The past week’s RSA Conference 2024 was crowded, buzzy, vibrant and chaotic, underscoring the very nature of the cybersecurity industry.

This market has a kind of self-propelling energy with a dynamic that blends tons of money, an ever-present and capable adversary, technical innovation, public policy, geopolitics and a smashing together of the digital and physical worlds. Despite a logical need to consolidate tooling and simplify, organizations find themselves constantly searching for answers to new problems that they face every day, week, month and year. While RSAC 2023 gave hope to practitioners that AI would eventually tip the balance in favor of defenders, RSAC 2024 highlighted that generative artificial intelligence is yet another attack vector requiring novel approaches to protect the unknown.

In this Breaking Analysis we share our perspectives on RSAC 2024 with some insights from some of the leading voices in the community. And as always, we’ll share some of the latest survey data from our partner Enterprise Technology Research.

RSAC 2024 big picture

Let’s take a look at some of the highlights from this year’s RSAC. There were many — too many for us to cover them all — but here are a few that stand out.

RSAC 2024 was held at Moscone. It felt bigger than last year and last year was north of 42,000. So it’s possible there were 50,000 people attending or perhaps even more.

Beyond AI for security

Last year we heard a lot about AI for bad – bad actors writing better phishing emails to infiltrate organizations — and AI for good to allow things like gen AI to improve the experience of SecOps pros. But this year we heard a lot more about AI as an exposure — AI being different and needing new approaches to make its use safe.

The fragility of critical infrastructure

The other trend that really came into light this year is the broader awareness that critical infrastructure is exposed. It’s almost as though the AI awakening has led folks to better understand the potential of AI to do bad things with drones and other machine intelligence that puts the electric grid, water supplies, data centers, energy facilities, all forms of transportation and many more services we rely on at huge risk.

Innovation continues in cybersecurity on both sides

As we’ve written in the past, chaos means cash for criminals and investors alike and we sat down with a number of innovative startups and heard about novel security approaches — companies such as Island, Lasso, Dope Security, Thrive, Cranium, Fortanix, Finite State, Opaque and many others. We co-hosted an evening event with the NYSE, Intel Capital and Elastic where we had the opportunity to sit down with numerous startup companies on a special CUBE After Dark startup showcase.

M&A, VC funding and private equity

As always there’s mergers and acquisitions in cybersecurity. Akamai Technologies Inc. announced this week it was acquiring Noname Security for $450 million. This is a company that had raised more than $200 million, so not a great outcome for investors. Lacework, a company that raised more than $1 billion and at one point was valued north of $8 billion, was reported to be selling to Wiz Inc. for under $300 million. But that deal fell apart in due diligence – perhaps over what was happening to all that cash it still had on the balance sheet.

Wiz, meanwhile, closed a $1 billion round at a $12 billion valuation this week. We estimate this puts the company’s revenue multiple in the mid 20X range. That is staggering progress for this young company.

We spent time with Thoma Bravo, Insight Capital, Vista and several of their portfolio companies, such as SailPoint Technologies Inc. and KnowBe4 Inc. These are three prominent PE firms that have made massive investments in cybersecurity. Many of those investments will pay off but several PE firms’ portfolio companies are being shopped – with mixed results – to placate limited partners clamoring for liquidity.

And we explored some initial public offering prospects with two likely candidates – Snyk Ltd. CEO Peter McKay along with new Chief Technology Officer Danny Allan and CEO Nick Schneider of Arctic Wolf Networks Inc. We expect both companies to go public when the IPO market loosens.

Public policy, industry self-regulation and collaboration

Public policy is playing an increasingly important role in cybersecurity, from executive orders to cross self-governing cross-industry efforts to create more transparency. Part of the concern is that when a breach occurs there are no standards for disclosure. Independent analyst Zeus Kerravala and I hosted a panel focused on the Cybersecurity and Infrastructure Security Agency’s Secure by Design pledge to develop and adhere to standards for disclosure.

And finally, despite all the talk about tools consolidation, tools creep is winning and continues to be the dominant theme.

Is tools consolidation just vendor marketing or a real trend?

