across lots of different industries, types of organizations, different sizes.
What are the principles that guide you when you're thinking about security, you know, coming from all of these, these different experiences?
You mean as a CISO, or as a career progression?
I would say in terms of how you think about security as your role as a CISO. Obviously you're gonna have some views on that, but even when you're kind of slightly younger in your career, for those that are listening that aren't CISOs yet and that aspire to be there, right, what are the principles that you should stick to? Those things that shouldn't really evolve in how you think about these problems?
So when I was younger and more on the pure technical of security, my drive was technical correctness and absolute security, which is totally not what you should be doing as a CISO but it is a great learning curve to understand the technology behind security and to understand technology as a whole. Most often people are using technology they do not understand or do not understand fully and therefore make mistakes.
So my guiding principle has always been one of deeper knowledge, or at least trying to get the deepest knowledge possible on any topic before I even speak about it. Otherwise, you can't talk about something you don't know, or at least I wouldn't dare.
So what I'm hearing is that this first one is you need to understand deeply, otherwise, you know, how can you even talk about the subject?
And I understand how that for security is particularly relevant because if you don't understand deeply, then you know, the attackers that are on the other side already have like a leg up, compared to you. But then you mentioned a second one, which is, well, maybe I'm gonna use my own terms for this.
It sounds like, well, at the end of the day, security is a risk management profession. Do you agree with that? Do you agree that everybody sees it that way?
Absolutely. I mean, it is, and it must be, in a way, because if it isn't, and if it is absolute, like what I was thinking when I was 20 years old, people will bypass it.
The goal of security is to be unpassable by attackers, but also by your own users. If your users bypass your own security, then you're in deep trouble. And the learning journey from a, for a technical person like myself, learning more the management part of security and so on, was really to understand that if you make something too difficult, if you have friction or things like this, the user will simply bypass you and shoot himself in the foot.
So this is the, you know, post it with a complex password type workaround that might actually worsen your security posture because you haven't taken into consideration ...
... real humans. Okay.
So earlier on in the career I was mostly focused on finding creative ways, technical creative ways to secure companies.
It was more like a technical challenge, more fun and so on. And as my career grew, it was more of finding a people way of how to fix the situation. What's in it for them, what do the users need? And once you understand this, you have to get creative to cobble it together with the rest of the IT policies and the rest of the existing infrastructures and so on to make it the most secure possible.
But it will, to answer your earlier question, it will remain a game of risk because everything has a cost, be it in time or be it in money, and you have only 24 hours a day. There's so much you can do, even with a large IT security.
Which a lot of organizations, unfortunately, don't have, or at least not today.
Great. I feel like this is actually a pretty good segue into learning a little bit more about your new startup Evren. So can you tell us a little bit more about that?
Absolutely. So Gaurav and I founded this company after working together at two different companies in Lazada and then Air Asia. We were facing the same problem in both companies and across all the other companies I did consulting for, right?
So, because before Lazada that I did a lot of pen test consulting with a hundred other customers. So I've seen a lot of these issues before and I haven't seen a single proper answer, and only parts of the answer. The main challenge was a challenge of simplifying IT and helping the IT managers do their job, which in turn helps the InfoSec team to help the IT guys doing that job too.
So the main issue was really to integrate everything that an operating system should have, at the baseline, must be built into the OS obviously. And that wasn't the case. So naturally, I went out as a CISO looking for solutions that I could apply right now with the infrastructure we had right then and there was nothing.
All the tools that I could find were sometimes good, but poorly integrated with each other. Not following standards. Everybody had an admin interface that they wanted you to use. There was no way to use APIs to pull out the data or to integrate with other tools. There was no way to automate half the things we wanted to automate.
It felt very 90s, you know, when I look at the security solutions out there back in Lazada time. It really felt like very 90s. How are we not doing this in 2015 back then? Yeah. And when we started the company, Gaurav and I, we still felt like, why isn't it like this in 2020?
So we started a company and made it happen.
What's the number one, or actually it sounds like there are two problems that you're kind of solving together. One is an IT perspective, which is gonna be primarily around how is it manageable, how does it scale, and then there's another side, which is the security side, I guess. How do you find the balance between the two?
So, I would say there is no balance, but there is my usual speak. When you get a telephone like this, all you want is a telephone. You did not buy your security product. This is not a security product, but you do expect it to be secure.
You do not care how they do it. You just want it to be secure. Well, an OS is the same. You want your OS to be secure. You don't necessarily want to bother about the security. It doesn't mean you are not security-aware. You want the security. It's just that, one, you don't want to pay for it.
Two, you don't wanna waste your time with it. Three, you expect it to work out of the box, and those three conditions are not met, otherwise. And so our founding principle was security must be built in and transparent. So the user doesn't need to see it. Neither does the admin. It must not create any friction. So in order to be really transparent, you cannot be seen, right?
