Tim Eades of vArmour on Expanding From Banking to Government
CEO Dishes on How Government Has Struggled to See Across Its Application Terrain
Michael Novinson (MichaelNovinson) • October 3, 2022
While vArmour has long enjoyed success in banking due to high levels of regulation, the U.S. government is currently the fastest-growing part of its business.
CEO Tim Eades says much of the government still doesn't understand the relationships and dependencies among its applications or the consequences of an application going down. In response, he says, vArmour has worked to get the right sales teams and suppliers in place to address the opportunities, ensuring the company has the clearances needed to speak with major stakeholders.
"The greater push from [U.S. Cybersecurity and Infrastructure Security Agency Director] Jen Easterly and CISA to understand and control applications has been exceptional for us," Eades says. "We're seeing that business really take off. It's the fastest-growing part by a mile."
In this video interview with Information Security Media Group, Eades also discusses:
- How vArmour has spent the $58 million it raised in funding in 2021;
- Why financial services is such a good fit for vArmour's technology;
- How he got involved with providing birthday cakes to foster kids.
Eades has deep expertise driving growth for computing, security and enterprise software companies and more than 20 years of leadership experience in sales, marketing and executive management at the CEO level. Prior to joining vArmour in 2013, he served as CEO at Silver Tail Systems from March 2010 until the company was acquired by RSA in late 2012. Previously, he was CEO of Everyone.net, an SMB-focused SaaS company acquired by Proofpoint. He has also worked in sales and marketing executive leadership at BEA Systems, Sana Security, Phoenix Technologies and IBM.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Tim Eades. He is the CEO at vArmour. Good afternoon, Tim. How are you?
Tim Eades: Michael, so great to see you again.
Novinson: Nice having you here as well. I know, early last year vArmour raised $58 million from AllegisCyber and NightDragon security. What did you use the money for over the past 18 months or so?
Eades: Yeah, great question. So we continue to invest in the opportunity. We're in 14 countries now around the world. We've expanded our R&D department quite significantly, we opened up in Calgary a big data and AI group. As we start to look at, you know, understanding data giant scales, scale was quite interesting because in Calgary, you have AI and ML schools, one of the top in the world, because of the oil and gas industry. And they know a lot about graph databases. So we opened up a big department and an office there, we also opened up one in Lithuania for a different purpose: to build more connectors out and to ingest more things into the graph. And so largely, it has been R&D investment, we obviously invest into our sales team and corresponding marketing team. But the investment largely has been into R&D.
Novinson: What has this international expansion done for you as a company?
Eades: Yeah, vArmour has always been cut off the bat to be international. Some of our first customers were in Denmark, or the customers were in Japan, and stuff. So we've been international for a while, but our customers are global. We need to be that to service them and look after them and drive those opportunities. So yeah, the investment has taken us global. We're in the Middle East, we're in Germany, we're in Denmark, or in Czech, we're in Singapore, we're in Malaysia, we're in Australia, we're all over the place. But it's largely based on the verticals and the customers that we serve. So the majority of our revenue comes from financial institutions, which are global in nature, and then you go to telco, then you go to governments, and then you go into a long tail of retail, and are now into healthcare and pharma. But the banks took us global very early, and then we just built on that.
Novinson: I'd love to hear a little bit more about that. Why is banking financial services such a good fit for the vArmour technology? And how did their needs differ from some of the other verticals and sectors that you also serve?
Eades: Yeah, so what vArmour does is we look at applications and the relationships and dependencies of those applications to understand risk and understand resiliency on those things. So the sales model that we build and the customer engagement model that we build is very much of you go in and discover what is happening in your environment and then look at what should happen. And then look at how do you take control to reduce your attack surface. So let me give you an example. If workload A is talking to B, and to C to D, if B goes down, A, C and D are affected, they will have relationships or have dependencies. So, you know, if it's Tim and Michael's pizzeria, and we're selling on it, and we're running our application on AWS, our salespeople can sell to you, the product will provide value. But we do really well where the customer is hybrid and the customer is complex. If you look like Frankenstein, where you've got, you know, five fingers probably moving from different hands, it's great. I mean, one of our customers is a big European bank. They have Cisco ACI, they have NSX, they have 100,000 agents, they have Windows Defender, they have Azure, they have AWS. And they need to understand those applications, there's dependencies that run on those things. And so, what we do is we go in and we understand it. So banks, highly regulated, so they have consequence. If something goes wrong, those regulations drive actions to purchase software and to control that risk. And so that's always been home for us. Then telco has always been a good place for us to learn because again, they're very large with scalable challenges. And so we fit into that market very well. But now, we're doing more and more to governments.
