RSAC 2024 was crowded, buzzy, vibrant and chaotic, underscoring the very nature of the cybersecurity industry. This market has a kind of self-propelling energy with a dynamic that blends tons of money, an ever-present and capable adversary, technical innovation, public policy, geopolitics, and a smashing together of the digital and physical worlds. Despite a logical need to consolidate tooling and simplify, organizations find themselves constantly searching for answers to new problems that they face every day, week, month and year. While RSA 2023 gave hope to practitioners that AI would eventually tip the balance in favor of defenders, RSA 2024 highlighted that Gen AI is yet another attack vector requiring novel approaches to protect the unknown.
In this Breaking Analysis we share our perspectives on RSAC 2024 with some insights from some of the leading voices in the community. And as always, we’ll share some of the latest survey data from our partner ETR.
#RSAC 2024 Big Picture
Let’s take a look at some of the highlights from this year’s RSA. There were many…too many for us to cover them all but here are a few that stand out.
RSAC 2024 was held at Moscone. It felt bigger than last year and last year was north of 42,000. So it’s possible there were 50,000 people attending or perhaps even more.
Beyond AI for Security
Last year we heard a lot about AI for bad – i.e. bad actors writing better phishing emails to infiltrate organizations…and AI for good to allow things like Gen AI to improve the experience of SecOps pros. But this year we heard a lot more about AI as an exposure. AI being different and needing new approaches to make its use safe.
Here’s how Zscaler CEO Jay Chaudhry describes both sides of the equation:
The Fragility of Critical Infrastructure
The other trend that really came into light this year is the broader awareness that critical infrastructure is exposed. It’s almost as though the AI awakening has led folks to better understand the potential of AI to do bad things with drones and other machine intelligence that puts the electric grid, water supplies, data centers, energy facilities, all forms of transportation and many more services we rely on at huge risk.
The Innovation Continues in Cybersecurity on Both Sides
As we’ve written in the past, chaos means cash for criminals and investors alike and we sat down with a number of innovative startups and heard about novel security approaches. Companies like Island, Lasso, Dope Security, Thrive, Cranium, Fortanix, Finite State, Opaque and many others. We co-hosted an evening event with the NYSE, Intel Capital and Elastic where we had the opportunity to sit down with numerous startup companies on a special CUBE after dark startup showcase.
Here’s on example with the CEO of Lasso Security, Elad Schulman explaining the challenges of securing Gen AI:
So that’s a startup going after a new problem. How about one more. Here’s Kunal Agrawal talking about a new approach to disrupt an existing market. He’s the CEO of Dope Security – yeah – that’s what he named the company – cause it’s dope. Take a listen:
M&A, VC Funding and Private Equity
As always there’s M&A in cybersecuerity. Akamai announced it was acquiring Noname Security for $450M. This is company that had raised more than $200M so not a great outcome for investors. Lacework, a company that raised more than $1B and at one point was valued north of $8B, was rumored to be selling to Wiz for under $300M. But that deal fell apart in due diligence – perhaps over what was happening to all that cash they still had on the balance sheet. Wiz meanwhile closed a $1B round at a $12B valuation. We estimate this puts the company’s revenue multiple in the mid 20X range. That is staggering progress for this young company.
We spent time with Thoma Bravo, Insight Capital, Vista and several of their portfolio companies, like SailPoint and KnowBe4. These are three prominent PE firms that have made massive investments in cybersecurity. Many of those investments will pay off but several PE firms’ portfolio companies are being shopped – with mixed results – to placate LPs clamoring for liquidity.
And we explored some IPO prospects with two likely candidates – Snyk’s Peter McKay along with new CTO Danny Allan;l and Nick Schneider of Arctic Wolf. Both companies we expect to go public when the IPO market loosens.
Public Policy, Industry Self-Regulation and Collaboration
Public policy is playing an increasingly important role in cybersecurity from executive orders to cross self-governing cross-industry efforts to create more transparency. Part of the concern is that when a breach occurs there are no standards for disclosure. Zeus Kerravala and I hosted a panel focused on CISA’s Secure by Design pledge to develop and adhere to standards for disclosure. Listen to Suzanne Spaulding, former undersecretary of Homeland Security shining a light on this issue:
And finally despite all the talk about tools consolidation, tools creep is winning and continues to be the dominant theme.
