Skyhigh Security is a technically a new company. But it is also, in some respects, far from it.
The company’s DNA can be traced back to 2013 with the launch of Skyhigh Networks, a cloud access security broker that aimed to secure enterprise connections to the growing number of cloud apps and services. McAfee acquired Skyhigh in late 2017 in an effort to bolster its cloud security presence.
In early 2021, private equity firm Symphony Technology Group (STG) acquired McAfee’s enterprise business for $4 billion. McAfee’s enterprise products were split into two companies. Skyhigh Security, formed in March, was created as the continuation of McAfee’s enterprise cloud security products. The other, Trellix, is an extended detection and response vendor that combined parts of McAfee with sister STG acquisition FireEye.
From a product standpoint, Skyhigh contains pieces of the McAfee Enterprise Security Service Edge portfolio, including its cloud firewall, cloud-native application protection platform, cloud access security broker, secure web gateway, zero-trust network access, cloud data loss prevention and remote browser isolation technology offerings.
Gee Rittenhouse, CEO of Skyhigh, and Thyaga Vasudevan, vice president of product management, recently discussed the evolution of the company, and why its approach to melding cloud security with network data protection will fit better than melding it with McAfee’s endpoint security business. Rittenhouse previously led Cisco’s cybersecurity business, while Vasudevan previously served at McAfee and Skyhigh Networks.
To start, Gee, how did you become CEO of Skyhigh Security?
Gee Rittenhouse: Let me back up a second because I think it’ll connect the dots. McAfee, being primarily an endpoint protection, wanted to start to protect the data. And, of course, they realized that the data was going into the cloud. They started making the acquisitions with Skyhigh Networks and others to bring all of that together, thinking that from the endpoint perspective and data protection perspective, we’d be able to connect the two together. It turns out that the market looks at those two very differently. So that’s what ended up splitting the two companies.
When I was looking at data protection, I was doing it from Cisco, which took a different slant on it and thought about data protection from a networking perspective. This means looking at the packets, inspecting the packets and trying to route the packets in the most secure way. That is becoming harder and harder to do because those packets are encrypted, the network is going dark, TLS 1.3, all of these things are happening. This meant that if you’re coming at it from the network perspective, that problem is getting harder and harder to solve. So, this realization was happening over a number of years.
I knew of McAfee Enterprise cloud for a long time, and I’ve known [former McAfee senior vice president of cloud Rajiv Gupta] for a long time. But prior to Symphony’s acquisition, there was a reluctance to split the two companies. And so if, from a Cisco perspective, I was to consider acquiring it, I had to acquire everything. And I didn’t want that endpoint side — it was just the cloud side. After I announced that I was leaving Cisco in the fall, that’s when Rajiv and STG approached me and said, ‘Gee, we’d like you to take on this business and lead it into this space.’ I joined STG as an operating partner in December to facilitate the split of Trellix out. We did that in mid-January, and I stayed on with McAfee Enterprise until the Skyhigh launch in March. I wasn’t brought in to be a professional CEO, because when you do that it’s normally around an exit event or from a financial perspective. I was brought in to run the company because of my expertise in networking, in cloud and in data security, and this is the direction that Symphony Technology wants to take the business.
Skyhigh Security is an interesting case, because it’s in some ways a new company and in some ways an old company — McAfee products and the Skyhigh name. What are the challenges of being this hybrid old business-new business type thing?
Rittenhouse: I think there’s three: The first challenge is just defining the company, the brand, what the company stands for and what the company does, because there has been an association with McAfee, which is in a very different space than the space that we participate in.
There’s also job No. 2, around [figuring out] where we’re going and where we fit in to the marketplace. Our technology is rooted in deep technical expertise that takes years to develop, but we’re also new. As a new company coming into the market, where do we fit in amongst the peers? Because the market is forever changing.
And then the third piece of this is to, in some ways, guide the market into this new space, because we’re really combining traditional edge security of proxies and things like that with data security, and the industry still likes to segment things. ‘Oh, you’re a proxy company?’ Or ‘Oh, you’re a data company?’ We’re breaking that apart and saying, no, actually, the future is the cloud and the future is data. That’s where we are. That’s where our history drove us toward.
It sounds like there are a lot of benefits to using the Skyhigh name because, one, Skyhigh is not McAfee. It is also an established cloud security name. It seems like the name fits into pretty much all three of these challenges.
