Interview with the Ukatemi CEOs

Interview

08/14/2024


Dr. Boldizsár Bencsáth led the company between 2012 and 2024, and is now succeeded by Roland Kamarás, the former CTO. This change of CEO gave us a great opportunity to talk to the former and new leader about the past and future of the company.

 

Boldizsár, can you tell us a little bit about the beginning? Why did you start the company? What were the first years like?

BB: Ukatemi was founded in 2012 as a spinoff of the CrySyS Lab at Budapest University of Technology and Economics. The year before, we discovered and analysed Duqu (a Stuxnet-related malware), and we suddenly became known worldwide in professional circles and were asked to consult in a growing number of related projects. It became clear that the IT sector’s existing structures were not suitable for incident management. We had marketable skills and knowledge in that field but the framework we were working in at the time did not enable a market presence. We needed a business entity that was fast, flexible and expandable. Ukatemi was founded by Levente Buttyán, Gábor Pék, Márk Félegyházi and myself. Gábor and Márk later started working on another idea of theirs (Avatao, which provides cybersecurity training for developers). In the first years we mainly tried to continue with incident management, of course with some penetration testing and other gigs. It seemed like a great niche, but there was one problem: incident management was impossible to plan for. Ukatemi’s service portfolio had to adapt to customer needs. Many of the projects from that time are still not public, but they were exciting times.

 

What were the most important milestones?

BB: In the first few years we stayed in the garage-company stage with only 3-5 employees, as many of the founders had other focuses: teaching at the university, research in the CrySyS Lab, mentoring students, other companies. But even so, we quickly found our first steady clients.

The first major milestone was having a legal and physical infrastructure to work in. Then came a period to lay the foundations: to have the people, structures and partnerships to run a company that could generate profits and is a good place to work. This period was not at all about immediate profit. At that time, for example, we were building our SSL certificate collection platform, our malware database. These investments gave the company a solid base. Several of them are starting to bear fruit today.

A third major change came when we consciously started to focus on business aspects. Customers found us with so many different tasks that it was no longer possible to keep up with the organic growth. The team was expanded with sales and marketing colleagues, which has also led to a visible increase in revenue.

I think we’ve reached the fourth such milestone. It was time for me to give away my daily operational tasks to Roland, who has been handling such duties for years now as the CTO. We have a core team, including the new CEO, with whom we can create a more structured and efficient organisation – while retaining our core values, of course.

 

Roland, when did you join the company and what led you to become CEO of Ukatemi?

RK: I have been working here since my internship, and I also wrote my thesis on a Ukatemi project, so it was obvious that I should continue to work here after receiving my Master’s degree. When I joined, there were four of us in the company besides the founders: the office manager and 3 technical people; now there are 27 employees (but let’s note that the ratio of engineers to non-engineers is basically the same). Fortunately, I always had a reason to stay: I felt constantly challenged, I had more and more influence on the company’s processes, and I worked in a fantastic team.

A recurring theme at board meetings over the past year has been the need to create enough room for everyone to do what they are best at. We need to move from being an enterprise to being a company, so to speak. It was obvious that this change requires a shift in management practices, but we wanted to keep our core values, as Boldizsár mentioned. During these board discussions I did not participate as a CEO candidate, but when we agreed on the core principles and I was offered the job, I didn’t have to think long. We knew that the head of Ukatemi could only be a technical person, as this was one of our key differentiators in the market, a credibility issue, and I have experience in most of the technical things that we offer as a service: incident management, malware analysis, pentesting, testing APT detection tools, training. I was involved in the development and sales of previous versions of our current flagship product, too (Kaibou, an on-premise malware database and laboratory).

I learned a lot from non-typical engineering tasks, such as managing people and maintaining customer relationships, so it wasn’t difficult for me to get to grips with the CTO role. Of course, it helped to have colleagues on the team who could take on important tasks and who wanted to continuously improve the quality of our work. I have been a member of the company’s board since 2020 and an owner since 2024. I hope these roles have provided me with enough strategic insight, alongside my existing engineering experience, to successfully run the company. I certainly still have a lot to learn about this role, but on the one hand I trust my colleagues and my fellow owners, and on the other hand I am trying to prepare myself more consciously for this role.

 

What are these core values that you both refer to?

