Launched in 1999, CyberArk is one of the very first cybersecurity companies. This is the story of how they grew slowly for 15 years then rose steeply on NASDAQ
Two Israelis meet in high school, go to the army, and eventually launch a startup. While many sentences on our site have begun this way, few stories end with that pair of teenagers eventually leading a public cybersecurity company worth $1.42 billion.
But that is what has happened to CyberArk, which went public last year, raised $80 million for its IPO, and has since skyrocketed from opening at $13 a share to a height of $76.35.
Their road to success is atypical of most Israeli startups. Launched in 1999, Co-Founders Udi Mokady and Alon Cohen aimed to build a large company and resisted getting acquired along the way, pursuing slower, steadier growth instead. They cite Check Point, one of Israel’s most famous and largest security companies, as an early role model.
CyberArk, based in Boston and Israel, is one of the first cybersecurity companies ever. Originally created to protect access to sensitive information against users already within the network (also known as privileged account management), with early customers such as banks and insurance companies, CyberArk eventually expanded its offerings to shield a wider range of companies from outside attacks. Today, they provide automated detection of threats in real-time and ensure that once a hacker has entered a system, their damage won’t spread nor will they be able to gain control.
We had the privilege to speak with CyberArk’s Co-Founder and CEO Udi Mokady about what it’s been like to launch and run a public company, if there were ever moments that he considered selling CyberArk, how CyberArk plans to keep innovating its cybersecurity technology — including its recent acquisitions of CYBERTINEL and Viewfinity — and how he reads CyberArk’s dip in the stock market since their Q3 earnings report on Thursday, which was partially influenced by competitor FireEye’s poor Q3 results.
At this time of reporting, their stock is trading at $40.50, a $10 dollar drop since their Q3 earnings were reported. This occurred despite the fact that their revenue for the quarter was $40.1 million, 43.4% more than Q3 of 2014.
Laura Rosbrow: Were you ever close to exiting?
Udi Mokady: You considered it when you thought the exit was the only way to release investor pressure. There were moments when we were considering, that that was the only way. Some of it is legitimate because funds have their timelines and they need to see their returns. Some of the smaller investors weren’t aligned with us on this long term building.
I say that to CEOs: The ability to bring in mature secondary investments I didn’t know existed. This was the absolute best solution. You bring in investors to buy other investors, even at a phase where the company didn’t need it.
The turning point came in December 2011 when we were able to attract Goldman Sachs as a strategic investor to co-invest with JVP (in which they raised $40 million). JVP was in it for the long run. Any investor that wanted out, they could sell completely or partially. Everyone that stayed signed a pledge to support this management team to build a large company, it was really powerful. It was a recharge event. If anyone had financial reasons to sell they could, and whoever was staying was on the bus for the long run.
That really set the stage in investing in growth, in markets where the payoff would only be a couple of years ahead, in Asia, Europe, Eastern Europe, and our initial presence in Latin America.
Our global approach also helped us going through hard times. You had the meltdown of 2008, and in some crises, we were very balanced globally and between regions, and one region could cover for each other. Now we have staff in 23 countries.
What was it like personally raising the IPO?
It’s a little like a whirlwind tornado. You can’t remember where you were on a certain day. Everything is on steroids.
You don’t see your family or anyone else for two weeks on the road. I was just with my CFO, who’s a great guy, Josh Siegel.
The other effect was we were really greeted with excitement. There was no similar young technology company that was also profitable and showing growth. We achieved profitability more than 4 years ago and we were always striving for profitability in the early times.
We were also very unique in this new security layer, focusing on the inside. Investors loved our story, they loved that it’s profitable, the new approach to security, backed up by many years of building, and meeting after meeting, it dawned on us that it’s going well.
They brought us to 11 cities, from dawn to dusk in terms of the amount of meetings. You don’t look at the scoreboard. I didn’t ask mathematically how things are going until we got to the last night: We were massively oversubscribed with demand. That was very exciting to have that kind of reception.
The launch date was super exciting, one of the most exciting days of my life. It was also exciting seeing the team, my family, everyone else.
Now we’re five quarters as a public company. It’s really important to set off on the right foot. We feel really good about it.
