The Compound and Friends - Breaking Down the Threat Landscape

Episode Date: April 11, 2022

On this special episode of Live from the Compound, CrowdStrike CEO George Kurtz joins Josh Brown and Ben Carlson to discuss the latest in cybersecurity, the evolving threat landscape, and George's experience as a race car driver! For more on CrowdStrike, visit: https://www.crowdstrike.com/ Obviously nothing on this channel should be considered as personalized financial advice or a solicitation to buy or sell any securities. See our disclosures here: https://ritholtzwealth.com/podcast-youtube-disclosures/

Transcript
Starting point is 00:00:00 Our special guest here tonight, we have an interview with George Kurtz, who is the founder and CEO of CrowdStrike, which is a publicly traded company on NASDAQ, ticker symbol is CRWD. George, welcome to the show. Thanks so much for doing this. I know how busy you are. It's great to be here. I certainly
Starting point is 00:00:25 enjoy doing it. Awesome. So excited to talk to you about all these topics tonight. Just a quick item of housekeeping and then we'll get into it. I am personally a long-term shareholder in the company. Nothing that you hear from us tonight should be construed as financial advice or a recommendation to buy or sell any security. For a full list of terms and conditions, you can see the link below. And the same applies for George and all the regular safe harbor protections that govern these types of public communiques. Sorry, George, we have to do that stuff in the securities industry. Let's start with this. Yeah. So first, congrats on all your success so far. You are a $50 billion market cap company. The IPO was priced at $34 in June of 2019. So in about three years, shareholders are up 535%. Even if
Starting point is 00:01:15 they bought the closing price that first day of trading, they'd be up 270 something percent versus the S&P 500's total return of about 60 percent. So I know there's a lot of work still to be done, but do you feel some of the pressure come off now that you're into year three? You know how much value has already been created for shareholders in a fairly short period of time? Like what's your mindset as the CEO of a company that's reached this level? Well, we're certainly happy with our performance, but there's always more to do. All right, good. I didn't want you to say we're good. No, no, we're not. We're here to win. That's why we get up every day, and that's really important.
Starting point is 00:01:58 So great IPO, great performance over the last 11 quarters. And I think it really helps reinforce what I tried to build in late 2011, along with many other CrowdStrikers, not just me. And you can see the results. And security is so important in today's day and age. It's like air and water and shelter, right? It's a must-have for any corporation. And we're filling a big need and most importantly, delivering a lot of value for our customers. I think you made a really important statement that I just want to spend a second on. Everybody talks about what's the next big secular growth story, whether it's AI or machine learning or it's crypto or fintech.
Starting point is 00:02:44 You really can't do anything, though, without the right security. Anything you would try to build or anything you would try to innovate or create, without security, you're building a sandcastle. I'm sure that's apparent to people in high tech, but can you make that point a little bit more from the inside for my audience who are investing in all sorts of software companies? Sure. And it's a good question. I get asked it all the time, like the state of security and how it's evolved. And I think the easiest way to explain it is security parallels the slope of the technology curve. So if we think about the early
Starting point is 00:03:21 days of the web, you'd go to a website, you'd browse to it, and you'd get some information that was that. And over time, that's evolved to a much more interactive view of what's happening. And you're interacting with data. You've got these platforms. You've got e-commerce. I mean, over 30 years, you can see how it's evolved. And as the technology has matured, there is a security curve that had to follow it. So there's a few things that you needed to do
Starting point is 00:03:47 in the old days of a firewall on a website, and it's much more complicated today with, you know, cloud, with Kubernetes, with containers, with all these various elaborate and really, you know, effective technologies, they need to be secured. So if we believe that security is going to get going to continue to get more complex, I should say, if we believe technology is going to
Starting point is 00:04:11 get more complex, then security has to follow along with it. George, a number of years ago, Josh and I were at a conference that we're putting on and Vanguard CEO Tim Buckley was giving a speech and someone asked him, what's your biggest risk that no one talks about? And he said he walks into this room every day and there's a map of the United States and he just sees pings of light every once in a while and it's all people trying to hack their systems. Obviously for financial institutions, that's a huge thing. Where are these threats coming from? People picture on movies hackers sitting in a basement of their mom's house or something, but how sophisticated are these people going after this stuff and who are they?
