Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Ruvi Kitov. He is the co-founder, chairman and CEO of Tufin. Good morning, Ruvi. How are you?
Ruvi Kitov: I am very good. Thank you very much, Michael, for having me on.
Novinson: You're very welcome. It's been a big year for Tufin. Just about two weeks ago, you were acquired by Turn/River Capital for $570 million, taking the company private. What's the significance of that acquisition for your customers and your partners?
Kitov: It's a significant acquisition for the company in general. The company was founded 18 years ago. It was private for a long time and then we went public in April 2019. We were public for about three years and then we got acquired by Turn/River and closing took place about a week ago. For customers and partners, some of the changes that we started making are going to accelerate. The move to subscription announced early 2021, we're going to accelerate that transition. That's important because subscription allows us to have more consistent recurring revenue. But customers have a way with vendors to monitor what's going on. They know, every year when that renewal comes out that vendor needs to make sure that customer success is followed. I think customers like vendors moving to subscription. We're going to focus even more so on customer success than we have before. We need to make sure that we're on top of the game, and that we're delivering all the value that customers expect us to deliver. From the partner perspective, I think partners are happy with where we're going as well. We've gotten very good feedback and update calls that we've had with partners. Probably, there's going to be significant changes there.
Novinson: In terms of some of those priorities you outlined here - the transition to subscription, focus on customer success - why do you feel it'll be easier to do that under the ownership of Turn/River than as a public company?
Kitov: As a public company, the expectations are from quarter to quarter, that you hit certain milestones, and a company that goes through a transition from switching from perpetual license to subscription, a lot of times that carries with it a degree of uncertainty. Being able to predict exactly what your revenue and OpEx is going to be on every single quarter, that's tough to do when you're going through a transition like that, because it's difficult to tell ahead of time what is the pace of the transition? Will customers move? Will customers want to transition immediately or not? Some customers might want to do longer duration deals or shorter deals. There's a lot of unknowns on that kind of a transition. When you're a private company, you don't have that microscope that the public markets put on a company that goes through the transition. It's a lot easier to do as a private company than as a public company.
Novinson: Very interesting. I did want to ask specifically, what the appeal was of Turn/River versus another financial or strategic buyer? I realized that Turn/River historically hasn't done too much in cybersecurity. What's the appeal of them in particular?
Kitov: They've had several acquisitions in cybersecurity, but maybe not a lot of people have heard about it, but they have owned and they own some cybersecurity assets. They're interesting to Tufin from several perspectives. One is they've specialized in transitions from perpetual to subscription. They've done multiple transitions like that very successfully. They focus primarily on software companies. They're very good at it. Their track record is phenomenal. When you look at how they operate, their whole process is different from other piece. They have a lot more people in the operations team. The founders themselves have managed software companies before. They're not necessarily finance people. They come with a lot of knowledge and a lot of best practices. They have playbooks on the transition itself and how to drive growth in the market, how to align go-to-market better. They've honed these tactics over the years, and they're adjusting them with every company that they acquire. That's how they were introduced to us and our process. And now that we've been working with them for a few months, I can tell you that we work well with them. I think Turn/River culture and Tufin culture have a lot of similarities between them. They're very curious. They want to know what the reality is, what's the truth, what is the right thing to do. They're focused on getting that. They don't have big egos, which is super helpful to be working with. We enjoy working with them so far.
Novinson: That's great. Want to ask about this transition from perpetual to subscription revenue model. What are some of the biggest challenges associated with making that transition? What are some of the ways you feel that Turn/River can be helpful in that?
Kitov: One of the things that we did when we started was we still kept some perpetual sales on. We have a mixture of perpetual and subscription. That's difficult to manage. One of the things we're moving towards is stopping new perpetual sales altogether. It's going to help to kind of peel the band aid off, and focus 100% just on subscription business moving forward. That's one change. The other change that we're looking at is aligning what the product portfolio looks like, how are we licensing all of it. We have four main products, but we have marketplace apps as well. It's quite complicated; if you look at our price list, it's very long. Even for our sales team, it takes a while to learn the pricing and licensing and all the nuances. We're simplifying the price list, and making it easier to digest both for the salespeople, for the customers and for the partners.
