Cylance products proactively prevent, rather than reactively detect, advanced threats and malware.

Lorna Garey

January 23, 2018

11 Min Read
Superhero Businessman


Lorna Garey

Channel Partners recently sat down with Didi Dayton, VP of worldwide channels and alliances at Cylance. Founded in 2012, the endpoint security provider sells exclusively through the channel and posted impressive 283 percent revenue growth over the past year, with year-over-year customer count up 169 percent. Clients include Toyota, GameStop and Panasonic. It was ranked No. 10 on Deloitte’s 2017 Technology Fast 500 list, and its technology is deployed on more than 10 million endpoints.

Cylance and other well-funded security unicorns like Tanium, Crowdstrike, ForeScout and SentinelOne are diverting market share – and partner attention – from more-established endpoint security suppliers. And in fact, Dayton says Cylance CEO and founder Stuart McClure, and founder and chief scientist Ryan Permeh got their starts with McAfee but parted ways when they made the pitch to move beyond signature-based malware detection and were rebuffed.


Cylance’s Didi Dayton

“Stuart came up with this idea and said, ‘Hey, what if we were to apply artificial intelligence towards security instead of writing a signature every time that we see something bad?’” says Dayton. When they got no uptake at McAfee, Permeh and McClure, who is an author of “Hacking Exposed,” struck out on their own.

After several funding rounds, Cylance launched a slate of security services in 2015; it still offers specialized consulting and incident containment. That service background informed the company’s software strategy.

“Based on our knowledge of how the product actually worked out there, we designed some things that would be easy for partners to offer as a services solution,” says Dayton.

Cylance’s technology uses artificial intelligence and machine learning to recognize malware before it can alter an endpoint device. Dayton says it does so without the lag time and performance hit common with signature-based AV.

“It’s silent to the users; they can go about their business,” says Dayton. “They never know security’s running in the background, but it does a dive and catches every time something malicious comes onto their system and just doesn’t allow it to run.”

The company has a wide range of solution-provider, technology, system-integrator and alliance partner opportunities as well as a dedicated cloud partner program offering subscription services to customers. It recently launched a multi-level MSSP program to enable partners to offer Cylance products as managed services. MSSPs may license products on a monthly or annual subscription basis.

Cylance is certified as a PCI-and HIPAA-compliant AV, meaning auditors won’t ding customers for removing legacy antivirus. Its tech is popular with health care, finance and manufacturing firms, and Dayton says it’s starting to …

… do well in life sciences and pharma.

Here’s our Q&A, edited for length and clarity.

Channel Partners: How long have you been with Cylance?

Didi Dayton: I joined the company two years ago to run the channel, and as we’ve built out more functionality within the channel, they’ve asked me to take on managed services, so we’ve built out the MSP program on top of the channel program.

About six months ago, [McLure] asked me also to take on strategic alliances, which is a passion of mine because I consider myself an organizational engineer. I love to find ways for technology companies to work together and come up with something really, really cool, so one plus one equals three.

CP: That’s a lot on your plate. What’s your team structure?

DD: We’ve got folks that run a regional channel; we call them ‘regional partner managers’ — they’re not channel account managers, because they approach it as a regional manager would, like a regional sales director as opposed to an account manager, where they just care about an account. They’re looking at a bigger picture: How does all this stuff interoperate; how do I get my teams to work together?

It’s a much broader role, if that makes sense.

[Editor’s Note: Cylance announced last week that it has named Chris Scanlan SVP of North America sales. Scanlan comes to Cylance after serving as SVP of worldwide sales at Optiv,]

CP: How do partners explain the logic behind proactive versus reactive signatures?

DD: The big difference is that a signature is predicated on known bad, but to know that it’s bad, you have to first see it do something bad, so you have to have Patient Zero — that one system that’s been compromised.

The paradigm shift for the whole industry was ransomware, because with one system compromise, your entire data set is at stake. As a partner pointed out to me, that’s unacceptable. You can’t have a Patient Zero anymore. Partners grasped this concept very quickly, and they helped us create a new message and wave around artificial intelligence.

Before, there were so many permutations, it was like “Oh, OK, well, there’s a sample.” Then, over time, it became more about managing the sample infrastructure and trying to create and produce new samples, rather than just looking at everything that came in and stopping it on the fly.

But now it’s all moving so fast; it’s at machine speed — even attackers are starting to use artificial intelligence. AI can just crunch data much faster. It’s a completely different paradigm.

We disrupted the market when we came on board and we’ve been challenging the status quo ever since, solving a problem that customers have a very difficult time solving on their own. I think it’s been good across the industry — it’s raised the bar.

CP: Tell us about your program structure.

DD: If you look at RSA’s conference last year, everyone was talking about …

… artificial intelligence. What we’ve done differently is, we’ve patented the methodology, so we’ve got 15 patents, but we’ve also taken a pure channel approach. We’re 100-percent channel as a company. We’ve got the traditional tiers within our partner programs, but then we also added some unique identifiers within the program, like access to our executive team.

We have a very close-knit partner advisory community, and we run quarterly meetings so that partners have hands-on access to our execs. They help us with everything from naming our program to identifying features that are relevant to customers to setting the strategy as far as midmarket versus large enterprise. They take a very hands-on approach with how we run our business, and we want to stay very closely aligned with how they run theirs.

CP: Do you work with distributors?