Starting point is 00:04:43 Well, it's funny, because we call in the security industry, we call those pew pew maps where, you know, people are shooting and it looks good for the board members. But behind the scenes, there's a lot of men and women trying to secure those systems. And there's a lot of adversaries trying to get into them. So if we break down the threat landscape into three areas, just to make it simple, starts with nation state, the most sophisticated of the adversaries that are out there, Russia, China, North Korea, Iran, et cetera. Right. And they have different capabilities. Then you move into e-crime and e-crime is, you know, they say a trillion dollar type industry. And we've seen things like ransomware and business email compromises, all the wire transfer, all that gets wrapped up into those kind of groups. And then the third one, which had tailed off a little bit, but as you might imagine in today's environment, geopolitical environment is hacktivism. And that is trying to
Starting point is 00:05:34 get into a system, making a statement, et cetera. So what we've tried to do at CrowdStrike over the years is really identify the adversaries. Sure, we build a great platform. We can go through that later. But part of what I think has made us successful is taking an adversary-centric view of who's actually trying to get into the system. You know, is it North Korea? Is it Russia? Is it China? Who is it? How do you look at their techniques? How do you defend against it? And when you do that for the board of directors, you really put in the context, why are they trying to attack you? You know, we spend time actually looking at the China five-year plan. We know where they're deficient in certain areas, right? And we know that's where they're going to attack to try to steal that intellectual property. And when you can put that in business terms, it makes a real
Starting point is 00:06:17 impact to boards of directors. That's a really good point. And we're going to talk a little bit more about the geopolitical and hacktivism landscape in a moment. I want to get into some of the numbers just to give people a sense of the scale of your business at this point and where it seems to be headed. So you reported Q4, total revenue was 431 million, which puts you at about 1.45 billion in total revenue for the year 2021, which is about 66% growth. Annual recurring revenue, which is the number that Wall Street is most fixated on, up 65%. So you are a very recurring revenue sort of business, which is what we like these days. Gross margins, 76% in Q4, which I think would make pretty much any company on Wall Street pretty jealous. And stock price wise, I know this isn't terribly important for
Starting point is 00:07:13 you. But in the month of March, Nasdaq's up about 3%. CrowdStrike was up 16.5%. You guys have had a lot of news flow and a lot of momentum. And you've been singling out individual customers as part of the reason for that success. So I wanted to ask you about the first one, which you mentioned on the conference call, Amazon AWS public cloud service as a big growth driver for the company. What are you guys doing with Amazon, and why should investors be aware of that? Well, we're doing a lot with Amazon. First and foremost, they're a customer. They're a public reference for us, which is fantastic when you think about the size and scale of Amazon. Second, they're a great partner to us.
Starting point is 00:07:56 The Amazon marketplace has been a tremendous growth area for us. And we're one of the leading companies in the AWS marketplace. And that's where customers can go. They can basically pick technologies like ours. They can spin up an instance and have CrowdStrike in their instance, as well as they can actually procure CrowdStrike for their on-premise workstations and servers, which is really another good opportunity. And the interesting thing about AWS, I mean, it's a fascinating company, a lot of respect for them. They've created something called the enterprise contract that basically, you know, a vendor and a customer agree on the contract language. And you kind of click away and it takes the six months of negotiating a large contract out of the picture.
Starting point is 00:08:40 And we literally have done massive seven-figure deals in the span of 45 minutes. People tried the technology, they liked it, but to get the deal done, it took all of 45 minutes. So when you look at how friction-free they can make it, we're excited about that channel. We talked about the growth. We talked about the numbers over 100 million. And we continue to focus on the success with them. So your business on that platform has doubled year over year. And I guess selling directly to enterprise-level customers on AWS probably saves not all of the money but a lot of money that would have, in a prior generation, gone to people in the middle, outside contractors, inside salespeople. Does that, in part, explain why the margins are as healthy as they are? Well, it's a little less of that because when you look at that ecosystem, there are some economies of scale there, but we have salespeople, we have channel partners,
Starting point is 00:09:37 we have AWS. You have to keep all those partners and constituents happy. So they may get a little less, but they're still getting rewarded for the efforts they're putting in. When you look at why the margins are so high, we can dive into that. And that is really the scalability of the model that we've built. And the key thing about CrowdStrike is when I started it, I looked around and I saw Salesforce and I saw Workday and I saw ServiceNow, but there was literally nothing. There was no platform security company. It didn't exist. And I thought there should be one.
