Olivia Hack
Welcome to Innovators and Ideas, an audio series from RBC Capital Markets where we engage with visionary leaders shaping the future across sectors. Today, we’re coming to you from RBC’s Global TIMT Conference in New York City. Joining us is Matt Cohen, CEO at CyberArk. Matt, we're eager to hear your perspectives on the industry and the trends you believe investors should have on their radar right now. why don't you tell us a little bit about what you do at your company?
Matt Cohen
Sure it's and it's great to be here. So Matt Cohen, I'm the CEO of CyberArk software. CyberArk is the leader in identity security. We've been around for 25 years. We're actually celebrating 25 years this year, 10 years as a public company. And we were founded on this idea of, if you could protect the most critical IT users when they were accessing the most critical IT infrastructures and systems, if you could secure that, you could protect against the total takeover, the what we used to call the taking over, the keys to the kingdom. What's actually happened since, over the last several decades is the very nature of what is a privileged identity has changed. It's moved from it to the workforce, to developers, even to machines, and our vision is to secure every identity with the right level of privilege controls. We call that intelligent privilege controls, so that organizations can actually survive and thrive in this threat landscape.
Hack
Fantastic. So your previous roles at CyberArk gave you an in depth view of the company's operation and sales strategy. How have those experiences helped you scale and expand CyberArk’s capabilities as CEO?
Matt Cohen
Yeah. So I came into CyberArk five years ago as the CRO quickly became the COO, been CEO here for just shy of two years, amazing, but running the go to market organization, by the way, both the sales side and the customer success side allows me to be deeply connected to the customers themselves, right? Understand where their pain points are. Understand not only where they were struggling from a cybersecurity perspective, maybe where they might be struggling from a CyberArk tooling and solution perspective. So it's helped me to be able to shape the product vision, the overall approach we've taken to the platform itself, and ultimately to make sure that we're solving real problems for customers, not just producing product for product sake.
Olivia Hack
Yeah, that makes a lot of sense. How are forces of change… I know you talked about some new environments, new identities, new attack methods, you know, and also the proliferation of AI. How are they reshaping cybersecurity strategies today?
Matt Cohen
So if you think about those forces, and there really are those three that we keep calling out new identities, the very nature of human identity, machine identities that organizations are exploding. You or I might have two or three digital identities, but throughout a typical enterprise, there's hundreds of 1000s, if not more, of overall identities that need to be secured. And the nature of those identities have changed fundamentally, where, as I said at the beginning, it used to be privilege only sat in the IT organization. Now there's developers who have unfettered access to cloud environments to do whatever they want. So the very nature, the size, the scope, the volume of identities has changed. What we mean by new environments is, it used to be an on-prem world you had to protect against and if you could secure your walled garden, you were okay. Now in hybrid and cloud environments, there's multiple environments to secure. And then if you factor in the idea of what happened since COVID and work from home, work from anywhere, of course, now the perimeters disappears. And so new environments, new identities, and as you mentioned, new attack methods. The attackers are innovating at a rate that's exponentially quicker. Each and every year, more and more breaches are happening. So if you take those three elements, then organizations, enterprises, they need to actually rethink their paradigms. The old paradigms of cybersecurity no longer apply to this new world, and we at CyberArk believe that fundamentally, if you can lock down identity and you can secure this broad spectrum of identities, then you can respond to those forces that are out there in the market.
Olivia Hack
Increased complexity 100%. So where do you feel that most companies that you're working with are struggling in terms of their cybersecurity operations today, and how is this dictating where CyberArk is positioning itself?
Matt Cohen 05:52
I think the biggest shift has been in the past in cybersecurity. It was about keeping everybody out. Yeah, and there's large industries that are based upon detecting as people try to penetrate, try to come inside. I think what we've seen is that now you have to assume breach has occurred. So people are in your network. They're actually trying to move laterally or vertically to take over control. And that change, that shift means that you need to go beyond detection and discovery to actually implement core controls, because you have to assume that as they're moving, if you can, if you can fight that off in a meaningful way, if you can stop the lateral and vertical movement, then ultimately you can make organizations more secure. That big shift means that as we, as we've been talking about, people, need to focus on identities.