Rittenhouse: Yes, well, it was deliberate! But what’s interesting is, if you follow Skyhigh’s history, there’s a subtle difference. It’s not networks — it’s security. So there is a difference between Skyhigh Networks, the former company, and today’s company of Skyhigh Security. We’re taking on that broader mission, that broader ambition. But we’ve adopted this broader mandate of helping to defend the world’s data.
What has the culture been like since the company officially spun out three months ago? Is it business as usual, with the same offices and similar people other than whatever little shifts? Or is it like a new startup culture?
Gee RittenhouseCEO, Skyhigh
Rittenhouse: I don’t know what it was before I got there, but I can tell you what we’re focused on. We focus on embracing learning; the market is changing, and we’ve got to learn and adapt very quickly. We focus on diversity; we bring in all sorts of different people and different perspectives. We focus on simplicity and making it really easy. And so we’re transparent in our language. We’re clear in the way we explain things because we do want to educate, and then we’re transparent. We interact; we work as one team, we raise issues as a team, we solve issues as a team. There’s a level of transparency. Those are the kind of four key elements of our culture that we’re driving today.
Thyaga Vasudevan: I love that. And just to add on to what he said, I’ve seen this culture evolve over the last five years. I just made a trip to our development center in India and I had this really amazing moment of interaction with the developers. They all feel so energized because at the end of the day, everybody comes to comes to work to do the job. But if you just do the job, magic is never going to happen. You need to personally believe that you are doing something good for the organization and for the customers that are leveraging the product. Everybody fundamentally believes in the mission of protecting the world’s data.
I’m guessing there was a bit of an established enterprise energy working in the office day-to-day at McAfee. Being a new company, does Skyhigh still have that enterprise energy? Or would you say there’s more of a new startup energy?
Vasudevan: I definitely feel the vibe of a startup more than it was before. I think part of it is we’ve realized the name Skyhigh brings a lot of positive energy and positive emotions, of being a leader, an innovator a disrupter and a fast mover. And even though there may be people who believe in belonging to the old McAfee enterprise legacy, they themselves are forced to change because they’re seeing changes happening so fast. And I definitely see that there’s still areas in the company where we need to move faster, but every company has areas of improvement, and that’s what we’re trying to focus on.
How has it been transitioning the old McAfee customers into Skyhigh customers?
Rittenhouse: From a terms-and-conditions perspective and a procurement perspective, nothing has changed. We still have the same contractual terms and conditions, the same back office and the same procurement. What has changed, though, is on the front end of being able to talk to them about cloud and getting them on their journey. They’re in this transition as well, and we’re aligning ourselves to take them on that transition. But the way they interact with us, actually, is the same infrastructure that we had before. We make it as easy as possible, because you don’t want to form a new company and then have to renegotiate every deal or renegotiate these things. We’ve kept that consistent for them to make it as easy as possible to deal with Skyhigh.
Vasudevan: The product is the same as well. The product has been branded as Skyhigh, so they log into the console and they see Skyhigh, not McAfee. It has been a very, very smooth transition for all our customers.
What’s next for Skyhigh Security from a product standpoint?
Vasudevan: The first thing that I really liked that Gee did when it came to the company was defining the company’s mission and value statement: to be able to protect your data. Everything that we do within the product today is very data-aware. And in the platform, what we have today is we have our secure web gateway solution, we have our cloud access security broker solution, we have our zero-trust network solution Private Access, and we have our public cloud security solution. All of these have now come together as a unified platform, and this was the big thing that we have been talking about at RSA to different customers, because it’s a hard problem to solve.
If you’re only focusing on the network access, you can’t solve for protecting data across the board. Think about a situation where a user is going to upload some sensitive data to a shadow IT application like Dropbox. If you’re doing it through network layer, you can catch that, right? Now think about if it was uploaded to OneDrive. Now what happens on the cloud [is that] you can’t detect anything through the network layer. You need an API-based layer to be able to detect that. Unless all of this comes together in a unified platform, you can’t deliver the value proposition to the customer.
Now as for the next big thing, I think the first thing that we’re trying to do is make sure that there is consistency in our data protection policies across the platform. Unification is going to be key in many of the things you see from us.
Editor’s note: This interview was edited for clarity and length.
Alexander Culafi is a writer, journalist and podcaster based in Boston.