If you ask Robert Herjavec, entrepreneur and television personality, cybersecurity is entering a golden age. Consider this: when he told Hollywood types about his work as a cybersecurity executive 15 years ago their eyes would glaze over; today, he says, it's all they want to talk about.
SC Media spoke to Herjavec during a keynote fireside session at InfoSec World, covering the state of cyber M&A, the evolving threat landscape, and why he never hears pitches for cybersecurity companies on ABC juggernaut "Shark Tank."
We are seeing a lot of M&A in the cybersecurity space right now. We always hear that mergers will be seamless and not impact services to customers, but realistically, what should the community expect when these big deals happen?
Six months ago, you could raise money like a drunken sailor, and nobody cared about EBITDA or profit. It was all about growth rates. We did a deal about a year and a half ago; we interviewed a lot of equity firms, we had 20 letters of intent, I had 10 slides in my pitch deck on how profitable we were. Nobody cared. We would get to those slides and every equity company — I’m talking some of the largest companies in the world — would say, "Not interested. Skip through those. Let's just go to growth rate." We're the only company in our space that makes money. I felt like an outlier.
This year, because of what's happening in the public markets, if you don't have a path to profitability, you're going to have trouble raising money. There are good technology companies that were built on the basis of growth with an unclear profitability horizon. And so how do those companies survive? Regardless of how good the technology is, they keep raising money. Well, when that stops, what do they do? They get acquired, or they sell, or they have to find another source of funding. In the last 60 days alone, we've seen more activity in M&A than we have before. And it's not as opportunistic. Everybody still has a brave face, but you can tell the people that will need to sell. And what’s the Forbes statistics? 70- 80% of mergers don't work.
Yes. That’s a scary statistic.
The biggest impact is always the human element. To your question, the technology usually kind of sorts itself out. FireEye buys Mandiant, their endpoint agent changes, there's impact, but usually the technology gets better. And I think we do a very good job, being technologists, of taking the best of different tool sets and putting them into a product set. But it's the human element. Who's servicing me? Who's architecting it for me? And how it's going to market — that’s what fundamentally changes. But I think that is the nature of our business. We constantly eat our young and we are constantly evolving. How many technologies have we started with that no longer exist? I think we're going to see the same thing happen in some of our core markets like the SIEM market, the logging market, the [user and entity behavior analytics] market. Will some of these markets even exist a year or two from now or will they be part of something else?
I had someone say to me once that acquisition causes innovation to slowly wither on the vine and die, because it goes into a larger company and the exact characteristics that made the company innovative in the first place disappear. Now, you of course have Cyderes, which emerged as a result of some M&A. Tell us a bit more about the company, tell me about the focus, and how it manages to keep innovating.
Not to be an advertisement for us, but I think that we've had (knock on wood) an uncanny success rate. And people often say to me, "What do you credit that to?" And I say, "I credit that to completely screwing up the first two we did."
I think culturally, one of the things that we're very good at is introspection. In our company we are highly confident, but we don't have a very big ego; we always tend to flow to better ideas. And one of the things we found with mergers and acquisitions is that the lack of clarity really kills deals. I don't care how rosy the projections are, I don't care how good things seem to be, what people really care about is, what does it mean for me? And second, what does it mean for my customers? Because inevitably, as a sales rep or an engineer, my relationship is going to last past this merger.
If you take the top two market leaders for firewalls — if I take Palo Alto and I take Checkpoint — I get 67% market share. And that's true across the board. Endpoint: I take CrowdStrike, I take SentinelOne, and I think I get 70% market share. Some crazy number. Managed services is one of the fastest growing silos. But if I take the top eight global companies, I get 13% market share. It's highly fragmented.
So about a year ago we did a big equity deal, I sold a piece of the business and then we used that money to merge with another company called Fishtech, started by Gary Fish, who a lot of people remember from the Optiv, Fishtech days. And now we've built this 1,000-person managed services company and that's just the beginning. We need to keep going because that market is going to continue to consolidate.
When you have these mergers, there has to be a degree of picking a lane. You can call managed services a lane, but it probably needs to be even more specific or narrow than that, I imagine. How did that kind of narrowing of focus happen behind the scenes?
Gosh. That's such a great question, Jill, because I think that's one of the unique things about our space. Everybody listening to this and in the audience is in a great sector. Nobody needs to worry about getting a job. The downside of that is we all have too much opportunity. We wake up one day and we say, "wOh, my gosh. Managed services is super hot. I'm going to go there." And the next day we're like, "Oh, threat intel. The threat intel market is the hottest thing under the sun." And then a year later we're like, "Oh, threat intel isn't really a market. It's a feature set." So, to your point, I think we know some of the secular trends and we try to stay where our customers are going to go.
