Security Companies and Long Term Success

Interesting thoughts on Crowd, and why its hard to succeed long term.

https://medium.com/@gavin_baker/crowdstrike-s-1-why-cybersec…

1) the threat landscape changes so rapidly that startups with no technical debt almost always have an advantage when it comes to addressing the newest threats from a feature perspective.

2) building a large company is even more difficult for the simple reason that hackers focus upon weaknesses in the cybersecurity companies with the largest market share — success sows the seeds of future failure.

3) pressure to contribute to open source threat databases makes it hard to build a data advantage.

The constantly changing threat landscape and critical nature of cybersecurity make it the easiest area in which to go from 0 to $1b. And it is really hard to get beyond this given above dynamics

-AJ
Long CRWD

The constantly changing threat landscape and critical nature of cybersecurity make it the easiest area in which to go from 0 to $1b. And it is really hard to get beyond this given above dynamics

My reason for caution with security companies. They go up fast, but also fall fast, and not necessarily in a predictable way. But maybe I’ve been too cautious, there is a lot of profit to be gained on the way up, and then just sell after gains with no regret.

Endpoint security is a very crowded space with perpetually heavy VC funding. So it will be a race to see whether the newer companies can build a salesforce/channel faster than Crowdstrike can improve their product. Will Crowdstrike be the one to “break the wheel” or will it “be queen for a time. Then comes another, younger, more beautiful, to cast you down and take all you hold dear."

Interesting to ponder, but I don’t know if I buy that endpoint security is any different than other software markets. I can see how this has been the case for cybersecurity generally (“network cybersecurty?”), but I don’t recall FireEye or CyberArk or any of them ever growing half as fast as CRWD. So what’s different?

Perhaps endpoint is different. Maybe the specificity of endpoint (as opposed to just another “network cybersecurity” option) is a benefit.

Perhaps it’s just CRWD that is different – they are certainly more dominant than any other endpoint solutions I know of (e.g. Endgame, which ESTC acquired – Endgame and Crowdstrike are just in different worlds). And it’s not just CRWD’s growth rate, but the amazing scale they’re at – they’re over $400m in the TTM and run rate is a lot larger.

I’d love to hear what others think, too.

Bear

Bear,
I don’t know if I buy that endpoint security is any different than other software markets. The simple answer is that all cyber security products are different from other software markets. I will elaborate.

From my experience cyber-security is treated differently than most other software products. Though I retired about ten year ago, I suspect this has not changed. I was an enterprise architect with a focus on information management (this is somewhat different from data management, but I’ll forgo an explanation, probably gets into the weeds and would be a launching post for long off topic discussion).

Just for clarification, enterprise software can be pretty much lumped into four broad categories. 1) End-user facing software, like an ERP package or an HR package etc., would be members of one major category. This category tends to be transactional and directly supports vertical business functions within the enterprise. 2) The software that directly interfaces with IT hardware components, often referred to as “system software” are members of another major category. An operating system is probably the best known example of this category. 3) Software that resides in between the user facing applications and the system software is often referred to as “middleware.” This is where database management systems reside. There’s actually quite a lot of middleware but it’s the domain of IT techies. A lot (maybe all?) of cyber security software is in this category. And 4) there’s analytics and reporting software. Alteryx would be a member of this category. Business intelligence, warehouse systems, visualization software all reside in this category. These categories are just a convenient way to segment software. There are no rigid boundaries and there are obvious examples (like Windows) that seem to overlap more than one category.

When it comes to establishing standards, a lot of the heated arguments are about software in the first category. The second category faces the least argument. In most cases, the system software is pre-determined by the hardware decision. If you buy an IBM box to run UNIX, you are going to host AIX on it. If instead you purchase an HP box, you’l host HP-UX on it. There’s nothing to argue about.

At the Fortune 50 company I worked at, the enterprise architects and the cyber-security organization were two separate groups under different management ladders although there was often overlap in our work (I’m pretty sure that this arrangement was not unusual). As such we made efforts to coordinate with one another as much as possible. For the enterprise architects it was a goal to standardize on as few different software packages as feasible. For example, Oracle was the corporate standard for database management systems. We made an exception for DB2 in that we had established Catia as the standard for design software and it would only run on IBM/AIX hardware and DB2 DBMS (at the time, maybe not still true).

