Data Loss Prevention (DLP) , Endpoint Security , Video
Rubrik's Bipul Sinha on Surpassing $400M in Subscription ARR
How Rubrik Applies Data Security to Make Recovering from Ransomware Easier Michael Novinson (MichaelNovinson) • September 7, 2022Co-founder and CEO Bipul Sinha has grown Rubrik's business with existing customers by more than 40% thanks to the company's unique take on data observability.
See Also: Ransomware Response Essential: Fixing Initial Access Vector
The Silicon Valley-based data security upstart has passed $400 million of software subscription annual recurring revenue by emphasizing data availability and resiliency in the face of crippling ransomware and extortion-based attacks. Sinha says Rubrik has focused on applying zero trust principles to data security, limiting access to data on the network to improve the chances of recovering from ransomware (see: Safety in the Cloud).
"We are going after observing the core data to understand the security threat," Sinha says. "As a result, our customers are not only doing the initial purchase, but they are also expanding with us rapidly."
In this video interview with Information Security Media Group, Sinha also discusses:
- What makes Rubrik different from other data backup vendors;
- The fastest-growing areas of Rubrik's data security portfolio;
- What Rubrik's new data threat research unit means for clients.
Sinha has more than 18 years of experience in building billion-dollar products and companies from the ground up. Prior to founding Rubrik in 2014, he spent four years as a partner at Lightspeed Venture Partners, where he focused on the software, mobile and internet sectors. Sinha's investments included Nutanix, Pulse News, Bromium, and PernixData. Before Lightspeed, he spent two years at Blumberg Capital, where he was the founding investor/board member of Nutanix and Hootsuite. Prior to that, Sinha worked in engineering positions at Oracle, American Megatrends and IBM. He holds several patents in distributed computing.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined this afternoon by Bipul Sinha. He is the co-founder and CEO of Rubrik. Good afternoon, Bipul. How are you?
Bipul Sinha: Thank you so much, Michael, for this opportunity. I'm doing awesome.
Novinson: You're very welcome. Glad we could do this. Why don't you start off with your announcement from Wednesday, hitting the $400 million milestone in subscription ARR as well as 100% year-over-year growth. What's the significance of that? And why are you seeing so much growth?
Sinha: It's a huge milestone for Rubrik. As you know, Rubrik is a cybersecurity company. We are focused on data security, helping businesses and governments around the world protect and recover from ransomware. And that's what is fueling our business. In fact, we have built unique technology around data observability, observing the core data; as opposed to Syslog and machine log, we are going after observing the core data to understand the security threat and bringing security threat from there. As a result, our customers are not only doing initial purchase, but they are also expanding with us rapidly. Exceeding $400 million subscription ARR and growing 100% year-over-year are a testament of our market velocity right now. And what is also interesting is that over 140% NRR suggests that we not only have customers who love us, but also customers who are rapidly expanding on Rubrik's core capabilities around ransomware.
Novinson: So let's talk a little bit about how you got here. And now when folks think about data security, historically, the foundational technology was DLP or data loss protection. I know you got here by a little bit different path. So take me through how you moved into the cybersecurity market and what the benefit is to how you're taking on data security.
Sinha: Traditional cybersecurity industry focused on infrastructure security and lately on cloud security. And it was all around prevention, detection and investigation of attacks. Their assumption was that data within the four walls of my enterprise or in my cloud account is secure as long as I can secure perimeter and I can have the right controls around it. But what people have come to realize is that the infrastructure security is good and necessary, but it's not 100% foolproof - and breaches are still getting in. And that's why we have so many ransomware attack scenarios. So now, people have to rethink their data security strategy, because data delivers fundamental business resiliency. And if you have access to your data, in spite of an attack, you can reconstitute your business. That's what we are focused on. How to make the customer's core asset, which is data, always be available and drive the security intelligence from the point of view of data in terms of like how far ransomware went, which file/which server got impacted? Like whether you have a double extortion risk in that scenario, because the bad guys got to your sensitive content. Do you have malware in the data stream? How do you quarantine it so that when you recover, you're not getting reinfected and having a Groundhog Day kind of scenario. So what we did was we built a brand new software, and data backup technology sits at the heart of it. But we have built like AI-ML-based data observability engine that drives this fundamental security intelligence.