Is Tools Consolidation Just Vendor Marketing a Real Trend?
Let’s explore this a bit. The bottom line is both can be true but the marketing and vendor narrative is well ahead of the reality on the ground. Two weeks ago we introduced some new data to you that we’re showing here. It’s from a survey of 321 security pros we did with ETR.
The purpose of this survey was to preview practitioner sentiment in advance of RSA. We survyed 321 SecOps pros from the C-suite down to practitioners. More than fifty percent (50%) of the sample was actually attending RSA.
The key question was “over the next 12 months, do you expect to increase or decrease the number of cybersecurity vendors in your stack?” Fifty-one percent (51%) said increase, 37% said stay the same, only 9% said decrease. And you can see in the red, only 6% of the sample cited consolidation as a means to simplify their security stack and get to a decrease. That is really an eye-openiung finding of this survey. We ran this data by several companies including Palo Alto, CrowdStrike, Zscaler and some others. And they all said the same thing, that they see the market differently. That in their space, they’re consolidating. But when we talked to the practitioners at RSA, they said the opposite. Every practitioner we talked to said they are increasing the number of vendors in their security stack.
The Innovation in Cybersecurity is Moving Faster than Consolidation
Below is more evidence that customers continue to seek best of breed tooling and new approaches to filling security gaps. This data is from that same survey drilling down into the 170 practitioners and CISOs planning to attend RSA. The survey asked: “What new-to- you vendors are at the top of your list to visit or meet with at RSA?” The response of “Other” comprises a whopping 72 % of the respondents.
This data we believe underscores that buyers are looking for new ways to plug holes, they’re looking for best-of-breed. Now of course, you see CrowdStrike’s right up there, Cisco, Palo Alto, Okta, Zscaler, Fortinet, SentinelOne and Wiz as firms they want to visit. They’re showing semi-prominently in this data, but compared to “Other,” it’s not even close.
Why do we have these firms underlined in red? Because each of these, and we probably could underline every one of them, has a theme around consolidation and simplification. And we’re going to look into some of those companies a little later in this episode. But again, to us, this is just more evidence that the trend of consolidation, it’s really not a broad-based trend. Rather it is perhaps isolated in certain pockets for certain companies, but it is definitely not a ubiquitous trend across the industry.
This is not necessarily bad news for the consolidators because: 1) We do believe it is happening for companies with compelling value propositions around simplification – e.g. Palo Alto, CrowdStrike and its partners like Zscaler and Okta; and others; and 2) It means there’s lots of upside potential for sellers to further penetrate the market and for buyers to cut costs.
A Mixed Year for Cybersecurity Stocks
Let’s look at a couple of key companies and see how the stock market is acting this year. Here’s the YTD relative performance for CrowdStrike, Okta, Palo Alto, the BUG ETF, and Zscaler. It’s been a mixed year for cyber and we’re seeing some bifurcation in performance. There have been situations where companies hit their number and gave guidance that scared off investors – this was the case with Zscaler where their guidance was back loaded toward Q4 and they cited an overweight of large deals. Others like Rapid7 had a slight earnings beat but the street didn’t like the guide at all and took the stock down.
Above you can see CrowdStrike is the standout and is priced to perform. Okta had a rough go of it over the past couple of years but had a strong beat and raise last quarter. Palo Alto’s CEO Nikesh Arora mentioned the phrase “spending fatigue” in the last earnings call which set off a chain reaction in the industry last quarter. But the real hit to Palo’s guide was the government’s pause on the big Thunderdome project for which Palo Alto had been qualified. But that project looks like it’s back on track. Palo had a number of announcements at RSA – as did everyone – and customers we talked to were excited to do more with Palo Alto Networks.
Zscaler is the outlier on this chart and it’s worth mentioning that Barclay’s analyst Saket Kalia wrote a note several weeks ago citing survey data that showed momentum for Zscaler – we have some data as well on that – and it showed for the first time a marked decline in hardware based firewalls. So with Zscaler as a pure play SASE vendor that essentially created the category, he felt the valuation divergence from the likes of CrowdStrike was unwarranted and could represent an attractive entry point for investors.
