ExtraMile by SecureITWorld is a proclaimed interview series that analyzes the tech and cybersecurity ecosystem to identify trends and practices, driving the actual transformation. In every session, we feature the top voices and thought leaders from the industry to get expert-led insights on the leading advancements in the SecureTech space.
In today’s discussion, we are super excited to feature Erez Tadmor, the Field CTO of the pioneering connectivity governance and security firm, Tufin. The organization offers top-notch network security posture management solutions, assisting organizations gain better visibility into security, manage policy changes, and consistently enhance security across on-premises and hybrid environments.
Erez is a tech and information security veteran with contributions across cloud security, fraud detection, identity and access management, network security, and others. He aligns the customer, marketing, and product teams, as well as stakeholders, as the Field CTO at Tufin, driving advancements in network security and cybersecurity.
In the conversation, Erez will share the key lessons he has learned as a CTO alongside the struggle with fragmented policies. He will specifically highlight how Tufin helps organizations maintain continuous compliance. Our guest will further dive into Tufinnovate 2026 while assessing Tufin’s network security posture management solutions. So, let’s get started.
Welcome, Erez; we’re glad you could join us today!
1. From product management to product marketing and CTO engagements, you have led in diverse sectors. What are the key lessons you have learned along the way?
Erez. "One of the key lessons I’ve learned is that technology leadership is no longer only about building strong products. It is about connecting technology, market direction, customer reality, and business outcomes.
In product management, you learn to think deeply about capabilities, roadmap, architecture, and execution. In customer and CTO engagements, you learn something equally important: technology only matters when it solves a real operational problem and can be clearly connected to business value.
Customers do not buy features in isolation. They buy confidence. They want to know that you understand their environment, their risk, their constraints, and the pressure they are under to move faster without losing control.
Another important lesson is that strategy must stay close to the field. The best product and market direction usually comes from the intersection of customer pain, technical feasibility, and market timing. When those three align, you can create meaningful innovation."
2. As a tech leader, what is the single most common reality gap you see today between what CTOs want and what their network teams can actually deliver?
Erez. "The biggest reality gap is between the speed the business expects, and the level of control network and security teams can realistically maintain.
CTOs want agility. They want faster application delivery, cloud adoption, segmentation, zero trust, and now AI-enabled operations. But the teams responsible for network and security policy are often managing fragmented environments, legacy processes, inconsistent controls, and manual governance models.
The problem is not that network teams are slow. The problem is that they are being asked to operate at cloud speed with tools and processes that were built for a more static world.
That gap is becoming more visible as organizations move across hybrid cloud, multi-cloud, containers, and increasingly AI-driven operations. The business wants continuous change, but security and network governance are still too often periodic, fragmented, and reactive."
3. Many enterprises struggle with fragmented policies across on-prem and multi-cloud environments. How does the concept of a unified control plane help teams maintain a single source of truth without sacrificing agility?
Erez. "A unified control plane gives organizations a consistent way to understand & govern network access posture, and automate security policy across their entire environment. Most large enterprises today do not operate one simple network. They operate a complex mix of traditional data centers, multi-clouds, Kubernetes environments, edge networks, all with multiple operational teams. Without a single source of truth, every change becomes harder to validate, harder to audit, and harder to automate. This is a fragmentation problem.
The value of a unified control plane is that it allows teams to separate security intent from infrastructure complexity. Teams can define what should be allowed, what should be restricted, and what violates policy - regardless of where enforcement actually happens.
Done correctly, this does not slow the business down. It enables agility because teams can automate with confidence. When policy, risk, and compliance are understood continuously, organizations can approve and implement changes faster, with fewer blind spots.
This is where network security posture management is heading: not just visibility, and not just automation, but continuous control across hybrid infrastructure."
4. Compliance is often seen as a check-the-box challenge. How is Tufin helping organizations transition to continuous compliance, so it becomes a competitive advantage rather than a bottleneck?
Erez. "The traditional model of compliance is periodic. Organizations prepare for an audit, collect evidence, clean up policies, and then repeat the same painful cycle months later. That model does not match the speed of modern infrastructure.
Tufin helps organizations move from audit-time compliance to continuous compliance. Policy can be checked as part of the change process. Violations can be identified earlier. Teams can continuously prove that their network and cloud security posture aligns with internal standards and external regulatory requirements.
The real value is not only reducing audit effort. It is making compliance part of daily operations. When compliance becomes continuous, it becomes a guardrail instead of a gate. Application teams can move faster because they are not waiting for lengthy manual reviews. Security teams gain confidence because policy is continuously validated. Executives get better visibility into risk and readiness. That is when compliance becomes a business advantage: when it helps the organization move faster, with greater trust."
