Q&A: Amit Yoran On Leaving RSA, New CEO Role At Tenable And 2017 Security Predictions

New Role For Yoran

Last week, RSA CEO and industry thought leader Amit Yoran announced he was leaving the Bedford, Mass.-based security vendor to take a role as CEO at Tenable Network Security. The news comes less than four months after RSA was acquired by Dell, as part of the EMC Federation. In an interview with CRN, Yoran discussed why he decided to leave RSA and the opportunity he sees at Tenable, which offers a vulnerability assessment and management platform.

"It is a really fantastic opportunity and I am joining the company at a really exciting time. It's awesome," Yoran said. Keep reading for a taste of Yoran's plans at Tenable (both for the technology and the channel), his thoughts on what is next for RSA and some 2017 security predictions.

I'm sure you had a lot of options - why did you decide to jump to Tenable Network Security?

There is no shortage of exciting things happening in the security market. The way I look at it there are three fundamental trends that are impacting the security market, with strategic impact on the market. The first is you have this incredible evolution of the threat and professionalization of the threat… The second trend, and maybe as a result of some of these high profile breaches, is you have senior business executives - non-security and not even IT folks - asking questions about security… The third is you have got organizations really recognizing that, in order to be competitive, they have to embrace and adopt new technologies at a faster pace and more aggressively than they have in the past if they are going to be relevant or even competitive at all… As these things come together, one of the most powerful questions being asked of the security community today, and of CISOs today is: how secure am I? How exposed am I? I think given Tenable's technology base and position, they are almost uniquely capable of answering that question… and helping the CISOs move from a gut feel or a fear, uncertainty and doubt message to something that is metrics driven, and defensible, and approximates reality. It's a really exciting company and an exciting opportunity.

Tenable has already been on a pretty strong growth trajectory – what are your plans for continuing that as CEO?

The company has a really solid strategy. I think job No. 1 is to continue to grow aggressively as they are today in the core threat and vulnerability management market. Tenable, again, is an incredibly strong player there and has a pretty cool set of announcements we will be making early in the new year with new capabilities and exciting capabilities to further the company's lead in that market, which is a sizable and rapidly growing market.

As you come in as CEO, what's the role you see for the channel at Tenable?

The good news is Tenable had a strong history of working successfully with their channel. I'm a firm believer in channel-based distribution models. If you look at some of the aggressive transformation at RSA over the last couple of years, a lot of that has been to re-orient RSA so all of the net-new business and the expansion business was going through a channel-based distribution model. Given that that is already the DNA of Tenable, it is certainly my belief that is the way to go. The channel plays, and will play, an increasingly critical role in Tenable's future.

Are the channel partners the same type of partners that you would have worked with at RSA?

I haven't spent a lot of time looking at it, but I would imagine that there is probably a lot of overlap and similarity. We're obviously bringing different, non-competitive technologies to the table from RSA. But, if they are VARs, resellers, channel partners in the security space who are helping their organizations go through technology transformations and business transformations and leveraging new technologies, then I would imagine those are going to be very consistent between Tenable and RSA.

Why the change now from RSA?

I believe very strongly in the RSA vision. We have built a fantastic, world-class leadership team at RSA. I think the company had potential. It wasn’t really a matter of now is the time to leave RSA, as much as meeting with the Tenable team and understanding more about the vision and potential for the company and the investors and believing that this was a great opportunity for the company and what I wanted to take on.

How has the integration with Dell affected RSA to date? Where do you see it fitting under the Dell umbrella going forward?

RSA currently reports to Dell-EMC… So RSA continues to report to Dave Goulden. I would speculate you would have to talk about whether that will change in the future or not. RSA's mission remains what it is, unchanged by the ownership by Dell. The customers have their requirements and the technology steps continue to advance. There really hasn’t been a whole lot of integration efforts. It remains focused on the security market and the security buyer and security capabilities.

I talked to RSA yesterday and they said you would be involved in the transition to the next leader – what will you be looking to emphasize with them?

