Cyber-Ark Software

Cyber-Ark Software develops and markets digital vaults for securing and managing sensitive information within and across global enterprise networks. The company’s Enterprise Password Vault™ provides a tamper-proof secure repository for storing highly sensitive information, such as administrator or “privileged” user passwords. Privileged passwords are the non-personal, shared passwords that exist in virtually every device or software application in an enterprise, such as Root on a UNIX server, Administrator on a Windows workstation, and an Application ID used by a script to connect to.

The Challenge

While Cyber-Ark had found a way to close a critical information security weakness by securing privileged passwords, many companies were unaware that the improper management of these passwords left them vulnerable. Research by CERT showed that more than 80 percent of insider threats are perpetrated by people with privileged access. Despite this alarming statistic, many analysts and reporters had not heard that this issue was a problem. Thus, there was no specialized category for the Enterprise Password Vault solution in technical publications. Most enterprises recognized identity management as a solution to manage individual passwords, not for assigning IDs and passwords for applications.

Cyber-Ark sought to extend this definition to include the provisioning and management of unique user identities, controlling how individuals use their individual identities to access and utilize information systems – a new market segment called Privileged Password Management.

While Cyber-Ark had a number of enterprise customers that could share first-hand experience with how their security had been breached, most of them did not want to speak with the media because they felt it would compromise their market standing. Thus, we had to “up-level” the discussion and bring to light real-life issues inside these organizations, without revealing their identities.

These issues made it imperative that PAN and Cyber-Ark educate the market and set the stage before embarking on promotion of the Enterprise Password Vault product. To that end, PAN and Cyber-Ark worked together to carve out a strategy to define this unique market called Privileged Password Management for the new, extended identity management solutions.

The Approach

While IT managers knew full well that they were not changing passwords on a regular basis, C-level executives were unaware of this security hole. Cyber-Ark knew that in order to garner some ‘fear’ from the enterprise IT and audit communities, it needed to showcase the real threat that existed inside of organizations from privileged password breaches. To that end, the team made a strategic decision to stay away from discussing the Cyber-Ark product, and focus on the security problem at hand.

To gain validation for this new market category, PAN began conducting briefings with key analysts at Gartner, IDC, and others, as well as technical reporters, sharing pain points that customers (anonymously) had shared. In conjunction with this outreach, the team fed the analyst community information on the market opportunity based on technical integrations and data losses.

Next, PAN initiated a byline program within financial and technical publications to position Cyber-Ark as a thought leader in this newly created market to get business leaders to recognize the nature of these identity management challenges. PAN also decided to execute a grassroots PR campaign to leverage news stories about security violations to gain the attention of those within the audit communities and also those associated with a number of industry organizations such as ISACA.

To raise awareness of the impact that lack of proper management of privileged passwords can have on businesses, the PAN/Cyber-Ark team knew it needed to also raise awareness among individuals in charge of conducting internal audits, educating them about the connection between password management and Sarbanes-Oxley compliance. Since many organizations were failing audits, the team leveraged bylined articles in compliance and financial services publications as well as speaking positions with auditing committees such as ISACA, discussing how Section 404 of Sarbanes-Oxley requires enterprises to verify passwords and change them regularly at the application level.

Simultaneously, the team devised a “road show” campaign in which it would submit Cyber-Ark executives to speak at regional and national events hosted by financial services and audit organizations, to raise awareness of the security and compliance threat posed by the mismanagement of privileged passwords – no small feat, given that Cyber-Ark was a relatively unknown name on the speaking circuit.

