Behind the Scenes: A Conversation with Virsec's CTO of the Year

Several weeks ago, we were thrilled to learn that our Founder and Chief Technology Officer, Satya Gupta, was named CTO of the Year in the 2021 Global InfoSec Awards

 For the last nine years, the Cyber Defense Magazine Global InfoSec Awards have recognized companies in the information security space who demonstrate a unique and compelling value proposition for their executives, products, or services. Satya was selected for his work in helping the industry change its thinking about traditional cybersecurity solutions and accept that modern threats demand a more robust and proactive solution.

As a company, we would not be where we are today without Satya's leadership and direction. He is a tireless advocate for advancing cybersecurity innovation, standards, technologies, and education throughout the industry. Beyond that, he drives the basis of our creations and holds 48 patents in complex firmware architecture with products deployed to hundreds of thousands of users.

In honor of Satya receiving this prestigious award, we sat down with him for an in-depth conversation about his vision for cybersecurity, what drove him to create the Virsec Security Platform, and what he sees as the most significant challenges leaders today face.


Can you describe how you came up with the idea for the Virsec security solution?


The seeds for the Virsec Security Platform were planted in my mind when the Slammer Worm first started infecting millions of endpoints every day. At the time, the dominant cybersecurity companies responded by frantically releasing signature updates every 10 minutes. Attempting to fight a polymorphic worm that was rapidly mutating was like taking a fire extinguisher to put out an inferno.

That was when it dawned on me that all those cyber defenders who rely on "profiling" attackers' techniques through the signature of network or system call behavior were in an asymmetric battle that they had zero ability to win. Ever. An attacker can create new malware orders of magnitude faster than defenders can analyze. 

“All those cyber defenders who rely on "profiling" attackers' techniques through the signature of network or system call behavior were in an asymmetric battle that they had zero ability to win. Ever.”

Another significant realization I had at the time was that to succeed, an attacker must be able to either generate or execute code of their choosing on the victim's compute instance. Therefore, one reliable way to stop bad actors in their tracks was to determine whether the executing code came from the application's developer or was influenced or generated by a bad actor. If the answer to that question was someone else, the application could be considered under attack. In today's parlance, this concept can be described as Zero Trust for application workload protection which must take place at runtime.

What has made you successful in the CTO role with Virsec?

It is tough to put my finger on one thing alone. What helped me most, personally, was a lot of listening to potential customers as well as my colleagues at Virsec. They have all helped shape my thinking immensely, and for that, I will be forever thankful. I've also focused on prototyping and not be disheartened if it didn't succeed at first. Also, I've had a lot of support from my family, even as I spent countless hours in front of a computer.

What do you consider your most significant professional achievement?

One very ambitious goal was to deliver security controls that wouldn't drown the end-user in an ocean of false positives and allow the security control to invoke protection actions in real time. I am happy to say that we have come very close to achieving this goal. It has been very gratifying to see how hundreds of highly skilled white hats who worked for extended hours were unable to pierce the defenses of the Virsec Security Platform.

What is the biggest challenge facing CTOs in the high-tech market today?

Thanks to time-to-market deadlines, a startup operates in a highly competitive and dynamic environment in which success must be achieved in impractical timeframes. A startup CTO must keep the team focused and motivated even as the customer's needs and market forces evolve and ensure that a desirable product is delivered on time.

Where do you see the cybersecurity market in five years?

 With each passing day, cybercriminals are upping their game and breaching applications deeper in the runtime. In the next few years, I envision bad actors will attack deeper into the compute pipeline across the web, host, & memory levels and within running container images. We are already beginning to witness CPU flaws (such as Meltdown and Spectre) described in academia. I expect cybercriminals to get into the exploitation act soon.

While workload protection controls are also evolving, the divergence between the attackers' and the defenders' abilities keeps widening with each passing day. Today, CISOs have tried to address this gap in capabilities by embracing a defense-in-depth strategy. But even as that strategy fails increasingly, I see CISOs questioning the wisdom of this approach and starting to eliminate those security controls that cannot demonstrate immediate and precise protection.

For years we have been told that better software development life cycle (SDLC) practices result in better security outcomes. While this may be true and may be a necessity, it certainly isn't sufficient. Vulnerabilities in the code of the very largest independent software vendors (ISVs), who spend billions on secure software development lifecycle (SSDLC), are burgeoning and are successfully exploited more than ever before.

I expect that the software market will not be a sellers' market anymore, and we'll see the attitude of customers and governments worldwide shifting towards Independent Software Vendor (ISVs). Legislation could make it more difficult for ISVs to escape the consequences their end-users suffer. This potential impact is especially pronounced in the critical infrastructure sector, where the ISV doesn't permit their customers to deploy preferred controls outside of what they provide and/or claim to support by dangling the threat that such an action would void the warranty.

I expect to see central processing unit (CPU) vendors plugging gaps in their architectures that facilitate deep CPU cache-based attacks. I also see them building smarter telemetry to facilitate even more runtime efficacy into application-aware workload capabilities that VSP is leading the industry in. . Overall, the future ahead is a massive fight that must be fought together and at multiple levels. 

Learn more about Satya and the Virsec team and our vision for the future of cybersecurity.