Transforming Manage-Risk

Sudhindra Kumar , co founder & CEO of Manage

Manage-Risk,
Risk, was looking at the Mumbai traffic from his office window
while thinking about the upcoming meeting with his investors to discuss the roadmap for Manage-Risk.
Manage
He was
wondering on how he can transform Manage
Manage-Risk, a full-fledged Security and Risk Management services company
from an only services company to a services
services-cum-platform/product
platform/product company. He was thinking about the potential
challenges from an external and internal perspective.
The security product industry was highly competitive and dynamic. Internally, Manage-Risk
Risk would have to build
product development & marketing teams and these teams would have to cordially co
co-exist
exist with existing services
teams, which had be instrumental in the companys stellar growth. Additionally, Sudhindra also wanted ManageManage
Risk to have a larger global footprint. Currently, the companys revenues came from India (60%), USA (10%) and
Middle East (30%). Sudhindra wanted the revenue streams to be from different geographies, which would be
better in the long term
erm from a sustainability and revenue
revenue-risk
risk perspective. The investors were looking at a strategic
roadmap for transformation.

Background
Manage-Risk, a Full-fledged
fledged Information Risk services company, was set up in 2010 by Sudhindra and Sam, a bunch
of professionals
fessionals having a rich experience in Technology, Information Security and business development &
marketing in IT industry.
Sudhindra was a MBA graduate from the Indian Institute of Management, Kolkatta, which was one of the premier
management institutes in India. Upon graduation, Sudhindra joined a start
start-up
up building PC based software
products, which was then a small company with 10 employees. After 2.5 years, Sudhindra joined Computer Vision
and began his journey in the Information Technology (IT) sector. In 1992, he joined a leading Network & Systems
Integrator and in 1999 he quit and embarked on an entrepreneurial journey, which was into the network
integration and service business. The worlds largest IT firm acquired the company and Sudhindra joined the
th firm
as a part of takeover agreement. Sudhindra worked at the worlds largest IT firm for the stipulated 18 months and
worked for another 6 months at another Global MNC as Director, Strategy and Operations and the start-up
start
bug bit
him again.
2

During that period JEH Capital ,a US$ 150 million venture capital fund focussed on early
early-stage
stage investments in
technology and technology-enabled
enabled companies, was contemplating on investing in an Information Risk
Management company and since there were not many such inves
investment
tment opportunities, JEH Capital was also
receptive to the idea of providing a seed fund for a start
start-up in this space.
Sudhindra had got in touch with one of the persons from JEH Capital through LinkedIn and after some discussions
Sudhindra submitted a business
siness plan for a start
start-up. JEH Capital provided a seed funding of US$ 3Mn. Sudhindra got
Sam on board as co-founder,
founder, Sudhindra knew Sam professionally. Manage
Manage-Risk
Risk had witnessed over 100% growth
year on year. It today serves more than 100 clients worldwid
worldwide
e with a team of 160 professionals. It had executed
more than 500 projects in 20 countries.

1Names
2Name

have been changed for confidentiality reasons. The case study deals with a current problem for a real firm
changed for confidentiality reasons, this is a leading investment firm in India.
Copyright 2014 IvyCap Ventures Advisors Pvt. Ltd., All rights reserved.
Our mailing address is:
G-2,
2, Spectra Building
Building, Hiranandani Business Park, Powai, Mumbai - 400076
www.ivycapventures.com

