May 10, 2024
EP 52 – Built to Last: CyberArk’s 25-Year Innovation Evolution w/ Founder and Executive Chairman Udi Mokady
In this episode of the Trust Issues podcast, host David Puner interviews CyberArk Founder and Executive Chairman Udi Mokady on the occasion of the company’s 25th anniversary. They discuss that milestone and reflect on CyberArk’s growth to becoming the global leader in identity security and the ever-evolving threat landscape – and how the company has scaled to meet it. Udi shares his insights on the company’s culture, values, philosophies and lessons he’s learned. He also dives into the importance of innovation, the role of AI in cybersecurity and his future aspirations for the company.
And, because we say in the episode that we’ll share it here, Mark Knopfler’s new album is entitled ‘One Deep River’ … Udi describes it as great for driving and optimistic.
Enjoy the podcast!
[00:00:20] Here are some milestones from 1999 you’re probably familiar with, even if you don’t recall they happened in 1999: the release of the first Matrix movie, the introduction of the Euro, and the impending clock turn to the year 2000, also known as Y2K. But there’s another 1999 milestone you may not be aware of. In the spring of that year, CyberArk was born in a small sublet office outside Tel Aviv with a digital vault solution and a handful of employees. Since then, CyberArk has pioneered the privilege access management market (PAM), continuously driving its evolution. Then the company established the identity security category centered on PAM, making it easier for organizations to protect themselves against advanced cyberthreats by securing all human and non-human identities as they access all environments.
[00:01:15] It’s an innovation story. Today’s guest has been here since the very beginning: CyberArk founder and executive chairman, Udi Mokady. He’s witnessed the company grow to over 3,000 employees in offices in 16 countries. And on the occasion of CyberArk’s quarter-century milestone, he and I have a wide-ranging discussion that looks back, looks forward, and dips into culture, values, philosophies, and lessons learned. Udi also talks about the ever-evolving threat landscape and how the company has grown and scaled to meet it. This was a fun one for me. Here’s my conversation with Udi Mokady.
[00:01:50] David Puner: Udi Mokady, CyberArk founder and executive chairman, welcome back to Trust Issues. We’re thrilled to have you back.
[00:01:55] Udi Mokady: Great to be back. You waited for a big occasion to invite me back, David.
[00:02:00] David Puner: Yes, we absolutely did. And we’ll get to that in just a moment. The last time you were here was August 22nd, 2022, episode 8 of Trust Issues. Wow. This is somewhere around 52 or so. So, amazing. It’s taken a while, but we’re really excited to have you back.
[00:02:15] Udi Mokady: It’s amazing to see how the podcast is running. I’m excited to hear.
[00:02:20] David Puner: Thank you so much for listening. We really appreciate that. And of course, a lot has changed since August 2022. Like the last time you were here, you were CyberArk CEO, and now you are our Executive Chairman. You, of course, were our founder then too. How’s the first year-plus in the new role been, and what’s the transition been like?
[00:02:40] Udi Mokady: So first of all, it’s been a wild year. I’ve been CEO of CyberArk for more than 18 years and of course founder from the start until we decided to do this transition. While the sky is blue, I turned it over to Matt—who is a superb CEO—so that I don’t have to be CEO forever and I can focus on things that are strategic to CyberArk. And I’m sure we’re going to talk about that. It’s been a transition because I’m used to waking up as CEO and it was more than a 24/7 role. It was, you know, a 25/8 kind of role, but it’s really going great. I think we’re writing a case study of a transition of a founder-CEO to another CEO while the founder stays as connected as I always was to the company, customers, partners, and most importantly, the culture and the employees.
[00:03:35] David Puner: Matt being Matt Cohen, our CEO. So in your new role, what’s been surprising? What have you learned so far?
[00:03:45] Udi Mokady: I think in the new role, I have a little bit more bandwidth to open up, and I’m sure we’ll talk about it. One of the main decisions we said is I will spend time with major customers and major partners and have the opportunity—first of all—they all wanted to ask the same question you asked me, David: “Udi, you’re CEO forever. You’re founder. What are you doing?” And I explained to them that it’s actually part of making CyberArk built to last—the ability where the founder doesn’t have to be the CEO forever. But still, I stay engaged and involved. And so in these meetings, I actually get to hear a lot about how they’re really connected to our customers and really connected to CyberArk. They feel part of this journey of a company that’s going for it—a built-to-last company. And of course, we have deep discussions on cyber and identity. You tell me if you want to dive into that.
[00:04:45] David Puner: Of course. We will get to built to last in just a few minutes because there’s a lot I want to ask you about that. But when you are on the road or wherever you may be talking to customers, what is top of mind for them these days? What are their priorities? What are their concerns? How have security priorities shifted over the last few years?
[00:05:05] Udi Mokady: I think we’re speaking here today where just very recently MITRE itself was attacked by a nation-state. And by the way, I encourage the listeners to go read about it. There’s some good analysis of how that attack happened. And so you have basically a defense-related organization and the one that helps organizations map and track attacks get itself attacked by a sophisticated attack involving zero-days, abuse of privileged access inside, credential theft, and all the things that we protect against. I’m mentioning that because that’s what’s top of mind with customers is that they have a very hard task, and the adversary is only getting more sophisticated, more automated. The conversations have changed where when I walk into the room or when CyberArk walks into the room, they know we are the identity security company. And they talk to us about the role of that in their security strategy and how important this is for them. I would say for both Zero Trust and securing the insides of their organizations and that evolution of, yeah, we understand that we have to protect privileged accounts but also their evolution to—we have to secure all types of identities—human identities, machine identities, especially the proliferation of identities. And we really talk about how CyberArk has taken a platform approach to be their platform of choice for all identities and for identity security.