RSA is one of the largest security companies. It has lots of customers and operates in many different market segments. It really is just ensuring we have a strong continuity from a leadership perspective. RSA has built a great management team and I don't anticipate this to be very disruptive to RSA's efforts and momentum.

Will you still be speaking at the RSA Conference this year?

I will definitely be at the Conference! I would imagine RSA will probably have a different speaker open up, but I don't know if that decision has been made yet or not… It is a time consuming and stressful opening. I think last year we had 40,000 attendees. I'll be happy to kick back, have a beer and talk about security, rather than having to go through the keynote prep.

How do you plan to keep Tenable ahead of the curve as the market for vulnerability assessment and management matures?

People, people, people. You have to have the right team of folks talking to security research on what are the emerging trends and what are the latest security capabilities and vulnerabilities and how do you search for them and evaluate risk and exposure to those vulnerabilities. But also, [you need to look to] the customer base. Tenable is one of the largest security companies with over $100 million in annual revenue and thousands and thousands of customers… Keeping an intimate relationship with those customers [is key] - [finding out] what's working for them, what's not, and how their technology and usage of technology is evolving. [We want] to make sure we are helping customers, not only in their traditional enterprise use cases, but also helping them… when it comes to how they embrace cloud platforms and/or how they embrace containers and making sure the DevOps activities are done in an extremely tight-risk managed way.

As you look forward for Tenable, do you have any particular short term or long term goals?

There's a lot of opportunity. I would say agenda item No. 1 at Tenable is to keep the momentum that we've got going. It is one of the few security companies that I would say have achieved great scale, with thousands of customers and over $100 million in revenue, a great business and is also growing very aggressively. We will want to make sure that anything we do is not disruptive there… There are also a number of really exciting ways the company is already evolving. There will be a couple of announcements early in the year. That is a really exciting thing. As customers' use of technology is evolving, giving people an appreciation for how exposed they are and at risk needs to evolve… We need to make sure Tenable remains on the leading edge of those changes and bring that risk perspective to the CISO and the business leadership. That is going to be critical to the company's success going forward.

What do you think has allowed Tenable to gain that scale and success to date? I feel like a lot of startups struggle to get to that next level in the security space.

I think one of the key things is knowing who they are and staying true to that and not chasing so many different markets and so many opportunities. There's so much happening in the security space, but being focused and deliberate has absolutely been key to success for Tenable and will be key to success going forward. As the company expands and grows, we have to ensure the things that we do are true to who we are and how our customers' use of technology is evolving to make sure we stay on the leading edge of delivering those answers to the core fundamental question that we're dealing with, which is: how exposed are we? How vulnerable are we? How at risk are we? That question is just one of the primary questions for security teams today. That is the question that Tenable answers.

What other startup areas do you find interesting right now, other than Tenable and vulnerability management?

I think there are a lot of exciting things happening in the security space. The real question from my perspective is where do you find the security companies that can achieve the scale that a Tenable has been able to achieve. From that perspective, a lot of the security startups are going to fail to become attractive businesses. That’s why I believe in 2017 and 2018 we will see tremendous shakeout and consolidation because they will have a difficult time getting funding as the financial markets have changed and public companies have changed significantly in the security space… A lot of security startups are really interesting features or component features but they really aren’t companies, they are technology sets that are attached to or should be attached to a feature of a different product. In my mind, things like [the user behavior analytics] space are a great example of this… My perspective is really that there are few companies, like Tenable, which have built great businesses in their scale and remain incredibly high-growth companies that are sustainable over an extended period of time.

Any predictions for 2017?

I feel like we're living the 2017 prediction watching the Yahoo [security breach reports] and the election accusations play themselves out.

The only other one I would add to that is: we saw a little bit in 2016 with IoT and the attacks on Dyn and the Krebs on Security site. I think what we will see is increasingly compelling examples of real failure occurring between the physical world of IoT, whether it's industrial or consumer, and the cyber domain. If IoT infrastructure was used to attack the cyber world, I would say you will also see the inverse of that, with cyber infrastructure being used to take out physical devices and physical systems causing significant harm. The industry has been talking about this stuff for a long time, but I think these days are upon us.