Fundamentally, the security managed market is driven by two factors. One is security, one is compliance. But at the same time, everything is moving to the cloud. I mean people still use IBM mainframes; I'm sure there's still people in your audience that use ArcSight or technologies like QRadar, but we know fundamentally people are moving to cloud-based technology. We love buzzwords. MDR, XDR, MSSP. I think you'll see that world come together. I think the world is realizing an MDR solution isn't enough, a managed SIEM solution just for logging isn't enough.
For what it’s worth, my first job was writing about the AS/400. That doesn’t exist anymore. Now picturing you sitting in that chair on "Shark Tank," if someone came in with a cyber solution and threw out the buzzwords, whether it be XDR or zero trust or any of the many others that exist — do you roll your eyes?
It’s funny you say that. I've been doing this show for 14 years if you can believe it. And before "Shark Tank," the mean bald guy and I — Kevin — did the show in Canada for five years. If you add the cumulative of that, I've been doing this show for 20 years. And when we started doing the show in the U.S. after the second season, I went up to Mark Burnett — who produces the show — I said, "Mark, why don't we see more cyber stuff? Why don't we see more tech deals?" And he kind of looked at me and was trying to be very nice and said, "Look, I'm not sure how to tell you this, but what you do is really boring. Nobody cares." And I said, "But, Mark, cybersecurity is super hot and sexy." And he looked at me and he said, "To you." Now, this was 12 years ago, and he was right. Jill, when I first got to Hollywood, I would go to these big Hollywood parties and people would say, "Oh, what do you do?" And I'd say, "I'm in cybersecurity. I've been doing this since I was 21. I love what we do." And people would say, "Yeah. That's interesting. Aren't you the guy on 'Shark Tank?'"
But today I am a very, very popular guy at Hollywood parties because of cybersecurity. Our industry has made that pivotal shift where consumers care about what we do. That’s the big shift. In some ways what we do has become top of mind.
Now, it still doesn't translate to "Shark Tank." And it's funny. Three years ago, we went through a period where we had all these million-dollar valuation deals, equity funded companies, and we found it tends to lose the average viewer. What people really care about is the essence of the dream; that I can create a product in my basement for not very much money and become very wealthy. And we've seen that over and over again, and I think that is the magic of "Shark Tank." It's not a multimillion-dollar equity funded deal. It's the ability for an individual to create something, bring it to market and change their life.
Well, I want you to know that my 10-year-old daughter cut off the top of a soda bottle and made a candy dispenser. If you want to hear more, she's available.
To your point, Jill, what's interesting is if you were to walk around with me on an average day, the thing that would surprise you the most is that 50% of the people that come up to me are kids. And I don't mean 21-year-old kids at university, I mean 8-year-old kids, 10-year-old kids. I went to a public school the other day with my kids and the kids thought I was a rock star. I mean it was like, "Oh, my God. It's the guy from 'Shark Tank.'"
I think if our show has done anything, it’s made it kind of cool to be an entrepreneur. Kids today don't wake up dreaming about getting a job at General Motors and working for 20 years. That is not a 10-year-old's dream. A 10-year-old's dream is: “I want to be a tech person, I want to create my own company, I want to control my destiny, I want to be an entrepreneur.”
What we need is for them to more often say, “I want to be in cyber,” because we have a bit of a workforce problem. That said, you did talk about awareness growing — even at the corporate and board level. But do they understand enough or are they just focused on the latest headline? How can security professionals argue their case?
I see this even in my own company — we're all fundamentally technologists. I love the technology. But when I was 20 years old, I couldn't present, I couldn't have been on TV, I couldn't have spoken to you when I was in my 20s. People often say, "You're not an engineer. Was it hard to learn the technology?" No. It was easy to learn the technology, because I'm deeply passionate about it. What was hard to learn was how to position the value of the technology. The biggest change that happens as we move up the executive suite is the conversation shifts from technology. They don't care about what we do from a technology perspective. They care about the associated risk.
The biggest challenge is we begin to fall in love with the feature set and not the value proposition. I'm often in development meetings where I'm looking at super cool technology and I'm like, "Oh, my God. This is so frigging cool. And we can do that!" And then at the end I'm like, "Hang on a sec. How is this good for the customer? What value does this add?" And when your CEO comes to you and says, "Hey, how does the situation in Ukraine affect us?" They're not really saying, "Tell me about our firewalls, tell me about our logging." What they're saying is, “How does our risk profile stand against our peers in the industry and how do we look against these external threats? And fundamentally, are we moving upstream and becoming more secure, are we stagnating or are we moving backwards?” I think that's what we're starting to see as a shift — security as a service where people can measure their effectiveness.
I do want to touch on the threat landscape. Where do you see the most critical gaps?
