Q&A: CyberArk CEO Talks Acquisition Rumors And Up-And-Coming Privileged Account Management Market

The Security Opportunity

Security is shifting and companies are starting to move beyond perimeter protections to adopt a post-breach mindset. That shift puts more emphasis on technologies like privileged account management, CyberArk CEO Udi Mokady said in an interview with CRN, and presents a huge new revenue opportunity for the company's partners. That opportunity is largely untapped, he said. Mokady also discussed recent strong earnings reports for the Israeli company, planned investments in the channel and recent acquisition rumors that said the company could be the target of the next Check Point buy. Take a look at what he had to say.

Tell me about yourself and CyberArk.

I'm the founder and CEO of CyberArk…We're a 15-year overnight success. We basically built a real company all these years and became profitable and fast growing even before going public in Sept. 2014. I started the company in Israel…We founded CyberArk to create a layer on the inside to assume that, at a minimum, an organization will have insiders that can attack it from within. For many years, we did very well on the growing demand for security against the insider threat. In the last three or four years, it's become well understood that attackers are becoming insiders and therefore there is a need for the layer here…Unlike other large channel-oriented Israeli companies, I'm based here [in the U.S.] and many of our executives are here. All of the R&D is based in Israel, but the company is very globalized…We're very big – we're over 650 employees worldwide and more than 2,500 customers. It's very exciting.

What's your 30-second explanation of what privileged account management is?

When we went public, I had to explain it to people maybe 50 times a day. Privileged accounts are the keys to the IT kingdom. They are basically administrative backdoors that are built into every piece of infrastructure because someone needs to administer them…It's a critical junction…Before CyberArk there was an assumption that bad guys would never get to the point where they can get to that access, but that is gone…In every one of [the big] breaches, the way they took over the data in the database, in the healthcare providers or in the network in Sony was grabbing hold of credentials, moving laterally within the organization and, like a Pacman game, moving up the chain to get access to what they needed…What CyberArk does is…allow customers to get a viewpoint of these thousands of unmanaged credential keys and through applying our software and products we secure them…and control access to those keys…and alert you on anomalous behavior.

How many partners do you have?

It's more than 250 worldwide. It's very global. I think the last number we put out was 200, so we've grown. We're very much focused on quality and not just quantity. Those 250 are in more than 65 countries worldwide.

CyberArk posted pretty strong growth numbers in its recent earnings. Can you talk about what's driving that growth?

We had great growth in 2015, with 56 percent growth in revenue…It's really the story of building a real company with a marketing leading product in a category called privileged account security. We worked hard all of these years to be the leader in this space and for many years it was either visionaries or highly regulated industries. In the last couple of years, it really flipped where multi-vertical and all industries are jumping on board. We were very strong in financial services and now we see a lot of healthcare, manufacturing, telco [and] government really taking off...We're unique in our category as a market leader, but we built it very agile and became profitable. We invested proactively in long-term growth.

What is driving more industries to suddenly jump into investing in privileged account security solutions?

I would say growing awareness that it's no longer just a bank that’s going to be vulnerable. Sony woke up basically every vertical because every vertical saw what happens in a [cyberattack] takeover. It doesn't matter what data you have. Anthem really turned the switch for the healthcare verticals and OPM [U.S. Office of Personnel Management] for the government vertical. I think that combination made every chief security officer in every vertical say you have to think with a post-breach kind of scenario. If I am breached, what am I doing to make sure that if I am infected I am not taken over? Privileged accounts are the key that allow a takeover over the infrastructure. They are in every piece of IT and it's how an attacker progresses a post-breach attack. It's also a measurable layer, so it's a technology and a solution that customers can put in place and actually show that they've done something measurable to harden their infrastructure. That's why partners like it – they can really add value.

Why is this type of solution a benefit to partners?

It's the full lifecycle and standalone layer that complements everything else they have in place. That's a benefit for the partners. If the customer bought Check Point or Palo Alto Networks or Splunk or others, we either secure credentials through those systems or can also feed alerts to those systems. It's a software solution, but it's a combination that lends itself to delivering services but it isn't too high on services…We kept it so that it's not very crowded for the channel. They have a good opportunity to make good margins. The over 250 partners we have is worldwide – you don't find a partner on every street corner. We look for enabled partners.