If you are seen, you create friction, then you're not transparent, so it goes together. So those two were really the guiding principles. And the third one, of course, was to enable scale of management of a large IT fleet, which means automation, automation, automation, and, obviously, centralization.
So obviously the operating systems, most people know you're gonna have Windows, you're gonna have Mac OS, for servers and kind of like more niche, you know, consumers. You're gonna have some different variants of Linux. Why do you need a new one? How does it compare to what you're seeing today in the organizations that you've had experienced?
Well, when we started this company, people ask us, why don't you make an agent that does everything that you do?
And I smile and I say, because of experience. Because of experience, I've seen agents that were good at the particular point in time that become completely crippled the minute you have a Windows update, or the same on Mac OS and so on. Mac, Apple changes something in the kernel, suddenly, your IT security tool stops working and the vendor has no control whatsoever over it, because they do not own the code or they don't have access to the code that Apple provides.
So we are built on top of Fedora, which means we are standing on the shoulders of giants. We spin it, as it's called in Fedora parlance, with our own opinionated version of security. It is an OS for the desktop so it's been geared to what the desktop and pre-selected packages and so on for the desktop, not for the server.
It is to be for the enterprise. So it has to be secured by default, cannot be turned off. So again, a lot of opinionated choices have been made to target specifically the enterprise for the desktop. It is not a new operating system per se, as in if you have any application that works on Linux you will be happy to work on Evren.
But it is a new mentality. It is an OS that is centrally managed. With a few clicks of your mouse on an admin portal that is designed to be simple with yes/no toggles and things like this. You don't need to mess around with GPO, which is super powerful, but you need guys who write scripts all day and test them and whatnot.
All this work has been done for you.
It sounds like part of what you've done is instead of relying on an operating system, then putting a layer on top and risking things breaking at the interface there, which is not in your control as a vendor, taking that all in and saying like, okay, actually it necessarily needs to be a single piece.
And while we're at it, because you're using, you know, a lot of people when they think of Linux, they're like, Oh, isn't that what, like nerds use and everything's possible and it's super configurable, which means that for IT managers it's a nightmare precisely because of the options. It seems like what you've done is: you've based it off of that, and then in a way, simplified by removing, by making those choices by default for the organization so that then you only have a very limited surface area of configuration that they actually need to handle.
Absolutely. Absolutely. That was exactly what we had in mind. We keep a lot of customization possible, but a lot of it is not within your control as a user, and we will not give it to you. Like the hardest is encrypted and that's final. You don't have to argue about this. It is like this and it's done. You will never be admin on your machine because you don't need to.
Again, the system has been done so that either the admin can push configuration and applications and so on remotely, or you can self-service within the policy using a software that's already pre-installed in the machine.
I mean a lot of advances have been done in IT and management by these guys, you know, by phones and tablets. They simplified IT but this has not been done yet on the OS, on the laptop, sorry, because Android is a good OS. I'm talking about on laptops. Nobody has done it. Today, you buy your Windows or you buy your Mac, and you bought a '90, '95 kind of technology. It is standalone and that's it. Not enterprise.
So are you referring here to kind of manageability by the enterprise? You know, for mobile devices for those that know this area, you're gonna have mobile device management type solutions that help to manage fleets of devices, including more complicated cases, like some are company-owned, some are personal devices, et cetera. Is that kind of what you're trying to bring here to the desktop management space?
Absolutely. Absolutely. So we have MDM built in and all of this built-in.
I mean, again, we, first, we stood on shoulders of giants on Fedora, and then we look at what iOS and Android have done, and so on. I mean, nobody has the monopoly of good ideas, right? So we just bring those good ideas to the desktop, OS, full-blown desktop OS where you can run some heavy tasks like video editing if you want to and whatnot.
So there's this concept that I understood at your, you know, thinking of your solution as, which is an enterprise OS for the cloud era. Can you tell me a little bit more about what that means for you, in, like, how does the cloud fit into this at all? If we're talking about, you know, a desktop operating system.
I mean, let's face it, since 2000 operating system should have been controlled centrally from the cloud. It wasn't called cloud back then, but it's the same ideas today. You consume, everything is a SaaS or a PaaS. You still do a lot on your laptop, but a lot of things are online.
And the idea is that it should be completely manageable online. Your IT guys should be remote, if anything, or they should control with simplified toggles and things like this. Gone are the days when you're supposed to write scripts just to configure stuff.
That is our job. That's not your job.
So it sounds like, kind of like, you know, why the cloud piece here? Well, before, on-prem, you needed to manage everything yourself with all of the different details and all of the intricacies for every single organization. And now with the cloud, you know, you flip a switch and it's there.
Is that a good way to see it?