Starting point is 00:10:11 So I created CrowdStrike. Were you at McAfee or Norton at that time? No, I was at McAfee. I had a company called Foundstone in the vulnerability management space and I sold it to them and then spent seven years at McAfee. So you saw the industry as it was and then said, what's missing here? A hundred percent. I mean, the way the story goes, how I got the company started, we'll get back to the margins here in a minute, is I sold a company called Foundstone to McAfee in 2004, spent seven years at McAfee. I was a GM, ran a couple of different business units for them. And I was asked to take the CTO role, which I didn't want.
Starting point is 00:10:46 I turned it down twice. And the third time I took it, they said, hey, just take it. We're probably going to sell the company, help us out. Ultimately, we sold it to Intel. But when I was sort of looking over the entire portfolio, everything to me looked like Siebel, and I thought it should look more like Salesforce. And there were two big epiphanies there. One, people are spending money on security. Guess what?
Starting point is 00:11:09 They should get the outcome they deserve, which is not to be breached. But the entire industry was focused on stopping malware instead of stopping breaches. And I just thought about it a little bit differently and said, why not build a platform that actually can work from the cloud that's focused on stopping breaches
Starting point is 00:11:24 with a much more modern architecture. And that leads to, just to answer your question on the margin, is because the architecture is a collect once from the agent that runs on these workloads and endpoints, once we have the data collected and we've already paid for that, every module we add is almost pure gross margin. And that's where you get the scalability in the model. That's where you see the margin improvements. George, I saw the news the other day that you signed a deal with the United States Department of Defense. Talk about this from the perspective of national security. And does that change at all the way that you view this? Or is it kind
Starting point is 00:11:58 of the same process? Well, sure. And to clarify, last quarter we announced the deal or two quarters ago with CISA, which is one of the kind of departments in the government that's focused on cybersecurity. And what we talked about just a week, meaning the more controls you have, the greater the population in the U.S. government you can sell to. So we were IL-3. We got IL-4, which opens up the DOD. And then we're in process for IL-5. So it's a big opportunity for us. What does IL-5 get you, Hunter Biden's laptop? You know, we'll leave the color political commentary to others, but at the end of the day, we're focused on helping the government, not only the US government protect themselves, but other governments around the world. So what does IL-4
Starting point is 00:12:56 allow you to do in terms of working with the government? It obviously, it sounds like a higher level of clearance and it sounds like your products would be more instrumental in protecting us, like in protecting America. Yeah. So today where we operate is in civilian agencies. So that's not the DOD and that's IL-3. IL-4 starts to open up more of the DOD to CrowdStrike. Okay. And this is something that obviously very strategically makes sense from a business standpoint, aside from the revenue that would come from the government.
Starting point is 00:13:30 I would assume when Fortune 500 companies or organizations around the world are vetting you to do work with them, they probably look at that as like a good housekeeping seal of approval to some extent, right? Well, they certainly do. And when you look at the CISA win that we had, it takes a long time to get a win in a government. I like to say our win there was an overnight 10-year success. You know, it takes a while. They have to get with the program in terms of want to use cloud. You need a GovCloud, things of that nature.