[00:06:45] David Puner: So obviously, there’s been an evolution, and for there to be evolution, there needs to be innovation. How does innovation and investing in innovation figure into your Executive Chairman role? What do you value most about your transition into your new role if it’s somehow integrated with innovation?
[00:07:05] Udi Mokady: You can’t find me talking about built to last without putting innovation in there. I think you can’t be built to last in cybersecurity without making innovation a major pillar and a major part of your strategy. As an Exec Chair, I really get to play on it because, as I mentioned, the main things I’m focused on are major customers, partners, strategy, and culture. And if I take the last two, strategy, it’s all about continuously extending our solutions to address modern-day attacks. And it’s both organically, how do we continue to innovate, and also inorganically, look at partnering and look at acquisitions. I think we’re very unique in how much we partner in the C³ Alliance that has thousands of integrations with third parties. And that approach of security as a team sport, I view that as another thread of innovation. The culture side, I really like to invest a lot of time in making sure we defend our culture. But part of our culture has in it this “think like an attacker.” And so that every team member at CyberArk approaches their role with, we have to bring the attacker into the room—we don’t necessarily like them—but we have to bring them into the room in everything we do. And that really drives our innovation. We’re not developing in silos. We’re really thinking about defending up against that attacker. I’m finding that those are major fronts where I’m able to drive innovation. The other one is I’m really connected to the startup ecosystem. And as Executive Chairman, I’ve opened up more space to do that. If we twist the camera here and you look into my calendar, you see I’m probably talking to at least one startup a day—often just mentoring—but very often staying connected to the security ecosystem and directing them into the right partnering way to work with CyberArk. And so that connectivity is also brought back into CyberArk’s innovation.
[00:09:00] David Puner: When you talk to those startups, is “built to last” something that’s on their radar at this stage of the game? Or is it something that you kind of have to say, “Hey, maybe you should be thinking about that?”
[00:09:15] Udi Mokady: It’s not on their radar. I think it’s very rare. And in a way, you have to earn the right to talk about “built to last.” I think CyberArk, you know, we were aiming for it, but I think it’s after we went public is when we kind of earned the right to say, “Hey, we’re going to be around for you, Mr. Customer, Mrs. Customer. We’re going to be around because we’re aiming to be built to last.” So a lot of these startups, what I try to do is kind of open their minds to the fact that you don’t just do this in order to sell your company. If you’re onto something real and big, go for it like CyberArk did. And I actually do hear that we’ve inspired other companies to change course. They even share the CyberArk story with their board of directors to say, “Hey, look, they created a category and went for it and built a large company.” So I try to inspire them, but I think it’s early for most companies to use that term.
[00:10:20] David Puner: So, when you launched the company in 1999, and—spoiler for those who probably haven’t seen the title of this episode or heard the introduction when we were alluding to the milestone earlier—it is that April 2024 marks 25 years since the founding of CyberArk.
[00:10:40] Udi Mokady: Yep.
[00:10:42] David Puner: When you launched the company in 1999, were you thinking about “built to last?” And at that time, did you envision that CyberArk would be what it is today, let alone be here in 2024?
[00:10:55] Udi Mokady: Since this is a truth-only episode.
[00:10:57] David Puner: That’s right.
[00:11:00] Udi Mokady: And this is a trust episode. There’s no way in the world I could say that I envisioned to get to where we are today. This would have been a crazy dream at the time when we were in a sublet in a small part of Israel where I even used to look up at the company we were subletting from and thought, “Oh my God, they even have so much space. They must be doing so well.”
[00:11:25] David Puner: Okay.
[00:11:27] Udi Mokady: That company is not around anymore, by the way. We used to beg them for some more space for more tables. So no, I would say the CyberArk approach was very innovative. The world was selling primarily firewalls and antivirus when we founded CyberArk. And we came in with this approach of “Hey, what’s happening beyond your firewalls?” And of course, this is before the world of work from home and perimeters dissolving. And we were early to say, “Hey, at a minimum, you have employees and team members within your network. And how do you secure the keys to the kingdom?” And we came up with the concept of a digital vault, which was very, very unique. The world was selling doors. We were selling digital vaults. And so I think what we were aspiring for was to even get to a point where it’s a recognized category. That was, I think, the biggest milestone. The first office was not far from Israel’s international airport. And we would just hear takeoffs and landings. And it was very clear to us that we wanted to go global. We’re going to build a global company. And very early on in the cycle, I moved to Boston to set up U.S. headquarters. And it was like a first step. We’re going to be global way beyond America’s. And I’m sure we’ll talk about that. But that was the aspiration—to build a category and take it to the world. And of course, today I’m very proud and humbled, and I pinch myself all the time to be standing here with more than 3000 employees around the world, with more than close to 9,000 customers out there, and the deep partnerships we have in the category of leadership. So yeah, it’s been amazing, but I never summarize. I’m always with the feeling of just getting started.
[00:13:00] David Puner: How did you pick Boston when you made the move over here?
[00:13:05] Udi Mokady: That’s a great question, David, because it was very much against the trend. At the time, Israeli startups were, if you had a shot, you went to Silicon Valley. And I think like in almost every step we did along the way, we didn’t follow the herd. There were so many junctions that we didn’t follow the herd, but that was another one. We kind of assessed in those times the concept of the vault and securing the inside appealed the most to financial institutions. So in the early days, banks were kind of the first customers. We figured, where are the banks in the U.S. and the financial services? And it was kind of the East Coast. It was pointing to New York, Boston. We also saw that if you spent time on the West Coast, it was very hard to work with the Research and Development Center in Israel with a 10-hour time difference versus 7 hours from the East Coast. And despite the cold winter visit my first time in Boston, and hey, I’ll tell the audience that unfortunately or fortunately it’s warmed up in Boston since like since that winter. It’s gotten milder, and Boston is a great place. We went against the trend, and we said, “Hey, let’s be a seven-hour time difference. Let’s be close to financial services.” And only a few years later did I discover also the benefits of being close to so many people, institutions, or universities and colleges that we can tap on for talent. So it’s proven out to be one of many good choices that we made that were against the trend.