Novinson: In terms of the transition over to subscription, what's the significance for customers? How are customers impacted or how do they potentially benefit from procuring Tufin on a subscription basis, rather than on a perpetual basis?
Kitov: For us, it's part of a bear change. Moving forward, we're only going to sell subscription licenses. But also, we're changing the way that we're packaging the products. If previously, you could buy all sorts of different elements; for example, SecureTrack and SecureChange, and provisioning in SecureChange and SecureApp, and then the various marketplace apps, high availability was different. There's dozens of different licenses. We standardized on three tiers now and each tier has certain things that are part of that tier. People that used to buy SecureTrack, they're now in a certain tier, and they get all sorts of apps that they didn't have before. People that had SecureChange previously or were going to buy SecureChange, now there's a tier that aligns with that - SecureChange plus a lot more things. People that were buying additional things, we have a tier called Enterprise, where we're bundling a lot more things into the Enterprise, like high availability, and a lot more different licenses that people used to buy separately. It's a lot simpler. It's simpler to manage. There's also more flexibility that we're building into the licensing. I think for customers, there's a lot of benefits in making it simpler, easier to understand what they're buying, how that's going to expand and having the flexibility as they're growing their network.
Novinson: In terms of the Tufin product portfolio, what I know you've mentioned there being four products. What product or what technology are you seeing the fastest growth in or the highest increase in demand in right now and why?
Kitov: Automation has always been the main reason people buy Tufin. In our market, we're clearly the leader in automation, especially when you get to the high end in terms of large organizations. I would say the fastest growth that we're seeing right now is in the cloud, both in TOS cloud and cloud-native applications. People are buying a lot more firewalls in the cloud, and they're expanding to the cloud, much faster than before.
Novinson: I see. I know we've talked quite a bit about your strategy, your focus in terms of the go-to-market, this shift to the subscription-based licensing. Want to hear a little bit about your R&D or your technology roadmap. What are some of the key landmarks and milestones coming up there under Turn/River's ownership?
Kitov: We're continuing to invest a lot in technology. We're probably investing more than any other company in our space. The cloud is a major investment area for us. Also, SASE and the SD-WAN are major investment areas. I'd say one area of focus for us is extending visibility and automation into the cloud, even more so than before. That means understanding the cloud network and topology in depth, and understanding all the different elements in the cloud, and all the different layers of segmentation. That's one area. The other one is advanced automation for next-generation networks. We have a lot of work around that, a lot of customer demand from different scenarios of next-gen firewalls and their automation. The third, I would say, is the ability to add new platforms more rapidly. Building the infrastructure to be able to add new vendors, primarily in the cloud and SD-WAN and SASE space, because there's many vendors and want to be able to have those capabilities faster than before.
Novinson: A lot of security vendors are investing in the cloud right now. What do you feel is different about what you're doing at Tufin around cloud security than what some of your peers in the industry are doing?
Kitov: I think a lot of people are focused just in general on trying to secure workloads and the environment. We've always been focused on access policies and connectivity. For us, the fundamental question is who owns access control end-to-end, both on the cloud and the on-prem and how can you bring the two together? Our thesis is that you need a single control plan, where you'll be able to manage the connectivity both for the on-premise, the cloud hub and the edge. The question is, who gets to define and enforce that security policy? We have built a single pane of glass, in terms of policy, to be able to define a policy, both for the on-prem and the cloud, including CI/CD pipelines, and how all of that work in tandem. That is the difference, to be able to define who can talk to whom and what can talk to what, both on-prem and in the cloud, and have that in a single platform.