Starting point is 00:14:00 And we competed against everyone else in the industry and won that. We have a few agencies, but there's over 100 agencies that we can sell to, and it really is the beginning, I think, of a long opportunity in the U.S. government. I wanted to ask you about another recent news item that caught my eye and I think the market's attention. You guys signed a strategic agreement with Mandiant, which most people that say, well, I've heard that name before. There was a bidding war between, I think, Microsoft and Google to acquire Mandiant and Google won or Alphabet won. But Mandiant sounds to me, maybe you could explain this better,
Starting point is 00:14:37 almost like a SWAT team that comes in after a breach, assesses the situation. And then maybe this is a great funnel for you guys to come in and say, okay, Mandiant hands it off to CrowdStrike and we make it so that this never happens again. Do I sort of have that relationship right? Is that how it's going to work? Yeah, it's close to that. So let me explain a little bit. There's a little bit more history there. So Kevin Mandia started Mandiant and he actually worked at Foundstone in my first company. And that was the early days of the forensic and incident response market. He went off, was super successful, sold the company to FireEye and ultimately took it over. When FireEye disposed or sold off some of their endpoint assets to McAfee, it became a great opportunity
Starting point is 00:15:23 to work with Mandiant. Mandiant then gets acquired by Google. By the way, Google was a big investor in CrowdStrike. So we have a great relationship there. And we work with the Google Cloud team. So now when we look at the opportunity with Mandiant, and we do this with other incident response providers, is they come in, you know, they do a lot of the work, we do a lot of the work as well in these big breaches. And what we find is that when you roll out our technology to actually assess what happened, it stays. And it stays because it gives you visibility of what happened, but also gives you prevention going forward. And just to give you a stat that we give out internally, when we do
Starting point is 00:16:01 these sort of response engagements, for every dollar of service work, it turns into $5.71 of recurring subscription revenue. So if we can have Mandiant, they can do all the IRs that they want. It's fantastic. They're one of the best in the business. They're great in this industry. They can use our technology, leave it behind. And that's a win-win for customer, for Mandiant, and for us. The Colonial Pipeline event last year, which as Americans, we already forgot a week later. Oh, that happened? We actually had like a third of our energy infrastructure on ice for days and days. People don't even remember because, keep in mind, everything that's going on with the Kardashians and so on. But to me, as an investor in CrowdStrike and just somebody that tries to be a little bit aware,
Starting point is 00:16:51 um, that seemed like a big deal for your industry. Like, that seemed like the kind of thing that should be a point of no return for overall enterprise and government spending on cybersecurity as though it's the same as any other kind of defense spending. Do you feel that that's kick-started the business the way that it should have, or is there still a delayed reaction? Well, there's a couple of big events that kind of get people focused on the right things. If you look at Sunburst and what happened with SolarWinds and Microsoft and others and that attack, that was kind of an eye-opening moment, very sophisticated attack, focused on abusing identity as an example, which is one of the areas that we cover with CrowdStrike.
Starting point is 00:17:37 The second one was Colonial Pipeline that was really focused on ransomware. And it gave everyone, I think, a pretty good view of this is not just I lose a computer. This is I lose a business if my entire infrastructure gets encrypted. We lose heating. Yeah, we lose heating, right? It's not funny. Is there an element of education now? Because obviously a lot of companies that maybe weren't so software heavy before, like the pandemic forced them to do so. So obviously the tech companies probably understand the threat. But are there other companies now that you're having to go to them and educate them and tell them like, these are the threats that you don't even know about? We still have to do that.
