How Microsoft security succeeds
Similar to their cloud strategy, they should focus on their strengths
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
Since my subscription promotion was so popular, I’ve extended it for another week until Friday 1/12 for those out the first week of January. Especially for those whose professional development budget has reset, this is a great time to support me!
Another plug! I am excited to see that my friend Ross Haleliuk’s book, ‘Cyber for Builders’, the essential guide to building a cybersecurity startup, is now live on Amazon! I wrote a short excerpt about security engineering too!
Most cybersecurity books are written for hackers, security leaders and practitioners, and a general audience. This book is different as it is intended first and foremost for builders - startup founders, security engineers, marketing and sales teams, product managers, VCs, angel investors, software developers, investor relations and analyst relations professionals, and others who are building the future of cybersecurity.
Go grab a copy!
Last week, I discussed why Microsoft’s security business will struggle and argued that it was focusing too much on working with its existing IT/cloud offerings, which placed it into a niche rather than having a broader and subsequently more competitive security offering. You can read the article here (and if you can, use the discount above to get access!).
Some potential changes
The question now is what Microsoft can do to become more competitive in the security market (if they want to, that is). I think there are three changes that they can make to allow them to have a broader security offering with their current capabilities:
Change the GitHub security offering and build from there
Double down on IT security through acquisitions
Focus on the identity market with Microsoft AD
I’m not sure what path is the best, and in my mind, Microsoft likely won’t take any of these paths because they don’t have leaders with enough experience and understanding of the security market. As a result, pursuing any of these with their current capabilities seems like too much of a risk with not enough of a reward. For perspective, Microsoft has ~200B in annual revenue, compared to Palo Alto Networks, which posts ~8B in revenue, and CrowdStrike, which posts ~4B.
Even if Microsoft were to grow aggressively in the segments that Palo Alto Networks and CrowdStrike operate in and got to, let’s say, ~15B in revenue, which I do think is unlikely, that’s less than ~10% of their revenue. At this scale, adding 10% would be impressive, but it comes at a substantial risk to their earnings, which Wall Street has been known to punish large tech companies for, e.g. Meta and their VR pursuit. Although this is a more well-established market, this seems like an unnecessary risk at a time when the Microsoft business is doing well organically. I can see them potentially doing this when some of their current organic growth slows, and they need to expand into other markets.
Changing GitHub’s security offering
Let’s be honest. It wasn’t until recently that GitHub focused on the enterprise. Unfortunately, this has allowed companies like GitLab and Snyk to take valuable market share. However, I do think that GitHub having a more enterprise focus, especially around pricing and GTM, will make its offering and product more competitive.
I’ve stated before that I believe GitHub can uniquely capture the application security market because it’s a popular platform where security is a logical feature. It typically has visibility into a company’s whole codebase, so it can easily build the security applications on top rather than allowing others to capture value. That is, it could make Snyk irrelevant.
However, to do this, it needs to make two changes in my opinion. First, it needs to improve its product, and second, it needs to break out its Advanced Security offering.
Let’s start with the Advanced Security offering. It seems to be a bundle of multiple products on the market right now because it contains SCA, secret scanning, SAST, etc. The price tag (~$49 per user/month) reflects that. However, Snyk and others offer these piecewise. It needs to break out this offering into different SKUs, so it’s easier for companies to switch over without committing to such a large, upfront price tag.
Second, part of the reason for needing to break it out is that some of the features are better than others. Its SCA feature is lagging behind Snyk, and this is a feature where people want a high-quality product. However, I believe the secret scanning product is mediocre, but maybe companies don’t need such a good product. Either way, it allows GitHub to chip away at the more mature incumbents with lower switching costs.
Using GitHub, Microsoft can find a way into the security engineering market. The product is popular among developers, and it’s in a growing market with few incumbents. They can do this with existing capabilities and would not need to invest heavily in GTM since it would be an upsell on its current platform. On top of that, the various products exist already, although they need improvement.
Growing security through acquisitions
Another path Microsoft can take to augment its security business is through acquisitions. They can run these businesses more or less separately like they have done with other acquisitions like GitHub and LinkedIn, so they have that integration track record and strategy. Microsoft has the cash and capabilities to do the acquisitions.
What should they acquire?
There are two strategies here. First, it can continue to operate in its Azure and Windows niche, but it can accelerate the switching from other legacy security companies over to its product. Second, it can acquire a completely separate business that gives it more market share in the broader security market. I believe that the second strategy will be too risky for Microsoft and require more resources and a much riskier acquisition.
For the first strategy, I believe it has a few options. First, it can acquire some IT capabilities to simplify its customers’ adoption of its security offerings. For example, one target could be to acquire Tanium to make it easier to deploy their endpoint technology. They seem to have an existing partnership. What also helps is that it’s likely that Tanium and Microsoft have the same buyer, IT. It can fit well into their GTM motion.
Another path is to acquire some security capabilities. There are two types. It can acquire some security products, such as the smaller cloud security products to bolster its offerings to be more competitive with the other cloud security companies. Plenty of cloud security startups have good products but fail to gain traction because of the crowded market and/or poor GTM mechanisms. They can do this at a relatively low cost (for Microsoft, that is). Another strategy is to add security services since compared to the top security companies, they lack quality in their security services, such as incident response. Google owns Mandiant, but Microsoft can consider making some plays on Expel or Arctic Wolf to create some improved SOC service offerings.
In this path, they are doubling down on their IT security offering (compared to GitHub which would take them into a newer security engineering market). They will be able to maintain much of their same sales strategy as their primary buyer is IT or security teams that closely partner with IT.
Focus on their identity offerings
The reason I bring this up as an option is that Microsoft's Active Directory (AD) has a deep history in the IT and security world. It has no serious competitor, and it’s hard to switch to another product. Okta has tried with its active directory offering, and Google has tried with some of its LDAP. However, in my opinion, no other product has the community and maturity of Microsoft’s AD. It’s especially necessary to manage all endpoint logins in a slick way to tie to the rest of a company’s identity.
Okta’s positioning in the market is weakening given its recent breaches, and many companies use Microsoft’s productivity products to a certain extent regardless of whether they have other productivity and identity products, such as Google and Okta. Microsoft can use AD to take some of Okta’s market share by providing a more mature competing product.
Takeaway
If Microsoft wanted to bolster its presence in the security market, it has multiple avenues given its wide portfolio of existing products and capabilities. On top of that, it has a strong presence and GTM motion with the IT community, its main buyer. Maybe Microsoft is already thinking about this. With what I described above, Microsoft can make strides in the security market without investing too heavily and taking on too much financial risk.