Novinson: Very interesting. Once you get into a little bit in terms of the vArmour technology here, what are the biggest advancements that you've made from a product or from an R&D standpoint this year?
Eades: Yes, over the last 18 months, we went to early adopter customers with our SaaS offering. We launched that was SOC type 2 and that allowed us to help them. The digital transformation for customers allows us to accelerate our business model and drive more value quicker for our customers. So that has been an endeavor. And some of our customers are air-gapped customers that still require on-prem. It's the same architecture wherever it works. But the SaaS offering that we've rolled out, and some of the clustering and some of the AI and ML around application behaviors has been something that we've invested that has worked out well.
Novinson: What's the significance of being able to offer this on a SaaS basis to your customers? Why is that important?
Eades: Because I can't go after Tim and Michael's pizzeria. The significance of delivering it as a SaaS offering really accelerates the engagement model of the customer and the simplicity. One of our customers, for example, is a large retail store, very famous retail store. They kicked off testing our software one Sunday afternoon, and they were completely live, and so all of the application flows by like Monday lunchtime. And then map delegates policies, you know, against in that case is very PCI-orientated and deliver very quickly. So it's a time to value for the customer and accelerate it because it's just easier for us to do it for them.
Novinson: What's the fastest growing part of the vArmour portfolio today and why?
Eades: The fastest part or the growing part of the portfolio of vArmour is government. The government business for us has really started to take off. Parts of the government don't understand what we would refer to as their terrain. If you like the application terrain understanding, the relationships, the dependencies, the consequences if they go down. And with Jen Easterly in the greater position in the CISA to understand that and control that has been exceptional for us. We're seeing that really take off. That's the fastest part by a mile.
Novinson: What investments have you made at vArmour to support this continued growth in the government space? So when you say government, are you referring specifically to the U.S. government or are you also supporting other governments across the globe?
Eades: We do it. We do some European governments, but mainly the U.S. government is our kind of core focus. We are starting to see some stuff in Australia and New Zealand via some of our long-standing investors and partners. But the investments that we're doing there is it's largely people at the moment, it's making sure that we have the right sales teams, the right suppliers in place to service the opportunity. The tech that we have is very portable. So if you have a large bank in Manhattan, or your government institution, it's the same tech. We're not obviously building anything specific. But I do think you have to have the people with the right clearances to get into the right conversations. And we spend a lot of time and investment on that and with the right suppliers to service the opportunity.
Novinson: How do the needs and requirements of the U.S. government differ from your heritage, the customers you've served historically in the banking and financial services arena?
Eades: Truthfully, they don't differ too much. The scale is obviously gigantic for some of the parts of the government. But some of the large banks and the lifestyle business that we service and supply in North America are pretty big too. So we look after some of the largest telcos in the States, and in some of the largest banks in North America, so they look like each other, which is fortunate because you don't want to build things specifically for people. And the U.S. government has its own parts in a slightly different, but generally speaking, you know, the tech that they've been supplied and the applications that they run. It's all the same kind of stuff to us.
Novinson: When you look at the market landscape, if you're in a competitive bid situation, who are you coming up against the most often against vArmour? What do you feel differentiates your approach from your biggest rivals?
Eades: That's a great question. So, the market is maturing significantly. So let's talk about the market for a second. Gartner would refer to as exposure management. So you break exposure management into two. Exposure management is divided into EASM (external attack surface management), which great companies like Synack and CyCognito and some great companies out there tried to understand the external attack surface. Then you look at the internal attack surface. First it was CAASM (cyber asset attack surface management), and in that space, that space is maturing quite significantly. It started off with just the devices people, the managed and unmanaged devices people. So think of Axonius, Forescout. There's clarity in that space doing IT and OT kind of understanding. Those devices are fantastic, the companies are fantastic. But they don't understand the business context. And they don't have any knowledge of the applications that are running on those devices. So that market ... that attack surface is playing out and that's a great market. On top of that now, to understand how attack surface goes into applications, the application knowledge kind of gets broken down into, you know, do you understand your application, you're working on a A goes to B to C to D. So that's what we do. Axonius and people say, "Well, that's a device," but they don't know that that device is communicating to a billing application, or the cafeteria, they can't tell the difference. So that's why that market to understand your attack surface has to include not just devices managed and unmanaged, but it has to include application knowledge, because that way you actually have the business context to the risk that you're trying to control. So the competitors that we see in that space, you see some of the observability people, right?
