Frankly Speaking 9/22/20 - Compliance generates security value
A biweekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, AI/ML, and cloud.
I’m writing this week’s newsletter while watching the virtual Emmys. I’m fascinated by how far we’ve pushed virtual technology and how we have adapted to our current world. The question is what will remain remote in the new normal. Though some of these virtual events do amuse me.
Anyway, I’ve clearly been spending too much time at home and in front of the TV. So, moving on to this week’s Let’s Be Frank.
LET’S BE FRANK
I am regularly asked what the next $1B+ security company will be. As much as I like speculating, the answer lies in the public market and history. Let’s start by looking at the most valuable security companies, meaning the ones with the highest EV/R (enterprise value to revenue) multiple: Zscaler, Crowdstrike, Okta, Cloudflare, Splunk, Qualys, Fortinet, Cyberark, Sailpoint, Rapid7, and Tenable.
So, what do they all have in common? They all solve compliance issues. To be precise, these valuable companies are not compliance companies, but their products solve a compliance issue:
Splunk (SIEM)
Okta, Sailpoint, Cyberark (IAM)
Qualys, Tenable, Rapid7 (Vulnerability management). Rapid7 also has SIEM, SOAR, etc. That’s why that stock is hot.
Zscaler, Fortinet (Web Proxy)
Crowdstrike (Endpoint/AV)
Why does compliance drive value? Why does it create large security markets and subsequently valuable companies? Let’s take a step back and look at the security market more broadly.
Frankly, it’s crowded. It’s not only VCs who are confused about the market (of course, some are more confused than others); CISOs are also confused by it. The threat landscape is always changing, especially with cloud and cloud-native, and there are so many products claiming to solve vague use cases. However, there are still critical problems to solve. That’s why it’s a growing market with strong public market comps and exits.
Let’s get back to the CISO and why they care about compliance. The limiting factors for a CISO are time and resources. Ideally, they would solve 500 problems to achieve a better security posture, but they can reasonably solve only 5-10 a year, so they must prioritize which problems they buy solutions for.
Compliance drives these priorities. I know many people think compliance is boring or outdated. However, in the eyes of a CISO, compliance is important for two reasons. First, compliance requirements exist in certain areas because they try to mitigate or prevent high-risk threats. Second, not being compliant might have serious regulatory consequences, especially when a breach occurs. CISOs want to keep their jobs and reduce liability.
With all that said, I believe CISOs understand datacenter security compliance issues well, but cloud-related compliance problems are still evolving. So, I believe the next big security company will deal with compliance-related issues in the cloud. This shouldn’t come as a surprise given my recent writings about how the cloud is changing the way security operates.
The open questions in my mind are simple but vague:
What is the cloud security strategy for CISOs?
Who are the major stakeholders in this strategy? I’ve talked about more DevOps involvement.
What kinds of security products will be successful in the cloud, e.g. best of breed, platforms, both?
As always, my email (frank.y.wang@dell.com) is open to discuss and debate these issues.
TWEET OF THE WEEK
I get the feeling…