At the beginning of February, ThycoticCentrify, the privileged access management (PAM) specialist created in April 2021 from the merger of Thycotic and Centrify, announced a change of name to Delinea. To find out more about the new brand and how its integrated solutions help enterprises operating in today’s hybrid, perimeter-less world to protect their critical data, devices, code and cloud infrastructure, James Goulding spoke to Delinea Chief Marketing Officer Chris Smith
Technology Reseller (TR): Why have you rebranded and what is the significance of the name Delinea?
Chris Smith (CS): We didn’t have to rebrand. We had two perfectly good brands for companies that had been leaders in the PAM market for years. So, it wasn’t absolutely necessary, but each company brand stood for a particular thing and was known for a particular thing and we wanted to merge those and offer the best of both worlds.
Thycotic was known for targeting smaller, less sophisticated customers – small enterprises – with easy-to-use products that delivered rapid time to value. And Centrify was known for more sophisticated products catering to much larger organisations and for being the pioneer of a PAM built-as-a-service model delivered from the cloud. We wanted to merge those two identities – easy to use, rapid time to value from Thycotic and a cloud platform that caters to big, sophisticated customers from Centrify – and create a brand new story and a brand new company name.
So we came up with Delinea. It took us four or five months of research and focus groups with customers. We started with a list of 40 names we thought could work and boiled it down to 10 and then two. We did international trademark vetting to make sure it was a name we could own digitally. We did what they call linguistic checks in something like 12 languages to make sure the name doesn’t mean anything offensive. So, it’s been thoroughly vetted.
We also wanted a name that meant something, that hinted at what we do, so that we can build a story around it that was relevant to our technology. Delinea derives from the word delineate and the story we have built around it is that we help to define or delineate levels of access.
TR: The name change is just one part of the story. Before we look at your product plans, please could you tell me a little about PAM and its value for businesses.
CS: Gartner rated PAM as the number one cybersecurity technology CIOs need to deploy to stay safe for a few years in a row – 2018, 2019 and 2020. I think they stopped doing those rankings in 2021. And the reason they ranked it Number 1 is because most security breaches involve the compromise of privileged accounts that have access to critical infrastructure, critical applications, critical data. They’re kind of the keys to the kingdom. If you lock down access to those accounts, you can eliminate 80% of serious security breaches, so PAM is critical security technology.
Historically, the PAM market has grown at about 14% to 20% a year, and over the past few years, and since the merger, ThycoticCentrify has been growing at about twice that rate.
That’s because of our innovative products and because we’re helping customer address problems that have been exacerbated by the pandemic and people working from home, where they don’t have the security perimeter of corporate headquarters to protect them and have been using cloud applications and cloud infrastructure. This has accelerated digital transformation and cloud adoption by five years and because of that cybersecurity has become a lot more complicated. Protecting those privileged accounts is more important, but also trickier and more difficult than ever, so the PAM market has actually accelerated over the past couple of years.
TR: What are your key differentiators compared to other vendors in the PAM space?
CS: As I mentioned before, our products are very popular on the Thycotic side because they’re very easy to deploy – we hear that from our users over and over again – and Centrify was really good at addressing very large very sophisticated customer needs with their cloud platform. And now we’ve married the two.
Last quarter, in Q1, we announced our first significant integration milestone after the merger, which was that Thycotic’s best-selling product, Secret Server, had achieved its first stage of integration with Centrify’s cloud platform. This is the best of both worlds scenario I was talking about, where the Thycotic ease-of-use products merge onto the unified Certify cloud platform, so everything is in one spot. You can manage that one pane of glass and all those capabilities are on one single platform. Thycotic had popular products, Centrify had popular products. Merge them together and we think they’re going to be even more popular than before.
TR: In your marketing you state that one of the areas Delinea focuses on is removing complexity. How does it do that?
CS: In two main ways. One is we engineer simplicity into our products. That was what Thycotic was famous for: easy to use products. And second, they’re cloudbased, so you don’t have to worry about infrastructure, servers, databases, any of that stuff. We make sure our products are easy to use and easy to get up and running and, because of our cloud platform, you don’t have to worry about all the infrastructure you would normally have to deploy and manage. Those are the two things that make it very easy.
TR: I have seen it stated that your mission is to provide security that’s invisible to the user, while simultaneously providing IT and security teams with the control they require.
