With the threat vectors looming large in the cyber-security space, there has been a need to address the concerns with advanced mechanisms. In an interaction with CRN, Rohan Vaidya, Regional Director of Sales – India, CyberArk shares about these solutions and how the company is leveraging upon them as services.
Could you elaborate your views on cyber-security and how CyberArk fits in as a solution provider?
Considering the past 10 years, cyber-security has slowly started coming in. Over the last two-three years, cyber attacks have become a viable business. According to estimates, globally there is a loss of about a trillion dollars due to cyber attacks. When looked at the last two-three years, most of the breaches were announced from the US organizations. In most of these breaches, they have published forensic results – things like why and how the breaches happened. Typically, the common underlying factor is that the Privilege Accounts or Domain Accounts have compromised. There are two types of accounts you would envisage as a normal user – user account and administrator account. If the administrator password is compromised, one can easily cause breaches. We at CyberArk, protect these accounts.
With numerous new technologies – such as cloud and Internet of Things (IoT) – coming in, any device having an IP address is going to be susceptible for a cyber attack, thereby increasing the scope for cyber security day-by-day. This makes it easier for the attacker to look at open areas and start penetrating. Traditionally, it was more of a perimeter security that we had created; we had formed a server and put network devices and a firewall around it, but then we got a lot of technologies which kept building on those pieces. Even after all this, there are still breaches. At the end of the day, if I look at the endpoint, the senior management – which travels a lot – becomes soft target for attackers. In the ransomware cases, the attacks were more on the endpoints, because these are easy ways. These are the areas pose a challenge from a cyber security perspective.
CyberArk started around 19 years ago as a startup in Israel. The founders came from a military background and started something for storing sensitive information. Over a period of time, we started building on the different parts of IT. Now the newest part is DevOps which is largely used by e-commerce companies.
We also work with most of the security vendors to align with them, in terms of integration. You have to be one step ahead of the attacker. It is now a team game, rather than just vendors. When we integrate with different vendors, the security posture becomes much stronger. We have something known as C3 Alliance, wherein we work with about 50 security vendors, and we have pre-defined templates which can be used for out-of-the-box integrations.
How is CyberArk positioned in the Indian market?
We have been in India for about four years. In 2014, we went public on NASDAQ, prior to which there was a smaller enagement from Israel as a normal startup – we had limited visibility. In early 2016, we created three theatres – North-end Latin America, EMEA and APJ. We re-started building our APJ organization and we have now five regions in APJ among which is the India-SAARC region. In India we started with a few customers.
In the last six quarters, the low-hanging fruits for us have been the IT and ITES verticals. The telecom space has been quite exciting for us, becaus that’s where there have been a lot of regulations and needs. Banking has been more mandated because of RBI regulations – we have public and private sector customers. Recently, we have had a lot of conversations with power and manufacturing companies.
The latest that we have approached is the e-payment space. We have about 45 active customers in India across these segments, of which few are critical in nature from the national perspective. Most of the Supervisory Control and Data Acquisition (SCADA) systems that are used by the power companies have been built on old Microsoft OS. Many SCADA systems are going on the IoT space. These are two of the areas we are focusing on. About 15-16 per cent of our customers have associated with us over the last 18 months.
How significant has been the role of channel partners in your growth story?
We have a 100 per cent channels-model, wherein we have a distributor and reseller network. Over the last 18 months, we have tried to create different capabilities from a partner perspective. One is that we have a value-added distributor who is able to more span out from all-India and SAARC perspective. The other is that we looked at certain partners that are good on the implementation and services part. This is still a very niche technology and understanding the IT and security landscape is more important, than understanding our products.
To a certain extent, we have been able to build these partners on the geographical level and verticalization. We have realised that some partners are good at the BFSI segment, whereas some are good at IT, ITES. The current space we are working is more on the geographical side. We have one layer of boutique partners who are focused on CyberArk services rather than the licence part. We also have the likes of HCL or Wipro who are our partners – particularly for large enterprise accounts. Then we have consulting partners working with us, more from the implementation perspective. Our professional services more towards creating a partner environment. We spend a lot of out time and energy for the enablement of our partners. Currently, we have about five boutique partners, three large SIS which are active with us. Three of the consulting firms are actively working with us on different opportunities.
Has this also called for getting onboard more opportunities for Managed Security Service Providers (MSSP)?
Till date the MSSP model we were offering, was like a half-hearted model. However, we realised this model doesn’t work in long term, so now we have an MSSP model on a beta stage right now. This allows us to do multi-tenancies. This provides flexibity in pricing and working on two MSSP models. We are in the proces with a few of our partners, in the beta testing phase right now.
Since you have a limited set of partners, are you looking at expansion?
Rather than the quantity, we are more focused on the quality of our partners. The technology is fairly unknown in the entire market place, so there is a lot of learning involved. It is also a machine-critical technology. We have been very selective in terms of partners. The enablement process is fairly cumbersome and requires a lot of investment from the partners in terms of time and people. If we have a case where the partner can’t support our customer, we have a critical problem. All the enterprises work round the clock and the first and second level support is provided by the partner. If the partner is not adequately trained, our customers will face a huge problem. That’s the reason we have been selective in nature. We will be choosing partners who are able to expand within their organizations.
Is the government piece missing in this entire gameplan of CyberArk?
In the first two quarters, we didn’t focus on the government. However over the last three quarters, we have bagged three large and significant national level projects from the government. This has given us the confidence in terms of our place in the government space. We have also witnessed a lot of co-operation from the government.
What is roadmap set by the company?
In 2018, we would work a lot on awareness, because in India it still is believed that this is a perimeter security-driven market. We have to amplify our message and work on those lines. There seems to be a lot of conversations on cloud integration, where everybody is going to move to cloud. We have come up with a solution, called Application Identity Manager, which is in the maturity phase. Going by our conversations in the industry, this would be an area of focus for us alongside end-point offerings.