Novinson: The days leading up to the Turn/River acquisition closer, you had disclosed layoffs, affecting roughly 10% of your workforce or roughly 55 employees. How are those job reductions affect your strategy and your roadmap going forward?
Kitov: They don't affect the strategy and the roadmap in a significant way. For us, when we were a public company, we were losing money. We had a budget where we're expecting losses this year, and also next year. As the market is headed likely towards the recession, we need to make sure that we're working towards profitable growth. Making that change is something that many public companies and private companies have done. We needed to make sure that we're losing less, and we're moving towards being a cash-positive company, as we made those changes.
Novinson: What areas within the organization were most affected by the layoffs? What's the impact for customers?
Kitov: It's across the board, so different departments. But most of it was in sales and marketing, and R&D. But those are just the two biggest parts of the organization. But even after the changes, I think if you look at technology, we are the biggest R&D organization than any of the vendors in our space. We're the biggest vendors. I don't think it's going to impact our technology and roadmap moving forward.
Novinson: Wanted to talk a little bit about industry trends. What are some of the biggest things that you're keeping an eye on in the broader industry, threat landscape, etc., this year?
Kitov: From our perspective, we're very focused on access, and especially as people adopt more SD-WAN and SASE, we're seeing how SD-WAN, SASE and firewalls are blurring the edges between each other. There's SASE vendors that are adding firewall capabilities, which is interesting and firewall vendors that are adding SASE capabilities. We see them as merging into single platforms. The other trend that we're seeing is that there's now firewall as a service in the cloud. AWS and Azure have their own firewalls. I'm not sure they're at the level of the enterprise firewalls, but some people will use them as well. We're seeing more and more segmentation technology being used. There's even more complexity. So we're seeing even further increase in complexity of enterprise networks, as they're straddling on-prem and the cloud, and the cloud is changing. Those are some of the trends that we find interesting and that we're seeing in customer networks.
Novinson: One of those developments made for Tufin in terms of firewall vendors moving into SASE, SASE or SD-WAN vendors developing firewalls of their own, I know Tufin's focused on that network management space. What a lot of these departments mean for you?
Kitov: To us, it means that customers have additional things they need to manage. They're asking us to do that. We added support for Zscaler. They're asking for support for more SD-WAN and SASE vendors. We want to support whatever networks and cloud platforms that customers have. There's more and more platforms. Hence what I mentioned earlier, some of our focus is on adding some of those platforms faster to Tufin. That's an important trend that we're carefully monitoring. We're adding more and more capabilities. We want to help customers manage everything on their entire enterprise network, whether it's on-premise, and let's say SD-WAN or the cloud. That's a major focus area for us.
Novinson: From the standpoint of the chief information security officer, what do you feel is the biggest thing they're overlooking right now? Where do they need to invest more time, more energy than they are today?
Kitov: It's a good question. I think that they're running around and trying to do everything. It's one of the toughest jobs out there to be a CISO because you're inundated both with threats and with different solutions to those threats. I think one of the things that people are overlooking is that they might have too many vendors. We have some CISOs that we speak with that have already 50 different vendors for different solutions, that I think it becomes almost unmanageable for the security team. I think one of the things that we're seeing is that with the economic challenges that we're seeing for the global economy, I have a feeling that some of the small vendors might not survive. When you're thinking of a solution for a certain challenge, and you're looking at vendors, I would say one of the things being overlooked is vendor viability. Who's going to survive three or four or five years from now? You might be buying a solution that ends up being vaporware, not because of the product, but just because the company no longer exists three years from now. I would say that is an area that CISOs should be looking at as they're thinking of criteria when they're buying solutions.
Novinson: Very interesting. Ruvi, thank you so much for the time.
Kitov: Thank you very much. Really appreciate it.
Novinson: You're very welcome. We've been speaking with Ruvi Kitov. He is co-founder, chairman and CEO of Tufin. For Information Security Media Group, this is Michael Novinson. Have a nice day.
