The serial company founder and SC's CEO of the Year tells
Paul Fisher why he knew all along that data-centric security was the future.
We are on the top floor of the Mandarin Oriental hotel in
Knightsbridge. Shlomo Kramer's imposing frame is supported by a sofa in
the middle of the living area of the suite, which seemingly meets his
approval. He likes the view. Looking through the windows and out over
Hyde Park, Kramer asks if there is much fun to be had there - he is
bringing his family over for Passover, he says, and is looking for
activities for the kids. I can only think of horse riding and the
children's playground, probably not what he had in mind. The suggestion
is duly noted - with just an "OK". I feel I should have come up with
some better ideas.
You see, Kramer is one of the industry's
"faces". In 2006 he was named one of the top 20 people who changed
networking by Network World magazine. Together with Gil Shwed and
Marius Nacht he created Check Point and, with them, won the Israeli
Prime Minister's Award for Computer Software when the company they
founded in his grandmother's apartment was only four years old.
Nine
years on and Check Point was one of the world's leading security
companies, publicly traded and nicely profitable. But building one
great business was obviously not enough for Kramer and, in 2002, he
left to bring the world his new baby, Imperva. Why not just sit back
and watch Check Point grow further?
"I really like building
things. I enjoy the process of taking an idea I believe in and turning
it into market reality," Kramer says. "The last six years with Imperva
have been fantastic. There are a lot of sacrifices involved, especially
when your family lives in Israel and you travel all around the world,
but it's still worth it. Just the experience of building it and knowing
that you are defining the landscape of security."
This is
entrepreneurial stuff. While most of us can only dream of the fortune
that Kramer has already amassed, like so many other tech creators his
focus is on the creation of companies and the development of products
he believes in. He has interests in several other Israeli startups.
Wealth is, in the end, just a rather pleasant side effect of all this
activity.
"Being an entrepreneur is all about, on the one hand,
trusting yourself and saying: 'what's out there is wrong and what I'm
doing is right', but also not being too full of yourself," explains
Kramer. "If you're a young entrepreneur, you don't know everything, and
you can't invent everything, you can't re-invent all the wheels - just
invent one new wheel and accept the others," he says. "So you still
need to be a system person, a bit of a rebel and maintain that balance
to create something powerful." Sounds easy.
Imperva is already a
global company, he says, with 170 employees in 11 countries. The HQ is,
of course, in Israel, with the marketing functions centred on Silicon
Valley. Few would bet against Imperva emulating the success of Check
Point anyway, but this time Kramer is gambling that the world is moving
to Imperva's raison d'être - data-centric security - and he thinks he's
got a six-year head start on the competition.
"When we started
in 2002, not much of the market understood what we were doing. Data
security was seen as far-fetched because everybody was talking about
worms and broad attacks," he says. "Today data-centric security is
emerging as a recognised category."
Yes, but the information
security business is prone to cyclical shifts in thinking, new
marketing concepts and trends, old technology in new acronyms. What's
really different about the data-centric approach?
Kramer uses
PCI to illustrate: "To become PCI-compliant you need to do various
things across the entire data centre. You need to have a database
activity monitoring solution, you need to have a web application
firewall etc. But the bottom line is: 'I've got the credit-card
details, what do I have to do in order to protect them?' We need to
shift from the infrastructure approach.
"PCI compliance is at
the epicentre of what we are doing. It's a total validation of our
mission, but PCI is just the tip of the iceberg," he continues. "You
have to ask yourself: why just protect credit-card data, what's special
about it? There will be other types of security regulation. What you
need to do is not unique to credit cards, you can take that and apply
it to patient information, or financial information, or just general
corporate intellectual property."
In the midst of all this he
mentions the firewall, but isn't he now more famous for saying the
firewall is dead? "No," he insists, "what I'm saying is that the
network firewall is far from being enough. It doesn't address the
really new challenges around security, the targeted attacks on your
data, on your business processes, the fact that your internal
privileged users have a lot of temptation to steal data and sell it on
the black market. And the fact that regulation requires you to have
visibility in controlling two levels of your business has nothing to do
with the network firewall."
He explains that over the past 15
years, security has really moved on from a networking plane, much
closer to the business and to the data itself. Many would agree - so
how far is the customer base buying into the new approach? Kramer
brings out the statistics to make his case.
"We have more than
400 customers worldwide. We grew 100 per cent last year. We are
definitely ahead of all the competition. We are the only ones that
provide the broader solution," he claims. Then, in a subtle dig at the
analyst community, and perhaps some of his rivals, he says he wants the
"thought leaders" to catch up with his enlightened customers.
