The NWC Interview: Imperva's Shlomo Kramer

What drives the database security business?

First is the new threat landscape. Today's hackers are motivated by profit. Attacks try to stay under the radar and are targeted against your organization's business processes, your organization's data.

The second driver is the black market for information. That drives not only attacks from outside the organization, like the hacker sitting in Russia, but also the marketing analyst sitting within the organization--with legitimate access--and abusing the privileges because he knows he can sell the data on the black market.

Perhaps the strongest driver of all is the convergence of compliance and security, and the need to control the usage of data for various regulations such as SOX or PCI DSS [Payment Card Industry Data Security Standard]. The latest PCI release spells out database monitoring as a required compensating control.How much attention do you think your market would be getting if it weren't for regulations and laws?

Regulations or not, last year 100 million user records were compromised. There's a real need in the market. It's not just arbitrary government requirements.

What signs did you see signaling a change in the threat landscape that compelled you to start your company?

Security is always a race to run as fast as you can to stay in the same place. After network firewalls came onboard, hackers moved to the application layer, and from there it was simple to assume the data layer would be next. We decided as a start-up to go for the new-new thing and gambled that this would be it.

Are your customers more concerned about external or internal threats?Customers are seeing two sides of the same problem, usually focused around the data. It's not internal or external; it's about "I have a problem to solve," whether the problem is defined by auditors, or whether it's a Web application on behalf of an external user, or an SAP application for an internal user, or directly through the DBA accessing the data.

What steps could regulators take that would have a significant impact on the protection of sensitive data?

Protecting sensitive data is about putting the controls and processes in place and having them work together. When you look at SOX, it started with a focus on the processes, and only recently do more organizations understand there's a need to automate it and put controls in place as part of the infrastructure. I think we are beginning to understanding what is really needed.

There's still a lot work to be done around drawing the landscape of what really provides data security and the granular access control requirements an organization needs. The next few years are going to see new developments there. PCI is ahead of everything else in both understanding the elements of data security and specifying them in a concrete way. Other specifications will follow.

What is your strategy for growth at Imperva?We have a very aggressive growth plan for the company this year. Data transaction security is a big opportunity. Almost every organization that has confidential information in the data center needs a solution.

My philosophy here is, you need to build a good company and a good business model, products that the customers are happy with, and don't concern yourself too much with an IPO or acquisition or whatever.