Starting point is 00:18:10 But I would say in today's environment, particularly for public companies, the number one risk for any board of directors is cyber. Like go ask any board of director, what's your one or two biggest risks? Cyber will be probably one, if not one or two. So how do you have to educate them from that standpoint? Well, I would tell you over the last year, I've done more board education where they said, hey, this big attack happened. Come in and talk to us. And we talk about their maturity. We talk about the risks. We talk about the adversaries focused on their organization. And then we talk about how do you move your maturity from a lower level of maturity to something higher. There's a maturity scale that we talk about, you know, zero through five, and
Starting point is 00:18:54 that has really, I think, allowed people to move the ball forward and realize that security is not a nice-to-have, it's a must-have. And not only can it impact your business, but then obviously there's all the regulatory requirements that companies have to deal with. So George, the Securities and Exchange Commission has made it a regulatory priority when they come in and look at firms like ours in their regular examinations
Starting point is 00:19:20 to really get detailed information about what we're doing to protect customer data, customer assets, logins, et cetera. Wealth management is extremely fragmented. There are 18,000 registered investment advisory firms like mine. Nobody really has any market share, not asset managers, but wealth managers. And yet all of us and our systems are in possession of like pretty important, sacred customer information. Salesforce does a wealth management cloud specifically for our
Starting point is 00:19:54 space. Have you ever looked at financial advisory or brokerage or wealth management as maybe the kind of thing where it would be worth customizing a product for? Or have you just not gotten there yet? What are your thoughts as it pertains to what we do for a living? Well, it's probably a sales and market motion. The beauty of our technology is, and let me just back up for a minute. If we take financial services as a broad umbrella, we have 15 of the top 20 banks, right? Now, I know you guys are smaller, but still financial services. And the interesting thing about our technology, this is very rare if you think about this in any marketplace,
Starting point is 00:20:29 is the same product we sell to the DOD, we can sell to you and, you know, a three-man shop or three-person shop. It's the same product, like there's different bells and whistles and options, but it's pretty elastic of what we can do. When you look at our SMB penetration, we talked about, you know, kind of the mid market. It's over a 300 million dollar business and that's bigger than many of our competitors like entire business. But it's still less than one percent penetration in those markets. So we're still in the early innings and we've had a lot of success. And absolutely, with our trial to pay and some of our MSSP relationships, we can cover organizations like yourself. Okay. Before we get to the Formula One stuff, which we'll end with, I want to ask one product
Starting point is 00:21:14 related question so that people understand what sets you apart from the Sentinels and the other publicly traded cybersecurity names out there. And there are probably six or seven that most investors are following. I think your flagship is called Falcon. It's what most people seem to know you best for. Can you explain why that product is so powerful and why it's been so successful in the market? Yeah, I think the simple explanation is it works. That's a good starting point. It's a starting point, right? It works and it works really well. And there's a lot of folks that try to copy it,
Starting point is 00:21:50 but it comes down to the architecture. Like why did Siebel fail in like the online sales cloud world? Because it wasn't architected that way. Yeah. Right? And you look at Salesforce, it started from the beginning. We literally started from the beginning as a cloud platform. And we're the only folks that have this single agent architecture with one data store with a
Starting point is 00:22:08 modular framework that allows all of this expandability, gross margin, business model, et cetera. At the end of the day, we're solving really hard problems, which is stopping breaches. And we do that in a way that's A, scalable, and B, reduces a lot of the agent footprint that's out there. And this is something that's not really talked about. On average, there's 13 agents, the pieces of software that run on your computer. Everyone will know when they start their computer, it's real slow and like lots of things run.
Starting point is 00:22:36 We can reduce that dramatically, four, five, six agents. And that level of consolidation works with one agent, collect data one time, and we can reuse it many. So the architecture, the AI behind what we built, but more importantly, the platform that we've created allows us to exceed in security and then move into adjacencies where we took our future TAM up to over the next couple of years, $126 billion. And that not only solving a security problem, but it's solving an IT problem. And again, at the end of the day, the numbers don't lie. Less pieces of armor, less room for gaps in between those pieces of armor. So when you're able to reduce that agent problem.
Starting point is 00:23:18 Correct. And what that means is it's a better user experience. There's less cost and complexity for the organization. And what we found, and I've called this out in some of the earnings calls, is that a lot of our competitors and next gen included, when they get installed on something, they can't even get rolled out. They don't even they don't scale. They don't work. It's just kind of a disaster. And I recently got a truck and I have a Tesla. I'm a car guy. We'll talk about that in a minute.
Starting point is 00:23:45 And my Tesla just works. I got in the truck and the screen kept freezing and rebooting and everything else. And people go, wow, why can't these folks copy Tesla? Well, same reason. The thing just works. It seems simple, but it's really hard to actually replicate the user experience. Duncan, get in here. I'm out of my depth on this topic, but you are very involved in Formula One.