Let’s explore this a bit. The bottom line is both can be true, but the marketing and vendor narrative is well ahead of the reality on the ground. Two weeks ago we introduced some new data to you that we’re showing here. It’s from a survey of 321 security pros we did with ETR.

The purpose of this survey was to preview practitioner sentiment in advance of RSAC. We surveyed 321 SecOps pros from the C-suite down to practitioners. More than 50% of the sample was actually attending RSAC.

The key question was: “Over the next 12 months, do you expect to increase or decrease the number of cybersecurity vendors in your stack?” Fifty-one percent said increase, 37% said stay the same and only 9% said decrease. And you can see in the red, only 6% of the sample cited consolidation as a means to simplify their security stack and get to a decrease.

That is really an eye-opening finding of this survey. We ran this data by several companies, including Palo Alto Networks Inc., CrowdStrike Holdings Inc., Zscaler and some others. And they all said the same thing, that they see the market differently — that in their space, they’re consolidating. But when we talked to the practitioners at RSAC, they said the opposite. Every practitioner we talked to said they are increasing the number of vendors in their security stack.

Innovation in cybersecurity is moving faster than consolidation

Below is more evidence that customers continue to seek best-of-breed tooling and new approaches to filling security gaps. This data is from that same survey drilling down into the 170 practitioners and chief information security officers planning to attend RSAC. The survey asked: “What new-to-you vendors are at the top of your list to visit or meet with at RSA?” The response of “Other” comprises a whopping 72% of the respondents.

This data, we believe, underscores that buyers are looking for new ways to plug holes, that they’re looking for best-of-breed. Now of course, you see CrowdStrike’s right up there, Cisco Systems Inc., Palo Alto, Okta Inc., Zscaler, Fortinet Inc., SentinelOne Inc. and Wiz as firms they want to visit. They’re showing semi-prominently in this data, but compared with “Other,” it’s not even close.

Why do we have these firms underlined in red? Because each of these, and we probably could underline every one of them, has a theme around consolidation and simplification. And we’re going to look into some of those companies a little later in this episode. But again, to us, this is just more evidence that the trend of consolidation is really not a broad-based trend. Rather, it is perhaps isolated in certain pockets for certain companies, but it is definitely not a ubiquitous trend across the industry.

This is not necessarily bad news for the consolidators because: 1) We do believe it is happening for companies with compelling value propositions around simplification – such as Palo Alto, CrowdStrike and its partners such as Zscaler and Okta, and others; and 2) It means there’s lots of upside potential for sellers to further penetrate the market and for buyers to cut costs.

A mixed year for cybersecurity stocks

Let’s look at a couple of key companies and see how the stock market is acting this year. Here’s the year-to-date relative performance for CrowdStrike, Okta, Palo Alto, the BUG ETF and Zscaler. It has been a mixed year for cyber and we’re seeing some bifurcation in performance. There have been situations where companies hit their number and gave guidance that scared off investors. This was the case with Zscaler, where its guidance was back-loaded toward the fourth quarter, and it cited an overweight of large deals. Others such as Rapid7 Inc. had a slight earnings beat, but the Street didn’t like the guide at all and took the stock down.

Above you can see CrowdStrike is the standout and is priced to perform. Okta had a rough go of it over the past couple of years but had a strong beat and raise last quarter. Palo Alto CEO Nikesh Arora mentioned the phrase “spending fatigue” in the last earnings call, which set off a chain reaction in the industry last quarter.

But the real hit to Palo’s guide was the government’s pause on the big Thunderdome project for which Palo Alto had been qualified. But that project looks like it’s back on track. Palo had a number of announcements at RSAC – as did everyone – and customers we talked to were excited to do more with Palo Alto Networks.

Zscaler is the outlier on this chart and it’s worth mentioning that Barclay’s analyst Saket Kalia wrote a note several weeks ago citing survey data that showed momentum for Zscaler – we have some data as well on that – and it showed for the first time a marked decline in hardware-based firewalls. So with Zscaler as a pure-play Secure Access Service Edge vendor that essentially created the category, he felt the valuation divergence from the likes of CrowdStrike was unwarranted and could represent an attractive entry point for investors.

