“The NSO incident does not harm the reputation of Israeli cyber”
CyberArk chief Udi Mokady believes Israel’s position as a cyber powerhouse is safe, and that "our grandchildren will also deal with cybersecurity”
Mokady, who heads CyberArk, a company that operates in the niche of organizational permissions, has seen his company’s share price jump by 25% this year, currently trading at a value of $7.5 billion. Until a few years ago, its numbers were the most impressive of any Israeli technology company, and it was considered one of the great successes of Erel Margalit, head of JVP venture capital. However, cyber newcomer SentinelOne, which went through an IPO a few months ago, is already worth more than double of CyberArk.
How do you explain the current pricing of companies in the cyber industry?
"I am completely calm and congratulating the new companies. Valuation is something built by market forces, and if we are currently looking at the future promise of companies, then this is the situation. There is no bubble in the sense that a small pin could burst everything. Many companies consulted me on whether to go public. CyberArk has been a public company for seven years. Think about how many quarters I have reported on. A company like ours is measured less on promise, and more on real metrics. The young companies will get to this place too. This is also what I say to their executives who come to me: Get ready for the day the board will ask you not only how much you sold, but also about profitability."
Does your field also benefit from the general tide in cyber?
"We invented the field of managing organizations’ permissions, but as time goes on we are expanding in the direction of protecting not only the strong and large users of the organization but also the regular employees. One of the big challenges today in protecting organizations is not how to stop the attack, but how to prevent the enemy from advancing within the organization. This requires more advanced solutions in the field of identity security and in-depth permission management."
Many of the more experienced companies are trying to shorten the path to cloud solutions by acquiring young cyber companies that specialize in that. Do you, too, with $1.2 billion in cash, have plans to make a significant purchase?
"The notion is to build versus to buy. We have an orderly discipline of looking at buying opportunities, but not detached from the value. In many cases, we encounter interesting things, but if the asking price is unrealistic the company goes to the bottom of the list. The idea is let's wait for them to grow and it will be easier to justify the value."
Is the proliferation of cyber startups a good thing for a company like CyberArk or is it another factor that inflates manpower costs and valuations?
"I see it as a positive thing. There are a lot of investments flowing into this realm and there are many innovations and new areas that did not exist before being discovered. We can use these advancements as a good ground for acquisitions. In most cases, we will not rush into buying a start-up and prefer to cooperate first, which is like going out a little before the wedding, a kind of dating phase. This allows us to see what the customers think, how the product works, etc."
How do you explain the huge gap between Israel's excellence in developing world-class cyber solutions and the great vulnerability local institutions and companies seem to have?
"Israel is indeed a cyber power, but as usual, the cobbler's children have no shoes. It is important to note that there is a big gap between the big companies in Israel and the small companies, whether private or public. Banks, insurance companies, and infrastructure companies in Israel are among the best in cyber defense, also because they are regulated and because they understand the risk. The next levels of organizations either do not have the funds or they have an “it will not happen to me” mentality.
"I've seen it all over the world. Even in the U.S., it was only after a few cyberattacks on hospitals, on small organizations, with ransom attacks that even went after schools, that the matter was understood. Today, in every professional conference people say that there is no such thing as "my organization is not of interest to the attackers". This stems from experience and understanding that attackers are looking for the door not necessarily the target itself. Awareness is also beginning to rise in Israel. We see this from inquiries from organizations that were not interested in the past, so I am quite optimistic."
And what about the other side of the story - offensive cyber? Recently, Israeli company NSO made headlines again after being blacklisted by the U.S. administration. To what extent does this damage the reputation of Israeli cyber?
"The NSO incident does not harm the reputation of Israeli cyber. We have worked for decades to build an image of the most advanced defense technologies. However, the Ministry of Defense needs to monitor the export of offensive cyber - and that will protect it from itself."