5. You have brought significant growth in Tufin’s automation products over the last decade. Beyond just speed, how is automation fundamentally changing how organizations handle network and cloud security policy automation optimization?
Erez. "Speed is important, but it is only part of the story. The bigger shift is that automation moves organizations from manual task execution to policy-driven operations. It’s the agility. In the past, network changes were often handled ticket by ticket. Someone requested access, someone reviewed the path, someone checked policy, someone implemented the change, and someone later verified whether it was done correctly.
Automation changes that operating model. It allows teams to understand the intent of a request, evaluate risk, check compliance, design the right change, implement it, and verify the outcome.
That is much more than doing the same work faster. It changes the role of network and security teams. They move from manual approvers to designers of governance, policy, and safe automation frameworks.
The most mature organizations are now using automation not only to accelerate change, but also to continuously optimize their policy environment - removing unnecessary access, reducing complexity, eliminating risky rules, and improving security posture over time. That is where automation becomes strategic. It becomes a way to manage risk, agility, and scale together."
6. Tufin’s recent focus is on “Network Security in the Agentic Era.” How do you define Agentic AI in the context of network security, and why is it a game-changer for reconnaissance and defense?
Erez. "In network security, Agentic AI means AI that can reason over enterprise context, plan actions, and assist in executing security workflows - not just generate answers. That distinction is important. Traditional analytics can surface insights. Agentic AI can help move from insight to action.
For example, an AI agent in network security could analyze application connectivity, understand policy intent, identify exposure, recommend changes, validate compliance, and guide the operator toward remediation. Over time, some of these workflows can become increasingly automated, with the right human oversight and governance.
This matters because both attackers and defenders are entering a new phase. Attackers can use AI to accelerate reconnaissance - mapping environments, identifying exposed services, understanding paths, and finding weak points faster. Defenders need comparable speed and intelligence, yet, grounded in trusted enterprise context.
The opportunity is not to replace security teams. It is to give them leverage. Security teams need to see faster, understand faster, and respond faster - without losing governance or control.
That is why Agentic AI is so significant for network security. It can make security operations more proactive, more contextual, and eventually more autonomous - but only if it is built on a strong foundation of policy, visibility, and trust."
7. Tufinnovate 2026 is set to take place across North America, Europe, the Middle East, and the Asia Pacific in May. What are the key focuses of the event this year, and why should audiences consider attending it?
Erez. "Tufinnovate 2026 is focused on helping security, network, cloud, and compliance leaders prepare for the next stage of network security: hybrid complexity, cloud acceleration, automation at scale, continuous compliance, and security in the Agentic AI era.
The value of the event is that it brings together practitioners and executives who are dealing with the same operational reality. These are not theoretical challenges. Teams are trying to reduce risk, modernize policy operations, support cloud adoption, and prove compliance while the business continues to demand speed.
Audiences should attend because they will hear practical strategies, customer experiences, product innovation, and forward-looking perspectives on where network security is heading. It is an opportunity to learn how leading organizations are moving from fragmented policy management to a more unified, automated, and posture-driven approach."
8. As we look toward the 2026 innovation agenda, what is the one technology or trend that is not on everyone’s radar yet but will be a top priority for CTOs by 2027?
Erez. "The trend I expect to become much more important by 2027 is trust architecture for AI-driven operations. Right now, most of the attention is on AI capability: agents, copilots, automation, code generation, and autonomous workflows. But the more important enterprise question is not what AI can do. It is what organizations can safely trust AI to do.
That distinction matters. As AI systems move from analysis and recommendation into operational action, trust can no longer be based on user confidence or vendor claims. It has to be engineered into the environment. Enterprises will need to know what an AI system is allowed to see, what it is allowed to change, what context it used, which policies constrained it, who authorized it, and how its decisions can be verified after the fact.
By 2027, I think CTOs and CISOs will treat trust as the core design principle for AI adoption. Not trust in the abstract, but operational trust: identity, authorization, policy enforcement, explainability, auditability, and rollback. Without that, AI may accelerate decisions faster than organizations can validate them, creating a new kind of enterprise risk: high-speed action without sufficient accountability.
The next wave of innovation will therefore be less about autonomous AI in isolation and more about trusted autonomy. AI will need to operate within defined boundaries, with clear evidence, controls, and accountability. The organizations that get this right will move faster because they can trust the system. The ones that do not will either over-restrict AI and lose its value, or deploy it too broadly and inherit unmanaged risk.
So, the real priority will not be simply “AI-powered operations.” It will be building the trust layer that makes AI-driven operations safe, explainable, and governable at enterprise scale."
Discover More In-depth Interviews:


















