CyberArk CEO: Military-style hackers need collaborative vendors

It’s a beautiful sunny May morning, as I meet Udi Mokady, President and CEO of CyberArk, at the company’s London offices in Southwark. This is the day after the release of its Q1 2016 financial results and despite being up till 3am the previous night, Mokady and his team are in buoyant spirits. 

“It was a great result,” Mokady says grinning. In fact, the figures show that total revenue was $46.9 million – up 43% on the first quarter of 2015.

CyberArk launched in 1999 (“nobody used the word cyber then,” says Mokady) and went public in 2014. Despite a fluctuating share price, the company has seen a lot of positivity from the investor community, and this is largely down to the fact that it holds such an important niche amongst security firms.

Its focus is privileged account security – so locking down the admin passwords that underpin any business – while around two years ago it also added detection to its arsenal. This makes its solution supplementary to standard firewalls – someone has to control the passwords to those too, after all – and means it is not competitive with all those security companies that monitor everything.

“We only alert you when something super meaningful happens… and when they have the keys to the safe,” explains Mokady.

This is particularly pertinent because over the last few months security has finally begun to move from a shadowy background activity to centre stage. The CISO has achieved greater strategic importance within the enterprise than ever before. And cybercriminals have become increasingly professionalised.

“Military grade weapons are making it to the streets,” says Mokady. “Nation state style cyber weapons are [now] available on the black market.” And all the high end threats are “trickling down into the crime arena”.

This arms race is unlikely to end any time soon and Mokady believes “our grandchildren will be able to work and invest in cybersecurity”. Yet he also feels that companies are still missing a trick to defend themselves and lists the top three mistakes they make as: failure to defend themselves on the assumption of a breach (although this is changing); failure to cover the absolute basics; and (more broadly) that “there are not enough partnerships between [security] vendors”.

To help promote these partnerships CyberArk launched the C3 Alliance at the end of April where 14 initial vendors – including security companies ForeScout and FireEye – integrated CyberArk into their systems.

“You need to make the systems talk to each other,” explains Mokady.

It is, of course, very easy to see how a company with a niche, top of the range solution, might take this view and an alliance of this kind certainly helps promote its solution. Yet it is also true that as the cybercriminals become more militant and breaches become more mainstream this viewpoint is extremely sensible.  

After all, the issue of security has stretched to become far broader than merely security itself. Now it also feeds into numerous other related areas – like the big thorny area of privacy. In fact, as Nok Nok Labs CEO and PGP Corporation founder, Phil Dunkelberger, succinctly told me recently: “This [whole] problem is too big for any one company to solve.”

At present there is also a serious issue with “security breach shaming”. However, Mokady does feel this is improving, in the US at least, where they have a slightly more moderate response. As he puts it they have “a little more understanding that a focused hacker is going to make it in”.

There is also a tendency to take compliance regulations to the letter rather than thinking about what they really mean in practice. Mokady describes some ludicrous situations where large companies are audited and yet only ensure they are compliant in specific geographies without thinking how other points of access might prove equally weak to the entire organisation.

But where else are there chinks?

“Nobody has written enough about how millions of documents were leaked in the Panama papers,” he says. He adds that law firms are very far behind in security “compared to corporations”.

While another underinvested area is healthcare. “That vertical doubled [for CyberArk] in the last year,” he says.

This may not come as too much of a surprise as there have been a number of very high profile reports around hospital breaches recently. And as Mokady points out personal details are “more valuable to a hacker than credit card details” because they are truly linked to identity.

In fact, while the initial batch of data might be sold as a job lot by a hacker on the black market, this information can easily be bought by a secondary party who then profiles the data – like a marketer might – from LinkedIn and Facebook to sell a more complete identity.

The security stories talked about are usually the sensational ones, concludes Mokady. There “should be more on the day-to-day stuff too”.