Novinson: Let's talk a little bit about the market landscape. If you're in a competitive bid scenario, who are you encountering most often? And what differentiates Rubrik from your biggest rivals?
Sinha: The traditional market in data backup and recovery has been focused on infrastructure and storage because they were trying to solve a problem where you have natural flood, fire, natural disaster, or human error or operations error. But the cyber disasters of today in the last several years have changed the landscape. And Rubrik took a unique approach from Day 1, where we said we will build a brand new software focused on data security problem. At the foundational level is zero trust security principle that Rubrik applied, which said that the data will not sit over the network and have anybody over the network with a standard protocol can access it. It will always be a policy-driven, full authentication platform that drives the data security across your enterprise cloud and SaaS. And that vision, that decision based on zero trust principles, based on the natural platform-driven data resiliency plus the data observability engine that we built based on AI-ML have given our customers the full suite of capabilities for them to understand the impact of ransomware and recover from it.
Novinson: So what companies do you see most often in the market, particularly when trying to address security-related challenges?
Sinha: So we typically see like old infrastructure companies such as EMC, Veritas and others, but that industry is changing. What we are doing is we are replacing legacy backup and recovery with a modern data security platform with the resilience, observability engine and remediation capabilities with quarantine built into it.
Novinson: I know you had mentioned earlier that part of what's fueling your growth is expanding wallet share with existing customers. And I was wondering which features and capabilities within the Rubrik portfolio are you seeing the most growth with today as existing customers expand and why?
Sinha: We are seeing a lot of success on our core platform, which has like a data dependency. So as the data grows, as customers want to secure more applications, we grow. And then we layer on top of it the cybersecurity data security services, such as the ransomware monitoring and investigation service, your sensitive data discovery service, threat hunting and monitoring service. So these are all the SaaS attach we do on top of our core platform.
Novinson: I see. I know you'd also disclosed on Wednesday that you were launching Rubrik Zero Labs. How will customers benefit from this threat research unit?
Sinha: So if you look at the market and the traditional threat research, they have been very focused on infrastructure threats, authentication threats, again, around prevention and investigation of issues. Nobody has looked at what your data is experiencing. Well, at the end of the day, you're trying to protect your data. So we are taking a new approach, a pioneering approach, where we are saying that we are going to do a core focus on your data and understand from the data, what threats are being attached to your data. And so understanding of global threat landscape and of emerging data threat issues, we had ransomware, the wipers are the new thing, then something else will come in future; understanding and delivering the latest source of information, and also sharing with broader ecosystem to bring about awareness of data security challenges, data security issues, how folks can understand where the attackers are going, who are the players, whether it's nation state versus individual groups. There is a lot to be done. And we have found a great leader to head this effort. We hired Steve Stone out of Mandiant, where he was the VP and leader of the adversary threat research with like hundreds of researchers under him. And prior to that, he had 15-20 years of experience working in the U.S. government, as well as private companies around cyber and cyberthreat-related issues.
Novinson: Very interesting. So what are you hoping to see this unit do out of the gate? What are some of the things you're hoping to get involved with here in the coming months?
Sinha: It is like a multi-faceted approach. It's both internal and external approach or internally doing threat research, helping with our product and providing product input to our internal team. Externally, we want to publish our point of view, what we are seeing in the marketplace, what is happening, what does the threat landscape look like? Again, we are driving this new vision on data security, which we believe would be a very important, large cybersecurity segment. And we want to create this partnership with ecosystem partners as well as our customers and broader ecosystem to drive data security intelligence and awareness so that folks can protect themselves.
Novinson: I want to talk to you a little bit about how you're using machine learning in the world of data security. What are you finding to be some of the applications of ML, and how's it different than folks who have used it in the industry up until today?
Sinha: It's a very interesting question. If you look at the cybersecurity industry, most of the data that folks talk about or machine learning/artificial intelligence they talked about is mostly around applying artificial intelligence/machine learning into Syslog, into machine log or access log to make inferences on what is happening to the data. But ultimately, everybody's goal is to protect the data. Rubrik has a unique opportunity and position where we have access to the customer data. And we are protecting that data. So what we are doing is we are applying machine learning/artificial intelligence directly on to the customer data to understand the security threat happening to the data from data out. And that is the source of truth. And that's why we believe that we sit at the intersection of the two of the most important trends of today and next 10-15 years is around data and security. And applying machine learning and artificial intelligence to actual data that you are protecting will drive this industry in a whole new direction. We are taking the lead, and we are defining this market.
