Security Experts:

Security Startups: Interview with CipherPoint CEO Mike Fleck

Security Startups Feature on CipherPoint

Company: CipherPoint  |  Who: Mike Fleck, CEO

SecurityWeek: How did you start out in the computer field and in particular, security?

Mike: I’ve always been a generalist. I took some computer classes at high school since my dad told me that when I’ll graduate everything will be about computers. He was right. I started out doing database programming, and from there I moved to server operations. When you’re in server operations you’re monitoring and troubleshooting those environments - thinking how to configure them as well as how they break. Pretty soon you learn also how to secure the environment. It led me to doing network security for ISPs and Wall Street firms. In 2002 I moved over to the software side doing event correlation – basically the early days of SIEM. In time, I migrated more towards the information aspect of security, instead of networking and infrastructure.

Photo of Mike Fleck of CipherPointSecurityWeek: Why was CipherPoint founded?

Mike: The catalyst for starting the company was the understanding that enterprises are doing security in the storage and infrastructure level, even though they’re trying to get security to the more granular pieces of information. For example, 5-6 years ago the information you cared for was in databases. All the security tools available for you allowed securing the database, the operating system and the storage. But that was not really what needed to be secured. What you wanted was to get more control, and securing the access at the application level.

We saw the level of anxiety rise for SharePoint, the Cloud and user-empowered type platforms where the enterprises had significantly less control because of the Consumerization of IT. We started in 2010, and launched the product in mid-2011.

SecurityWeek: What does CipherPoint do?

Mike: CipherPoint identifies, secures and audits any application or Web application.

The identify portion is an awareness component. This component looks into various platforms – SharePoint, shared drives, Office 365 - and locates sensitive and regulated information that a company has and where it resides. For example, I might have 8 TBs of data in there, but I have no idea where that sensitive information is.

The security piece is at-rest encryption. What we heard from enterprise accounts pertaining to the Cloud is that the enterprise wants to keep control around that information. They don’t necessarily want the provider to do the encryption as they want to own the encryption and the encryption key. Even on the on-premise solutions, such as in healthcare, there’s always the challenge of trust such as IT admins that should not see the data. The point is that enterprises are going to eventually put stuff in the Cloud and they don’t want to their providers to have access to it. The encryption really is there for blinding the infrastructure.

At the application level you want to control who accesses this data. That also drives the decryption, and from there, the logging and reporting.

We started to secure SharePoint and from there to Office 365, and then generically shared drives. The technology is generic and we decided that the first market to go to would be the Microsoft products.

SecurityWeek: What are common use-cases for your product?

Mike: We have two types of customers in terms of need: departmental and enterprise-wide.

Departments need a lot of security to modernize. The example I tend to use is the HR dept. They want to move away from FedEx, file cabinets and fax machines. However, there’s comfort in that process, as inefficient as it is. They see the locks; they know the fax is locked in a certain office; that the letters are sealed and shipped. We help customers modernize the HR flow – apps, docs, workflow - and do it in a way to secure the information so that only the HR sees it. The IT folks can see the infrastructure but they can’t see the info that HR is dealing with. In this case we’re enabling the business to save money which is unique in the security space.

Enterprises need the right amount of control - but very broadly. An example would be healthcare systems. These organizations might have SharePoint, they probably have users using Dropbox, Google Drive, and file shares. The IT department isn’t saying they shouldn’t necessarily stop it but to recognize that there’s a lot of risk. We allow them to move to a single platform such as Office 365, or to a few small platforms, that help people collaborate and share. They can do all of that sharing without IT getting involved, while IT gets to manage the risk in the enterprise.

SecurityWeek: What were your first steps starting out?

Mike: We patterned ourselves more like the companies in the SharePoint eco-system than security companies. In that industry there are lots of companies adding apps to SharePoint so it’s more transactional. We expected to do that too, but the biggest change for us was getting into very large accounts and dealing with a much overall solution. These accounts weren’t looking to add more budget, but recognized that they have a lot of unmanaged risk that they need to take control of and need a host of systems to secure it.

SecurityWeek: At what stage is CipherPoint now?

Mike: We’ve been shipping products for about two years. We’re also through our first round of equity funding. We have about 30 customers across the globe – mainly in North America, and some in EMEA.

SecurityWeek: What’s your business model?

Mike: We sell either by user or per server, depending on cloud versus on-premise. We’re primarily focused on channel and partnering with the people who are migrating enterprises to the Cloud or to document management systems.

SecurityWeek: Who are your biggest competitors?

Mike: The competitive field is split for us. We tend to see a company out of Sweden called CryptZone – they’ve recently changed direction, or increased their focus on the SharePoint segment, and have expanded to North America. On the Office 365 end, we really have that segment to ourselves. There are folks like CipherCloud but they really deal with the email component.  

SecurityWeek: Are you hiring and if so, what do you look for when you hire?

Mike: Currently, we’re looking for a senior software developer and a junior salesperson. Going into the first half of 2014 there’ll be a new big phase of hiring.

I look for three things: cultural fit, skill set and location. I specify location since in the earlier stages of the company life it’s easier for people to be in the office since so many important decisions happen dynamically. As you grow older you exhaust the local resources and have to open additional offices.

SecurityWeek: Any tips for other entrepreneurs starting out?

Mike: Know your limits. Being part of a founding team, and especially as a CEO of the startup, is going to expose every single one of your weaknesses - but also your strengths. You should know what you don’t know well, or shy away from, and build your team accordingly. For example, if you’re not too detail-oriented, surround yourself by people who are. If you don’t like cold-calling, hire someone who does. Also, you need to know that it’s not going to be necessarily glamorous. You do a lot of things you don’t want your team to spend time doing. At the early stage, CEO stands for Chief Everything Officer - I stole that from someone else - but it’s very indicative.

SecurityWeek: Other than yours, what is your favorite startup – whether it is in security or not?

Mike: Pairin. They do candidate screening. The way it works is they’ll take a profile of your top performers and then take candidates to fill in 10-minute forms. With that, they can benchmark those candidates against your top performers. No matter what stage at your company – getting hiring right is the most important part, and these guys have a good take at it. There’s great initial traction that what it does works.

view counter
Noa is a private consultant specializing in building thought leadership teams within tech companies. She is one of SecurityWeek’s first columnists with previous columns focusing on trends in the threat landscape. Her current interest lie on the business-side of security. Noa has worked for Imperva as a Sr. Security Strategist and before that, as a Sr. Security Researcher. She holds a Masters in Computer Science (specializing in information security) from Tel-Aviv University.