CyberArk CEO Defends Against Insider Knowledge

In another life, Udi Mokady worked in an Israeli military intelligence unit. Understandably, it’s a CV line item that interviewees tend to dance around with some care, but he does disclose one insight: “Even organisations with the ability to spend like a military [organisation] focus on the walls and think they can trust the inside.”

That way of thinking has been exploded by the Edward Snowden revelations, when the IT contractor was able to access and make available information whose ramifications are still reverberating around the White House, the US and the world beyond. IT is still absorbing the lessons, many of which centre on a return to an older philosophy that says the ‘enemy within’ is the biggest opponent of those charged with protecting information. If we accept that is the case, then building perimeter defences and firewalls to deter outsiders is no longer sufficient.

Mokady couches his thinking in terms of a wealthy householder wanting to protect his or her most precious assets.

“Let’s look at the physical world. You don’t focus on strong doors; you lock up goods in a safe and have motion detectors if people get inside.”

He’s right, even if, as the CEO of US-headquartered security firm CyberArk, he is biased. His 14-year-old company’s unique selling point is digital vault software that lets organisations’ most prized data be cocooned even from perpetrators that have, by invitation or stealth, made it into the inner circles of companies and public institutions. It’s a technology much in demand to protect data and meet tides of regulatory activity that make the need for information governance ever more pressing. And it points to an absurdity in the way many companies continue to think about security.

“Wait a minute, your IT people can do anything with your financials and you’re worried about what the CFO might do?” Mokady asks. “Snowden clearly shed a light on what an insider can do. There’s been a big disruption in advanced threats. Antivirus and firewalls were good for the hacker in pyjamas reusing a virus but they weren’t meant for [defending against] a team in China or another state, or an organised crime gang… and it’s much more rewarding to rob a bank from a nice air-conditioned office rather than using bullets.”

Naturally, security firms like to paint a negative picture where demons lurk behind every curtain but that doesn’t mean they’re not right and Mokady insists his people are not rubbing their hands in glee at the current precarious state of information security at the highest levels.

“We don’t rub our hands because it’s almost like there’s a flu and it’s better the media is talking about it rather than us,” he says. “But if you stay focused you can penetrate any organisation. The rise of social networks is a big change: you can look at LinkedIn and find employees in your circles and send them false mails they trust. You have to defend in depth and even when you’re looking at billions of dollars spent on information security, the organisations involved were focused on the first wall.”

Mokady believes the new face of the modern attacker wears a patient smile and says he has seen cases where persistent attacks have gone months, even years, undetected. Perhaps, I suggest, it’s time to end the libertarian IT era and get back to laying down the law: stop employees using social networks, get rid of softie BYOD plans, think about what DEC’s Ken Olsen would have done…

Mokady isn’t having it, and suggests the genie left the bottle some time ago.

“That war is over. The job of the CIO is to enable [user productivity] and protect what matters. The CISOs have to assume that bad guys can get in and yet still protect.”

Mokady agrees that the US and other countries found to have highly invasive approaches to watching computer users will need to establish new bridgeheads and redraw the lines as to what is an acceptable and sensible eavesdropping policy. But he also believes that arrogant software companies selling suites of software are no cure-all. It’s going to take multiple layers, numerous technologies, educating employees, enforcing policies and more to create best-practice approaches.

What of CyberArk itself? While many security companies tend to pursue an SOS strategy (‘Sell Out to Symantec’), Mokady says he wants to build a long-term company from his current 300-person base. He is comfortable with being a midsized operation that still has the freedom to innovate through smallish teams that are “driven, like a startup”.  

The company has an Israeli R&D and management core but is headquartered in Boston and Mokady resists any idea that it is a transplant.

“You can’t say CyberArk is an Israeli company, it’s a global company,” he says. “A customer requirement in Singapore becomes one in Kansas City or Milan.”

However, he is proud of his company’s Israeli roots, saying that the country has prospered in tech because of a unique boldness in outlook.

“There’s no shame in failure in the Israeli culture, it won’t prevent you raising money the second time. Life’s too short so if you have an idea, go for it — that’s the culture. The military matures you very early so at 21 you’re rushing to do something and people leave the army with a profession. You can say anything in an Israeli company and so you get information feeding up. It could be that bad neighbourhood thing again, but there’s not time [to pussyfoot around], nobody’s royal. There’s no ‘I can’t say that to my boss’.”

In a similar vein, in the post-Snowden world, it’s impossible for the honest CIO to tell the CEO, ‘We’re covered, we’ve blocked all the threats from outside.’ Physically or virtually, the enemy might already be inside.


Martin Veitch is Editorial Director at IDG Connect
