He spent eight years arguing on the RSA Conference keynote stage that the human element is the asset, not the liability, in cybersecurity. Now he is running Barracuda, and we get to see if the argument scales.
Press portrait, September 2025 - the day the announcement broke
In September 2025, Barracuda Networks announced that Hatem Naguib was stepping down and Rohit Ghai was stepping in. The press release used the word "transition." The cybersecurity industry, which deals in subtler signals, read it as something else: an identity-security thinker being handed the keys to a network-security house.
Ghai had just finished nearly eight years at RSA, the company whose conference is the closest thing cybersecurity has to a high holy day. He had taken RSA out of Dell Technologies in a $2.1 billion 2020 spin-out, repositioned it as an identity pure-play, and given five RSAC keynotes in a row that quoted Brene Brown more often than they quoted Mitre ATT&CK.
Then he turned 50-something, joined Pegasystems' board in January 2025, and presumably had a moment of feet-on-the-coffee-table calm. It lasted eight months.
Barracuda is roughly 2,200 people and around $650 million in revenue, with a customer base measured not in Fortune 500 logos but in the long tail of MSPs and mid-market shops that actually run small-business email and small-business firewalls. It is the unsexy middle of cybersecurity, which is also the most-attacked middle of cybersecurity. Ghai's bet is that the same identity-and-platform thinking he applied at RSA travels downmarket and outward.
Ghai's first real job inside a global software giant was, technically, an accident of M&A. He was at Cheyenne Software, a backup and data-protection startup, when Computer Associates bought it in the mid-1990s. He didn't pick CA; CA picked him.
This is a more common origin story for enterprise software CEOs than the press releases let on. You join a small thing, the small thing gets bought, and suddenly your career is set inside a building you have never walked into. What separates the careers that survive from the ones that stall is whether the new mothership lets the acquired kid actually run anything. Ghai got to run CA India as CTO, which is the version of "lets you actually run anything" that involves a flight to Hyderabad.
He left CA for Symantec. He left Symantec for EMC in December 2009. At EMC he was given a difficult brief: take the Enterprise Content Division, with the Documentum franchise inside it, and figure out what to do with a business that had been quietly stranded by the cloud. The answer turned out to be: turn it around, then sell it. In 2016 the unit went to OpenText for $1.62 billion.
And that is the work that put him on Michael Dell's radar. When Dell bought EMC, RSA came along in the package. Dell needed a president for RSA. Dell called Ghai. In January 2017, he took the job.
For five years he opened RSA Conference - the industry's annual gathering of roughly 40,000 practitioners, vendors and journalists - with a keynote. The talks were unusual for the format. They were short on threat-statistic theatre and long on something closer to narrative philosophy. Read them in order and you can see him assembling an argument.
Stop waiting for humans or machines to get better at things they are terrible at. Humans asking questions; machines hunting answers.RSAC keynote, on human-machine teaming
Resilience isn't just about getting up when you fall. To be good at it, we must fall less often, withstand the fall better, and rise up stronger every time.RSAC keynote, 2022
We need to pay attention not just to the technology of defense, but the psychology of defense. The spirit of the defender matters as much as the shield she or he wields.RSAC keynote, on the human element
We don't have to win for the attackers to lose. When we deny the attackers financial gain, they lose - 70 percent of them are financially motivated.Interview with BankInfoSecurity
Zero trust was always important, but in the post-COVID, work-from-anywhere, always-on world, it is an imperative.RSAC keynote preview
If you don't have visibility, then you don't know what to defend.Interview, RSA
Ghai's early Barracuda interviews emphasize a "true platform" approach to security for managed service providers - the sales motion that already powers most of Barracuda's growth. Translation: fewer point products, more glue.
His RSA years gave him a strong opinion that identity is the actual perimeter. Watch how Barracuda's email and access stories tilt over the next 18 months.
In an April 2026 Barracuda blog post on empathy, AI and channel partners, he kept the AI talk grounded in partner economics. Unusual for a cybersecurity CEO in 2026.
He sits on D-Wave's board. The quietest reason for a cybersecurity CEO to sit on a quantum board is that the next encryption war started years ago.
An AI / workflow company picked him eight months before Barracuda did. Reads, in retrospect, like a market-confidence signal.
CRN named the Ghai-to-Barracuda jump one of the year's ten biggest IT CEO moves. They count.
South Carolina. His master's in computer science is from the University of South Carolina - one of the rarer alma maters among top cybersecurity CEOs, who tend to cluster around Carnegie Mellon and Stanford.
IIT Roorkee. The undergrad. One of the older IITs, traditionally strong in civil and computer engineering. The shape of an IIT-Roorkee career often skips the venture-capital track entirely in favor of building things that other people sell.
Chaos monkeys. He has used the Netflix engineering metaphor on a security keynote stage to argue for proactively inflicting failure on your own defenses. Very few CEOs of cybersecurity companies will tell you to break your own things on purpose.
Everbridge. Before D-Wave and Pega, he served on the board of Everbridge - critical event management. The throughline across his board seats is "what do you do when something goes wrong."
Documentum exit. The OpenText sale at EMC is the credential most often left off his biographies. It is also the credential that earned him the call from Michael Dell.
Saratoga, not San Francisco. Barracuda lists his city as Saratoga - the quieter end of the Valley. Tracks with the person.
Barracuda has been through three owners in twenty years: founders, then Thoma Bravo, then KKR. Each pass cleaned something up - public float, product sprawl, MSP focus - and each pass put another bet on the table. The bet KKR is making now is that the email-security-plus-network-security-plus-data-protection sprawl can be threaded into a single platform story aimed at the people who keep the lights on at small and mid-sized businesses.
That is a thesis that needs a CEO with platform experience, identity instincts and a habit of speaking to channel partners in their own dialect. Ghai's resume reads suspiciously like the answer key. RSA was, by the end of his tenure, a platform with a clear identity center. Documentum, before that, was a product portfolio rationalization. CA India, before that, was an early lesson in running global engineering across continents and time zones. The work he has done is the work the work in front of him requires.
Whether the bet pays off is a different question. Cybersecurity is increasingly a winner-take-most market at the platform layer; Microsoft, Palo Alto, CrowdStrike and Cisco eat the named-account end of the budget. Barracuda lives in the long tail, where margins are thinner, churn is higher, and the customer is more often a one-person IT department buying through a partner.
Ghai's RSAC arguments translate uncomfortably well to this market. The line about humans asking questions and machines hunting answers is what every MSP wants to be able to tell their customer. The line about denying attackers financial gain is what every mid-market CFO wants to hear before signing a renewal. The line about the spirit of the defender is, when you think about it, a sales-enablement haiku for a partner channel.
There is also the quieter reading. Ghai is not, by reputation, a swing-for-the-fences operator. He is a turnaround-and-transition operator. The Documentum work was a transition. The RSA spin-out was a transition. The Barracuda mandate, reading the tea leaves, is another transition - this time toward an integrated platform brand that can defend its slice of the long tail against the giants above and the startups below.
If he pulls it off, the lesson will be a familiar one: the company that learns to tell the better story wins. He has been making that argument from the keynote stage for half a decade. The interesting part is that he now has to make it from inside an actual company, with an actual P&L, in front of an actual board.
The first chapters drop, by quarter, starting now.
Joined the board January 21, 2025. AI-powered workflow and CRM, a heavy enterprise customer base. Ghai's seat reads as the AI-and-security expertise hire.
Independent director at a quantum computing pioneer. The least obvious board seat, and the most strategically interesting one for a cybersecurity executive.
Accounts payable automation and customer communications management. The unglamorous back-office of enterprise IT.