Customer Spending Profiles for Leading Cybersecurity Platforms
Below we show one of our favorite charts. If you’re following this program, you’ve seen this two dimensional format before. The data below shows Net Score on the vertical axis. That is a measure of spending momentum on a specific platform. The horizontal axis, it’s called “Overlap” which refers to the presence of that platform – or it’s overlap – within the more than 1,800 accounts responding to the survey. The math is essentially the N for the platform divided by the ~1,800 total N in the sample.
On the right-hand side, we insert a table that informs how each dot is plotted, sorted by Net Score. Starting with Microsoft at 59.1% Net Score followed byWiz, CrowdStrike, Zscaler and the rest. Again, Net Scores are a measure of spending momentum calculated as the net percent of customers spending more on a platform. We’ll explain the methodology in a moment with more detail.
You can also see the shared N in those 1,800 accounts. The bigger the N means the bigger the market presence in the survey. The red dotted line at 40% on the vertical axis indicates exceedingly high spending momentum.
Above that line you can see Wiz, Hashi and Datadog. Zscaler is over and SentinelOne right on the line, with CrowdStrike over the line. That company has just been performing amazingly. Okta popping back up a bit. During the pandemic, Okta was well above that 40% line. But given the challenges that it had with the Auth0 acquisition and other execution issues it was under pressure. Palo Alto, given its size, is very prominent just under that 40% line. And you can see this massive pack of folks grouped.
What’s interesting to us in cyber is ETR basically uses the red, yellow, green methodology to simplify the Net Score performance. We plotted here the top 20 Net Score performers and none of them are even yellow – they’re all in the green. And that is very unique to the cyber sector in the ETR data. Many other markets, take data storage for example, it’s all yellow with lots of red and maybe a little light green. Some of these legacy markets are just not as dynamic as security. This both underscores the opportunity for investors, startups and companies to gain share, but it also shows the complexity for practitioners who are trying to defend against attackers every day.
Zscaler’s Net Score Performance
Now we’re going to dig into the Net Score methodology that ETR uses. We’ll explain it a bit more detail using Zscaler’s time series data as an example for no other reason than it’s handy and pretty impressive. This chart below shows the granularity of Zscaler’s net scores.
Net Score is calculated as the percent of customers in the survey that are Zscaler accounts, taking the specific actions. Remember from the previous chart, of the roughly 1,800 respondents, 340 are Zscaler customers. The lime green represents new customer adds – i.e.the percent of customers adding Zscaler new. So of those 340 customers in the April, 12% are adding Zscaler – new logos for the company.
The forest green represents the percent of existing customers that are spending 6% or more on the platform in the next 12 months. The gray is spending is flat, plus or minus 5%, the pinkish is spending down 6% or worse. And then, the 4% is containing or even churning the platform. Subtract the reds from the greens and you get Net Score – shown over time as the blue line.
For Zscaler, the blue line bottomed in October is starting to show an uptrend, consistent with the Barclays survey. We’ll see because the guide was really back-loaded toward the fourth quarter.
That yellow line is the number of mentions for Zscaler divided by the total survey N, which is around 1,800. And you can see it sort of bobs around a little bit. The other point of this methodology to emphasize is this data represents percent of customers. It is a customer count method and not representative of dollars. We have ways of digging into the dollars. For instance, we can look at some of the big spenders – the Fortune 100 or the giant private companies, which is a category that ETR has and tends to be a bellwether…or even the Global 2000. So, from the patterns of these larger companies, you can infer they are bigger spenders and we can do cuts on that. But for this breaking analysis, we’ll just leave it there for now. So, you now have the background on Net Score and what it means.
Comparing Spending Momentum for Five Leading Security Firms
With that as background we can do some comparisons over time with some of the names we like to track in this space. The chart below shows Net Score, or spending momentum ,over time. Again, this represents the net percent of customers that are spending more on a platform. We show five companies here, Wiz, CrowdStrike, Zscaler, Palo Alto and Cisco. And we’ve added in the text the Ns from the survey just to give you context on the relative size.