Novinson: Interesting. Why don't you talk a little bit about public-private sector collaboration. I was wondering - a two parter for you - first, what do you see as the biggest challenges or obstacles in getting the government and industry to work together? And what are some of the things you're looking at Rubrik to try to help bridge that divide?
Sinha: So if you look at cybersecurity landscape, it's not the old world where some bored teenager is sitting in the basement and trying to prank some big company saying, "Look, I can get in and show you how I can backtrack your defenses." Today's cybersecurity is about cybercrime; it's about financial crime. Today's cyber is about nation-state cyber warfare, industrial espionage, IP issues. So government is playing and has to play a bigger role in today's cyber. And if you look at White House, they had directives around the disclosure of attacks. They had the cybersecurity summit. Again, they are creating cyber taskforce. The private industry and government have to come together because this is a national security issue. It is a national economic security issue. Ransomware, if you just look at one instance of this, it's a largest threat to our economy. So what we are doing is we are building expertise in Rubrik to help bridge this private-public. We got Chris Krebs to set up a CISO Advisory Board to think through like what are the data security challenges? How do we drive what we are learning and contributing back to the ecosystem, the government and other entities who are interested in learning what's going on. We also got Mike Mestrovich to join Rubrik as Rubrik CISO. His prior job was CISO of CIA, and he ran a large organization with lots of adversaries that you can imagine. So we are taking a broader look at the space. We are taking a look at it not just from inside out of Rubrik but also outside in and figuring out how do we create a coalition of willing partners who can take on this threat in a broader way, and help our fellow companies, businesses as well as government and work together.
Novinson: I want to speak specifically about Chris and Mike, with Chris Krebs joining to chair the CISO Advisory Board and Mike joining as your chief information security officer, how will your customer community benefit from their knowledge and expertise of having them working closely with Rubrik?
Sinha: See, the thing is that we are sharing best practices that we are implementing internally with our broader ecosystem. That's one of the things that Mike would do, where he would share his thoughts of running large organization, organization that is always under threat. How he did it? What are the best practices? How Rubrik thinks about data security? Because we are giving a new vision to this market. Our vision is company has to think about everything else is compromised, and how do you protect your data? How do you think inside-out security? So that's where Mike is focused on. In terms of Krebs, we are again thinking about this newest phase that is going to emerge, which is data security. We don't have this bravado that we know it all. We need to learn from experts; we have to learn from broader industry. So having the CISO Advisory Board would help us bring experts to give us perspective from outside in as we are thinking about product vision and ideas from inside out. With the two coming together will be the new vision that we're going to drive in this marketplace.
Novinson: Very interesting. Let me ask you here finally, I want to talk a little bit about the roadmap at Rubrik. So what are some of the key milestones, some of the key landmarks that customers should be watching for as we head into late 2022 and early 2023?
Sinha: Look, I'm not discussing actual roadmaps on this call. But overall, if you can imagine, we sit at the intersection of two of the most important trends of today and going to be in the next decade, data and security. And if you think about application of machine learning/artificial intelligence to drive data security, it's going to be a key question that our customers or partners will be asking. My own perspective is that the cybersecurity today - the volume, variety and velocity of attack have gone beyond human comprehension. So we have to aid human comprehension with machine learning and artificial intelligence, to be smart about these attacks, to understand the adversary, to understand how do we protect ourselves and recover from it, and continue to operate the business in spite of attack scenarios that are happening all over us. Also, we have to realize that every organization has a toehold of bad guys. It's just a matter of time and attack happens. So if the folks are prepared to continue to operate in spite of an attack, that's the need of today.
Novinson: Good talk, Bipul. Thank you so much for the time.
Sinha: Thank you so much for this opportunity, Michael. Really appreciate it.
Novinson: You're very welcome. We've been speaking with Bipul Sinha. He is the co-founder and CEO at Rubrik. For Information Security Media Group, this is Michael Novinson. Have a nice day.