It’s also important to tell employees that this is just the beginning, so if you weren’t around last IPO, don’t worry, it’s just the beginning. We have 2,000 customers, and now we’re aiming for 10,000 and beyond. There’s the feeling that this is a platform to really keep going.
What are the challenges of building a big company in Israel? How did you overcome them?
When we saw the post ICQ mentality, build it to sell it, that was the default. We were never infected by it. I think some of it was that we looked up to Check Point at the time. We saw that it can be done, just like other companies talk to us today. We weren’t asking for advice, but we looked at this as a possibility.
The second is the focus on customers. When the customers say to you, “Hey, we want you there for the long run,” that influences you.
Where you disappointed by the dip in your shares because of the FireEye announcement?
I talk to the team and myself: Don’t look at the share price on a certain day. It was odd this time and everyone was talking about the FireEye phenomenon, and we’re so very different and that will come out in the coming months and years. The big difference is that we’re a proactive security layer, we don’t need to respond to specific security or seasonality. There is some concern about seasonality and security.
FireEye was explaining that there was a decrease in attacks. We don’t need attacks to happen. We’re a system to put into place proactively beforehand so that when it does happen, it doesn’t cause a lot of damage. We know we’ll have ample opportunities to show how we stand out.
How has your IPO been so successful in a year in which most IPOs have not performed well?
We stood out as high growth and profitable. That was very contrary and unique. Investors always comment that they love that combination.
In security, the amount of awareness has sky rocketed. CyberArk stands out as a new approach to security but with the execution capabilities of a mature company.
Tell me more about your acquisitions: What influenced your decision to start buying other companies?
We told investors to take pride in our organic innovation, where we have launched growth innovation every 18-24 months. But then I told our team to step out of your regular, organic routines and see around if there are assets and technologies that make sense and create value for the customer bases. I advise that to CEOs, as a private company start doing “what if” drills, start looking at startups in adjacent security spaces.
I was pleasantly surprised that R&D was very embracing. They were curious, happy to meet other companies, even answered, “if we had that, we could do this.”
CYBERTINEL is entirely engineers, highly innovative and very familiar with how advanced attacks work. We wanted to infuse ourselves with that talent. They did early detection credential theft. That was our first. They were a younger company, with mostly engineering talent and advanced technology.
With Viewfinity, it was a more serious acquisition. They add a net of about 300 customers and not just engineering talent, but also operational, and sales and marketing. Geographically they were a no-brainer: They are also Boston-Israel based. We want to get it right, to make the first acquisitions really smooth, reducing integration risk and unite employees in both places.
From tech, they help us expand layer protection, from data centers and servers, to desktops, to laptops, to regular business users.
What key trends in cybersecurity are you seeing?
One of the things, looking at Israel, there’s a little bit of an over creation of early startups that aren’t going to make it on their own. Some are very innovative, but a customer can’t handle so many vendors. This creates an opportunity for someone like CyberArk to pick up more technologies over the years as well as developing our own organic innovation. We think we’re poised to benefit.
The other trend is understanding that protection against attacks is no longer to keep them out, which has been the top strategy for last 20 years. Actually, it’s proactive protection, and fine tuning detection capabilities and stopping an attack quickly.
The last big trend is continued adoption of cloud by enterprises. A lot of mid sized companies have adopted cloud, and enterprises have begun to expand into cloud. I think that’s going to continue. Some companies won’t move completely — banks won’t have their information on Amazon Web Services — but more of their assets will be moving there. Businesses will expect cloud providers and security vendors like us.
Are you of the opinion that you can’t prevent cyber attacks, just detect and ameliorate them quickly?
We are in the preventative space, but not in the sense that you’ll keep yourself from being attacked. Still hide those doors — why make it easy? If it keeps non-sophisticated intruders out of your system, why not?
But we are proactive protection from a post-infection. Assume someone will click on an infected email, and that someone will put in an infected USB. For example, when you fly on airplanes, others will sneeze, but it doesn’t have to knock you down. You can contain it and detect it so that you can [address it].
We are about advanced detection and amelioration. If you look at trends, there is a lot more to do there. You can help companies pin point the attack. We need to do all of that while their assets are changing, mobile is growing, they are expanding into cloud — that’s what makes this space very exciting. We are helping customers carry on their business while they change their ways.
Featured Image Credit: Facebook