Pathlock-Appsian deal combines application governance and ERP security

Application Security, Governance and Risk Management, Next Generation Technologies and Secure Development

Agreement will help customers secure users and data on SAP and Oracle ERP applications

Michael Novinson (MichaelNovinson)
May 20, 2022

Piyush Pandey, CEO of Pathlock (Photo: Pathlock)

Pathlock merged with Appsian to form a 500-person behemoth that secures users and data in SAP and Oracle Enterprise Resource Planning applications.



The combination of Pathlock, Appsian and Security Weaver will allow the company to take a larger share of the $110 billion market focused on compliance testing for business apps, according to CEO Piyush Pandey. Companies rely on ERP applications for things like HR, finance, supply chain management, and business analytics and want to make it easy to secure all the critical information they contain.


“We want our customers to comprehensively manage risk across different applications with one tool, which not only helps automate the process, but also helps with testing,” Pandey told Information Security Media Group. “We want to combine these tools into one platform so people can get a complete view of risk.”


Growth capital firm Vertica Capital Partners combined Pathlock, Appsian and Security Weaver and adopted the Pathlock name for positioning and branding purposes, even though Appsian was the largest of the companies. Pandey was the CEO of Appsian and had worked for over a year to create a platform capable of providing security, compliance, governance and automation around SAP and Oracle (see: Attackers target unpatched SAP applications).


As part of the transaction, Pathlock also raised $200 million from Vertica to expand its application governance and data security capabilities. Pandey says the combined company will continue to invest in and support its existing product portfolio while building an integrated platform that will have a cloud component as well as an improved user interface.


A centralized view of ERP risks


By the end of the year, according to Pandey, customers will be able to manage risk for different ERP applications from a single instance, whether the instance is on-premises or in the cloud or involves SAP or Oracle. Once the integration is complete, he says, customers will be able to purchase the access governance, security control enforcement and vulnerability management features either together or separately.


According to Pandey, Pathlock’s access governance capabilities run the gamut, from segregation of duties and provisioning and deprovisioning to role design and privileged access management. Applying security controls and visibility enables real-time testing, verification and provisioning, as well as stopping transactions when they violate company policy, he says.


Bringing the capabilities of Pathlock, Appsian, and Security Weaver onto a single platform will require some development work with API calls so customers can choose between on-premises and cloud-based versions of the products. Relying on APIs for integration means Pathlock can forgo rebuilding everything and instead create procedures and steps to configure and reuse its existing tools.


“It’s about putting things together,” Pandey says. “We have five different doors and five different rooms, and we’ll put the right door in the right place so things can happen.”


According to Pandey, Appsian traditionally sold to more than 300 data security customers with a focus on supporting the human resources department and the Oracle platform, while Pathlock excelled in protecting financial services customers on SAP’s ERP platform. Security Weaver, on the other hand, exclusively supported SAP.


Security needs around SAP tend to be most acute in manufacturing, healthcare, higher education, and government sectors, while Oracle’s ERP offering is generally most popular with large, distributed organizations in industries such as healthcare, higher education, and state and federal agencies, according to Pandey.


The need for scale


Customers who adopt Pathlock typically do not use it to replace a direct competitor and in most cases relied on consultants or attempted to automate manual processes associated with compliance and audit on their own. The Pathlock portfolio overlaps SecurityBridge for SAP security in Europe as well as SailPoint and Microsoft for access governance.


The combined organization today relies on North America for 60% of its revenue, Europe for 30% and other regions such as Asia, Australia and Latin America for the remaining 10% of revenue, according to Pandey. Much of Pathlock’s growth outside of North America and Western Europe has been opportunistic, and Pandey says the company wants to stay focused on the world’s biggest markets.


Pandey hopes the mega-merger will streamline automation and bring tangible benefits to lines of business outside of CISOs, including human resources, finance and controller. Pathlock now has 1,200 customers, and Pandey would like to see the company quadruple or quintuple its revenue over the next half-decade by selling to existing customers or gaining other large customers around the world.


“No one has provided this precise and necessary risk management, compliance and automation tool for business owners,” says Pandey. “It’s not just a solution for CISOs, but gives business owners a way to see how they’re going to secure everything.”

Helen D. Jessen