Well,
what kind of enlightenment is he talking about? "We monitor the access
to the database, we monitor the access to the data on the network. And,
by monitoring real traffic, we build a model that says you are, for
example, the marketing analyst of the organisation. You access the
database as a user of these applications at these times of day; you use
these areas, these tables in the database, doing these operations. If
one day, in the middle of the night, you go with a different
application and pull all the credit cards off the database, completely
different area of information, then this is a violation of your data
scope, so this will be alerted and probably blocked."
So it's
more about control and the flow of data, but what about protecting data
from malware and corruption? I suggest that, at the moment, we seem to
be almost at the point where security professionals are starting to
say: we can't do it; the old approach isn't working anymore. Kramer has
a surprising take on this: yes, they're right, he thinks, we have failed,
but so what?
He reveals that he is an investor in a company
called Trusteer, which turns accepted anti-malware practice on its
head. Instead of trying to clean viruses and malware off your computer,
you just don't bother. "There are simply too many of them, it's
unmanageable. You're just piling additional negative logic onto
negative logic; it's not going anywhere," he states. "So, there's a new
approach that says: 'we'll assume your computer is contaminated, it has
bad stuff on it and, even though it does, we will enable you to do
secure transactions using that computer.' This then is the positive
logic that ensures you work securely."
But isn't that kind of
like saying the malware writers can do what they like ... Kramer cuts
in: "But this is a secure channel, it's almost like SSL, somebody can
try to tap the network and eavesdrop, but I have a secure channel that
is encrypted and nobody can penetrate that. So I've got this secure
channel between me and my online banking application, so even if there
is malware on the computer it can't penetrate that channel," he says.
That,
of course, is a solution for a specific application; consumers looking
to connect securely with their banks. But how far does this theory
extend into other business applications? In an interview with Red
Herring, a US tech magazine for the VC community, Kramer said that
encryption was only useful at the database layer. What did he mean?
"Encryption
is excellent if your laptop is stolen. But to use it to control access
to data has, over the years, proved to be an ineffective, complex and
very expensive method and, quite simply, we don't see organisations
doing that anymore. Encryption is a nice word; it has this 'if it's
encrypted it's secure and all my problems are solved' feeling attached
to it. But it's not a silver bullet. You really need to understand what
it is good for and what it isn't. And it just so happens that it is not
good for access control," he explains.
One event
that separates the tech men from the boys is a recession; something the
sages of Wall Street say is pretty much underway in the US. Is Kramer
aware that customers are cutting back on spending as belts are
tightened? His answer is not altogether reassuring.
"First of
all, there are two things: what people are saying and what they are
doing. We are not feeling any slowdown - a quarter of our business is
in the financial sector and insurance, and that's going very well," he
says.
"Yet, when I talk with IT executives, they all tell me
they are going to cut the IT budget by 15 per cent, back to 2005
levels. But in the same sentence they are saying they need to protect
the infrastructure. So, I'm not sure how much of it really addresses
our category. That said, we are being very careful and continuing to
monitor the market situation. But for now, everything is going great,"
he claims.
Well he would say that, but Kramer's record proves he
is smart enough to know that those who survive a slowdown are those who
think ahead. And smart enough to act on that thinking. And so he is
already looking beyond the data centre and to what he calls the third
element of data protection: outside the organisation and in the cloud.
"I
think data lifecycle management (DLM) got a very bad reputation over
the years," he says. "It was implemented using heavy enterprise
systems, centred within the organisation. But DLM will be the third
generation of security now, with actual securities built into the data
itself." And Kramer does, of course, have "some companies working on
some novel solutions" for the next generation of DLM.
He doesn't
envisage an end to innovation or an end to what he calls the arms race
with the hackers. Unlike many, he does not see the industry reaching any
great degree of so-called maturity. Nor do you sense that he would seek such a state of affairs.
Instead he relishes the years ahead.
"This is not the car
industry, right? This is an industry that's constantly being
challenged. It's like the Red Queen's Race, where you have to run as
fast as you can, just to stay in the same place," he says, referring to
the evolutionary and economic theories that take their name from Lewis
Carroll's Alice books.
So it's tough out there and likely to get
tougher. But Kramer's no wallflower. His will be a presence to be
reckoned with. If that means taking on his former partners at Check
Point, then so be it. "I don't know how they feel about it, but I don't
think about us as competitors. We've got hundreds of opportunities in
the pipeline, and almost all of them have a competitor. Some of them are
much bigger companies, F5 or Citrix for example. So, in a very
practical way, I can't call Check Point a competitor. But it's very
subjective; perhaps they view us as a competitor ... " he muses.