On your recent earnings call, you talked about how this is a largely greenfield opportunity. Is the market mostly untapped?

When we talk about the opportunity, we say it's the second inning. The first inning was the financial services and educating them and making that happen. We feel that we're in the second inning of this market, where almost every deal that we walk into, they have no solution in place. It's not because they're negligent, but because the market was investing in keeping the bad guys out and not in an assumption of a post-breach. They're just soft on the inside and that makes it a greenfield opportunity. In some cases, there may be some homegrown solutions or some legacy solutions, but in the vast majority of prospects and customers that we walk into we see that it is greenfield. If you multiply that by the diversity of the industries, it's really a wide opportunity.

A lot of big vendors are moving to this idea of being an end-to-end platform player – do you buy into the idea that a niche player can't make it?

I'll give you the middle ground. I think in the extremes. If you're really small and a point solution, the customer can't consume it that way anymore. If you're an all-in-one and you have it all, they know that in security you can't have that and you need that innovation because the hackers are innovating. I won't name them, but you know the legacy security players that are not innovating today when security really is the need: the classic former anti-virus companies and such. At some point, when you're doing it soup to nuts you're not focusing and you're losing it. I think we're right in that middle ground…We take a platform approach but we're not an all security. I don't believe in that – I believe in the middle ground and to be very friendly with your ecosystem.

Is an acquisition on the horizon for CyberArk? There's been some Check Point acquisition rumors.

I'll tell you what we've said formally, but I'll give you some fun color around it. Formally, we said we don't respond to rumors and naturally as a public company we can't. The nice fun color is that I attended the Cybertech Conference, which is a very big security conference in Israel, two weeks ago. I had a keynote session and two speakers after me was Gil Shwed [president] of Check Point. When he went up on the stage he nodded on his way up and said "Thank you Udi for the warm words. By the way, I can tell all of you that it is the first time that I've met Udi." That was some color that was given there. I've been talking about how we're building a large company. We're really on an exciting journey. That's what we're showing every day and every quarter.

What's your philosophy for approaching partners? Has that evolved in recent years?

I'll talk about the evolution. We really found that it's about a quality and mutual investment. Since we became profitable early, we've been able to show that if you invest we will invest…We're working to really make sure [partners] have better margins, more active deals and they will invest in enablement. We keep our share by giving them the leads but also co-marketing. We now have a global channel marketing function that's really getting a lot of attention and budget. Under that same paradigm is really to do more with the channel and reward those who invest more. Once they start, they see that it's a differentiated offering and doesn't compete with the other [big names] that they are carrying and allows them to combine and come as a trusted expert to their customers. In terms of investment, we've also put more feet on the street from a channel management perspective to really make sure we have regional access to connect between the sales forces and into our inside sales organizations.

What's on the roadmap for the year with investment? Any focus areas?

This is a year of investment. Unlike others that have to show a path to profitability, CyberArk has been profitable and with really high operating margins. On the other hand, we told the world that given that it's a greenfield opportunity, we're seeing that we want to continue to invest in R&D and continued innovation, but with access, to have more and more of our global reach with our feet on the street to support the channel and be close to the customers. We'll also be continuously releasing new products. Not all in 2016, but we have a history of really stepping up on our innovation. That's something that I'm really proud of. That comes from making the most of top, talented information security professionals.

Any trends in the security market that you're seeing that are interesting?

I would say definitely the biggest shift I've seen is people telling their bosses that they will be breached but the CISO [Chief Information Security Officer] saying it can be contained. Two years ago, [in that case] the next meeting would be with HR…That's a big shift in security. I think the other one is that there is a little bit of fatigue with detection for the sake of detection. There are a lot of alarms ringing…But what about securing? What about making your customer better off? I think there's a bit of fatigue on that…There will be a little bit more attention to the ability to respond and to block.