[00:14:30] David Puner: Did you have to reverse engineer your driving skills when you moved here to the Boston area?
[00:14:35] Udi Mokady: No, no, no. People always talk about the Boston drivers. I guess Israel kind of prepares you for it. Just like driving in Southern Europe. You kind of have to know how to drive a little bit more aggressively. So there were some things that surprised me here but no. The only problem was the snow but, as I said, it’s been decreasing.
[00:15:00] David Puner: I will keep an eye out for you in the breakdown lane passing me at 120 miles an hour.
[00:15:05] Udi Mokady: Oh no no.
[00:15:07] David Puner: Just kidding. I’m sure you use your signals and all that kind of stuff.
[00:15:10] Udi Mokady: Absolutely.
[00:15:12] David Puner: What has the evolution of CyberArk been in becoming or emerging as the identity security company? How does the evolution reflect CyberArk’s pioneering DNA that you had mentioned just a few minutes ago?
[00:15:30] Udi Mokady: So for many years, we were out there evangelizing that “Hey, while you’re sitting here on the 20th floor of your bank or your airline company or your retail, the folks in IT on floor three or wherever they are, they can access anything—your salary—and yes, you can trust them, but the attackers are going after them.” And so we used to evangelize and explain the role of privilege escalation in major attacks. But at some point, there was a turning point. And of course, it was many years into it, where major breaches like Sony Pictures—and I actually have that here on my desk. I have the Fortune magazine covering the hack in Sony Pictures. It’s called the “hack of the century.” And when you read like the way it was defined at the time is attackers achieved administrative access and therefore were able to take down security controls and even read what the security defenders were sending between themselves—the emails. And so Sony Pictures was that example. Edward Snowden was an example. He went on tape when he escaped to Hong Kong. He went on tape and he said—I remember that quote so vividly. He said, “I was able to steal state secrets because I had privileged access.”
[00:16:50] David Puner: Right.
[00:16:52] Udi Mokady: So you pile that up to these major breaches that were occurring. And whenever you dissected “What was the point of no return in the breach?” Yeah, it’s when the attacker got privileged access, administrative access, was able to turn off security controls, was able to create backdoors. I would say that was the turning point for the privilege access management category where it moved from being applicable to highly regulated or highly paranoid organizations to being applicable to any type of organization because that’s the dangerous point in the kill chain in an attack. And yes, you can put this control in place and you can actually rotate credentials, and they won’t be able to escalate privileges. So when that happened, the PAM category really emerged. Expanding onto that is we saw that in the modern environments and cloud environments and the work from home environments, it’s not enough to put this important control over the IT users and the developers. All types of identities have some kind of privilege that can be abused. And it can be the workforce users. And of course, it can be the machine identities. It can be the secrets that power applications. And so we expanded our platform organically and non-organically. An important piece of that was in March of 2020 when we acquired Idaptive in California and expanded into all identities and in a platform that we call identity security covering all types of identities. And it’s very exciting because I always call it from the makers of PAM, we come to you and go after all identities. So, hey, we started with the most difficult part of identity. These are identities that administrators need to power your organization. And it has to be scalable. It has to be reliable. It has to be secure. We did all of that for enterprises for years. Now we’ve expanded and took the right privilege controls and expanded them to all identities. So it was an important major strategic move of the last couple of years.
[00:18:55] David Puner: And as it turns out, as you had mentioned earlier on, we’re not just commemorating 25 years of CyberArk. 2024 also marks 10 years since the company went public in 2014. What about that milestone, or what did that milestone mean for the company at the time? And what about going public has helped contribute to the company’s success and growth since? What did the IPO enable CyberArk to do?
[00:19:20] Udi Mokady: That’s big for me. I think it’s probably—I dare say—the happiest day of my life, but then I’ll get in trouble with my wife regarding our wedding. So maybe, you know, second or third happiest day of my life. But in the right way, it was all of these years of wanting to go and build something that’s longstanding. And here you are on stage in September 2014, and you’re ringing the bell at NASDAQ, and this company has the shot to be a “built to last” company. So we may have some snippets of how we’re talking now, but you see behind me the nice things we got from the IPO, and they call it tombstones, but it should be a more positive word for that achievement. And I think the way I put it out there is that going public created this platform that we can ride on to build a long-lasting company. Throughout the years, I’ve always had customers, partners, really, it was almost like I could foresee it in these events. Somebody comes to me and they have kind of a sensitive question. They say, “Hey Udi, can I ask you a question?” And it could be in a conference in Paris or it could be in Singapore, it can be in Atlanta, anywhere. And I say “yeah.” And they say, “Look, we really love your company. This is mission critical. We love your team. How do we know you’re going to be around?” And so many customers have been burned by vendors who do something important for them but then go away. And I would always answer with, “Look, we’re privately held, but we want to build a long-lasting company.” Going public allowed me to stand on that stage and say, “Thank you to the customers and partners and team members that asked us to go the long way. This is the first step of that.” Now that’s 2014. To your question, celebrating 10 years of that is even a bigger thing because you have to find your way, you have to find your stride as a public company. You have to find a way to balance the new needs of a public company. And many companies, yeah, they go public and they can last a year or two, but they can’t get into the rhythm. And I think celebrating 10 years is a big thing. I mean, again, pinching myself and knowing how to balance the needs of communication to the investor base with the need to continuously be investing for the long term. And we have a board that really supports that. Like everything we do is like think long term. Think what’s best for CyberArk long term. And it’s showing in the value we created and it’s a big deal to celebrate 10 years of that. It became also a success breeds success. Going public was also for a lot of companies was like “Oh you’re mission critical now that you’re public. We know we can even double down and rely on you for the long term.” So it’s not for everyone. I get a lot of startups asking me “Hey how’s life as a public company CEO?” and “give me advice” and all of those things. And I always say it’s not for everyone. But when it’s a fit, when your company is the right one for it, there’s also a great branding event that comes with it that’s good for business.