RK: We want to deliver high-quality engineering services. If it’s in a traditional office IT area, fine; if it’s in a completely specialized cyber-physical area, fine. This is partly a natural result of our academic background, partly an expectation of our staff to work to high standards, and partly our unique selling point on the market that makes our clients work with us in the long run.

Another of our core values is that we want to create a company where it’s good to work, a company that employees can rely on. We try to listen to all feedback and ideas, deal with conflicts in a human and honest way, give talented people the chance to prove themselves, and create space for work-life balance. We don’t always succeed, but we try to learn from the experience. We’ve been in a recession for practically 4 years, yet we’ve managed to operate without having to lay off anyone. Some people have left us during this time, but for other reasons, such as a partner who got a job abroad and moved away together. There were also some that wanted to try themselves in multinational companies. Such events happen. We keep ourselves informed about how others are navigating in such circumstances, and we see that many IT companies have not managed to give their employees such security. We have a few additional plans that fall within this principle, such as broadening the scope of the ownership of the company among other employees or creating an employee housing program – we will communicate these in due course.

BB: We are also independent, in many ways. The word has different meanings in different contexts, but let’s just say that we are vendor independent and we don’t have an investor behind us. Our industry is based on trust, where the main asset is credibility, and not only with clients but also globally in professional circles – which comes in handy when following up on an incident management or malware analysis job.

 

What do you think of the Hungarian IT security market?

BB: It has come a long way in recent years and the upcoming EU regulations will also bring positive changes (DORA, NIS 2 etc.). Companies’ attitudes to information security – especially if they are multinationals or large companies – are generally OK. But it is clear that much more work needs to be done en masse, and that very few companies are delivering quality work. In the case of Pentest, for example, there are unfortunately very few reliable providers in Hungary.

Another feature of the Hungarian market is that services are quite underpriced, not only compared to international levels or Western Europe, but also at regional level. This cost is a problem because it can only be overcome by reducing the quality of the work. Certain specializations, such as forensics and incident response, remain underdeveloped, also partly as a result of the macroeconomic environment and recession. When the economy is back in a developing phase, companies will need to start spending in these areas. We understand that many companies cannot afford to do so now, but they cannot afford not to address IT security when they can do it. We have seen exactly what has happened in the last few years: incidents happen on a daily basis that could have been avoided, but someone in the decision-making chain just shrugged the warnings off and said “it can’t happen to us”.

RK: I have to agree with Boldizsár: unfortunately, cost is mostly the top priority. It would be nice if we could compete in terms of quality, because we do not want to compromise the level of our services, and right now we are in the top 3 cybersecurity companies in Hungary. Fortunately, more and more of our customers confirm that our commitment to quality is worth the price, because once someone starts working with us, they come back. Although we want to address this difficulty of the Hungarian market in part by gaining more international clients.

 

What are the main challenges facing Ukatemi today? Roland, how do you want to shape the company and Boldizsár, what advice would you give him?

BB: The spread of certain technologies and their regulation must be taken into account when rethinking our business model. One thing is for sure, AI is a major challenge, it is not yet clear how we should respond as a cybersecurity company: should we immediately try to automate everything, solve it with AI, or should we do what AI cannot do, or integrate the two? Today, it is not at all clear how far automation should go in a malware analysis, incident management or pentest process and what should be a human driven one. This is not only a quality and technology question, but also a legal, data security and business issue. Another similar dilemma is the question of the cloud: are we going in the direction of the cloud or do we need to step back a little bit in order to have security? At the moment it is impossible to say, because there are good examples, bad examples, believers and critics in both approaches. And we haven’t even talked about the impact these technologies will have on wages – not just for us, but internationally, across many industries. The next CEO will have to set the stage so that he ends up on the right side.

RK: First, I want to improve internal efficiency. We have a jointly developed and approved strategy for the coming years – growth, customer portfolio, number of product sales, etc. We want to apply the existing engineering approach and academic rigour to our internal processes to make this strategy a reality. The technology issues that Boldizsár mentioned will indeed frame our profession and our business, and what I would like to achieve is to create the capacity within the company to deal with them, not to waste expert energy and enthusiasm on what does not create value.

What I also see as important is to add more senior colleagues to the team, preferably people who can bring more business experience to the company. For the existing core team we want to provide a career path that will continue to inspire them, and to expand the circle of owners with them.

Last but not least, we want to continue working on exciting engineering problems. After all, we are ‘Driven by challenges’.