By Wallace Witkowski, MarketWatch
An eat or be-eaten business
International Business Machines Corp. /zigman2/quotes/203856914/composite IBM 0.00% is another deep-pocketed Dow Jones Industrial Average /zigman2/quotes/210598065/realtime DJIA +1.24% component which is grooming itself as a security player as it tries to move away from its legacy mainframe business toward services. In its most recent quarterly earnings, IBM reported that security revenue surged 79% from a year ago to $1 billion, its fastest-growing segment, but one that accounted for only 5% of IBM’s sales for the quarter.
For startups and younger public companies seeking to grow their products to scale and compete with Cisco and IBM for customers that want to deal with fewer security vendors, the existential question is to whether to eat or be eaten. All these companies want to be the Salesforce.com Inc. /zigman2/quotes/200515854/composite CRM +2.90% or Workday Inc. /zigman2/quotes/201157610/composite WDAY +2.93% of cybersecurity, a purely cloud-based and engineered software-as-a-service approach that uses add-on widgets for upgrades and system flexibility.
Both Salesforce and Workday were cited as prime models by Zscaler Inc. /zigman2/quotes/203585803/composite ZS +5.42% Chief Executive Jay Chaudhry and CrowdStrike Inc. Chief Executive George Kurtz as what the future of enterprise cybersecurity needs to be. Not surprisingly, both CEOs extol their products as cloud-native approaches as opposed to legacy, moat-based applications retrofitted for the cloud.
Zscaler’s Chaudhry said the need for security has spawned a gold-rush mentality for security startups and the venture capitalists funding them, and that makes a CISO’s job of weeding through the available options very difficult.
“There’s so much noise out there, overfunding of security companies,” Chaudhry told MarketWatch. “How many products does an enterprise really want? There’s too much stuff going on. I think some of this stuff has to get cleared up. There’s no room for all of these companies out there.”
Speaking of funding, privately-held CrowdStrike has been a big beneficiary of it. With $481 million raised to date, including a recent round of $200 million in June, CrowdStrike stands at a valuation of more than $3 billion, according to the company’s CEO.
“Everybody talks about a platform, not everybody has it,” Kurtz told MarketWatch. “You have to have that cloud-native architecture to be a true SaaS platform, so if you look at the investors who came in at a valuation of $3 billion-plus, they’re expecting a return on that.”
At the same time, CrowdStrike doesn’t appear to be grooming itself as an acquisition target. Kurtz said CrowdStrike is currently at a size and scale that they could go public at any time.
“We can go out today if we wanted to go out,” Kurtz said in late July. “This isn’t years out.”
If CrowdStrike were to go public this year, the company would join cybersecurity companies like Zscaler,Carbon Black Inc. and Tenable Holdings Ltd. /zigman2/quotes/203199150/composite TENB +0.61% that have IPOed in 2018.
Investors seem to be pricing in the potential for acquisitions, as the ETFMG Prime Cyber Security ETF /zigman2/quotes/207892345/composite HACK +1.22% has gained 36% in the past 12 months, while the First Trust NASDAQ Cybersecurity ETF /zigman2/quotes/200078153/composite CIBR +0.92% has risen 33%, compared with a 17% advance in the S&P 500 index /zigman2/quotes/210599714/realtime SPX +1.28% and a 26% rise in the tech-heavy Nasdaq Composite /zigman2/quotes/210598365/realtime COMP +1.94%
Why cyberattacks on airports and power grids could be the new reality
Cybersecurity is no longer limited to our digital life but could affect our physical safety - from hijacked security cameras to attacks on airports and power grids. McAfee CEO Chris Young explains what you need to know.
How to stop that 0.1% threat?
Of course, even consolidation is not going to stop the next Equifax, executives said, as data systems can be vulnerable even if everything is being done correctly.
“If you stop 99.9% of something, if it’s a big enough number, 0.1% is still a lot,” SailPoint’s McClain said.
“In some cases I think the industry is starting to get a little bit numb in terms of all these breaches,” CrowdStrike’s Kurtz said. “In general, I think it underscores the fact that the technologies that people are buying, this defense-in-depth kind of approach, is failing because people are still getting breached.”
FireEye’s Mandia painted the struggle of defending against a persistent hacker as even more dire.
“One person has infinite scale on offense on the internet, can create work for millions if there’s one attack that works, [and] it can literally impact every freaking organization on the planet,” Mandia said.
“That asymmetry between offense and defense is more startling than I can explain,” the FireEye CEO continued. “It’s almost like the size of the universe, nobody gets it. The one good hacker is infinitely scalable and every nation we’re up against has that guy.”
Mandia, whose company worked with Equifax following the hack and focuses on state-sponsored hacking threats like Iran , urged that people need to start beating up on the perpetrators rather than the victims of hacking.
“I think we have to step back and start recognizing some of these breaches are done by professionals that if they can go unimpeded with no risk or repercussion, we better start treating the victims differently because we’re setting a bar that’s unreasonable,” Mandia, who declined to discuss Equifax specifically in his interview, said. “We’re beating them up for something that actually the government itself can’t stop.”
Some even used the Equifax hack as a marketing tool. Back in October, Oracle Corp. /zigman2/quotes/202180826/composite ORCL +0.77% Chairman Larry Ellison chided Equifax for not updating their security patches in a timely manner and claimed his new automated cloud security product would be able to protect against such a breach.
When all is said and done, even the most comprehensive security plan is only as good as its weakest link, and for most organizations, that weakest link is people, such as the employee who clicks on that legitimate-looking email link.
In the meantime, for cybersecurity companies that are looking to grow through acquisitions, the price of growth likely became significantly higher over the past year.