It is, absolutely. And the idea is that this is very interesting with the remote working experience as well, since after Covid everybody, or during Covid and after Covid, everybody started to work from home a whole lot more. You have the pros and cons of VDI versus directors with Zero Trust and so on. We made the choice of doing a local OS, but it's cloud-ready, Zero Trust-ready by controlling all the aspects of the security of the machine locally.
So how has this Covid pandemic changed things for you? Was it partly due to this that you decided that this was the time to start your company?
What has it meant for your organization?
It was a combination of a lot of things. First is something I wanted to do 20 years ago. Second, Gaurav and I had the same drive to do something now that Covid has hit. We wanted to do something around Zero Trust, but then we realized that not only there is a lot of competition, but they're not focusing on what matters.
The missing piece of Zero Trust is how secure is your endpoint before allowing you to cross zones and so on. And that bar is not done right. The bar is done by myriad of vendors who focus on their little thing very well. They do it very well, but they don't look at the overall health of the OS.
Because otherwise there's an agent that will break every time there's an OS upgrade. So that is the same story. Now with Covid hitting, we realize that is even more the time to do it. So the Linux desktop now is a lot more mature. It's very usable. I'm using our OS right now. It has all the bells and whistles and so on that you would expect.
It wasn't the case 20 years ago, you know, 20 years ago to install Linux, you had to know the frequency of your monitor. And if you screwed that up, it would blow up if you change the modeline wrongly. Now you can install ours by just clicking on the web UI, generate an ISO, put it on a USB stick. Put your USB stick in USB mode and enter your wifi password. Then go for a coffee. It will take 20 minutes and install without asking you a single other question.
So how's that for simple?
So this is tremendous for remote workers. We're even looking at it now in case there's disaster recovery needed.
So you can use an OVA image with our OS on it. The user simply double-clicks on it on his home machine, ensure it's running in a VM, but it's running a secure OS that talks back to your main infrastructure and so on, in a controlled way. So we have quite a few versions of the product that makes it interesting and fitting, I would say, the times.
What does your competition look like today?
So our main competition, I would say, would be Chrome OS, even though it is slightly different because it took a different gambit. That gambit has paid very well. Most of the apps are now web-based, so if you need only web-based, they have a very compelling offering.
We come from the point of view that a computer should do more than run a browser. But we do have a lot in common with Google Chrome OS. Otherwise, there's also a product called IGEL. The folks about IGEL have done a great job at doing an OS for thin clients. They originally focused a lot on VDI. I think now they're trying to make a play for the rest as well.
So I would say those are the two main competitors for us. Yes.
And why Singapore?
Why Singapore? Singapore was historical for me as a student. I did, I told everyone I would do an internship in security on Linux, and overseas.
Everybody laughed at my face and six months later I sent them a postcard from Thailand where I was developing a payment gateway system to accept credit card in 1999. So one of the first, I think the first in Thailand, and after this, wanted to move to a faster-paced city, so immediately moved to Singapore.
So Linux, then Security and Linux, and then pure pen-testing company I started in 2002. So I stayed in Singapore now 23 years.
How do you think Singapore differs from maybe, let's say, how do you think Asia, because Singapore is often seen as kind of a regional hub for many organizations. How does Asia differ from other parts of the world with regards to how they approach security?
I would say it's mostly a matter of risk appetites and also creativity. So in Asia, for risk appetite, there is unfortunately a bad trend, which is, let's see how it happens in US and Europe, and then we'll take it later on. And the risk appetite is also, they're not very willing to take risks to have their, you know, they have their head on a chopping board if something goes wrong.
So this is changing. Luckily the last 20 years it has changed a lot, but in some more, in some older and more traditional companies here, it's still like this, where people don't dare to make changes, don't dare to take and by taking risk, I mean, I'm talking about using a different approach for security or buying different products or testing new methodologies, you know, this kind of things.
And I think this is the part where Singapore and the rest of Asia can enhance.
Obviously, traditional organizations, very different from the tech new players like Lazada. Are you seeing similar kinds of things there? Do they take more risks? Do they have more appetite to try different things?
So yeah, some startups are taking crazy risks. Some of the unicorns including Lazada were taking, crazy, crazy risks, I mean, as far as a CISO is concerned. Of course, compared to other startups of their generation, there was a lot of security built in and whatnot. The engineers that worked there were smart and security conscious. So it's not like the company was naked.
But yeah, I think that the startups of today take a lot more risks, but sometimes without thinking about the consequences. You always need a measured approach. I mean, it's the same within our own company, right? I mean, we come from a security background, so we want to put security everywhere within our own corporation, but we can't be doing too much of this at our stage.
Otherwise, it would completely stifle creativity and the pace of releasing a new product. So, now, of course, the product itself is very secure because it's the center of excellence and that's the target that the product's trying to achieve. But can we announce the internal security in terms of the people-centric part of it?