Industry Information Security and Risk

Information Technology had changed the way businesses function and almost every business had some kind of
online presence either due to competition or compliance. Banking industry had been stepping up their IT security
landscape to maintain competitive advantage, building brand image & most importantly meeting statutory
compliance. Similarly insurance industry was also fa
facing
cing a demanding business environment with changing
business, regulatory & technological environment which was making it mandatory for them to address information
risk.
In the technology sector, with the increasing importance of adopting new business mode
models
ls focussed on reducing
time to market, the enterprises need to address information risks that are exacerbated by shorter product
lifecycles. Communication industry is concerned about securing its networks, VAS applications, AppStores and
privileged identities.
ties. Government & Public sectors faces information risks due to their sensitivity, complexities &
scale. Health care industry faces significant risk because of increasing regulatory pressures on security & patient
3
data privacy . Increased usage of IT crea
created new business risk information security.
The phenomenal growth of newer technologies in business has led to increased sophistication of threats &
complexities in IT infrastructure. Gartner, an information technology research and advisory firm, mentions
mention that the
spill over of social network, Google apps, iPhones & other mainstream technology into the enterprise, has led to
what was called as social engineering. Gartner has defined social engineering as the manipulation of people,
rather than machines,, to successfully breach the security systems of an enterprise or a consumer. Simply put, it
was where an attacker would exploit the trust of a social networking user by posing as a friend for example, while
launching a malware attack or stealing creden
credentials.
tials. Analysts agreed that although many businesses today shun
Facebook, MySpace, YouTube, and Twitter at the office, that will soon change as the next generation of employees
4
expects to have access to these tools in the workplace.
Another threat was phishing,
shing, which has become a major concern for businesses around the world. The phishing
attacks have become refined & difficult to identify & avoid. These have huge impact on companies brand,
reputation and causes significant financial losses in the future due to lost customer trust & decline in shareholder
5
value . Yet another example was that of Zombies personal computers in diverse locations controlled by hackers
through files which appear legitimate but which are actually viruses that hijack a firms IT backbone. Targeting
6
specific entities, these Zombie PCs are networked and used to send thousands of messages.
The changing environment has made organizations to consider the security risks to information in a grave manner
and this has given rise to the growing
rowing IT security and risk management market. The global IT security market was
distributed across the continents. The distribution of the security service spending across various markets consists
of North America (US$ 15 billion), Western Europe (US$ 12 billion), Japan (US$ 5 billion) & Asia Pacific (US$ 5
billion) as on 2012. These are expected to grow to US$ 19 billion, US$ 14 billion, US$ 6 billion and US$ 7 billion by
7
2015 respectively (Exhibit 1).
). The key growth driver for the global security indust
industry
ry included data explosion due to
growth in internet, cloud, social media and mobility. Increased compliance requirements and security concerns for
several services such as banking, financial and telecom services will also drive the need information security
securi risk
management. The reality of cyber attacks hampering the functioning of a country such as India has spurred the

3Information

from Company
from Company
5Information from Company
6Keeping a digital vigil, Livemint.co./ the Wall Street Journal14
7Gartner
4Information

Copyright 2014 IvyCap Ventures Advisors Pvt. Ltd., All rights reserved.
Our mailing address is:
G-2,
2, Spectra Building
Building, Hiranandani Business Park, Powai, Mumbai - 400076
www.ivycapventures.com

need for better security and risk management. The overall global security technology and services market was
8
expected to grow to more than US$86 billion in 2016 .
The global IT security market was quite fragmented and several consulting, audit& IT firms compete in this market.
The big names in this space are PwC, Deloitte, E&Y, IBM, Wipro, Accenture & KPMG ((Exhibit
Exhibit 2).
2 In this space
Manage-Risk,
isk, with its 160 consultants, has positioned itself as a medium size, niche security & risk management
company catering to consulting, technical & managed services ((Exhibit 3).This
).This industry poses challenges to new
entrants in terms of scaling for smaller companies& the need to invest highly for sales & marketing.