Wiz is the “now” company, if you will, the hot firm. Like Snowflake a couple of years ago, Wiz’s net score was nearing 80 and it’s come down to CrowdStrike’s highly elevated level. Remember, anything above that 40% line is considered highly-elevated. But it’s interesting to note the N. Remember, this is a random survey. So, ETR goes to its IT decision maker panel and asks them about their environment and their spending plans and the customers respond. So, it’s not as though they’re trying to target buyers of specific platforms, it’s random. As such the N is a good representation of the real world.
By the way, people often ask us, what’s the repeat rate in the survey? It’s 75% to 85% repeat survey-takers. So, we feel pretty good about the consistency of the data. At any rate, as you can see, CrowdStrike, Zscaler and Palo Alto all have substantially higher market penetrations as indicated by the proxy of N, than does Wiz. And we’ll see where Wiz goes from here. With its smaller presence, you’d want to see its sustain well ahead of the others.
We also show Cisco. Cisco has a big presence in the market as you can see by their larger N. Cisco also made several notable announcements, one was around XDR and SIEM integration with Splunk, which is great because it didn’t take long for them to actually announce some kind of integration. And then, a few weeks back it announced its HyperShield, which the company is very excited about, as are many of its customers that we talked to. And this capability is intended to be available in August of this year, we’ll see. If Cisco hits that, it’s a really positive sign.
[Watch Cisco’s head of cyber, Jeetu Patel, explain the company’s announcements at RSA].
What to Watch for in Cybersecurity
We’re going to close now with some thoughts on the things we’re watching in this space. Let’s start with that point that we’ve been talking about consistently, which is the vendor and the tools heterogeneity.
More Tools…
David Linthicum talked about this on theCUBE this week. It remains an ongoing fact of life that tools complexity is “Thing 2” in cyber, right behind “Thing 1” which remains the perpetually looming threats from highly capable adversaries . More tools adds to complexity, it adds to cost and continues to be a management challenge for customers.
Why then do we keep adding more tools? At RSA one practitioner said to us, “the number of tools is increasing because innovation is happening faster than consolidation.” And that underscores the trend that we’re seeing in the surveys and in the market, despite vendor claims.
Security Budgets are Growing but are not Unlimited
The third point above is while cyber budgets are growing faster than overall IT spending, they’re not unlimited. Let’s talk about that for a second. Overall, IT budgets are probably growing in the 3.4-3.5%, range this year, based on the ETR survey data. At least that’s the current expectation. Cyber budgets are growing faster. We know from the last ETR drill-down survey that the vast majority of customers, 87%, are increasing their cybersecurity spend. And about 75% of those are increasing more than 5%. There’s a big chunk that are well over 5%, some over 15%. So, when you dig into the data, we would estimate that cybersecurity spending is growing two to three times faster than that 3. 4% / 3.5% rate that we talked about earlier. But budgets are not unlimited. So, CISOs have to figure out how to allocate their bets and to the extent that they can save, they will.
This is why we think that despite the dissonance between what the vendors claim and what we see actually happening in the market, we actually do believe that the leading consolidators, like CrowdStrike, actually are seeing consolidation. CrowdStrike doesn’t have 100% of the market, they have a relatively small share of the overall $200 billion market – so their success and the success of others like Palo as consolidators doesn’t show prominently in the survey data.
This also says there’s significant upside opportunity for consolidation, especially as budgets tighten.
The AI Trend Shines a Light on Critical Infrastructure Vulnerabilities
The fourth point above is that the AI awakening has catalyzed in our view a greater awareness of just how exposed we are with critical infrastructure. The threats to the United States are particularly concerning. The bringing together of the physical and the digital worlds, when you think about potential for drones attacking power plants, electrical grids, nuclear facilities and the like. So, that is something that we think people basically see what AI is capable of and it becomes an “uh-oh” moment of what happens next. How do we protect this critical infrastructure and where are the holes? There are many.
And finally, this chaotic market means opportunity for hackers, for investors and entrepreneurs. And we don’t see that changing for quite some time.
What did you see at RSA 2024 that was exciting? Let us know.