CS: The whole premise behind PAM technology is that it controls what any user can access. There’s a concept called least privilege, which means you only have access to the things you need to do your job and nothing more – the least amount of privilege that you require to do your job. We want to give people access to what they need to do their job and no more, but at the same time we don’t want it to feel constraining. People should get access to everything they need without something blocking them or telling them they’re not supposed to access it. That should be completely invisible to the end user. There’s this duality; it should be invisible to the user and give them access only to what they need but at the same time be easy for the IT team to control and manage what someone has access to. That’s the win-win scenario we’re shooting for. One of our brand promises is digital freedom. To you it feels like digital freedom and to the IT team it feels like ultimate control.
TR: What’s the penetration of PAM in enterprises? Shouldn’t they all have it?
CS: That’s a great question. We are continuously surprised by the growth of the market and the number of companies that don’t have PAM, because this has been widely acknowledged and openly embraced and recommended technology for 10 years. I think the growth is highest in the middle part of the market, because PAM products, but not ours, have historically been difficult to implement, so mid-sized companies haven’t embraced PAM to the same extent as big enterprises. Growth is higher in the middle part of the market, but we’re still surprised by how fast it continues to grow with big enterprises.
TR: Delinea talks about the PAM maturity journey. What is the start point for companies and how does their PAM adoption evolve?
CS: There are two base technologies in the PAM market. One is called vaulting – that’s putting your passwords in an encrypted secure vault. If somebody can’t get access to something without a password and the password’s in a vault, you can control access. That centralised password vault is one of the key technologies in PAM. The other is what’s called distributed or endpoint technology for a laptop, for a server, for a workstation. It controls what you log into the system and what you can access in that system.
The natural journey for most PAM buyers is to put their passwords in a vault, as step one; and step two is to secure the endpoints. That’s the most natural journey and that’s the most natural sequence because centralised password vaulting gives the biggest reduction in risk for the least amount of effort. Most people who have a PAM challenge say ‘How can I reduce my risk and reduce my breaches as much as possible with the lowest investment, the least amount of effort?’ Usually, the answer is to centralise your passwords in a vault. Later on they do endpoint security technology. Then there are other more sophisticated things like analytics and reporting and some other technologies, but vaulting and then Endpoint Protection are usually the first two steps.
TR: Has the pandemic and the move to working from home and hybrid working changed that journey? Do people now want to secure their endpoints as a first step?
CS: That comes up a lot. Now that there are endpoints and home workers distributed all over the place, not behind the perimeter, people are more worried about endpoints than they have ever been. But centralising and securing passwords still gives the most bang for your buck because you will still have centralised systems, in the cloud even, and you will want to secure those systems first, because that’s where your most critical data and applications are. Password vaulting is still usually the first step, even post-pandemic with all the distributed endpoints and all the risk that that involves.
TR: What’s your route to market? Do you have a partner network?
CS: We do. In the US, about half our business is sold direct and half through partners. Outside the United States, especially in Europe, we go primarily through partners. So we have both routes to market. We also have big reseller partners that resell our technology embedded in their solutions.
TR: Do you have managed services too?
CS: We don’t have directly managed services, but we do have partners who deliver managed services. So that’s an element of our model as well.
TR: What are your plans for 2022?
CS: One is the continued integration of our Thycotic and Centrify product families. As I’ve mentioned, we announced a significant integration milestone last quarter and we’re going to announce another in a few months. We’re 80% integrated now and our next announcement will get us above 90%. Then there’s a bunch of small piece parts after that to get to 100% integrated when every product that we sell will be integrated on that unified cloud platform. The other priority for 2022 is continued growth and execution. The last time we announced company results, last quarter, our growth was 35%. If we execute well, I think we will continue to grow at twice the market rate.
TR: What are some of the challenges partners face in selling PAM?
CS: They’re the same things we face. Not everybody has deployed PAM. Not everybody, despite all the evidence, is convinced they need PAM. It’s usually not that difficult a sell when most breaches involve privileged accounts and when consultants like Gartner say it’s one of the first things you need to do, but there’s still resistance in some areas. So that’s one. And then it’s fighting against and beating the competition; we’re not the only provider in the market. It’s the usual obstacles when it comes to selling technology to IT buyers.
TR: Is cost a big factor?
CS: It is. There are hundreds of security technologies and every vendor is always positioning themselves as the security technology people need to deploy, so there are choices, there are costs and there’s effort. It’s not free and it’s not instantaneous; it’s always a project that requires resources, so companies are sometimes hesitant to go down that road. That’s all.