The security product market

The Security Information & Event Management (SIEM) industry will be driven by the threat of new
security challenges & increased compliance. According to Gartner, the SIEM was a US$ 1.5bn market
which grew 16% during 2013 and expected to grow at 12.4% during 2014. The product industry was
dominated by big companies such as HP, IBM, McAfee, EMC (RSA) and Splunk with around 60% of
market revenue9 (Exhibit4).
). These compani
companies
es have good customer reach which helped their products
dominating in the security markets. This market was also seeing a lot of consolidation with lot of these
companies acquiring security vendors to enhance & obtain security expertise & credibility in the
th market
(Exhibit 5).
). These acquisitions are being done for variety of reasons including meeting increased
demands, building a stronger position or getting cross selling opportunities.
Manage-Risk The Journey So Far
Manage-Risk
Risk started with the aim of hel
helping
ping organizations to manage risk and security. It wanted to create a
differentiated global eco-system
system of people, processes and technology to help customers minimize and mitigate
information risks. Manage-Risk
Risk offered domain
domain-focussed Information Risk Management
ement (IRM) services, which were
based on industry expertise and extensive experience in risk management. It added value to customers by securing
their information and software products. It also helped companies to comply with various regulations.
Customer profile
Manage-Risk
Risk customers included players from industries such as Banking, Insurance, Technology, Communications,
Manufacturing & Retail, Government and Health Care across USA, Middle East and India.
Solutions offered
Manage-Risk helped its clients with its IRM solutions portfolio. Each offering had three components Strategy,
Control Integration and Sustenance. The details of each of its offerings are as detailed below:
Risk Management Frameworks:: Manage
Manage-Risk provides risk & compliance management framework
ramework services to its
clients. Demand drivers of these services are ever growing number of risks to information security & introduction
of newer regulations. Manage-Risk
Risk assists its clients in planning, developing, establishing, implementing,
monitoring and sustaining a comprehensive governance, risk and compliance program.

8http://www.gartner.com/newsroom/id/2512215
w.gartner.com/newsroom/id/2512215,

accessed on 10th Jul 2014

9http://cloudtimes.org/2014/07/09/gartner
http://cloudtimes.org/2014/07/09/gartner-report-ibm-recognizes-as-the-leader-in-information
information-

security/, accessed on 11th Jul2014

Copyright 2014 IvyCap Ventures Advisors Pvt. Ltd., All rights reserved.
Our mailing address is:
G-2,
2, Spectra Building
Building, Hiranandani Business Park, Powai, Mumbai - 400076
www.ivycapventures.com

Data protection: Manage-Risk

Risk provides comprehensive data protection services that works across the data
lifecycle. This framework provides a complete offering that includes designing of data-centric
centric policies, data
classification, data flow analysis, fine-tuning,
tuning, consequence management and tools like data loss prevention (DLP),
information rights management (IRM/ERM) etc. to ensure effective data protection.
In addition to this, Manage-Risk
Risk also offers a few accelerators including an automated data flow analysis and
repository, a health check assessment tool and data classification tool to help clients with comprehensive data
protection. It had enabled several clients to implement data protection services frameworks to ensure regulatory
compliance and prevent any negative impact to business due to data loss.
Identity Management: Manage-Risk
Risk provides services to its clients across all phases of an Identity and Access
Management (IAM) initiative - covering planning, implementation and sustenance. It leverages its domain
expertise in both identity management and access management. Importantly, Manage
Manage-Risk
Risk Identity and Access
Management (IAM) solutions are vendor
vendor-agnostic - ensuring that the clients get best-in-breed
breed solutions across all
leading IAM solutions.
Privileged Identity Management: Manage
Manage-Risk
Risk facilitates business by providing secure & easy to use solutions to
the requirements of management of unrestricted admin access through privi
privileged
leged IDs. It focuses on the special
requirements of powerful accounts within the IT infrastructure of an organization. Privileged Identity Management
(PIM) was composed of password vault, provisioning and user account life cycle management, access management
managem
and auditing. It's used primarily for managing administrator activity in sensitive environments, such as production
servers, network equipments, application and databases.
Threat Management: Manage-Risk
Risk had been working with global clients to improve tthe
he security posture of their
software's. Ithad transformed development lifecycle to secure development lifecycle, conducted code reviews,
penetration testing and also had been involved right from the inception stage of the software development.
Manage-Risk also provides specific solutions for different industries. For example, it provides Phishing services to
banking sector clients, it also provides other solutions such as Virtual Security Office, EE-factory,
factory, AppSeconDemand
and RSA Archer CoE (for RSA Archer which an eGRC Automation technology)
Partners
Risk had partnered with various companies to provide value
value-added
added services to clients and reach a larger
Manage-Risk
client base. Manage-Risk
Risk had partnered with Amazon Web Services to enable clients to build, release
rele
and sustain
security elements and controls in software on Amazon's cloud. Manage
Manage-Risk
Risk was an advanced IBM partner and it
complements IBMs Security Systems product portfolio by providing a robust set of services for Planning,
Deploying and Sustaining IBM
BM security solutions.
It had also partnered with RSA Security to offer advanced security solutions, comprising of RSA security products
and full-cycle
cycle professional service from Manage
Manage-Risk,
Risk, to clients across North America, West Asia, South Asia and
Asia Pacific
acific regions. These partnerships have enabled Manage
Manage-Risk
Risk to provide clients with portfolio of products
and services, required over the businesss lifecycle. The partnerships have also enabledManage-Risk
enabledManage
to cater to
clients across geographies.

