Connect with us

Hi, what are you looking for?


Application Security

Security Startups: Interview with CipherPoint CEO Mike Fleck

Security Startups Feature on CipherPoint

Security Startups Feature on CipherPoint

Company: CipherPoint  |  Who: Mike Fleck, CEO

SecurityWeek: How did you start out in the computer field and in particular, security?

Mike: I’ve always been a generalist. I took some computer classes at high school since my dad told me that when I’ll graduate everything will be about computers. He was right. I started out doing database programming, and from there I moved to server operations. When you’re in server operations you’re monitoring and troubleshooting those environments – thinking how to configure them as well as how they break. Pretty soon you learn also how to secure the environment. It led me to doing network security for ISPs and Wall Street firms. In 2002 I moved over to the software side doing event correlation – basically the early days of SIEM. In time, I migrated more towards the information aspect of security, instead of networking and infrastructure.

Photo of Mike Fleck of CipherPointSecurityWeek: Why was CipherPoint founded?

Mike: The catalyst for starting the company was the understanding that enterprises are doing security in the storage and infrastructure level, even though they’re trying to get security to the more granular pieces of information. For example, 5-6 years ago the information you cared for was in databases. All the security tools available for you allowed securing the database, the operating system and the storage. But that was not really what needed to be secured. What you wanted was to get more control, and securing the access at the application level.

We saw the level of anxiety rise for SharePoint, the Cloud and user-empowered type platforms where the enterprises had significantly less control because of the Consumerization of IT. We started in 2010, and launched the product in mid-2011.

SecurityWeek: What does CipherPoint do?

Mike: CipherPoint identifies, secures and audits any application or Web application.

Advertisement. Scroll to continue reading.

The identify portion is an awareness component. This component looks into various platforms – SharePoint, shared drives, Office 365 – and locates sensitive and regulated information that a company has and where it resides. For example, I might have 8 TBs of data in there, but I have no idea where that sensitive information is.

The security piece is at-rest encryption. What we heard from enterprise accounts pertaining to the Cloud is that the enterprise wants to keep control around that information. They don’t necessarily want the provider to do the encryption as they want to own the encryption and the encryption key. Even on the on-premise solutions, such as in healthcare, there’s always the challenge of trust such as IT admins that should not see the data. The point is that enterprises are going to eventually put stuff in the Cloud and they don’t want to their providers to have access to it. The encryption really is there for blinding the infrastructure.

At the application level you want to control who accesses this data. That also drives the decryption, and from there, the logging and reporting.

We started to secure SharePoint and from there to Office 365, and then generically shared drives. The technology is generic and we decided that the first market to go to would be the Microsoft products.

SecurityWeek: What are common use-cases for your product?

Mike: We have two types of customers in terms of need: departmental and enterprise-wide.

Departments need a lot of security to modernize. The example I tend to use is the HR dept. They want to move away from FedEx, file cabinets and fax machines. However, there’s comfort in that process, as inefficient as it is. They see the locks; they know the fax is locked in a certain office; that the letters are sealed and shipped. We help customers modernize the HR flow – apps, docs, workflow – and do it in a way to secure the information so that only the HR sees it. The IT folks can see the infrastructure but they can’t see the info that HR is dealing with. In this case we’re enabling the business to save money which is unique in the security space.

Enterprises need the right amount of control – but very broadly. An example would be healthcare systems. These organizations might have SharePoint, they probably have users using Dropbox, Google Drive, and file shares. The IT department isn’t saying they shouldn’t necessarily stop it but to recognize that there’s a lot of risk. We allow them to move to a single platform such as Office 365, or to a few small platforms, that help people collaborate and share. They can do all of that sharing without IT getting involved, while IT gets to manage the risk in the enterprise.

SecurityWeek: What were your first steps starting out?

Mike: We patterned ourselves more like the companies in the SharePoint eco-system than security companies. In that industry there are lots of companies adding apps to SharePoint so it’s more transactional. We expected to do that too, but the biggest change for us was getting into very large accounts and dealing with a much overall solution. These accounts weren’t looking to add more budget, but recognized that they have a lot of unmanaged risk that they need to take control of and need a host of systems to secure it.

SecurityWeek: At what stage is CipherPoint now?

Mike: We’ve been shipping products for about two years. We’re also through our first round of equity funding. We have about 30 customers across the globe – mainly in North America, and some in EMEA.

SecurityWeek: What’s your business model?

Mike: We sell either by user or per server, depending on cloud versus on-premise. We’re primarily focused on channel and partnering with the people who are migrating enterprises to the Cloud or to document management systems.

SecurityWeek: Who are your biggest competitors?

Mike: The competitive field is split for us. We tend to see a company out of Sweden called CryptZone – they’ve recently changed direction, or increased their focus on the SharePoint segment, and have expanded to North America. On the Office 365 end, we really have that segment to ourselves. There are folks like CipherCloud but they really deal with the email component.  

SecurityWeek: Are you hiring and if so, what do you look for when you hire?

Mike: Currently, we’re looking for a senior software developer and a junior salesperson. Going into the first half of 2014 there’ll be a new big phase of hiring.

I look for three things: cultural fit, skill set and location. I specify location since in the earlier stages of the company life it’s easier for people to be in the office since so many important decisions happen dynamically. As you grow older you exhaust the local resources and have to open additional offices.

SecurityWeek: Any tips for other entrepreneurs starting out?

Mike: Know your limits. Being part of a founding team, and especially as a CEO of the startup, is going to expose every single one of your weaknesses – but also your strengths. You should know what you don’t know well, or shy away from, and build your team accordingly. For example, if you’re not too detail-oriented, surround yourself by people who are. If you don’t like cold-calling, hire someone who does. Also, you need to know that it’s not going to be necessarily glamorous. You do a lot of things you don’t want your team to spend time doing. At the early stage, CEO stands for Chief Everything Officer – I stole that from someone else – but it’s very indicative.

SecurityWeek: Other than yours, what is your favorite startup – whether it is in security or not?

Mike: Pairin. They do candidate screening. The way it works is they’ll take a profile of your top performers and then take candidates to fill in 10-minute forms. With that, they can benchmark those candidates against your top performers. No matter what stage at your company – getting hiring right is the most important part, and these guys have a good take at it. There’s great initial traction that what it does works.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.