Olivia Hack
So since your time at the company, CyberArk, has really undertaken some strategic shifts. In 2020 you transitioned your business model to a subscription based platform. In 2024 you acquired Venafi and expanded your partnership with proof point, and you've recently introduced some product innovations within the identity security platform. What advice would you have for successfully integrating new initiatives to keep pace with rapid industry changes?
Matt Cohen
I think it starts with that last phrase you just said, which is understanding the changes that are happening out in the market? Yeah, and that, fundamentally, in our industry, means you have to understand what the attackers are doing when we talk about cyber security. It's a unique industry, because there's three people in the room, it's you, it's the customer, and it's the attacker, and everybody is innovating from all angles, and you need to keep pace with that. And so I think when we think about how we keep pace with everything, it starts with our labs space that we have over in Israel that's dedicated to this idea of making sure we understand the latest and greatest threat landscape. And then it becomes never being complacent with cognitive lock in where we're thinking only about what we've done right. We want to understand where we need to go. And from that perspective, we've been able to broaden to these new populations. You know, a lot of people thought of PAM, privileged access management, where we started as an IT only domain, right? That also, by the way, limits the market of growth. We saw it differently, and said the things we do in PAM that customers trust us for, if applied in the right way, to the workforce, to developers and even to machines. If we do that, then ultimately, we'll be able to expand with this market, and we'll be able to drive the growth that we've been able to see as an enterprise security company.
Olivia Hack
Yeah, it makes sense to be part of the solution from the get go, as opposed to something that's bolted on.
Matt Cohen
Yeah, absolutely and making sure that we innovate from within, right in a world that's constantly innovating around us from an attack perspective.
Olivia Hack
100%. So how do partnerships play a role in supporting cyber arcs, innovation efforts, and what qualities do you look for in a strategic partner to help drive your IT roadmap forward.
Matt Cohen
So I think there's multiple vectors of partners. Of course, we have the partners that we work with every day in the SI community, system integrator community, and they help us understand that threat landscape, and they build large practices around the CyberArk business. We have our reselling channels in the marketplaces that are important. But I think in when you start to think about the technical complexity of securing these enterprises, cyber security, and so it's a little cliche, is a team sport, yeah? And you need to look out and understand, by the way, how you work with your competitors, yeah, you can't be a closed system, but also how you work with other technical innovators out there. So as you mentioned, we launched a partnership with Proofpoint, and proof point is really innovating at the at the level of not just email security, but data security, and it allows us to be able to understand as the attacks come in, a major form of attack still comes in through email. How can use what they're able to detect to then lock down controls on the most privileged identities. We launched very recently a technical partnership with Wiz, and that came about from customers actually saying Wiz is a great platform at actually discovering and observing what's going on in cloud environments. Now I get to see all the things that are wrong and clear, you know, red, yellow and green, yeah. And now I need to figure out, what do I do about it, yeah? And now that's where CyberArk always comes in, because as a control point, yeah, we can actually remove entitlements, remove privileges in cloud environments, and actually implement a least privileged approach. So I think when we look at different technical partnerships, we look at, what are the customers want, yeah, mixed with, where can we actually provide real security value for enterprises as they protect themselves.
Olivia Hack
So CyberArk has been actively investing in growth and innovation in 2020 you launched CyberArk ventures, and you recently announced the acquisition of Venify. What specific areas of innovation are you prioritizing with CyberArk ventures and the Venify acquisition? And how do these enhance value to customers?
Matt Cohen
I think when we look out into the landscape, we look across the identity security view. We define that market for ourselves. We're not interested in going into big, large adjacent markets. We think there's a consolidation and a platform play within identity. Then we looked at where we think that customers need more, as we've talked about, where we think we can develop organically solutions and where inorganic needs to play a role, and as it related to Venafi what we saw is that machine identities were taking off at an even faster rate than human identities as people kind of deploy IoT, devices, applications, even modern microservice based code, the agent workforce, the AI agent workforce that's coming our way, those machine identities needed to be protected, and Venafi played an important role in the ability to be able to secure machine identity. So it really was kind of like think of it as a where do we have gaps? Where can we actually acquire a nice asset, and where can we get accelerated in our vision? And we think about the same thing from a Ventures perspective, but maybe a little bit farther out. Let's invest in other areas that really aren't near term, because in that case, we should be either developing or acquiring it. Now, sure, and let's incubate some of our funds and watch what's happening in some exciting areas of cyber security.