[00:22:45] David Puner: That’s really interesting. And along the way there you had mentioned of course the team having an integral role in helping to get the company there. And I know that culture, as you had mentioned, is something that’s near and dear to your heart. When it comes to culture, what is one trait that every CyberArk hire should have?
[00:23:05] Udi Mokady: I’ll keep it between us, David, here in this podcast, right?
[00:23:10] David Puner: Yeah.
[00:23:12] Udi Mokady: But at CyberArk, because we took a long journey, the beauty is that when we talk about our culture and our values, it’s not like somebody in marketing had to say, “Hey, we need to create a value chart. Let’s pop something on a we have to put something on the website.” This is a longstanding company. So in our case, values are values. Like a lot of it were like feedback that we got from what customers say about us, what partners say about it. And one of them is called “smart, bold but humble.” And we have it here on the wall in the office where I am now. And that’s my favorite. Maybe I’ll dissect it here for a second, even though I think it’s a secret formula, but smart, bold but humble. You need smarts in the cybersecurity industry for all the obvious reasons. Your customers are smart. The adversary is innovating and smart, and we’ll talk about the adversary, but it’s no longer just the high school hacker. It’s nation-states, it’s criminal organizations—they’re smart. And the bold drives innovation, the bold drives being a trusted partner to your customer, be able to talk, and I say that to our team all the time: Tell the customer what they need, not what they want to hear. Like give them the prescription they need, not the prescription they want to get. And customers appreciate that but it takes confidence to say, “You know what? Okay, we analyzed your environment. You actually have to start here. You recently acquired this new company. Those accounts are totally mismatched. You have to start there.” You know, give the advice they need. And that takes bold. And of course, bold applies to every department in the company. And so there’s smart. But humble—that’s one you don’t usually see. I believe you can’t really buy humble. You can’t train humble. It’s very much how people grew up. It’s people who influenced them in their life. It could be their parents. It could be a mentor. It could be their friends. Could be something that they were part of, but this when you’re humble it means you’re not full of yourselves. It means you’re going to listen. It’s super powerful in any customer setting—the ability to listen to the customer. You’re going to listen to your colleagues. You’re not going to walk into a room as a know-it-all. And I think it’s what drove us. There’ve been so many ideas in the CyberArk journey that were not driven by the hierarchy of yeah, the executive came in and just got off the plane with the idea of this brilliant new product. No, it’s people came back from a customer and they said, “What if we extended this product to also do this? What if we adjusted the pricing to make it simpler for the customer when they’re renewing?” You know, multiply that by 25 years, there’s just thousands of internal innovations that came from our team members because they felt comfortable to talk to anyone regardless of hierarchy and because no one is full of themselves. So that’s the humility, and I love it. I think customers really love it. Again, combined with the smart—a smart CyberArker walks in, gives them great advice but also listens. Also takes feedback and says, “You know what? That’s a great idea. Let me come back to you.” So I gave you a long answer to that, but that’s what every CyberArk hire should possess. And that is how we hire. And it’s also how we retain. You see these people thrive in CyberArk.
[00:26:20] David Puner: It’s really cool to hear that actually, thank you because I’d never heard the longer story and I do think that humble is really a super powerful one.
[00:26:35] Udi Mokady: Money can’t buy it. I think it’s super powerful.
[00:26:40] David Puner: Absolutely. So if I can spin that your way for a moment and have you talk about yourself a little bit, which is kind of inherently not humble, but we’ll try to keep it humble.
[00:26:50] Udi Mokady: Yeah, exactly.
[00:26:52] David Puner: How do you live CyberArk’s values in your personal life?
[00:26:55] Udi Mokady: It’s hard for me to speak about myself, but I think what kept me sane and very much like the same guy—like when people say “Oh Udi, can I take a picture with you?” I’m like “Yeah, but I’m just Udi from the block.” And it’s inherent—you can wake me up in the middle of the night and you say, “Hey, your company is valued for more than $10 billion. And it’s celebrating 10 years as a public company.” I’d be like “Oh my God. Wow. That’s great.” But I don’t feel full of myself. I just don’t. And how does it translate in my personal life? Is that I’m a regular guy in social settings. I’m a regular guy with family and in the airport, in the school, or whatever. And it keeps me happy and sane. It means I don’t have extravagant hobbies, I’m not money-driven, and I’m much more mission-driven, purpose-driven, and it’s like a healthy hunger that keeps you grounded.
[00:27:55] David Puner: Are there any notable leaders that you’ve modeled your leadership after, or has it mostly been just sort of guided by your gut?
[00:28:05] Udi Mokady: I really do read and definitely with the evolution of podcasts and how you can combine it with exercise—for all of those exercising—now that’s a plug for you—or a good walk with the dogs.
[00:28:20] David Puner: Yep.
[00:28:22] Udi Mokady: I do listen to successful leaders, innovators, CEOs on various things. I don’t think there’s anything that I’ve modeled by. I think it’s more of the upbringing. My dad was a diplomat. We traveled a lot. I had to move a lot of schools, languages, and adjust. And so I think a lot of that is upbringing. Military service really taught me to lead by example, which I’m a big believer in. If you want your team to go and be available for a customer at 10:30 P.M., you need to be available for the customer. And I do weekends and take the way we flew here in the early days in CyberArk was amazing. We wanted to ride out our cash as long as we could. So we took these multiple connection flights that we joke about now. We used to fly West to get back East, but I was with the team doing the same thing. Whatever you expect the team to do. So a lot of these things were kind of formed as I would say as I’ve grown up, and in the company, I just saw that it works and it’s a force multiplier.