Customer spending profiles for leading cybersecurity platforms

Below we show one of our favorite charts. If you’re following this program, you’ve seen this two-dimensional format before. The data below shows Net Score on the vertical axis. That is a measure of spending momentum on a specific platform. The horizontal axis is called “Overlap” which refers to the presence of that platform – or its overlap – within the more than 1,800 accounts responding to the survey. The math is essentially the N for the platform divided by the ~1,800 total N in the sample.

On the right-hand side, we insert a table that informs how each dot is plotted, sorted by Net Score — starting with Microsoft Corp. at 59.1% Net Score and followed by Wiz, CrowdStrike, Zscaler and the rest. Again, Net Scores are a measure of spending momentum calculated as the net percentage of customers spending more on a platform. We’ll explain the methodology in a moment with more detail.

You can also see the shared N in those 1,800 accounts. The bigger the N means the bigger the market presence in the survey. The red dotted line at 40% on the vertical axis indicates exceedingly high spending momentum.

Above that line you can see Wiz, HashiCorp Inc. and Datadog Inc. Zscaler is over and SentinelOne right on the line, with CrowdStrike over the line. That company has just been performing amazingly. Okta popping back up a bit. During the pandemic, Okta was well above that 40% line. But given the challenges that it had with the Auth0 acquisition and other execution issues it was under pressure. Palo Alto, given its size, is very prominent just under that 40% line. And you can see this massive pack of folks grouped.

What’s interesting to us in cyber is ETR basically uses the red, yellow, green methodology to simplify the Net Score performance. We plotted here the top 20 Net Score performers and none of them is even yellow – they’re all in the green.

And that is unique to the cyber sector in the ETR data. In many other markets, take data storage for example, it’s all yellow with lots of red and maybe a little light green. Some of these legacy markets are just not as dynamic as security. This both underscores the opportunity for investors, startups and companies to gain share, but it also shows the complexity for practitioners who are trying to defend against attackers every day.

Zscaler’s Net Score performance

Now we’re going to dig into the Net Score methodology that ETR uses. We’ll explain it a bit more detail using Zscaler’s time series data as an example for no other reason than it’s handy and pretty impressive. This chart below shows the granularity of Zscaler’s Net Scores.

Net Score is calculated as the percentge of customers in the survey that are Zscaler accounts, taking the specific actions. Remember from the previous chart, of the roughly 1,800 respondents, 340 are Zscaler customers. The lime green represents new customer adds – that is, the percent of customers adding Zscaler new. So of those 340 customers in the April, 12% are adding Zscaler – new logos for the company.

The forest green represents the percentage of existing customers that are spending 6% or more on the platform in the next 12 months. The gray is spending is flat, plus or minus 5%, the pinkish is spending down 6% or worse. And then, the 4% is containing or even churning the platform. Subtract the reds from the greens and you get Net Score – shown over time as the blue line.

For Zscaler, the blue line bottomed in October is starting to show an uptrend, consistent with the Barclays survey. We’ll see, because the guide was really back-loaded toward the fourth quarter.

That yellow line is the number of mentions for Zscaler divided by the total survey N, which is around 1,800. And you can see it sort of bobs around a little bit. The other point of this methodology to emphasize is this data represents percent of customers. It is a customer count method and not representative of dollars.

We have ways of digging into the dollars. For instance, we can look at some of the big spenders – the Fortune 100 or the giant private companies, which is a category that ETR has and tends to be a bellwether… or even the Global 2000. So, from the patterns of these larger companies, you can infer they are bigger spenders and we can do cuts on that. But for this Breaking Analysis, we’ll just leave it there for now. So, you now have the background on Net Score and what it means.

Comparing spending momentum for five leading security firms

With that as background we can do some comparisons over time with some of the names we like to track in this space. The chart below shows Net Score, or spending momentum, over time. Again, this represents the net percentage of customers that are spending more on a platform. We show five companies here, Wiz, CrowdStrike, Zscaler, Palo Alto and Cisco. And we’ve added in the text the Ns from the survey just to give you context on the relative size.