But observability people that don't understand policy, and that can't take control of it, because you also have to enforce the policy won't actually win because nobody actually wants to be a system of insight anymore. They want to be a system of action. Otherwise, you're just another screen - a noisy screen. No, you have to do something about it, which means you have to take your knowledge and do something with it. So, I mean, we do see some of the segmentation people around the world. So there's an Illumio company that's out there. They do micro-segmentation. But they leverage agents, right? So it's a great company, but they put agents down inside the infrastructure. We try and use and we do use the infrastructure that you've already bought. So like CrowdStrike or VMware, NSX, or Cisco ACI, we don't want to put more tech down, we want to leverage the things that you've already bought, and still provide the same value or discover what is happening, look at what should, and then take control. So then, we will see them a little bit, we would - mostly, the alternatives that the customers have is its people, like 70% of the way that they try and understand their attack surface is actually manual right now. So the discoverability, observability people are out there, but then you need to turn it into action. So it's a massive market and maturing really quickly. Some of the pharmaceuticals and healthcare companies, because of the regulations coming out from the U.S. government, are really moving very fast to try and understand and control attacks.
Novinson: Very interesting. So when you fear to gaze into the crystal ball here, what do you see coming down the pipe in 2023, in terms of R&D roadmap, a product roadmap, what should customers and prospects be watching for from vArmour in the coming year?
Eades: That's a great question. So we look at the world like this. 10 years ago, we looked at workload, we looked at application security. Over the last five years, everybody's talked about workload security, and you will continue to talk about workload security but by far, the investment model now needs to move toward data security. Data security is broken down through loads of different ways, obviously, data in use, data in motion, your data at rest from an encryption perspective, then you look at data classification, data cataloging from that kind of model. But also, you're going to look at data traversing the infrastructure. As data traverses the infrastructure, extremely fragile as it does. So when you look from us, over the next 18 months, in particular, we've been working with design partners to understand resiliency as it relates to data, data lineage, data traverse, all of the data kind of model. So let me give an example. As an application with eyes on data, it will pull the information across from the repository to serve it, right? But as it goes through middleware and file systems, it loses some of its headers. So when there's an outage, or when there's an attack, you know, you can't see where it came from. Think of it like Spaghetti Junction, a piece of data will come into a piece of middleware, and it will go in five different directions. But if there's an outage, you don't know where it came from, or what caused it. So that's an area that we've been investing in with some design partners over the last year or so. We've been writing blogs about it every now and again, but as soon as it comes to market, that's something we're going to bring to market.
Novinson: Very interesting. Let me ask you here, Tim, finally. I've been very intrigued by your background in this conversation. What are we looking at? What's its significance?
Eades: So this actually is a cake. Believe it or not. My wife and I are on the board of a non-profit called Cake for Kids. She's been running it for 10 years. She's currently president of it. And so Cake for Kids is an organization started in Northern California, where we deliver, we bake and deliver birthday cakes to children at risk, and children in foster homes. This is a cake made for a young lady who likes to read, and it's actually called bookworm. Every child will get a cake that's tailored to them. So it's Tim and he lives in Oakland, and he's a Liverpool fan, he'll get on his 14th birthday or whatever, in Liverpool, a birthday cake delivered to his home. This year, we'll deliver about 11,000 birthday cakes across the states. And it's been one of those interesting things. It was growing fast prior to the pandemic, but during the pandemic, it just took off like a rocket. Because you even turn on the TV and get extremely depressed by looking at the news. All you wanted to do something positive. And so prior to the pandemic, I think we would do like two and a half to 3000 birthday cakes, you know. This year, 11,000. All across the states we're just opening up. I think this week in Raleigh, Durham, North Carolina, but it's gone everywhere from Boston to Chicago to Oregon to Arizona. And it's really taken off but yeah, this year, 11,000 birthday cakes to children in foster homes. Many of those have never had a birthday cake, and you're trying to deliver smiles and to try to deliver self-esteem. It's something that I'm extremely passionate about, as you could probably tell.
Novinson: It's very powerful stuff. Tim, thank you for sharing a little bit more about that. Of course for telling us a little bit about what's going on at vArmour. We really appreciate it.
Eades: Yeah, it's been fantastic. Really appreciate your time.
Novinson: Absolutely. We've been speaking with Tim Eades. He is the CEO at vArmour. For Information Security Media Group, this is Michael Novinson. Have a nice day.