[00:29:35] David Puner: As CyberArk has grown, how did you determine how to adapt and handle organizational growth? Was there a particular time when you needed to shift and approach some sort of significant organizational change? Or maybe it was a shift or a challenge that’s helped to shape a fundamental way that the company has operated ever since?
[00:29:55] Udi Mokady: Again, you asked me earlier, “Did you know that you were going to be built to last?” No, but we were doing things that you don’t do as a company. We definitely were doing things that you don’t do as a startup that’s just trying to pick up momentum and get sold. For example, and I think the main one is how global we were, and it’s related to the structure you’re talking about. So like I mentioned, I moved to Boston early on, and so for a while we were a strong presence in the U.S. with a strong R&D center in Israel. And there was so much market to go after in the U.S., but something was itching me. As the sales organizations were ramping up, and we’re talking early 2000s here, I began to pack my passport and fly economy to various European destinations. And I’m not talking about the easy ones like, “Hey, go to London, speak English to them.” My passport was stamped with Italy, Sweden, Germany, France, you name it. And of course, a lot of time in the UK, and we began to globalize like really inch by inch to find those first resellers that want to build a new category. It was exciting. A lot of them made a killing when they were the first to carry a firewall. And so there were these resellers that were the first to adopt Checkpoint or others. Take the firewall category and we talked to them about privileged access management. This is a must-have layer, critical layer, and you have the opportunity to be the first. And so I was there personally. And then whenever we got some traction in a country, we added CyberArk team members and expanded and set forth. So we began that and then later on did the same thing for Asia even though we still had a huge market still building up in America. And fast forward that really played off. You had a global company with global sources of revenue, and that balanced out each other where team gatherings looked like a United Nations gathering in terms of representations across the world. And it created this in one way hedging, but also this strength. And one thing I, you know, for a long period of time I was actually managing those global functions myself and especially on the sales front. And I think towards the IPO we kind of went in terms of central management and later on having a Chief Revenue Officer and all of that. But I think maybe part of the advantage is that I held that a bit too long, but I was directly connected to those regions. So Europe had a say, Asia had a say, and of course, America had a say, but in the management room, they were all present because I was very connected to the globe.
[00:32:55] David Puner: To grab a hold of the Israeli thread for just a moment. As far as obviously geopolitical tensions go, CyberArk is obviously…
[00:33:00] Udi Mokady: What geopolitical?
[00:33:05] David Puner: Yeah, I don’t know, I’ve been hearing a couple of things. The news that I get, you know, everybody gets different kinds of news these days, but CyberArk is obviously an Israeli company and was founded in Israel and not to get too deep into it, but how has the conflict impacted CyberArk’s resilience and the cybersecurity market in general? And then what does business as usual—if there is even such a thing—mean in this moment?
[00:33:35] Udi Mokady: So first of all, I’m very proud of our Israel roots, and I’m very proud, with that same sentence, I’m very proud of how global the organization is. So any team member can really feel that they’re part of a global company. I think we, first of all, these are challenging times in Israel and the October 7 atrocities, you know, kept us all awake for many nights. It was amazing for me to see the resilience of the team in Israel. To the point that when we spoke about it in our first quarter earnings this year, we actually, you know, we talked about the great results when we announced and all of that, but I can even talk about increased productivity and one would say, wait a minute, you had 8 percent of your Israeli team out in reserve duty and out there, something happened where people huddled and covered for each other. Like if somebody was out in reserve duty, people covered for the other, and the output both in R&D and delivery and support and anything was greater than 100%. Like they overachieved in milestones. And I think it was this cultural covering for each other, not just in Israel. People around the world covered for people who were absent. And then people felt like this is a unique time and we have to give them the backup. And it happened. And thankfully all of our employees came back from reserve duty, and I’m hoping that stays and that there’s no further escalation, but it was actually proof of resilience both in Israel and in that global fabric that we have. And I felt blessed, and I actually felt like, you know what, this is another source of pride of how the innovation came from Israel and resilience came from Israel, and we translated it to global innovation, global resilience.
[00:35:10] David Puner: That’s really nice to hear. And obviously, we’ve been on calls with folks who have seen reserve duty, and there have been times when they haven’t been around, and it’s been a time to say the least. And obviously, outside of geopolitical tensions, it’s been a turbulent last few years with COVID and the cyber world in general. But as it turns out, COVID and the resulting acceleration to digital was good news for a large part of the tech world, including CyberArk. And since then, while other companies pursued approaches that maybe haven’t worked out in the long run like over-hiring, there’s been no downsizing, mass layoffs, or anything like that. So in addition to “built to survive,” it seems like CyberArk is built to survive—not to jinx things, of course. So looking back at the last few years, why was COVID and all of that followed problematic for other cybersecurity players and why has it been different here?
[00:36:10] Udi Mokady: You remember I talked about how we don’t follow the trend in many cases?
[00:36:15] David Puner: Yeah.