DD: We do. Outside of the U.S., we’re exclusively two-tier. In the U.S., we’re two tier exclusively for two segments, and that is with CDW because they needed a predictable turnaround time on quotes and orders, and then also with our federal space. For our federal partners, our GSA schedule holder is FedResults with Carahsoft.

Globally we leverage Westcon and a number of other really great value-added distributors. They help us get the reach that we need.

CP: What are partners hearing from customers?

DD: We had one multimillion-dollar deal come in last quarter because we had a customer that was in a breach situation, and the two CISOs knew one another, and the CISO that we had helped out – we actually went on-site and helped them out of a huge problem – he called his buddy and was like, “You need this. This is definitely the right way to go.”

CP: You can’t buy the sort of advertising of one CISO calling another and saying, “They came out to help me.”

DD: I know. And it’s a tight-knit community, because they have so many vendors to deal with. Look at how many vendors are in the market — I think it’s like 1,600. A lot of our customers have come to us and said, “Within my ELA there [are] 30 products, but we only use five, maybe six of them.” So now they’re doing this rationalization process where they’re going through line item by line item – and procurement teams are doing this as well – picking out the technology that they don’t want to pay for anymore.

The partner has a pivotal role in helping the customer identify what still works and what’s relevant.

CP: Are you secure that Cylance makes that cut?

DD: Our customers are at 86 percent utilization. They actually use us in blocking mode, and that’s such a huge differentiator. They trust that our artificial intelligence can make the right decision in the blink of an eye.

We might miss one sample out of 100, but everyone else so far has been missing like 50 samples out of 100, or if it’s optimized, maybe they get to 70. But when those systems go offline and all those other security controls are cloud-dependent, now they plummet down to …

… 17 percent or 20 percent efficacy. (Here’s our take on security product testing.)

So that’s where our customers are: “Let the AI do its thing, and take out the old agents that no one wants to use anymore.”

We run a tiny microagent, and we interoperate across every operating system, so we’ve been helping partners build out a story around protecting their Microsoft environment, or protecting their hybrid Mac OS environment, Linux environment and Windows. A huge differentiator for us is our ability to seamlessly plug into a variety of different environments.

CP: The skills shortage is another huge challenge partners and customers face. Does Cylance help with that?

DD: I just read on CSO Online that it’s only getting narrower, the number of people that have security expertise. And you know, and this has always been really sad thing for me to watch, they take really smart people that have years of hands-on experience with security, and they put them in a security operation center where they sit and watch a screen full of alerts and triggers that may or may not be a problem, and they’re expected to just sit there for hours a day.

We help them get out of that mode. We’re all about demonstrable results: Looking more at business outcomes, reducing help desk tickets, preventing having to re-image a system that’s been compromised, or limiting the scope of an incident by containing it. All that, seamlessly integrated into the architecture — that’s what we’ve been able to bring to the table.

CP: I know we’ve gotten past prediction season, but what new threats are you seeing, or are your partners starting to see?

DD: There are some very big vulnerabilities that have come across. Spectre is a great example. We’re seeing some advanced techniques around fileless malware. It’s difficult to pick it up because it’s not even a fully formed file.

We’re seeing masked identities, even tricks like attackers using a Word document that they send into an HR organization and while that Word document is opening – it takes 20, 30 seconds – in the background there’s a dropper that has a piece of malware and ransomware. The HR person clicks on that file and they go, “Oh, nice resume — wait, it’s having a hard time opening and loading.”

Before they know it, they’ve been ransomed.

In terms of the predictions, a couple of things are starting to happen. One is this convergence that Gartner has pointed out between the EPP [endpoint protection platform] vendors and the EDR [endpoint detection and response] space.

Second is consolidation of the market overall. It’s still a fairly crowded security market, and I’m seeing a huge uptick in …

… the volume of partners that are offering managed services, so it’s not just service, installation and deployment, it’s monitoring services and someone assuming the day-to-day risks and eyes on keyboard to make sure that those operations are actually running.

CP: Where do you go from here? You have unicorn status, so what’s next for the company?

DD: A couple of things. One, we’re branching out into more of a platform direction. Customers want simplicity in not only their procurement but also in the deployment and management of systems.

Customers – especially large enterprises – are leveraging SIEM solutions, they’re leveraging orchestration, automation systems, just to reduce the amount of tasks that humans have to do, and so a big push for us is leveraging the power of the architecture itself and creating more of a defensible architecture.

Cylance is also expanding across not only our traditional prevention, but we just added an amazing EDR solution, and we’ll also be adding identity and making sure that users are who they say they are.

Longer-term strategies will incorporate both regulatory management and partners being able to offer extended contracts and services. We’re going deeper into international markets, expanding across Europe, and we’ll be adding more distribution support for our smaller partners here in the U.S.

CP: What else should we know?

DD: We’re all about community building, so there are two things that we’ve done in our channel program. One is that we allow partners to give a subscription for one year to the nonprofit customer of their choice. That’s because we recognize that nonprofits are vulnerable, and also because we want partners to be the hero.

We also give partners access to the technology for internal use. We have 204 partners today, rapidly expanding to 250, that use Cylance technology to protect their internal systems.

And we look at sales, technical and financial capacity, so we’ve been building out a $2 billion financial capacity. And then in terms of technical reach, we have 500 architects that are fully trained and certified.

Read more about:


About the Author(s)

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like