Starting point is 00:24:09 A lot of our audience is dying to hear a little bit about that from you. So why don't you, while Duncan gets his first question ready, tell us why you've become associated with the sport and what you do. Sure. So we got involved in Formula One a few years back. I've always been a Formula One fan. And when you think about Formula One and racing, I mean, I'm a racing fan. It really ties into speed and technology. And how we got into the Mercedes organization is they became a customer. They actually had Microsoft. It wasn't working for
Starting point is 00:24:45 them. They came to us. They became a customer. They loved it. And then they knew I liked racing and there was a passion. And we put together a very effective marketing program. One, people know us. I mean, you look at the safety car, you see CrowdStrike. But two, for the in-person events, we actually have a CXO summit. So we talk for three hours on security with thought leaders and CISOs and CIOs and CEOs. And then we take them for a very unique experience in the Formula One paddock. And that has served us really well. I can tell you, we've generated a tremendous amount of new business from those events and people know us. Yeah, for sure. Duncan, you're on. Ask an insightful question about Formula One. Okay, so first up, I just wanted to ask,
Starting point is 00:25:30 you've driven a lot of different cars in a lot of different series. Do you have a favorite car? Do I have a favorite car? Yeah, I would say, so I've driven a lot of different stuff. This year, I drive a Ligier P3 car, which is a prototype car in the
Starting point is 00:25:45 IMSA series, and I drive a Mercedes GT3, keeping with the Mercedes brand, and SRO. I love both. They're both different, but for pure speed and downforce and just, like, it's crazy to drive one of these things, particularly like Sebring, the P3 is a pretty special car. So I have fun doing that, but both are great cars and I enjoy doing, uh, both series. Yeah. Those Le Mans cars look so cool. The, those prototypes. Yeah. Um, okay. So, uh, another one, uh, what's your, your favorite track? Do you have a favorite track around the world? That is a good question. Um, I would say, I mean, in the U.S., it's probably Road America, which is a very famous track, and a lot of drivers like it. I would say in Europe is Spa, which is a Formula One track, and it's just kind of crazy, Eau Rouge.
Starting point is 00:26:31 You know, you probably know that well. And we do a 24-hour race there, which has been pretty fun, so I like that track. Okay, so a little longer one. So how has being a race car driver made you a better CEO, you think? Well, that's a good one. I talk about that all the time. And it really is about the details. You know, in a race car, cars are going to be pretty similar.
Starting point is 00:26:56 But it's the details that matter, how you set it up, how you prepare. Everything's about preparation, just like in our own business, right? What's our goal? Is the team informed? Is everybody prepared? Do we drill and practice? And then we got to execute. And if you are really into the details, which I am, of racing, and you focus those, that level of, like, commitment and, you know, prep, prep, prep, like, we're not surprised on things, which is why you see the results that we've come out with. Because it's all planned, it's all practice, all has a purpose. And just like in the race, you
Starting point is 00:27:30 know, some days go well in the race, some days don't. In the real world, some go well, some don't. But more times than not, if you focus on the details, uh, you'll get the win at the end. And you just won something, is that right? St. Petersburg. Do you want your category? In racing or for companies or what? In racing. In racing. In racing, yeah. I was in St. Petersburg.
Starting point is 00:27:57 We were the warm-up act for the Indy guys and gals. And so I won there. And we've got a race coming up in Sonoma. So, you know, we'll just keep plugging away. George, I want to say thank you so much on behalf of all of the viewers of The Compound, the live viewers and people who will come across this video in the weeks to come and learn a lot more about cybersecurity and CrowdStrike's role in what I think is one of the biggest secular growth opportunities in the world over the next decade. So you guys seem to be
Starting point is 00:28:26 winning all the time and want to thank you as a shareholder. And thank you so much for giving us, I know how important your time is right now. So thank you for giving us a small piece of that today. Well, thank you, Josh. And thank you, Ben. And I will tell you, I really appreciate the level of detail that you go into and the work you put in because you understand CrowdStrike versus everyone else in terms of our competitors. I think with a high level of detail, and I appreciate that. Oh, thank you so much, sir. Have a great night and good luck with everything. Thank you.
Starting point is 00:28:56 All right. We're going to let George pop off. Thank you guys so much for joining us tonight on the live. Really appreciate it. Make sure you like and subscribe so others may utilize the algorithm effectively to find this content and more that we're doing here on The Compound. We will be back with you all week with our regular slate of shows. Thanks to George. Thanks to Duncan, John, Nicole, and we're out. Bye.