Copyright 2014 IvyCap Ventures Advisors Pvt. Ltd., All rights reserved.
Our mailing address is:
G-2,
2, Spectra Building
Building, Hiranandani Business Park, Powai, Mumbai - 400076
www.ivycapventures.com

Organization structure
The existing organization structure of Manage
Manage-Risk
Risk was a functional structure consisting of Sales, Business
Management, Delivery and Operations. The structure was poised to transform to a metric structure wherein there
will be region heads, function heads & corporate teams, which will include a product development team (Exhibit6).
(
Investors
10

JEH Capital had been with Manage-Risk

Risk since its inception. BlackHat and State Venture Capital Fund alongwith
JEH participated in the Series B funding in 2013. This funding would be used towards strengthening global
operations and development of a unique security platform. Investors have been supportive and have been
enabling the team to reach its potential.
ial.

Manage-Risk Transforming
Transforming from Services to Platforms and Going Global
The profitability & revenue of a service company depends directly with the resources deployed. This makes it very
difficult for service companies to scale exponentially in a short time. This was referred to as linearity of IT service
companies. This was also affected by the attrition rates, rising salary levels and shortage of skilled manpower. The
very nature of business model of Manage
Manage-Risk as a service company was leading it to face
ace the linearity problem
where their revenues are in tandem with the resources employed. Additionally, customers are also looking for
more value from the service providers rather than just time & material billing. Under these circumstances,
sustainable growth
owth had become very challenging. As Sudhindra pointed out:

We would like to enter the platform market. That will provide us with the ammunition to
continue with our high growth. However, platforms have their own challenges they are binary
these may orr may not click with the consumers and if they dont, we would have spent a lot of
resources by then. We are trying to avoid this by developing products which will complement
our services.
Manage-Risk
Risk had been trying to break this linearity trap by forayi
foraying
ng into product development. Apart
from this, product development will help Manage
Manage-Risk to offer end-to-end
end solutions to its customers.
This will also give very positive signals to its existing & future customers about Manage-Risks
Manage
willingness
to add more values. A product offering will also help Manage
Manage-Risk
Risk in differentiating itself from the other
competitors. To make this happen, Manage
Manage-Risk
Risk had recently received series B funding for development
of unique security platform. It had established a security platform development group consisting of
around 20 resources. Manage-Risk
Risk had already launched a Phishing Solution which proactively measures
employees phishing awareness & helps fortify overall data security of an organization11.
Moving from services to product comes with its own unique challenges. The product companies face the
issues of longer gestation period with higher capital investment on conceptualization to final delivery of
the product. This was also associated with the risk of failure to sell tthe
he product. Hence, voice of the
customer for developing the product was very critical to understand the real need of the customers and

10Name

of investors have been changed for confidentiality reasons.