Of course, we can, and we will when the time is right.
How do you think, and particularly organizations that are either new, so this is gonna be obviously all of the startups that are still very new to cybersecurity and might not have a lot of the processes that more established organizations have.
But also, you know, obviously, in our field, we're seeing a lot of organizations migrating to the cloud and the cloud is very new and so I take a lot of parallels there because I feel like it's kind of the same. You're starting from zero in a way, in that field. How would you suggest people approach that?
When you start from zero a company, I would say the most important advice I can give you is keep in a file somewhere, the list of things that you have the list of accounts you open with the various SaaS and PaaS, because before you know it, you have 20 and six months later you don't remember which account you have on which PaaS.
And those will come bite you later on, you know, so it is very basic, but asset management to me is still the number one problem in every organization, large or small.
You know, when I was CISO at Lazada, I was struggling with asset management because we were really, really, deployed everywhere in six countries and in big and large locations in those countries. It was really a challenge, but at the same time, I discussed with my friend from the large established banks, and apparently they, too, had some servers they were not aware of and so on. So, I had a little bit of a grin on my face, feeling a little bit better, but I wish that onto no one. So, obviously asset management to me is the most important.
And the second part is the people. So if you start a new company now, remember security is PPT: people, process, and technology. The T is last. Let's make no mistake on that. If the people are more security conscious, the T can come last, but it says if you want to do a full circle, it will be people, process, and technology.
And always start with simple things that have a high value, the so-called low-hanging fruits, there are plenty. So key assets management, be tidy in how you code, even if you're not a good security coder. If you code properly, it will be more secure than if you don't, and so on. So it's, it's all little things at the beginning of a company that makes a big difference later, I think.
So it sounds, start with the basics. Start with the hygiene, think people first. If you don't have, like, get people that are thinking about security rather than getting tools to try to help fix a gap of people that are doing all the wrong things. Okay. Cool. I think that's very much in line with how we think of things, which is don't bite off more than you can chew. Take it easy.
And keep it simple as well. The KISS principle is still key in security. Absolutely.
Yeah. One thing that we sometimes see is some organizations that want everything so customized, you know, and I imagine that you might see this in my past history, had people asking for very specific combinations of password complexity requirements.
It needed to be very specific, you know, nine characters, not eight or 10, nine, with these specific characters considered special characters, and we couldn't convince them by any means that they could just accept the eight or 10 that we currently have. So hopefully, you know, people will be a little more understanding in the future about the fundamental pieces rather than the details that we sometimes get a little too focused on.
Absolutely. But talking about detail for this particular problem, what a vendor can do is to offer more API and callbacks. So for this, you could have a callback back to the customer for them to validate the password. And, often when making APIs, people forget about callback, where you can let the customer decide how they want it by just calling back their code when big, when, signature, I would say that, that I imposed on Lazada was automating everything as much as possible because we were a very small team for very large organization.
And so the more we automate, the more we can do. Right? And to automate, we had to query from APIs. We had to even use Selenium to get to web UIs that didn't have any APIs.
So you should develop a product today, if your listeners are developing a product today, yeah, think about the APIs. The product, as you said, will never be alone in a company. There will always be an existing ecosystem and you can't be thinking about how to integrate with everything. Of course, you should and do the most, but the customer knows better.
So let the customer do it themself through an API.
And we've even seen like, some, the emergence over the last few years of some companies that are kind of API only. It's like their whole product is an API. So it's definitely a nice area that we're seeing.
Well, thank you so much for being with us today. Before we end, is there something that you would like to tell our listeners today, if there's one thing that they should be focusing on in their career and information security, what should it be?
To me, if you wanna do information security, you have to know how to code. Across my career, I've seen a lot of InfoSec people that do not know how to code.
It's okay if you don't code anymore, but if you've never coded, get to it. Even if you will not use it every day, it will make you understand a lot of things. Like I said, it's PPT, but the T part now is overgrown, you know, and it's over already complex. And so everybody now focused on the T, the PPT.
And to really understand the T part of PPT, you have to have some coding experience. You have to understand how an OS boots even. People don't even know that. So focus a bit on that. That'll be my advice. Yes.
Perfect. And there's a little bit of like coming full circle here compared to earlier in our conversation, which is, you know, understand things deeply.
Because without that, you know, you're kind of scratching the surface and you're gonna be beaten by any other adversary that has ...
Hackers don't scratch the surface. Hackers know a surface inside out. Exactly. So if you only scratch the surface, Yeah. It'd be an easy target.
Cool. Well, once again, thanks for coming on to the podcast, Fabrice. I thoroughly enjoyed our conversation and I hope you did too.
To those listening in, thanks for tuning in once again. This is the Ask A CISO podcast, and this is Raphael Peyret signing off. Thank you.