[00:36:17] Udi Mokady: That was another example. And I’ll talk about some of the drivers, but business was looking great and accelerating and just like with massive digital transformation. And we were hiring. We were definitely hiring in 2020, 2021, but we never over-hired. You never saw CyberArk put up billboards on highways of wanted ads. You saw CyberArk hiring but hiring in a sane way. And I think it’s part of the DNA of a long-lasting company is that we’ve seen crises before. We were around in the dot-com crisis of the early 2000s. We were around in the 2008 financial crisis, and we knew that part of the strength is to kind of have the right size team and to not have to do layoffs. And we never did. We didn’t in 2008. And it’s strength when you’re able to overcome a crisis and retain your entire team. You have the advantage to further leap forward. That’s what happened post-2008. People were shocked that we, you know, when people were announcing freezes in 2022 and 2023, people were announcing hiring freezes. We kept on hiring, and we still are, always in a sane fashion. I think that’s the CyberArk DNA. I think Matt Cohen and I are super aligned on that. We want to grow, we want to scale, but we want to do the things that drive a long-lasting company and not blips. And customers appreciate that too. Partners appreciate that too. We work so well with major resellers around the world—with Accenture, PwC, Deloitte, Optiv, KPMG. Again, I’m naming just a few. Computer Centers in Europe, many partners around the world—more than 500 partners. They also look at you and they say, “Hey, we’re building a practice around CyberArk. How is it managing its business? How is it going through these crazy cycles?” And when they look, they see we’re going continuous growth, stable growth, never going crazy. You can build a business practice around this kind of a partner. And so I think it’s really beneficial, this kind of responsible behavior that we have and it’s kind of built in. To your point about COVID, I think what did happen is the digital transformation drove the explosion of digital identities. I think for us it was really the right time and place to do that expansion. We talked about earlier from securing privileged accounts to securing all identities because that exactly—the work from home—nobody can argue anymore that the person working from home is not an identity that’s valuable for the attacker and if they’re able to hijack their session. And I think that really brought that home. And we also made that transition to a SaaS-centric solution for all identities right as the world was really digitizing. And I could see it. I mean, I could see food companies doing digital initiatives. I could see the airlines, manufacturing, and it’s all staying. I mean, as you see some side benefits, you know, there are countries that I visit—like Greece, for example—and you go and people tell you, “Yeah, you can pay with a credit card everywhere now. It wasn’t the case. You can buy a sandwich with a credit card now in Greece.”
[00:39:50] David Puner: Right.
[00:39:52] Udi Mokady: It wasn’t the case. That’s digital. And I think it’s a benefit to the world and it’s definitely created a bigger attack surface and CyberArk is part of securing that.
[00:40:10] David Puner: As far as the adversary goes, we’ve talked about them from time to time in this conversation, but the threat landscape has obviously changed drastically since 1999 and continues to evolve rapidly. If you were to look at today’s threat landscape through your 1999 lens, what would surprise you most and what about how CyberArk was built to last from the beginning really or just how CyberArk was built has allowed it to grow to address today’s threat landscape?
[00:40:35] Udi Mokady: Just like I would pinch myself in terms of imagining CyberArk as this huge global company back in the day and of course it was a good dream we had. Similarly, I am pinching myself the other way to just think about how some things that evolved in the attacker landscape are the makings of science fiction movies if we were to play it in the early 2000s. Like to think about—and I’ll just throw in a few—to think about nation-states innovating and their tools are leaked and used by non-nations by criminal organizations or nation-states collaborating with criminal organizations. “You take the ransom. I want to disrupt that organization.” And then kind of season it all with ransomware and with cryptocurrency. Who would have imagined that “Hey you’re going to have an ability for criminals to encrypt organizations.” You know, that’s something we could fathom in 1999. But, the extortion is not going to be in cash dollars that they have to deliver in a briefcase. You can actually deliver a Bitcoin and it’s going to be untraceable and they’re going to be sitting in their air-conditioned rooms and getting a massage while the Bitcoin is coming in like no one would imagine. I remember that I was on Mad Money CNBC—just to give a sense of how recent this is but we can fact-check this—but I want to say six years ago, not that long when I’m talking about ransomware and he pauses the show and he says “Udi can you explain to the audience what’s ransomware? What is that?” Maybe that was six, seven years ago. Now you can ask your grandma on the street who would know what ransomware is.
[00:42:15] David Puner: Wow.
[00:42:17] Udi Mokady: So that evolution of a way to monetize without any risk. And the fact that you have organizations that are safely asylumed in nation-states is something we couldn’t have imagined. Flipping it to CyberArk, I think we always stayed close to that. We always had this, I would say, sense of mission to deliver. I mean, we even call our conferences CyberArk IMPACT. It was always like, what are we doing here? Why are we here? Well, we’re here to make a true impact on our customers’ security. That was always our mission statement. And so how do you make an impact? You have to be aware of their challenges, not just their audit challenges and regulatory challenges. You have to be aware of what the attacker is doing. And so we always have been investing in a team and it’s not a team that translates to products, right? It’s the labs team. I always tease them that they have a dream job because they’re allowed to go off and research. What are attackers doing—the most sophisticated ones—and what will attackers do next and how? And that’s how we got into these major breakthrough researches around AI before everybody understood what was about to hit. And so we stayed close to it. So it didn’t catch us by surprise. We always stayed close to the evolution of the attacker and we always brought it back to say, “Okay, what else can we do? How do we play a significant role?” Oftentimes we just find that no matter what and how they got in, it’s that privilege escalation that is the point where they were able to go wild in an organization. So what we do is really the most impactful, but of course to make sure we cover more and more types of identities, cover more and more environments like modern cloud environments, and always keep a watch on what they’re doing and what they may be doing.
[00:43:50] David Puner: And generative AI and AI like you just mentioned, maybe now—or maybe a year, a little more than a year ago—somewhat like ransomware was for Kramer six-ish years ago. Nobody really knew what that was, and here it is changing the threat landscape. So how can we stay ahead of threat actors when they have access to something increasingly sophisticated and easy to use like generative AI?
[00:44:15] Udi Mokady: Yeah, it’s going to be this pendulum swing. That’s how we approach it. We think AI is going to serve the defender. It’s going to serve the attacker at the same time. We have to assume that way. It’s going to make it easier for them to write very sophisticated phishing emails that David, you and I with our human brain would not think that it was generated by a machine. It’s going to refer to a friend we talked about two days ago. It’s going to refer to something that is personal to us that was captured somewhere else, and it’s going to go through that human. So it further increases the need for a defense that assumes breach.