from Company

11Information

Copyright 2014 IvyCap Ventures Advisors Pvt. Ltd., All rights reserved.
Our mailing address is:
G-2,
2, Spectra Building
Building, Hiranandani Business Park, Powai, Mumbai - 400076
www.ivycapventures.com

other stakeholders which the product will satisfy. The products are also subjected to demand
fluctuations and product lifee cycles as compared to service business.
Apart from the external challenges, the development & sustainability of products would also depend
upon whether it was fitting with the overall strategy of the firm, internal structure of the Manage-Risk
Manage
and development
opment of resources& capabilities for product development. It was also important to note that
performance metrics for product development may not fit well with the companys current reporting &
performance metrics. Hence it had to come up with new performa
performance
nce metrics for the products. The
recruitment of people, both fresh & experienced, capable of product development was the key to team
building.
Because of their intangibility, even more puzzling questions were how leadership in Manage-Risk
Manage
would
give a boost to sustained product development. The management must understand that its a game of
patience & returns may take time to come. The next question was how the Manage-Risk
Manage
could be
infused with the culture of innovation, which was essential for the prod
product
uct development.
In its quest of strengthening global operations, Manage
Manage-Risk
Risk was contemplating on its global strategy.
Manage-Risks
Risks came from India (60%), USA (10%) and Middle East (30%). It had 150, 45 and 35 clients in
India, USA and Middle East respec
respectively. Manage-Risk
Risk wanted to increase its revenues from USA and
Middle East and Sudhindra was wondering on its strategy in mature markets. Sudhindra was also
wondering on whether Manage-Risk
Risk should enter any new market and if they decide to do that which
market should they enter into.
Sudhindra wanted to create a strategic roadmap for Manage
Manage-Risk
Risk from a twin perspective of foray into
products and scaling globally.

Instructions for Submission:

1. Submit the case study in the format of the case study sample ppt. provided on the website
2. Submissions will be judged based on identification of key challenges, innovativeness and practicality
of solution, clarity and thoroughness of recommendation, identification of risks and mitigation.

Copyright 2014 IvyCap Ventures Advisors Pvt. Ltd., All rights reserved.
Our mailing address is:
G-2,
2, Spectra Building
Building, Hiranandani Business Park, Powai, Mumbai - 400076
www.ivycapventures.com

Exhibit 1: IT Security Service Spending

Copyright 2014 IvyCap Ventures Advisors Pvt. Ltd., All rights reserved.
Our mailing address is:
G-2,
2, Spectra Building
Building, Hiranandani Business Park, Powai, Mumbai - 400076
www.ivycapventures.com

Exhibit 2: Size of Industry Players

Copyright 2014 IvyCap Ventures Advisors Pvt. Ltd., All rights reserved.
Our mailing address is:
G-2,
2, Spectra Building
Building, Hiranandani Business Park, Powai, Mumbai - 400076
www.ivycapventures.com

Exhibit 3: Positioning of Manage-Risk

Manage-Risk

Manage-Risk
Risk

Copyright 2014 IvyCap Ventures Advisors Pvt. Ltd., All rights reserved.
Our mailing address is:
G-2,
2, Spectra Building
Building, Hiranandani Business Park, Powai, Mumbai - 400076
www.ivycapventures.com

Exhibit 4: Gartner Magic Quadrant

Copyright 2014 IvyCap Ventures Advisors Pvt. Ltd., All rights reserved.
Our mailing address is:
G-2,
2, Spectra Building
Building, Hiranandani Business Park, Powai, Mumbai - 400076
www.ivycapventures.com

Exhibit 5: Recent Security acquisitions

Copyright 2014 IvyCap Ventures Advisors Pvt. Ltd., All rights reserved.
Our mailing address is:
G-2,
2, Spectra Building
Building, Hiranandani Business Park, Powai, Mumbai - 400076
www.ivycapventures.com

Exhibit 6: Proposed organization structure

CEO

Copyright 2014 IvyCap Ventures Advisors Pvt. Ltd., All rights reserved.
Our mailing address is:
G-2,
2, Spectra Building
Building, Hiranandani Business Park, Powai, Mumbai - 400076
www.ivycapventures.com