Exclusive Interview: Vincent Goh, SVP Sales, CyberArk

Smart cities with IoT products in buildings and high rates of digital financial transactions will require a deep level of cybersecurity integration, which system integrators have to understand. Vincent Goh,   SVP, Sales, APAC & Japan, CyberArk discusses some of the security solutions needs in this interaction with us.

What is your company doing about the smart cities’ evolution in India?          

Generally, we are involved with smart city initiatives across the world.  We found that people look at smart cities in different ways. Automation generally plays a huge role, but the picture varies; some countries are more into transport, others focus on different sectors. But genuinely I think it’s fair to say that what used to be more human-involved and human-oriented, is becoming automated. I went to Estonia last year - a country that is really advancing the smart cities ideal - and eachcitizen has an E-identity card, which can perform multiple services. The government as an entity is driving these policies.

Aside from being involved in smart cities, I’ve been in the industry for 27 years, working for companies like EMC and RSA, and in the last 10 years I’ve been in cybersecurity. And it was really a world apart if I see what we used to do 10 years ago versus now.

Over the years I have been travelling to India regularly as part of my job, and now as with previous companies I’ve had a fairly substantial team in the country. And what I’ve observed is that there’s a lot of innovation going on, in areas like cloud and mobility and, latterly, big data. Now, with smart cities, what is important is that any money invested to support innovation in this area must, ultimately, transform society. That’s the overriding goal. But what we see from the security perspective, from smart TVs to any other ideas and solutions that will be used in smart cities, is that a lot of times the solution provider does not really think about security.

I believe that everyone involved with cybersecurity must raise awareness and raise concern on any kind of innovation to make sure that people keep security in mind. This is Because 10 to 15 years ago people didn’t want to talk about security. They used to say that security’s like the brakes on a Ferrari. It slows down the car. It slows down any innovation because everybody’s thinking about safety. But we learned that if you have a Ferrari and you don’t have brakes, it actually limits how fast you are going to drive. So, realistically, you need to have brakes. In fact, the tables are turned. If you know that your car has brakes you’re willing to push it even faster because you know you have the ability to slow it down. So if you think about innovation, that’s the angle that feeds into the cybersecurity conversation. Rather than seeing it as negative, see it actually as a positive. This is very important for smart city projects.

I look at smart cities in the same way.  We recently did a threat landscape survey that surveyed a thousand respondents across the world. And all of them work in security. We saw that the vast majority of respondents know that the IT environment is not well locked down. Security is just not being controlled. They recognise that and even go into sub-topics like cloud, DevOps, IoT etcetera. It’s good that they see this and are thinking about how to lock down IoT. The kind of work that we are doing with threat landscape surveys and reports raises awareness to users who are in the field building and developing smart cities. They need to understand that most people haven’t really thought about how to lock down IoT. If I’m a government agency and I’m deploying all kinds of IoT for citizens, then the question must be ‘how do you ensure that these services are safe?’ Because citizens are just going to use services in a way that doesn’t really take into account security. It’s the same as when we install an app on our phone, we will click yes to everything, because that’s the easiest way. And in doing so, we give the app all the access that the app is asking for. And we all know that this is not always a good thing.

That’s a big question because frankly, in my years in the industry, even in my previous role, working with organisations and government in this country, I felt that the Indian government is advanced in terms of setting the cybersecurity agenda, establishing cybersecurity agencies that look into how to ensure that security is at the forefront when we think about what technologies are out there and what are the ways that people can address certain problems.

In other countries I’ve worked in I’ve seen that authorities can be a lot less eager to do something about cybersecurity issues. I think in India government agencies are quite forward-looking. In fact, many years back in a previous company, we were part of the project for UID. It was a very big project that involved a lot of work and a lot of thought about how to lock down security and ensure things are safe. So I will say that, India is above average in my experience.

Yes. When you use the online transaction system we have an extra layer of security which even many western countries do not have

We invited the head of the project to speak at the RSA conference in San Francisco in front of 30,000 people. He talked about the UID project and about some of the thoughts and considerations that went into it. The fact that we were part of a project that is really revolutionising the life of citizens of India was quite exciting. It’s easy to look into a customer’s problem and sell them a solution. But it’s another thing to impact people at that level in a smart cities project.

People in rural areas of India had to travel days and nights just to collect some money from the government and they spent almost one third of this money simply to pay the transport fee for travelling back and forth. And now there is UID. This enabled them to get the money from a much closer place, saving travel time and money. This benefited their lives. Such a project shows how cybersecurity can be a real positive to a project.

With the IOT products coming in, there’s a rising concern that since this IOT will connect every product with the internet, the cybersecurity threats are going to rise because the manufacturers are in a hurry to release the products in the market without taking security concerns into consideration. So are you taking some measures? Are you launching any products or solutions for this concern?