[00:45:00] David Puner: Mhm.
[00:45:02] Udi Mokady: The defense that assumes that the human will be social-engineered and that you have to really defend on the later stages of the attack chain. And of course, everything to do with credentials and identities is a major role there. At CyberArk, you know, as you know David, we took a major initiative to create a center of excellence around AI that actually has two flavors. One is how do we use AI for our day to day and make our employees more productive—R&D, marketing, finance, you name it—and jump on the bandwagon? And let’s adopt it and use it for us. Number two, the most important is how do we introduce solutions that make our customers more secure and even make their lives easier, which translates to more security. One of our products, EPM, for example, our Endpoint Privilege Manager now has the ability to auto-recommend policies for implementation for a customer. That saves time, that leads to deeper implementation, which leads to more security. There’s going to be a lot of elements of how we detect threats related to identities within our solutions. So we’re going to really make it so that we make AI work for us to make our customers more secure, introduce new solutions, but always keep an eye on the attackers. I mean, we’ve released research around deep fakes we’ve talked about in the past. We’ve released research on how attackers can write malware without having to code, and the defenders are going to have to work harder but also again embrace these new tools to move faster.
[00:46:40] David Puner: Before we discuss that, you had mentioned CyberArk Impact, and CyberArk Impact 2024 is right around the corner. It is in May, late May. This episode’s coming out in early May, and it’s our big annual identity security conference and it’ll be in Nashville, which I just said. What are you looking most forward to when it comes to IMPACT, and I presume you’ll be going?
[00:47:05] Udi Mokady: I am going and I’m so excited to be in Nashville. And I talked about my love for music in the past.
[00:47:10] David Puner: Yes.
[00:47:12] Udi Mokady: And I’m sure music is going to be thematic around the event. Look, for me, the CyberArk IMPACT event is the biggest opportunity in the year to meet our customers and major partners. We have great demand for this one, as you know, and people are really signing up and I have the opportunity to meet them together. And we also have the opportunity to introduce to them the wide identity security approach that we’ve taken, new innovations that are coming out, general availability of innovations we spoke about a year ago—like our secure browser that basically brings identity security all the way into the endpoint so that the beginning of the session is already secure. So it was an idea, an innovative idea that we announced last year. Now it’s generally available and to show it in action like many other things. So it’s going to be very exciting. I know we have some major, even famous customers and partners that are going to be on stage with us, but I’m going to keep that for when it’s formally released because we can’t control the timing. But I think customers love hearing from customers and we’ve seen that in many of our major events before. So there’s going to be a lot of customer interaction and customers sharing their identity security journey. So it’s a big one for me. And of course, you’ve got CyberArkers from all over and customers from all over and partners. So it’s exciting. And then after Nashville, like we’ve done last year, we’re going to take IMPACT on the road and show up in major cities around the world.
[00:48:40] David Puner: So two questions from Nashville or related to Nashville. The first one would be, are you taking a nonstop flight to Nashville from Boston? And the other is, will you be checking your guitar or will you just be bringing it on board?
[00:48:55] Udi Mokady: There’s a direct, which is great. There’s a direct flight. I think when I referred to those days, I think some of it was nonproductive like fly West to go East and all of that. But I love that we have it in our DNA. We kind of remember that, you know, investors’ money is something you put to good use and no, not bringing my guitar but we’re definitely going to include that in the program. Not an Udi guitar, but some music and that’s going to be exciting. I was amazed to see how customers from around the country and some from around the world are excited to go to Nashville.
[00:49:35] David Puner: Last time you were here we talked about your guitar playing. What are you up to outside of work these days? Have you been practicing the guitar more than when we last talked to you about it on the podcast?
[00:49:45] Udi Mokady: So David, since we’re in a trust podcast, it’s all the truth serum.
[00:49:50] David Puner: That’s right.
[00:49:52] Udi Mokady: I should have had more time to play my guitar but not enough. I think incrementally more since we last met and it’s still my unfulfilled passion but this is a good reminder. This is like a note to self, Udi. This is your second time. David is asking you about this. You got to get better and do more. I’ve been studying some riffs, some comfortably numb solo from the wall that David Gilmour plays so well. That’s one of my favorites but not ready for live streaming yet.
[00:50:25] David Puner: All right, well maybe IMPACT 2025, see what happens.
[00:50:30] Udi Mokady: Yeah maybe. No promises. And in one of our internal events, I caught the band by surprise here. You remember we did our internal kickoff and there was a band and they said, “What do you want to go up with?” And I said, “Ziggy Stardust.”
[00:50:45] David Puner: Right.
[00:50:47] Udi Mokady: And it’s a very nice opening and they jumped on their feet and they made it happen. It was really exciting.
[00:50:55] David Puner: Yeah that was great. High energy. Liked it a lot.
[00:51:00] Udi Mokady: Yeah.
[00:51:02] David Puner: What’s on your playlist these days?
[00:51:05] Udi Mokady: I’m still very much classic rock. There is a new album by Mark Knopfler that I always loved him as a guitarist and Dire Straits. He just came out with a new album. Every time he touches the guitar it’s beautiful. The name of the record just left me but we can probably put it somewhere in the notes.
[00:51:25] David Puner: We will.
[00:51:27] Udi Mokady: It’s great for driving. It’s optimistic. A little bit more mellow than the solos in Dire Straits but he’s a fabulous guitarist.
[00:51:35] David Puner: Yeah he’s excellent and I was surprised to see or maybe disappointed to see recently that he no longer wears the headband, the sweatband.
[00:51:42] Udi Mokady: Oh yeah. Well, that’s a hair thing that we all have to kind of handle.