Wiz is the “now” company, if you will, the hot firm, like Snowflake a couple of years ago, Wiz’s Net Score was nearing 80 and it has come down to CrowdStrike’s highly elevated level. Remember, anything above that 40% line is considered highly elevated.

But it’s interesting to note the N. Remember, this is a random survey. So, ETR goes to its information technology decision maker panel and asks them about their environment and their spending plans and the customers respond. So, it’s not as though they’re trying to target buyers of specific platforms; it’s random. As such, the N is a good representation of the real world.

By the way, people often ask us: What’s the repeat rate in the survey? It’s 75% to 85% repeat survey-takers. So, we feel pretty good about the consistency of the data. At any rate, as you can see, CrowdStrike, Zscaler and Palo Alto all have substantially higher market penetrations as indicated by the proxy of N, than does Wiz. And we’ll see where Wiz goes from here. With its smaller presence, you’d want to see its sustain well ahead of the others.

We also show Cisco. Cisco has a big presence in the market, as you can see by its larger N. Cisco also made several notable announcements, one was around extended detection and response and security information and event management integration with Splunk, which is great because it didn’t take long for them to actually announce some kind of integration.

And then, a few weeks back, it announced its HyperShield, which the company is very excited about, as are many of its customers that we talked to. And this capability is intended to be available in August of this year, we’ll see. If Cisco hits that, it’s a really positive sign.

Watch Cisco’s head of cyber, Jeetu Patel, explain the company’s announcements at RSAC.

What to watch for in cybersecurity

We’re going to close now with some thoughts on the things we’re watching in this space. Let’s start with that point that we’ve been talking about consistently, which is the vendor and the tools heterogeneity.

More tools

David Linthicum talked about this on theCUBE this week. It remains an ongoing fact of life that tools complexity is “Thing 2” in cyber, right behind “Thing 1,” which remains the perpetually looming threats from highly capable adversaries. More tools adds to complexity, it adds to cost, and it continues to be a management challenge for customers.

Why then do we keep adding more tools? At RSAC one practitioner said to us, “the number of tools is increasing because innovation is happening faster than consolidation.” And that underscores the trend that we’re seeing in the surveys and in the market, despite vendor claims.

Security budgets are growing but are not unlimited

The third point above is while cyber budgets are growing faster than overall IT spending, they’re not unlimited. Let’s talk about that for a second. Overall, IT budgets are probably growing in the 3.4% to 3.5% range this year, based on the ETR survey data. At least that’s the current expectation.

Cyber budgets are growing faster. We know from the last ETR drill-down survey that the vast majority of customers, 87%, are increasing their cybersecurity spend. And about 75% of those are increasing more than 5%. There’s a big chunk that are well over 5%, some over 15%.

So, when you dig into the data, we would estimate that cybersecurity spending is growing two to three times faster than that 3.4% to 3.5% rate that we talked about earlier. But budgets are not unlimited. So, CISOs have to figure out how to allocate their bets and to the extent that they can save, they will.

This is why we think that despite the dissonance between what the vendors claim and what we see actually happening in the market, we actually do believe that the leading consolidators, such as CrowdStrike, actually are seeing consolidation. CrowdStrike doesn’t have 100% of the market — it has a relatively small share of the overall $200 billion market – so its success and the success of others such as Palo as consolidators doesn’t show prominently in the survey data.

This also says there’s significant upside opportunity for consolidation, especially as budgets tighten.

The AI trend shines a light on critical infrastructure vulnerabilities

The fourth point above is that the AI awakening has catalyzed in our view a greater awareness of just how exposed we are with critical infrastructure. The threats to the United States are particularly concerning — the bringing together of the physical and the digital worlds, when you think about potential for drones attacking power plants, electrical grids, nuclear facilities and the like.

So, that is something that we think people basically see what AI is capable of and it becomes an “uh-oh” moment of what happens next. How do we protect this critical infrastructure and where are the holes? There are many.

And finally, this chaotic market means opportunity for hackers, for investors and entrepreneurs. And we don’t see that changing for quite some time.

What did you see at RSAC 2024 that was exciting? Let us know.