Olivia Hack
What advice you might have for CEOs and boards that are considering M&A, anything specific you want to say there?
Matt Cohen
I think it goes back to a theme we've been talking about all day, which is, go where your customers want you to go, yes, where they understand and they and they need you to go, yeah. Don't just go while you pursue growth or you pursue profitability. I think that's kind of fundamental. Number one Sure. Number two is make sure that from a m and a perspective, the company you're looking at actually has a similar or a at least amendable culture, right? And I think a lot of acquisitions and M&A fail when we bring in companies that don't look at all like us, yeah? And actually, you lose talent pretty quickly, and you have a little bit of a culture clash So I think culture is an incredibly important second point. And then the third thing is, we're a technology company, yeah? And we're in a technology industry, so don't settle on the tech like when we went out to look for Venify, we were out looking in the market. We were actually surprised that Venify had the best tech, because they also invented that piece of the market. But once we saw that they had the best tech, then we went hard and fast after them, because ultimately, we want to make sure that you're spending your money on the latest and greatest, not on some legacy lift and shift company.
Olivia Hack
Absolutely. So when you think about your ultimate vision for CyberArk’s impact on the future of the security industry, how are you leading the company towards that goal?
Matt Cohen
So we have a mission statement at CyberArk. Everybody does. Yes, ours is to secure the world against cyber threats so we can, together, move fearlessly forward. And I'll just dissect that a little bit, because it guides a little bit of where we want to take CyberArk and what we're trying to do. You know for sure, we're a security company. We're trying to secure the world. Everybody. In the world, big enterprises all the way down, and we're in order to do that, we have to innovate against the cyber threats are out there. It's the second part of the of the statement that's most important, which is so that together us and our customers, the relationship that we built can move fearlessly forward. What's happens in cyber security is the threat landscape stops organizations from digitally innovating, yes, and that becomes an inhibitor to their growth. Where they want to go. What we want to do as an organization is we want to be able to remove that fear, you know, not without some productive paranoia, but remove that fear so that when they launch their growth strategies, their digital innovations, the things that are going to drive them forward. They know they have a partner to help them do that so that they can keep moving forward. And I think when we think about where CyberArk is going as a company, the trusted relationship we have with partners, we use this phrase consolidation of trust in the industry. So it's not a consolidation of spend, it's a consolidation to a partner that they can trust. I think that's how we want to lead in the market, is with that type of relationship, with the with the enterprise, with the with the governments that we serve, and ultimately with the market overall.
Olivia Hack
Fantastic. So what major challenges do you feel are facing cybersecurity CEOs and security operations professionals over the next five years, and what advice would you have for them?
Matt Cohen
So I think the biggest challenge is the rate of innovation. Sure, it's a unique world where you're trying to catch up to a well funded nation state, a well funded cyber criminal organization that actually can, through either blunt attack methods or innovative AI generated attack methods can get into organizations. And so I think when we think about CyberArk and we think about what we're trying to do, it's really to future proof against that. So we have to think about things like post quantum computing. This is an area that's been on everybody's mind for a while, but it's always been a decade out. But the reality is, the ability for the traditional algorithm that supported so much of cybersecurity to actually be compromised is becoming a reality in this world of quantum computing, or in a potential post quantum world. So I think that's one thing that leaders and cybersecurity leaders need to be thinking about. Another maybe more near term threat is in the race fearlessly to go into AI, how do we actually secure all of these new identities that are coming online now when you think about a custom GPT or you think about a AI agent or a bot. It really is like a RPA bot 2.0 or 3.0 they're going to be everywhere, and they're going to be logging into systems. They're going to be talking to each other, they're going to be replacing work, tax and even workers. And how do we get ahead of that curve, and how we deploy security at the same time as we deploy AI? We got to learn from cloud computing, so we moved to cloud computing as fast as we could as an industry, right? And people didn't put in place any security controls when they did it, and now they're playing catch up, same thing they did with the Internet. So hopefully we as cybersecurity practitioners can not only prepare for the future of post quantum computing, but we actually can prepare for the present as we move all our dollars in investment into AI.
Olivia Hack
Amazing. Well, thank you so much for your time today.
Matt Cohen
Yes, that was a great conversation.