The Results

This campaign resulted in significant momentum and recognition from analysts and reporters including the following kudos:

• "Cyber-Ark is fulfilling a pressing need in the market for the extension of secure identity management solutions" - Sally Hudson, IDC
• Enterprise Password Vault receives an “A” for Effectiveness – Tom Bowers, Information Security Magazine
• Enterprise Password Vault awarded a Four Star Rating – Justin Peltier, SC Magazine
• “The use of embedded passwords in systems is becoming one of the reasons organizations fail technology audits… Enterprise Password Vault successfully addresses these issues.” – Mark Blowers, The Butler Group

After more than 20 briefings with tier one and two analysts around the topic of Privileged Password Management, both Gartner and IDC wrote the industry’s first notes on the topic, bringing the issue to the forefront. Recent reports titled “Privileged Password Management: Combating the Insider Threat and Meeting Compliance Regulations for the Enterprise” from IDC and “Toolkit: Password Management Tools for Shared Accounts and Service Accounts" from Gartner were issued late in 2006 and early 2007 respectively.

As a result of the PR campaigns, Cyber-Ark dwarfed the competition in terms of PR recognition in 2006 and quadrupled Cyber-Ark’s coverage from the year before with a total of 51 media hits, including 3 product reviews in Information Security, SC Magazine and Network Computing.

• Information Security Magazine– Enterprise Password Vault 4.0 – February 2007
• Security Products – It’s Been a Privilege – February 2007
• CRM Today – Enterprises Losing Millions Due to Mismanagement of Privileged Passwords – Feb. 2, 2007
• SC Magazine – Group Test: Identity Management – February 2007
• Wall Street and Technology – Slacking on Security – Nov. 6, 2006
• IT Audit – Survey Reveals Companies Are Not Updating Their Privileged Passwords – Nov. 10, 2006
• Network Computing – Rollout: Cyber-Ark’s Enterprise Password Vault – Dec. 1, 2006
• Wall Street & Technology – Enhanced Password Security – Nov. 30, 2006
• Network World – “Identity management and its relationship to information management” – November 13
• eWeek – Managing Identities Securely (blog) – October 30
• Sarbanes-Oxley Compliance Journal – Unified View of Privileged Passwords Across an Enterprise – October 26
• Computerworld – Network Security Console Choice Grows – October 20

The team also secured the following speaking opportunities for 2007:

• ISACA New England Breakfast Seminar – March 21, 2007 “Privileged Password Management
• Data Protection Summit 2007 – March 15, 2007 Compliance Track: “Steps to Managing Privileged Passwords”
• IIA Information Technology 2007 – April 23-25, 2007 “Managing Privileged Passwords: Effectively Preparing for Audits and Compliance”
• ITFMA World of IT Financial Management Conference – June 25-29, 2007 “Managing Privileged Passwords for Easier Audits and Compliance”

Once the team had established the fact that privileged passwords were a pressing security problem, they were then able to begin promoting Cyber-Ark’s Enterprise Password Vault, demonstrating how it made IT manager’s lives easier and supported compliance efforts by automating the provisioning and changing of passwords. Further, the company has been able to coax prominent customers such as Children’s Hospital to speak about the success they have achieved with Enterprise Password Vault.

For its work on behalf of Cyber-Ark, PAN won the 2007 Publicity Club of New England Bell Ringer award for Best Hi-tech Business-to-Business Campaign. More importantly, the PR results sparked tremendous growth for Cyber-Ark. The company saw an enormous upturn in business in 2006 and during the second half of the year in particular with a 100 percent increase in its customer base and with revenues increasing three fold. Cyber-Ark also added more than 100 new customers in the US, Israel and Europe, and is seeing a growing demand for its products in the Asia Pacific region. Companies including Bank of England, PCAOB, Capital One, People’s Energy, Temple-Inland, ConAgra Foods and Sentry Insurance are experiencing an immediate return on investment through their use of Enterprise Password Vault.

Today, there is a well recognized market for privileged password management, and the benefits of solutions such as and specifically Cyber-Ark’s Enterprise Password Vault are recognized as a need within the IT community today. In addition to Enterprise Password Vault’s continued success in banking and financial services, a significant number of Fortune 1000 companies across a new range of industries, from energy and retail to telecommunications and pharmaceutical sectors, are investing in Enterprise Password to manage and secure their privileged passwords.