As you know I have taken on the role of cybersecurity historian for our industry. (See Security Yearbook 2024). There are many reasons for loss of shared memory. Among them are the old guard retiring or moving on. John Thompson, who led Symantec during its massive acquisition days, still dabbles in security but no longer leads the biggest vendor. Gene Hodges, who led Network Associates in its restructuring from a holding company of six or seven product lines into the powerhouse McAfee, passed away. Many cybersecurity giants today are led by people who do not have memories of history. The danger is that the lack of that understanding will lead them to repeat history.
Let me just say it. Platformization is a fantasy spun by marketing teams to make sense of the product portfolios that cybersecurity behemoths have accumulated over the years. That’s OK because that is the job of marketers. What is not OK is when the CEO falls for their own marketing and the fantasy becomes the strategy.
There is a nuance in terms here of course. Palo Alto Networks itself grew to its position today with a network security platform, variously called UTM or NGFW. It makes perfect sense for all packet processing and inspection to occur in a single appliance. That move towards network security platforms defines the entire network security industry today. If an upstart comes up with a network security capability that starts to get traction, Fortinet and PAN will just build that feature into their platforms. Note the fast failure of FireEye which went public with a single feature: in-line sandboxing.
Endpoint security vendors also tried the platform approach. McAfee’s EPO was the best example. When Webroot Software introduced its enterprise product for anti-spyware, McAfee simply turned a switch and started writing signatures for PUPs (potentially unwanted programs). Webroot failed at getting traction on the endpoint and moved on.
Platforms for network, endpoint, identity, encryption, and GRC all make perfect sense. Each of these categories has a separate buying center within the enterprise. Think of it: the team that manages Archer (GRC) will never be the team that manages Active Directory (IAM), or the firewalls.
We got a little more visibility into Palo Alto Networks CEO Nikesh Arora’s thinking this week and it is a little bit scary.
In a long post on LinkedIn Arora cited examples of companies that he thinks have platforms.
“…employees and HR teams now have streamlining with platforms like Workday, sales teams have Salesforce, IT professionals use Servicenow - why wouldn't we see evolution that SOC platforms connect their tools, Security practitioners over time get a platform for managing their network security. That's our north star Palo Alto Networks.” -Nikesh Arora
Yes, if I were the CEO of the largest cybersecurity company by revenue, I would study the companies that were bigger than mine. But I would also learn how they are fundamentally different. All of these, Salesforce ($274 billion market cap), Workday ($64 billion), and Servicenow ($197 billion), are what is known as the “System of Record” for their respective categories.
“First, there really are only three types of SaaS businesses: System of Record (CRM), System of Engagement (eg Outreach), and System of Decision (eg any BI tool).” -TK Kader
These are all SaaS businesses. SaaS is an attractive business model. The marginal cost of goods sold is practically zero. You can increase revenue dramatically without increasing costs. If you keep your churn rates down you have perfect visibility into each quarter’s revenue because you have already collected the money you recognize. If you are a hardware appliance manufacturer like PAN you envy all SaaS companies.
In SaaS a System of Record is at the core of the entire industry category. Salesforce dominates CRM, Oracle and SAP dominate ERP, Workday is striving to dominate HR.
What would be the System of Record for security? Obviously it would be a SIEM product. Arora even reveals that is what he is thinking about in the above quote when he mentions the SOC.
Even Splunk, the biggest SIEM vendor, did not achieve System of Record status before being acquired by Cisco for $28 billion. There are 164 vendors in our database with SIEM products. A modern SOC platform, envisioned as one dashboard, would combine brilliant analytics with a data lake of alerts, logs, UEBA, XDR, SOAR, eBPF and now AI. Palo Alto has some of those components, but they have been selling them as best of breed. They have a lot of work to do before they can sell all-in-one SOC operations, especially when AI is going to completely disrupt the space. The big vendors have NEVER created the innovation that disrupts the industry. They ALWAYS acquire it.
One more term to bring up is sell-through. This is the actual business model that works for giant companies. Instead of being the System of Record, a large company like a telecom equipment maker has actually built a massive selling machine. Cisco is like this. When their customers start showing demand for a new product category the mega company acquires the leader in that space and immediately adds it to its catalog. The sales/delivery engine it has built sells the new product to its existing customer base. There have been cases of telecom equipment companies making an acquisition for $100 million and generating that much revenue in the first year after the deal closes.
Sell-through works. This is actually how Palo Alto operates. It works so well that even the CEO misjudged their quarterly guidance earlier this year when he announced the platformization strategy. The result was a 28% haircut in market cap.
Note the recovery since then as PANW executes well on sell-through, NOT on platformization.
One more lesson from history. Juniper Networks, the #2 network vendor after Cisco, made a bold acquisition of Netscreen in 2004. They paid $4+ billion for the first firewall vendor to incorporate IPS. At the time of acquisition Netscreen was doing $500 million in sales. Juniper set out on the path of creating a combined OS based on their routing platform. That process dragged on for years while firewall sales plummeted below $200 million. Eventually a disgruntled Nir Zuk took a core team with him and founded, you guessed it, Palo Alto Networks. Juniper was acquired earlier this year by HPE for $14 billion. Read the announcement from HPE. Security is not even mentioned in the body of the press release. Juniper was so focused on platformization that they lost sight of sell-through.
Just an aside here, as long as we are talking history. Nir Zuk was brought into Juniper through the Netscreen acquisition. The founding CTO of Netscreen was Ken Xie who left Netscreen to create Fortinet. Zuk probably based his new firewall on a reimagining of Netscreen, literally the NextGen of Netscreen :-) (Juniper sued him for patent infringement but settled for $172 million.) In other words, the two largest standalone network security vendors today, Fortinet and Palo Alto Networks, arose out of Netscreen.
It should be taken as a warning when large companies like Palo Alto look outside the security industry for models to follow. There is no opportunity for a System of Record in cybersecurity.
Our history is littered with the carcasses of large vendors who were once on top and are now shells of their former greatness, Juniper, Symantec, CA, McAfee among them.
Investments in cybersecurity should always be based on mitigating risks in your cybersecurity program - not because of a fancy product feature.
Thanks for sharing, Richard
You wrote that SIEM is the likely product to support system of record for security. Any particular reason you selected SIEM? Then why are SIEMs not doing it now?