Every week, CEO Casey Cammilleri interviews an expert leading the charge on empowering security experts and practitioners with the knowledge and insights needed to excel in the future of cybersecurity.

We recently spoke with Nir Rothenberg, CISO/CIO at Rapyd. Here are the top takeaways from the interview.

#1: Recognize the True Cost of Advanced Security Research

“A tool like Pegasus is so expensive to develop because you need the smartest people working on it nonstop. And again, think about what they're hacking: they're hacking iPhones and Androids. These are the best companies in the world, Apple and Google, you know what I mean? They've got the best quality — when's the last time you saw a good 10 for 10 bug bounty report on Chrome? It never happens. You know why? Because they sell for a million dollars, so they don't report it.

“So you need the best researchers researching iOS, researching Chrome browser, researching WhatsApp, researching whatever, finding ways to get into the phone. It's so expensive to use, even the richest governments can't use more than a select amount of very, very important targets. And again, intelligence is a messy game.”

Actionable Takeaway: Understanding the economics of security research helps organizations better allocate resources and set realistic expectations. Top-tier vulnerabilities command premium prices in the market, which means organizations must focus on practical defense strategies rather than chasing theoretical perfect security. Consider this reality when building security programs and determining research investments.

#2: Embrace Modern Security Architecture Over Legacy Defense Patterns

“A lot of companies are afraid of the cloud because, “What happens?” And yeah, it could happen, but what could also happen is that it lets you focus and have a lot of better security.

“And if you look at the companies with the best security in the world, the companies that are hardest to hack, they're giant companies that are cloud friendly and are very progressive minded and they're not focusing on chaining together edge firewalls or doing all this wacky stuff. Instead they're focusing on stuff like when Google did BeyondCorp and gave everybody a Yubikey to log in, that did more for security than chaining a million.”

Actionable Takeaway: Instead of maintaining complex networks of traditional security controls, focus on implementing proven modern security architectures. Study how leading organizations like Google approach security through initiatives like BeyondCorp. Prioritize strong identity management, zero trust principles, and cloud-native security controls over traditional perimeter-based defensive strategies that create unnecessary complexity.
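The takeaway above describes the BeyondCorp idea in one sentence; the following added example (not code from the interview, Rapyd, or Google) shows what a per-request access decision looks like when identity, authentication strength and device posture decide the outcome and the source network is ignored. The tiers, the 30-day patch window, and the `fido2`/`totp`/`password` labels are assumptions made for the illustration, and the requests at the bottom are constructed inputs.

```python
"""BeyondCorp-style access decision (added illustration, not a real policy engine).

Each request is evaluated on three things the interview calls out: who the
user is, how strongly they authenticated (a hardware key such as a YubiKey is
phishing-resistant), and whether the device is a managed, healthy one.
Where the request came from on the network is deliberately not a factor.
"""
from dataclasses import dataclass

# Assumed labels for authentication methods; only FIDO2/WebAuthn counts as
# phishing-resistant here.
PHISHING_RESISTANT_METHODS = {"fido2"}
MAX_PATCH_AGE_DAYS = 30  # assumed freshness window for a "trusted" device


@dataclass(frozen=True)
class Principal:
    user: str
    auth_method: str      # "password", "totp" or "fido2" (assumed labels)
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool         # enrolled in the fleet inventory
    disk_encrypted: bool
    os_patch_age_days: int


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str      # "low" or "high"


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple        # machine-readable denial reasons, empty when allowed


def device_trust_tier(device: Device) -> str:
    """Classify a device as untrusted, degraded or trusted from its posture."""
    if not device.managed:
        return "untrusted"
    if device.disk_encrypted and device.os_patch_age_days <= MAX_PATCH_AGE_DAYS:
        return "trusted"
    return "degraded"


def decide(principal: Principal, device: Device, resource: Resource,
           source_ip: str = "0.0.0.0") -> Decision:
    """Evaluate one request. `source_ip` is accepted only to show it is ignored."""
    reasons = []
    if not principal.mfa_verified:
        reasons.append("mfa-required")
    tier = device_trust_tier(device)
    if tier == "untrusted":
        reasons.append("unmanaged-device")
    if resource.sensitivity == "high":
        # Sensitive data demands phishing-resistant auth and a fully healthy device.
        if principal.auth_method not in PHISHING_RESISTANT_METHODS:
            reasons.append("phishing-resistant-auth-required")
        if tier != "trusted":
            reasons.append("device-not-fully-trusted")
    return Decision(allow=not reasons, reasons=tuple(reasons))


# Constructed sample requests for a stand-alone run.
SAMPLE_RESOURCES = {
    "wiki": Resource("wiki", "low"),
    "payments-db": Resource("payments-db", "high"),
}
SAMPLE_DEVICES = {
    "laptop-ok": Device("laptop-ok", managed=True, disk_encrypted=True, os_patch_age_days=7),
    "laptop-stale": Device("laptop-stale", managed=True, disk_encrypted=True, os_patch_age_days=90),
    "byod-phone": Device("byod-phone", managed=False, disk_encrypted=True, os_patch_age_days=1),
}


def run_samples() -> dict:
    """Evaluate a few representative requests and return their decisions."""
    key_user = Principal("alice", "fido2", mfa_verified=True)
    totp_user = Principal("bob", "totp", mfa_verified=True)
    no_mfa_user = Principal("carol", "password", mfa_verified=False)
    return {
        "alice-db": decide(key_user, SAMPLE_DEVICES["laptop-ok"], SAMPLE_RESOURCES["payments-db"]),
        "bob-db": decide(totp_user, SAMPLE_DEVICES["laptop-ok"], SAMPLE_RESOURCES["payments-db"]),
        "alice-stale-db": decide(key_user, SAMPLE_DEVICES["laptop-stale"], SAMPLE_RESOURCES["payments-db"]),
        "bob-byod-wiki": decide(totp_user, SAMPLE_DEVICES["byod-phone"], SAMPLE_RESOURCES["wiki"]),
        # An "internal" address buys nothing: the decision is the same as from anywhere.
        "carol-internal-wiki": decide(no_mfa_user, SAMPLE_DEVICES["laptop-ok"],
                                      SAMPLE_RESOURCES["wiki"], source_ip="10.0.0.5"),
    }


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:22} allow={decision.allow} reasons={decision.reasons}")
```

The point of the example is the shape of the decision, not the specific thresholds: every request carries an identity, an authentication strength and a device posture, and the policy reasons over those rather than over which VLAN the packet arrived on. Replacing the source network with a trusted-device check is what lets a hardware key do more than another layer of edge firewalls.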

#3: Transform Security Testing from Annual Event to Continuous Process

“I also found the constant friction is what makes the — friction is what you need to go faster. So again, too much friction, you can't move. But you just gotta get it right. And with continuous testing — and it could be bug bounty, it could be a tool — it should be both, honestly.

“But with continuous testing you get continuous friction, and then the organization feels you and you're not some CISO who goes to the board once a year and you're just some nuisance; you're a technical colleague that helps improve quality constantly. And then the R&D team appreciates you because they know that when you come, it's legit and it's constant. It's not like once a year in the pen test.”

Actionable Takeaway: Implement a comprehensive continuous testing program that combines automated tools with bug bounty initiatives to create productive security friction. This approach transforms security from an annual compliance exercise into an integral part of the development process, building credibility with engineering teams while consistently improving product quality and security posture.
