Israeli Cyber Security Company Is Enjoying Double-digit Growth

Backed by the JVP Fund and a dot-com bust survivor, the network security company is enjoying double-digit growth.

The people at Jerusalem Venture Partners had good reason to smile earlier this month when Avago Technologies announced its $400 million buyout of CyOptics. JVP had a role in establishing CyOptics in 1999 and was the only investor nurturing the company all the way to its exit.

Cyber-Ark Software, also founded in 1999, weathered the dot-com crisis, too − with the help of JVP − and is another of its companies exhibiting signs of success. Will JVP’s persistence pay off again?

One of Israel’s largest data security companies, Cyber-Ark was cofounded by Alon Cohen and Ehud “Udi” Mokady. At the outset, the company developed software for interorganizational transfer of sensitive information, i.e., it ensures that only the right people have access to certain information and applications. Revenues grew, but not at a quick enough pace.

In 2006, the company accepted a $4 million loan from the Plenus Fund and changed its business focus. Using its homegrown technology, Cyber-Ark developed a system for managing organizational network access. Seven years later, the company is growing at an annual 30% to 40% clip with 1,300 clients, including about 40 of the Fortune 100 companies. Cyber-Ark projects its 2013 revenues as exceeding $100 million.

“The subject that concerned organizations in 2006 was privileged accounts − accounts given access to all types of information,” explains CEO Mokady. “These accounts uprooted the organizational hierarchy. An IT person with such privileges had access to all servers at all administrative levels. That created a problem, particularly in light of recently developed regulations like the Sarbanes-Oxley Act.”

Within several years Cyber-Ark achieved market leadership in the field of system-administrative account management against rivals like M-Tech, which was acquired by Hitachi; BeyondIT; and CA Technologies. Its big breakthrough, though, occurred more recently.

“Changes in the cyberspace arena overturned our business environment,” says Mokady. “The system we developed became very relevant to the type of attacks taking place nowadays. Whereas the market we operated in was worth $500 million, the cyber world is a market worth billions.”

One prominent example of the process Mokady describes is the breach of servers belonging to the data security company RSA through emails directed at certain employers. By infiltrating company computers with relatively low security clearance, the hackers were able to reach higher levels of authorization through administrative accounts that, in many cases, allowed access to all the organization’s systems.

“The moment you hold this type of authorization, the entire organization is effectively at your disposal,” Mokady notes. “For example, you can change the set of rules controlling privileges securing entry to organizational systems.”

With 270 employees − including 150 in Israel − and 14 years in business, Cyber-Ark can no longer be considered a startup.

The company is now looking toward rapid growth, including through acquisitions. In the past the company was said to have plans to go public, but Mokady says a share offering doesn’t currently rank high on its agenda.

Breathing room

A $40 million round of investment in 2011 changed the map of shareholders and gave Cyber-Ark room to breathe − although it was already profitable, according to Mokady. More than half the sum was used to buy out earlier investors, including some of its founders. JVP now owns over 40% of the company. “The significance of this round of raising capital is that the company doesn’t need to pursue an exit under pressure from shareholders,” he adds.

“In 2011, tension was building up in a considerable number of companies that went through the 2008-2009 crisis,” says Gadi Tirosh, a managing partner at JVP and appointed chairman of Cyber-Ark when the 2011 round of funding led by Goldman Sachs was completed.

“Some investors grew tired and wanted out. At this stage, private equity firms usually enter the picture. From our perspective the investment creates a healthy working platform. It’s important to allow initiators to come in contact with the money before an exit. It provides the breathing room needed for building the company.

“It isn’t easy creating a company in the area of cyberspace, or even information security in general, because of the consolidation in this field and sensitivity in large organizations,” Tirosh elaborates. “Cyber-Ark has now reached a size that allows it to also become a platform for distributing additional products. In our view, it is now on the verge of taking off.”

Shattering of paradigms

Cyber-Ark is the largest information security company in JVP’s investment portfolio, but the firm has concrete plans to considerably expand its investment in this field. JVP, one of the winners of the Chief Scientist’s tender for incubators that closed six months ago, is setting up a cyberspace incubator together with Ben-Gurion University of the Negev, Be’er Sheva, with the aim of investing in four companies every year.

Unlike the normal investment under the Chief Scientist’s incubator program − NIS 2 million in a company for two years − JVP is investing about $1.5 million in its companies, in addition to NIS 1.6 million from the chief scientist’s office.

As part of its efforts to further its cyberspace activity, JVP recently recruited Nimrod Kozlovski as partner for its cyber incubator. Kozlovski serves as head of the cyber program at the Tel Aviv University School of Business Administration.

“For 15 years we have seen more of the same in the field of information security,” says Kozlovski. “Information security companies focused on protecting the outer boundaries of the organization in order to prevent entry by undesirable elements and outbound leakage of information. The idea was to establish heuristics − sets of rules to identify an attack or illegal action based on similar occurrences in the past.

“Such approaches were suited to an environment where organizational computing services were self-contained,” says Kozlovski. “The change in the technological environment − the smartphone and mobile device revolution, cloud-based services, the use of employee-owned computers, tablets and smartphones for work, and the need to unlock the systems − shattered these paradigms. Whereas a user who sent himself files to an outside account once constituted a security threat, today this is often a daily occurrence.”

Many startups have stepped in to plug the resulting void in organizational security needs. After years of little activity, in the past 18 months 45 new companies sprung up in Israel in the cyber field.

Investing in incubator companies requires JVP’s partners to locate companies in their infancy, usually when the company is nothing but an idea held by its creators. “The interesting part is identifying groups of entrepreneurs flying under the radar,” says Yoav Tzruya, JVP’s incubator partner at Be’er Sheva. “This is a major part of the work: Meeting with entrepreneurs even before they know about establishing a company − in the academic world, for instance.”

Emil Salman
Ofer Vaknin