CyberArk, the information security company, recently launched its new logo. The logo does not just represent a cosmetic change for the company, founded in 1999, rather it signals the revolution that is underway in the information security world. CEO Udi Mokady, who founded the company along with Alon Cohen, wasn’t paying attention and was photographed beneath the old logo that is on their office building in Petah Tikva. Afterwards, he asked that the photos be scrapped, indicating that CyberArk is no longer the start-up it was more than a decade ago.
The new logo joins another, no less significant, milestone - the deal in which IBM acquired Israeli company Trusteer two months ago. Mokady has no connection to the exit, and his company serves a different market niche in the information security world, but the big acquisition lends added credibility to the possibility of another Israeli security company reaching the top.
“I am convinced that the problem of information security is substantial, and therefore I am not surprised,” says Mokady talking to “Globes,” commenting on the recent blossoming of the information security industry. “It is in keeping with the attitudes toward the problem. There are not many industries in the world about which you can say that that the entire industry has been rebooted and needs a fresh start. To say that after all the investments, amounting to billions of dollars, enterprises still do not feel secure is a revolution. There aren’t many industries undergoing revolutions.”
CyberArk’s own revolution, according to Mokady, began as early as 2005. At that time, the company shifted its strategic focus and decided to concentrate on monitoring and neutralizing privileged accounts in enterprise’s computing networks. These accounts - through which people who should not be exposed to sensitive information can access files and processes that they are not meant to see on the networks - are part of operating systems’ defaults, and they have played a role in a significant number of cyber-attacks during recent years.
Fourteen years ago, when CyberArk started out, the name of the company was taken from the manner in which it worked - creating a sort of a virtual safe that was intended to protect information that the enterprise shares with parties outside the enterprise’s computer network. Mokady explained their strategic shift: “We succeeded in that world, but our clients pulled us in a different direction. They said that they were troubled by the fact that employees in their computing departments could do whatever they wanted, with no oversight. At the same time, regulation grew, and stories about inside personnel leaking sensitive material were publicized, and they decided that it was negligent to operate in such a manner.”
The Chinese military attacks
Over the past year, which Mokady describes as “the year of the great revolution in the security industry,” there have been two dramas that dominated the headlines, and along the way provided a tremendous boost to CyberArk’s public relations. The first was a report by US information security company Mandiant, published in February 2013, which, for the first time, clearly identified a unit of the Chinese military - with details including geographic location and identities of participants - as responsible for hundreds of cyber-attacks on business targets in the US.
The report is quite frightening - it points to many years of intensive work, on the parts of thousands of soldiers working in computing, towards developing methodologies and tools for attack, all funded by the Chinese government. On page 34 of the report, one of the stages in the unit’s work strategy is detailed, and it is based on “enhanced” use of privileged account permissions - the very mechanism that CyberArk is trying to control - in order to infiltrate resources on the computing network under attack.
The second media drama was supplied by Edward Snowden, who exposed US government surveillance techniques employed for tracking its citizens. Snowden, who worked as a network security administrator at the NSA, said in a video that was released to the press that, in this role, he was exposed to many things he shouldn’t have seen. This was possible because of the privileged account used by the network administrator. According to Mokady, the Snowden story, in a roundabout way, turned into a promotion for their company, because it made explaining the importance of the product almost completely unnecessary.
These dramas turned clients’ attention towards more advanced solutions in the security realm, but there are also claims that the values that we are seeing in the capital markets and in private companies already indicate the beginning of a bubble. “I don’t agree that the high values indicate a bubble,” says Mokady, “These are real companies with clients, and clients who are in panic. The companies are receiving these premiums because the problem is real.”
There are quite a few new solutions in security; to what degree are clients willing to continue chasing the “next new thing” in the field?
“I think we can explain Check Point’s breakout in the mid-‘90s scientifically. It had to happen according to the timelines of developments in the computing world. The next changing point was in 2011, when it was proven that firewalls were not enough. Right now, we are experiencing seismic changes, because enterprises are realizing that the bad guys are leading in innovation. There will be an evening out of demand, but right now, the situation favors the bad guys, and there will never be complete calm.” Darwinism in the security industry
CyberArk’s numbers support Mokady’s analysis of market activity. According to estimates, this past year the company had sales of $60-70 million, with growth of 30%-40% in each of the past few years. The company is profitable, with 1,400 customers, among them some of the biggest businesses in the world. The company employs 300 people, roughly half of them in their R&D center in Israel, managed by Chen Bitan, and it is in the process of recruiting an additional 50 employees.
If we take into account the multiples in the Trusteer deal, or the market cap of listed company Imperva (NYSE: IMPV) (8-9 time sales), then CyberArk could reach Wall Street in 2014 with a respectable valuation of $600-700 million. “We are building a big company, and, after Trusteer, we can say that we are the biggest privately-held information security company in Israel,” says Mokady, “An IPO is a likely milestone going forward. The timetable has not yet been set, and it is not urgent to us. We will approach it from a position of power.”
As for the investors, of course, after 14 years, an exit would be good news. Two years ago there was a financing round in which $40 million was raised from Goldman Sachs and JVP, most of which was used to buy out the original investors, a sort of a “mini-exit.” Up until that round, in which the company was valued at $200 million, CyberArk had raised $30 million, and had received a loan of a few million dollars from Plenus.
Today, the primary shareholders are JVP and Vertex funds, and Goldman Sachs. “Goldman came to us when they were looking to invest in very profitable companies, and they were very impressed,” said Mokady, “I highly recommend to my colleagues who believe in a company and want to grow, to take long-term investors.” Along with Imperva, Trusteer, and Varonis, which is on its way to an IPO, CyberArk is on a very short list of Israeli IT security companies that “made it,” aside from Check Point, of course.
According to Mokady, “There were many companies in the field that did not make it, Mokady says. It’s important to remember that there have been two financial crises in the middle, and we had to be very flexible in terms of solving problems for clients, and not believing that only what we thought of in the lab would work. It was a kind of Darwinism.”
Published by Globes [online], Israel business news - www.globes-online.com - on November 4, 2013
© Copyright of Globes Publisher Itonut (1983) Ltd. 2013