I think the geopolitical landscape isn't getting better, but it's very targeted. The one sector and one area where we still see a big gap in is healthcare. On the dark web, medical records still command a premium. If you look at credit card records, they're declining in value. The cost of a stolen credit card is coming down. Why? Because there's more of them and there's limited value. It's easy for me to cancel a credit card and get a new one. The recovery effort from a stolen credit card is pretty quick and it's mitigated because you have an external party, the credit card company, in the middle of that transaction. Medical records are very difficult. You publish my medical records, how do you get me back to whole? It's very, very difficult and it's very personal and it can be very embarrassing, and it can be very targeted. And typical hospital or healthcare system still operates on a lot of legacy-based applications and legacy-based technology.
Medical devices introduce a lot of risk. How much responsibility falls to the manufacturer? Should there be more regulation?
Well, first, we're going to see more regulation along the lines of privacy and data integration. And I think in many ways, we welcome it. The best role of government is to be a mediator for things that are good for us as a society that we don't necessarily want to do or where there's one party that isn't going to make that investment. And I do think we're also going to see more regulation around device management in the medical world. Something along the line of a PCI, logging standard, or some basic element of standardization.
Individual manufacturers are never going to protect to general standards. If you remember when Intel bought McAfee, there was this dream. I remember going to this meeting where Intel said to me, "We are fundamentally going to change the security landscape." And I said, "Why is that?" And they said, "Well, we are [going to] hard-code the security software onto our chip set and that's going to fix everything because it's going to be embedded within the hardware set." And I thought, "Wow, that's really a good idea." And then I said, "Hang on a second. It takes over two years to develop a new chip set. It takes about three years to release that… embed it in the hardware, and release that technology and then create the hardware around it. Three years is an eternity in cybersecurity. Hardware moves quickly, but nowhere near at the pace of threats.
What areas of technology make you the most excited as an investor?
I kind of draw a line and I think the stuff below the line is not sexy, not exciting, declining from a price point but necessary. I think of that kind of stuff as foundational logging. Everything above the line is high value but is built on having the data from the low-level foundational stuff. So if I look at the exciting, sexy, interesting, “hot” bucket, it is in things like multi-cloud — the need for cloud provisioning and multi-cloud security. I think a lot of the cloud vendors do a good job with their own technology in terms of the buckets and being able to secure clouds. But I think as soon as you go into a multi-cloud environment, some of those basic foundational components just don't exist.
That also comes down to configuration. And COVID and the transition to remote access didn’t help.
There are really two areas that we've seen accelerate because of COVID. One is the lack of the perimeter. The idea of perimeter-based security just doesn't exist anymore. The second biggest gap we see is identity — and not just identity in terms of privileged access and who has access to the right applications, but even more basic identity. Think of the number of contractors, remote workers that come into an average enterprise. How are we configuring those people from an access perspective when they are no longer within our systems? The entire IAM privilege access market is on fire. And there's a reason, because the typical legacy technologies in that world are old, they're archaic, they don't really work, and what's available for free is so much more inferior than what's available from some of the core vendors.
October is Cybersecurity Awareness Month, which focuses a lot on the need to educate the user community. How much should we expect of the user community to comply with security requirements?
I think we have to be careful how much we engage the user community. Training is critical and awareness is critical, but users want to do as little as possible to be secure. If you ask the average consumer in the e-commerce space, "Do you care about security?" I think something like 87% of people say, "Absolutely. It’s critical." And then there was a question in a survey that said, "If you had to click another button to be more secure, would you do it?" Like 10% of people said yes. So consumers and end-users in an enterprise want to be secure, but they want you to secure them, they want you to be secure. From a corporate enterprise level, we have to come out with a way that we monitor, ensure the security of the user community. We train them so they're aware not to click on things and go to certain places, but we have to control that access without limiting their behavior, because convenience is always going to trump security.
In the last few years Microsoft's CISO has talked a lot about getting rid of the password. Is it going away?
Who ever says, "Oh, my gosh. I'm so excited. I get to change my password." I always look at that and I say, "Why can't we move to a user-based behavior system where that application knows it's me?" I think that the idea of passwords will not exist, but we're a very, very long way away from that. Years. Like five years.
Too bad. I would like to get rid of them, myself. We’re about out of time. I would love to just give you an opportunity for some closing words.
I think that we are entering the golden age of what we do. You said you wrote about AS/400. I worked on IBM mainframes. They're gone. They're completely gone. Nobody cares. I go to meetings now and I say to people, "Oh, this feels very much like an IBM mainframe 3270 world." And nobody has any idea what I'm talking about.
But security is not going to die. Twenty years from now, we are not going to be sitting here going, "Oh, gosh. I remember when identity was an issue." It'll still be an issue. This is a great space to be in and I just think we do so much good for the world.