It’s been a tough year—especially for technology and cybersecurity companies. There have been massive layoffs at Meta (Facebook), Twitter, and Amazon, as well as a number of high-profile startups like Lacework and Cybereason. Despite the challenging economic and market conditions, though, companies like CyberArk continue to thrive and grow.
In early November, CyberArk shared its quarterly performance results for Q3 and they were impressive—especially considering the cutbacks and layoffs at other tech companies.
Subscription revenue was $74.2 million for the third quarter of 2022—a 110% increase from Q3 2021. CyberArk also had a strong quarter in terms of growing its customer base with nearly 230 new customers added.
CyberArk’s annual recurring revenue (ARR) increased 49% year-over-year to more than half a billion ($512 million). $301 million of that figure is from subscription revenue, which was 117% more than 2021, and $211 million is from maintenance revenue—a modest increase over last year.
“Strong demand for our Identity Security platform centered on intelligent privilege controls continues to fuel our growth and demonstrates the durability of demand for our solutions,” said Udi Mokady, CyberArk Chairman and CEO, in a CyberArk press release. “Digital transformation, the adoption of Zero Trust strategies, and the heightened threat landscape are pushing identity security to the top of priority lists for Chief Information Security Officers.”
To underscore the strong performance and momentum, CyberArk was named a Leader in the newly released 2022 Gartner® Magic Quadrant™ for Access Management. CyberArk is also recognized as a Leader in the 2022 Gartner® Magic Quadrant™ for Privileged Access Management, making it the only company to be recognized as a Leader in both reports.
Identity Security is Crucial
The thing that drives CyberArk’s success is that identity is the very foundation of cybersecurity, and identity security is getting a lot of attention. Threat actors have a diverse array of tools and tactics at their disposal, but where the rubber meets the road identity is almost always involved in some way. An organization that can maintain identity hygiene and identity security can significantly reduce its exposed attack surface and improve its overall security posture.
Having an accurate inventory of accounts and which have privileged access, and being able to prevent unauthorized access to those identities is essential for effective protection. Attacks like the Colonial Pipeline attack in the summer of 2021, and the Uber attack in September of this year used compromised VPN accounts to gain initial access.
Uber made headlines again recently with a second breach in just the last few months. According to a report from Dark Reading, “Uber has suffered yet another high-profile data leak that exposed sensitive employee and company data. This time, attackers breached the company by compromising an Amazon Web Services (AWS) cloud server used by a third party that provides Uber with asset management and tracking services.
Overcoming MFA Fatigue
I spoke with Mokady about CyberArk’s momentum. We talked about the increased relevance and importance of identity security, as well as some of the challenges, like MFA fatigue.
Many—perhaps most—organizations have adopted some variation of two-factor or multi-factor authentication as a means of improving identity security. However, just as security analysts are sometimes overwhelmed by alerts, MFA fatigue is becoming an issue as well. With so many devices, applications, and services asking for additional authentication, some users are inclined to just click without thinking—and threat actors are aware of this behavior and starting to take advantage of it.
Mokady explained, “We want there to be like processes where you’re not just creating lists of to-dos but prioritizing based on reducing the most amount of risk and the least amount of time. Customers love that because they’re getting so much noise from so many places.”
He also shared, “There’s going to be a continuous movement where the attackers try to go through the front door and we have to assume they may succeed. That’s why it’s important to have that assume breach mindset and defense in depth.”
The Road Ahead
As we head into 2023, identity security will continue to play a central role in defending against attacks.
Mokady noted the increased geopolitical tension around the world and cautioned that CyberArk is seeing a heightened threat based on those conditions. “There’s no country that feels that it is isolated from it. There’s no vertical that feels isolated from it.”
He also stressed that ransomware attacks will continue to be a primary threat.
The threat landscape will continue to expand and threat actors will continue to adapt and evolve, but Mokady believes CyberArk is up for the challenge. “We think we are going to be able to minimize the risk and impact for customers.”