We're excited to introduce Karim Beldjilali, who just joined Nightfall as our CISO. Karim has over 20 years of experience working at large organizations such as New York Times, Sanofi, UBS and of late with rapidly growing startups such as Rightway. Karim brings deep familiarity with the Nightfall platform having used it in prior roles.
When Karim is not speaking at security conferences and ensuring Nightfall institutes security best practices, you can find him sitting at the piano playing Beethoven or Rachmaninoff, writing music of his own, or outside either in nature hiking, swimming, or exploring the concrete jungle that is New York City.
Thanks for joining us today, Karim. You’ve been in security for nearly two decades; how did you get into the field?
I actually started out as an electrical engineer, and after working in solitude in a lab for several months, I realized that I wanted to work with people too. So I pivoted to IT and became a developer, working in regulated organizations with strong security and compliance programs. This way, I could satisfy my desire of doing something technical while having an opportunity to engage with the people I was serving.
Every project has been a learning opportunity in security—not just the technical aspects of what we were doing, but also delving into the why behind the programs and solutions we built, all while navigating constraints. Figuring all this out is often like a puzzle that requires engaging my creativity alongside my technical skills. All of this is done in the spirit of care and protection for an organization and its customers. This is what makes security exciting, and it’s what keeps me passionate and motivated about this line of work.
That’s quite the career. What was it about Nightfall that attracted you?
When I first encountered Nightfall, I was impressed by its cloud integration, how quickly we could get up and running, and its ease of use. We could immediately see value, and I was impressed by the power of Nightfall’s detection engine. I could also inform and train users, which was a huge win for building a security-aware culture and lessening the burden on the security team.
This means that Nightfall is about scale, speed, and security, sitting right at the intersection of what every security professional cares about: practicality and utility, innovative and fast-moving, and serving to educate and raise awareness—not just for security team members, but for entire organizations, so that everyone is empowered to do the right thing.
It’s one thing to empower security professionals to solve a problem, like the issue of data spray in cloud systems. But it’s something else entirely to enable ordinary employees to work towards an organization’s security goals. Nightfall impressively does both of these things well. Practitioners use it daily to find sensitive data they may not have known lived in their systems, all while educating employees about proper data security policy. This is exciting because I think the future of security will require an "all hands on deck" approach; everyone’s going to be responsible for helping keep their organizations secure.
It is a tough macro environment at present, with increasing cyberattacks but decreasing budgets. As a CISO, what are the key problems that keep you up at night?
I had a professor that, even with decades of knowledge and experience, reminded us to always ask: “what else is there - what could I be missing?” It was an invitation to push ourselves to not only broaden our perspective, but acknowledge that blind spots always exist, and to seek greater awareness. I find that to be one of the core challenges in security: it’s managing risk in a constantly evolving environment, where we must always be trying to discover our blind spots and put mitigations in place. Add to that the macro pressures and resource constraints that security teams are often operating under, and we have no choice but to work intelligently, nimbly, and enable users to do the right thing while being able to do their jobs.
Nonetheless, sustainable security operations is something else that keeps me up at night. Teams are burning out with the burgeoning scope of their work. That’s why working at Nightfall is so intriguing to me - we are creating a product that brings awareness, educates users and allows them to be a part of the solution, and alleviates pressure on security teams by helping automate routine, but essential security processes.
That is super interesting, why do you think Nightfall is uniquely positioned to help address this problem?
As I’ve been saying, awareness is key, and that’s what Nightfall is all about - see what data you have, find out what you don’t know (whether it’s the type of data in your environment, or how it is used and moves in your organization), and bring that awareness to more than just the security team: educate users and let them be part of the solution.
How do you think technologies like Nightfall will shape the way CISOs like you approach their job in the future?
Nightfall is as much about raising awareness of data use and movement as it is about data protections, and security leaders have needed to become more and more aware of what the business is doing, how data is used, and how it moves throughout their organization. The work of security teams is interdisciplinary and relies heavily on collaboration - the hallmark of every high-functioning organization.
Interesting. I imagine that as a CISO you are constantly approached by vendors; how should they cut through this noise, and what do you look for when choosing a new solution?
Yes, there are lots of solutions out there, though I always take a little time to check out what’s developing - it’s central to our role that CISOs stay attuned to risks and mitigations. I use a three-part mental checklist when it comes to evaluating vendor solutions, where two of the three items must be met:
- Greater efficiency for our security operations - so whether that’s automation or putting all the information together for people to make the right call, we have to think of sustainability and scalability.
- More engaging and informative - not only do security teams need to be kept apprised, but to build an organization’s security-aware culture, informing and educating users is a must. That way we democratize security and develop trust in the organization to empower users to support security best practices.
- Effective in plugging the risk or vulnerability - while obvious, it has to do the job, and the deal is sealed if the solution scales to provide better coverage than what we currently have.
In the end, vendors are to add value, and that value must be measured beyond the transaction. It must be measured in how security best practices become more embodied in the organization. If a vendor meets the above trifecta, you know as a CISO that you’re building something that will last.