Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

In the past decade, we have seen a huge increase in cybersecurity products. CISOs and security leaders have been struggling to navigate a convoluted and changing landscape. There are tools with overlapping functions, and security sales and marketing have ramped up. A day doesn’t go by when a security leader doesn’t receive a cold call. One of the major struggles is to keep up with the tooling and solutions out there. Many times, security teams spend the majority of their time researching the right vendor.
How did we get here?
It’s a combination of changes and trends. In general, technology has become a more prevalent part of organizations. With the rise of the cloud, it’s much easier to use technology with relatively low infrastructure costs compared to the past. In this more digital setup, organizations have become larger targets for cybersecurity threats. It doesn’t help that technology stacks constantly evolve as companies aim to stay competitive. The result is more exposure and more threats, which have led companies to invest more in their cybersecurity organizations. All these effects have led to the market growing. Therefore, there has been more activity in the space with VC funding, acquisitions, and increased market caps of public security companies.
It also helps that security has been a consistent spending category historically, and it seems like a persistent problem, i.e. security will never go away. Especially to investors, security as a category feels like a required spend rather than a discretionary one.
Finally, security for a technology typically lags behind the technology itself. This makes sense. There’s no reason to develop security for a technology when its success and use cases are unknown.
Cybersecurity is a tough business
Cybersecurity has primarily become a SaaS business like most software companies. Although there are still hardware businesses, such as firewalls, the market for those businesses has shrunk, so I won’t be talking about those. However, it’s worth noting that those are even harder businesses because the market is stagnating at best, if not shrinking, as people move away from on-premise hardware and software. That’s why Palo Alto Networks had to transform to stay relevant and grow.
As some might know, I believe SaaS businesses are also tough businesses, so cybersecurity is no different. Many of the challenges that apply to general SaaS also apply to cybersecurity. For example, it’s hard to get the unit economics right and make the business profitable because there is heavy sales and marketing spending to capture and maintain market share. It is also easy for competitors to enter the market since the cost to enter is low.
One aspect that makes cybersecurity less challenging is that there’s always a budget. There are already some pre-existing markets that are ripe for disruption. Similarly, there will also be new markets for companies to enter as new technologies will likely require security.
One main problem with cybersecurity right now is that there’s too much hype. This hype has resulted, in my opinion, in more companies and solutions than problems. To make the situation worse, many products have overlapping functionality, which confuses customers and makes vendor management a regularly moving target.
Another difficulty is that there are so many personas in cybersecurity. There’s the traditional IT security persona that’s focused on operational security. There is a new emerging persona of the software engineer that does security. Finally, there is the in-between, which is the DevOps engineer who is doing security. Of course, there are different spectrums for each. However, the product and GTM motion are different for each persona, so it’s hard to build a market for all of them.
The IT security market is larger, but it’s growing more slowly than the security engineering market. The security engineering market, however, is new, and its future and growth pace are unclear. Finally, the budgets and expectations of the product are different. Software engineers don’t like dashboards and UIs, and they tend to want more automation and intuitive tools with plenty of documentation. Operational security teams like to use turnkey solutions that have plenty of features, but they usually lack the technical skills to customize those solutions themselves. With these differences, a lot of resources are spent on marketing as well as product understanding, which further complicates an already competitive space.
What this means is that it’s hard for a cybersecurity company to be profitable. It’s no surprise that very few of the public cybersecurity companies have any positive GAAP earnings. The competition and expanding market force companies to spend ahead, especially since innovation cycles are so fast, i.e. cybersecurity products can easily become irrelevant.
What should companies do? (and another core issue)
To build a profitable security company, the company has to build a platform. Unfortunately, there aren’t many platform cybersecurity companies that can exist. Most companies are products or features. Feature companies aren’t great because they lack a strong value proposition and it’s likely a product company can add that feature easily to make the feature company irrelevant. Product companies are better, but having a singular product makes it hard to scale and amortize operations costs, such as sales, marketing, customer success, etc. Also, it becomes increasingly hard to capture more customer value in an economical way with one product. Honestly, at some point, a product is likely good enough, and any improvements are diminishing returns for the company.
This leads us to the platform company, where the business can use the same platform to sell multiple products. They can have large customer bases and have many options to land and expand. It allows for great amortization of cost. Finally, they can keep their moat as many customers want tool consolidation, especially in security where tool management costs are becoming operationally burdensome and expensive. The platform is the moat, and to keep customers inside that moat, the company can offer services to customize the platform and use it appropriately. Although services have low gross margins, they can add revenue and operating margins because the product operations costs can amortize the service operations costs, especially in areas like G&A. It will also provide a further moat as customers are less likely to leave a customized platform. The downside is that it is costly to acquire a customer who is on another platform. Some examples of great platform companies are Crowdstrike, Zscaler, Palo Alto Networks, and Cloudflare.
Therefore, the core issue with a cybersecurity company is that regardless of where they start, e.g. feature or product, they have to have a path to become a platform company. It’s no surprise that the only profitable cybersecurity companies are platform ones that also happen to sell services.
Takeaway
Cybersecurity is a hard business. The markets are large but highly competitive. Like SaaS businesses, they have to build a platform and find unit economics that make sense for them to be profitable. It’s a tough journey, and it doesn’t help that the market is rapidly evolving. We will likely see a consolidation toward platforms in the future, and companies are going to expend significant resources and take risks to remain relevant.