There was a time when the security of computer systems had an elementary answer, antivirus software. Over the years, criminal threats have multiplied and diversified with unexpected sophistication. The name of the subject has changed: it has been called cybersecurity and delimits a large market with too many categories. So many that companies choose to have up to a dozen products to gain peace of mind. It is up to the so-called CISOs (corporate cybersecurity directors) to integrate them. They are reduced to the same expression of wishes: zero trust.
CyberArk is an Israeli company born 25 years ago that employs 3,000 people and whose market niche is identity management. It must be explained: “When I arrived – remembers Roberto Llop, vice president in charge of southern and western Europe – it was expanding from the management of human identities to security in the workplace, which is the first vector of entry for the threats and incidents that companies suffer.” From the first minute, the conversation with a prospective client revolves around how to manage access privileges and how to provide those identities with controlled access, based on corporate security policies and regulatory compliance.
The next step has been to “secure” the workplace, for which “solutions proliferate, leaving areas without sufficient protection.” They are usually assigned privileges when installing applications and then running them. It is common for these privileges to stay there, as if they were natural. But when hundreds or thousands of jobs are at stake, keeping them under control is imperative. It is important that they can be audited and actually be audited.
So far, familiar territory. How to solve the security of third-party access? Organizations have multiple vendors and multiple customers (with their employees) who are given permission to access systems that are not theirs. “This is how today’s world works: if you have to give privileges to third parties for operational reasons, let them be the minimum to do what they have to do and when they are no longer necessary, they are revoked, avoiding the risk that they continue to be valid due to absence of zeal.”
CyberArk’s catalog has evolved with the market: from human identities to a growing weight of non-human identities (robotic software, applications, microservices, etc.). “Enterprises have an inventory of applications that talk to other applications. How to safeguard them involves managing the identity assigned to each of these intangible resources. And I see that the demand is proving us right.” This is one reason – Llop asserts – why CyberArk has a policy of cooperating with other actors in the protean cybersecurity offering. What does the company contribute? “Right now we have about 200 native integrations with cybersecurity solution manufacturers; We are aware that our clients think about the integration of our solution with others that are on the market, it is a key to the business model.”
What CyberArk offers is formally a suite (others would call it a platform). It is marketed under subscription, but not for individual products but rather as sets of solutions to real business problems. An attempt is made to package them so that the client can choose their cloud provider or host them in their own data centers. Everything is sold through the channel, which does not require an exclusive relationship, another quality highlighted by Llop.
The first to adopt identity management were – it is easy to understand why – financial institutions, but they have gradually abandoned that birthright in favor of critical, threatened infrastructures, retail chains and the public sector. “2023 has been a good year: our main focus is on Ibex companies and public administrations; The next challenge is to transfer these successes to sub-Ibex companies. And 2024 looks full, fortunately.”
How to close the conversation without talking about artificial intelligence? It is both a solution to come and a threat that could grow, summarizes the interviewee. CyberArk has established a center of excellence with two missions: to provide its products with AI capabilities and at the same time design specific security controls for its applications “Because the perimeter of risks continues to expand and we need to have learning devices.”