The point is that keeping the number of software packages to a minimum was a significant cost management tool. The cyber security folks had a different attitude. The cyber security folks had a basic architectural premise of layered defense. There’s absolutely no way they would have purchased all the security software from a single vendor even if there was one that claimed to have a comprehensive solution.

My point is that when we look at an end point solution like Crowdstrike, there’s zero competitive threat from Zscaler or Okta. The security landscape is customarily partitioned and cyber security defenses are purchased (or sometimes built in-house to address special situations like export controls) to address the characteristics of each specific partition. In addition, a lot of attention was paid to “orchestration.” What that means is that the weak points of the overall security system resides at the boundaries of the partitions. Making sure that all the software components worked in concert with one another is critical.

So the question about Crowdstrike will it “be queen for a time. Then comes another, younger, more beautiful, to cast you down and take all you hold dear." fails to consider that Crowdstrike is not evaluated strictly on how well it does its intended job, though that is the most important question, it’s not the only question. How seamlessly it integrates with the software on its boundaries is also of vital importance.

I’m curious to get more insight into this: 3) pressure to contribute to open source threat databases makes it hard to build a data advantage.

The linked article does not go into any further detail. I was going through the Q3 call, and I was a little concerned about the answer that Kurtz gave when asked about Crowdstrike’s Threat Graph, which is what would ostensibly provide CRWD with a data advantage. Here is the relevant exchange:

Q: So George, Threat Graph is now capturing 2.5 trillion events per week. I can only assume that this was a significantly outdated number, but I think the last update from a few months ago was over 1 trillion. So can you give us a sense of how fast this distributed database is growing? And more importantly, you touched on this earlier, but I’m wondering if you can elaborate on how sizable the competitive advantage this brings to CrowdStrike both today as well as over the long term.

A: Absolutely. So yes, I think some of those earlier numbers were just, again, earlier in the year. So we continue to grow the data that we collect. We continue to grow our customer base. And again, we view that as a real strategic weapon. To have a bespoke graph data technology that we’ve built that has a time element, a temporal element to it, we think is very unique in the industry and has really been one of the drivers that continue to help us identify these very advanced breaches and stop them in real time. It’s also used again for our machine learning. So from our perspective, we’ll continue to grow that. And really, what that becomes is a data moat. The more data it consumes, the smarter it gets, and it becomes harder and harder for competitors to capture that level of data and keep up with it. So it’s certainly a crown jewel of our technology stack.

A few things concern me. First, he does not answer the question on how quickly the events per week are growing. That makes me think that they are either growing more slowly than he wants to acknowledge, or at a minimum that he does not have anything specifically positive to say about the growth in the number, or he would be incentivized to share it. Second, look at how qualified his language is about the supposed moat this data provides. “We view that” as a strategic weapon… “We think” it is unique in the industry… “from our perspective” the events will continue to grow. They also only say that it is “one of” the drivers that “help[s]” identify threats, which to me calls into question its overall importance to that process. At a minimum, these qualifiers suggest that they are somewhat less sanguine about the competitive benefits of the Threat Graph than they want to admit.

I probably wouldn’t be too concerned about this based on analyzing the language in the response alone, but if this is one of the specific issues that are common to long-term cybersecurity underperformance, it may be worth exploring further.

Any thoughts?
GettingBetter

Any thoughts?

Yes, it seems to me that all those “we view that” and "we think"s are boilerplate language, cautious, and appropriate, and the opposite of cheerleading and extravagant claims. I find it reassuring.
Saul

Hi Saul,

That’s how I viewed them in isolation, but the point that it is hard to build a data advantage in cybersecurity more generally gave me pause. It made me think that there may be more to that qualified language than merely caution, and that it was more reflective of this broader industry concern.

Something I will keep monitoring, but you’re right that it probably isn’t a huge issue for now. Ultimately, I see competition as the biggest potential issue for CRWD, so the moat is going to be increasingly important as they have to defend more and more business that they have already captured. Hopefully you’re right that it’s just prudence on their part.

GettingBetter