Frankly Speaking 10/20/20 - Datacenter security is dead!
A biweekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, AI/ML, and cloud.
If you were forwarded this newsletter, you can subscribe here. For more regular updates,
I don’t plan to write another newsletter until after the election. I think it’s best to keep the conversations focused on important issues. With that said, please go vote!
LET’S BE FRANK
Since this will be my last newsletter for the next few weeks, I’m taking a stronger position. As many of you know, I’ve written extensively about cloud security and the developer’s role in the digital transformation. I believe that cloud security companies will generate outsized returns for VCs — only if we really figure out what it means. In other words, cloud security is killing datacenter security.
With that said, people ask me “What about innovation in datacenter security products? Why do I think only cloud security is the future?” Well… datacenter security is dead! Ok, it’s not that dramatic, but I do think a datacenter-focused security company (one without a strong cloud story) is a bad VC investment, i.e. it will not generate strong VC returns. To be clear, I do think there needs to be innovation in datacenter security products, but they will just be high risk and result in low returns. Here are some reasons why:
Market. More organizations are moving to the cloud than from the cloud. Cloud security is more of an urgent issue. As described in my last post, urgency is key for differentiation and fast growth in a security product. Otherwise, a company will get stuck with long sales cycles. I’m not denying the hybrid/multi-cloud world will exist, but more organizations will need help in the cloud vs. datacenter. Just look at cloud vs. datacenter growth. Hint: One is shrinking and one is growing rapidly.
Organizations are too opinionated about datacenter security products. Organizations already have programs around many of the key datacenter issues like identity, vulnerability management, network security, etc. They have teams who run these programs and have established rubrics that represent feature requirements and product expectations. As a result, it’s hard to sell them a new approach, and second, any new product that you sell has to have a large set of features in the first version to be competitive with legacy or incumbent solutions.
GTM is too expensive, so it’ll require large amounts of capital. Since organizations are so opinionated, you will need to fight against the marketing of legacy solutions for a new product or approach. Also, it’ll be difficult to sell a competitive product unless it has close to feature parity with existing solutions. A company will need to burn a lot of money before the first sale and burn substantial cash on marketing to be part of the conversation.
Datacenter security companies don’t hold a lot of strategic value, so multiples on acquisition/exit will be low. There is also less interest from acquirers. Finally, even if companies manage to overcome all the above, the return on acquisition or exit might be low. Just look at the data around cloud security multiples. The reason is that existing security companies feel they need to enter the cloud security market quickly based on customer demand. So, they need to do it inorganically through acquisitions. There’s less demand for datacenter security products because the market is not growing as fast, and they have the ability to organically develop products in a reasonable timeframe.
Of course, you can disagree with me on all of this, but with all things there are exceptions. The one major exception is if the company can find an efficient GTM motion. Ultimately, in a crowded market, it comes down to GTM. Security is no different. If you can be efficient on GTM, you will be capital efficient overall and not need to raise as much money. The best public market companies in security blow the rule of 40 out of the water, and they’ve gotten there with efficient GTM motions.
However, I’m happy to be wrong, and VCs look for exceptions. Free to yell at me on Twitter or through email.
TWEET OF THE WEEK
Wow… this is my nightmare in so many ways…