I’d like to share with you a bit of background from my perspective. In the 80s and 90s it began with viruses that disrupted networks because the networks were connected to the Internet. This demolished the defences put in place by the network security guys. And then when you have a VPN in the corporate network you are safer, because they allow a secure connection to the Internet. But with mobile phones, for the most part we don’t have VPN. We just access the network using an agent on Outlook and bypass the VPN. And if you think of IOT, I think we just took that to the next level. Because you can take a smart monitor, or a temperature detector in a meeting room that connects to the internet and understands the environment – all these devices are connected to the Internet to receive information. Trying to lock down every single device is impossible, even if you are trying to do this, which most people don’t. There’s no way to enforce all these devices, even if manufacturers have made an effort to allow this. You can try setting the cybersecurity standards or law, but you can’t enforce it. How are you going to go out and check one million devices? Even if you managed that, they run on software, software gets upgraded, and then we’re back at square one.

There’s no way you can actually secure these devices effectively. So what we do is provide a solution that instead looks at what the devices try to do.  To get anywhere important within an organisation you need the right credentials, and CyberArk manages and secures these. Using an example, in times gone by, armies attacked the castle and to defend the castle, there’s a strong perimeter – walls, a moat, soldiers. But once these were breached, it was game over, the crown jewels are gone.

That’s how organisations used to treat cybersecurity.  But now we’re finding that organisations are starting to realise that it doesn’t work – the perimeter as we knew it doesn’t exist, especially with mobile workers, the cloud and so on. So CyberArk have always said to customers that we only care about what’s inside. We don’t want to think about perimeter, that’s someone else’s job. That’s Checkpoint’s job. That’s Palo Alto’s job. We look at what’s inside because we believe that it doesn’t matter what you do at the perimeter, ultimately attackers will get in. We protect the credentials that guard access to the crown jewels. We stop people or devices that shouldn’t be able to from accessing the crown jewels.

So as we go around seeing government customers, banking customers and many of the Indian SIs who are international players, they have completely bought into this, they understand it’s so hard to protect the perimeter in the old way anymore. And that plays right into our strength.

So you are working with the Government enterprises and also System Integrators?

Yes. system integrators use us themselves and also implement CyberArk for the clients that they serve.

And if the System Integrator wants to work with you, what is the way? Is there any standardisation?

In fact most, if not all the system integrators in India already either are our clients or our contacts. We have been doing business with them for years now. The way we work with them is no different from how we work with other partners. First of all, they register their interest either by sending us an email on our website or they talk to one of our distributors or partners to get a contact directly with us. Sometimes they are our customers who use our solution to protect themselves, which is the case for many of them in India. And they are also using our solution to protect their clients. But primarily many of them are managed service providers, using CyberArk to protect privileged credentials.

And do you give any incentives or do you have some sharing system with them?

Of course. Number one, we have a global partner programme. What it takes to achieve incentives is written in the agreement we have between us. The other thing that we’ve done that is a little bit unique is that we are very focused on the training of clients. In fact, for the last few years we have been providing free training.

Free training?

Yes. Most vendors will charge for training. We provide free training to partners and it comes online and also in classroom mode, where we have trainers coming in to do the training. And in the end, our partners will have you take your certification test in order to be qualified as a trained engineer or a presales engineer. And we do not have services to compete with them, unlike certain vendors that have their own services that compete with the partners’ services.

After sometime they try to avoid the partners

Right. That’s very natural because everybody loves to get service from the source; that’s the reality. So we have intentionally not developed services that are identical or compete with what partners are offering. That is because we wanted our partners to be confident that whatever investment they give in training, they are going to get the benefit. We want to avoid training a person and then he or she never actually gets used because customers always go to the vendor. We have to first make sure that we don’t compete with our partners. And second is, we have to show them that we’re committed to giving the training, so that there’s really no reason for them to feel apprehensive.

As this technology is evolving, how are you going to upgrade security to keep pace with it?

That’s a very good question. As a company, we sit down every three months and we spend time talking about how the outside world has evolved and how’s it going to affect us. We have a department of people who look into the development of the company. And every year we need to present to the board directors about some of the things that we’re going to do. So, every year we will see each other every quarter, we will meet once, but there’s a team that is responsible for this every day.

Are you also investing in R&D?

Oh, actually we publicly announced that we invest 14% of our earnings into R&D.

Where are your R&D centres?

It’s mainly in Israel where our headquarters is. In Israel there are, I think, probably 700-800 companies right now involved in cybersecurity. Every year in February-March, there’s an event called CyberTech and it’s usually held in Tel Aviv. It’s one of the most well-attended cybersecurity events today in the world.

Without a doubt, we want to make India an R&D centre. In fact, in my previous company, we had a centre of excellence here; we had approximately 600-700 employees here. And a lot of these are doing R&D. I think personally, I have no doubt that it’s a plan. When you have 1.3 billion people, that’s an awful lot of R&D expertise to potentially choose from.