[00:51:47] David Puner: Well, sweat and hair, a combination of the two but yeah.
[00:51:50] Udi Mokady: Okay, it’s called One Deep River.
[00:51:55] David Puner: Nice. So to get back to aspirations and dreams and all that kind of stuff, what is your ultimate dream for CyberArk beyond where we are now?
[00:52:05] Udi Mokady: I think we have so much to go in terms of scale and global coverage. I think it’s important for a cybersecurity player to not become a supermarket of everything. I think it’s important to have platform companies that focus on what they’re good at and collaborate with each other. So no, I don’t have a dream of doing everything security. And I think those who do that are making an error. And we’ve seen the demise of companies who become like a supermarket of security. But I do want us to continue to grow beyond a mid-cap company to be a large-cap company out there with CyberArk logos in the Manhattan skyline, in the Tokyo skyline. That’s one of my big dreams. We’re 3,000 employees. I want to see us at 10,000 and beyond. But all while keeping the culture—that’s always my caveat. I want us to keep scaling, protect this brand of people who—everybody likes the CyberArk people. I protect that. Customers always, you know, they may have an issue, you know, nothing is perfect. You have a support call or whatever and you’re fixing it. And people always say, “Yeah, we had a support call. We fixed it. By the way, love your people.” That’s the ingredient to always protect. So we scaled it and protected the culture. I think we’ve done it so far with 3,000-plus employees but scaled it and protected this unique culture.
[00:53:40] David Puner: And is culture ultimately what you’re most proud of when it comes to the company?
[00:53:45] Udi Mokady: Yeah, it’s amazing. I had the opportunity this week to raise some toasts around the 25th anniversary and I genuinely, I’m most proud of the people. It’s very clear to me that it gets the highest grade. I’m most proud of the people and the culture multiplied by global. Like that’s kind of my formula. The CyberArk people multiplied by global. You didn’t do that. Like we didn’t do that in just very formal way-focused environments. Yeah, you got it in Boston, Israel. No, you pick a CyberArk person from anywhere around the world in more than a hundred countries and you’ll say, “Oh wow, they hired amazing people.” So that’s kind of how I view that. High-quality people, highly empathetic people with a sense of mission.
[00:54:30] David Puner: We have a people reputation, like a good people reputation.
[00:54:35] Udi Mokady: Yes, exactly.
[00:54:37] David Puner: And then what about you? What’s next for you as far as your own innovation? What’s next for you in your role?
[00:54:45] Udi Mokady: So again, I always say I’m not a serial entrepreneur. This is my baby. This is the company I founded, so I’m gonna stay active at CyberArk. And I’m able to also contribute more to the ecosystem. Like we talked earlier, like really mentor more and more startups. Some in cybersecurity but some not because I think it’s beneficial to CyberArk and the CyberArk customers that I’m able to get exposed to other things. Like I got some good exposure to companies dealing with other facets of AI and analytics and others and bring some of the learnings back. So yeah, be closely in touch with innovation. I would say give people the inspiration to go long, to build big but to always defend culture like fight arrogance with humility. And on top of that, I’m very passionate in how do we educate the younger generation to read real news sources and not get their news from TikTok and kind of reduce hate around the world? Get back a little bit to normalcy around what are facts? And all of these things. There’s a relationship to cybersecurity if you think about it. Like cybersecurity kind of protects the keys and assets. You know, we need to protect the truths of some things and I think it’s going to be a challenge for all of us to educate youngsters to not just get their news from TikTok.
[00:56:10] David Puner: That’s a really, really big one. I’m glad you mentioned that. But looking ahead to when you’re back on the podcast and not back on the podcast six months from now, which we’re going to try to do as opposed to waiting over a year, but when you’re back on the podcast 25 years from now in 2049 to commemorate CyberArk’s 50th anniversary.
[00:56:30] Udi Mokady: What episode would that be?
[00:56:35] David Puner: You know, that’ll go just like that as well. What kind of position would you like to see the company in and what would you like to be doing at that point other than hosting this yourself?
[00:56:50] Udi Mokady: No, no. I want to be here with you. And I wonder what the episode number would be. It’s kind of similar. I would really wish then, in some way, that we kind of predicted it today that we stuck to our values, that a lot of things have changed. Like we’re going to be talking, we’re going to have robots serving us that Greek sandwich that I talked about because they saw me think about the Greek sandwich and they’re already serving it here with an espresso which I’m also thinking about, you know I’m big on espresso, but a lot of things will change around us. But I want us to still, we as in CyberArk, be that well that that’s the trusted company. I talked to my board about they’re securing us against these challenges and the challenges may have changed and other things happened, but I want to be the one that you mentioned to the board of like “Yeah, we have CyberArk.” “Oh, do you have CyberArk?” “Yes, I have CyberArk.” “Okay, great.” You know, be that kind of company. And we’re working hard and innovating to continue to be that. And like we said earlier, “Oh, their people are amazing.” And maybe it’s 20,000, maybe it’s 50,000 people. I can’t do the math but “Oh, their people are amazing.” And so I want us to be able to talk about that. And me personally, yeah, hopefully staying energetic like I am, curious—curiosity is so important—having a growth mindset and yeah, always learning. I think that’s a big thing. Always be learning.
[00:58:00] David Puner: Udi Mokady. I think it’s espresso time. Thanks so much for coming back onto the podcast. Really appreciate it. It’s been great.
[00:58:10] Udi Mokady: A pleasure, David.
[00:58:12] David Puner: Thanks for listening to Trust Issues. If you liked this episode, please check out our back catalog for more conversations with cyber defenders and protectors. And don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. And let’s see. Oh yeah. Drop us a line if you feel so inclined: questions, comments, suggestions—which come to think of it are kind of like comments. Our email address is trustissues, all one word, at cyberark.com. See you next time.