CrowdStrike CEO George Kurtz has had a banner year. The cybersecurity firm has seen its stock price surge more than 135%, beating out larger rivals and the broader indexes. It’s continued to grow its annual recurring revenue, albeit more slowly than in years past, and in an interview with CNBC, Kurtz said CrowdStrike’s path to $10 billion in recurring revenue within seven years remained achievable.
The successes come as cybersecurity risks weigh heavier than ever on investors and executives. Beginning Monday, public companies will be required to disclose “material” cybersecurity incidents. The new rules from the Securities and Exchange Commission formalize an already acknowledged reality for executives: investors deserve to know when hacks hit corporate bottom lines.
“What you’re seeing with the SEC and mandatory disclosure,” Kurtz told CNBC, “is really the fact that cybersecurity used to be a backroom operation and now it’s really front and center in the boardroom.”
The new regulations will likely offer upside for CrowdStrike, Kurtz said. The company does a brisk business selling its Falcon security platform, which protects millions of its clients’ computers from hackers, but it also has a professional services unit that helps companies large and small respond to hackers who are already in their systems.
The latter business has seen double-digit growth year over year, according to financial filings. A rash of high-profile hacks — the kind of incidents that the new SEC rules will apply to — has hit victims’ market caps hard. In the last six months, for example, the same hacking group crippled operations at Caesars Entertainment, Clorox and MGM Resorts. Caesars paid out $15 million in ransom, sources previously told CNBC, while MGM took a $100 million hit for the quarter.
Responding to hacks makes for great business. For every dollar companies paid CrowdStrike to respond to hacks, CrowdStrike collected roughly $6 on average in new subscription revenue, Kurtz said. CrowdStrike’s professional services unit — the emergency response side of the business — saw revenue grow 57% year over year in its most recent quarter.
“In most organizations, it’s not an if, it’s a when,” Kurtz said, referring to the inevitability of a hack. For public companies suffering a breach, the intelligence CrowdStrike gathers responding to incidents will likely form a big part of deciding whether boardrooms need to disclose a hack or not.
“It’s not something we can answer” for companies, Kurtz said.
While incident response is good business for CrowdStrike, Kurtz emphasized that CrowdStrike’s main focus is “to help customers prevent these sorts of attacks upfront and provide visibility.”
CrowdStrike has also focused on growing its sales to government agencies — building on the public-private partnerships that underpin U.S. cyber defense.
“I think there is a real recognition of the threats that are out there,” Kurtz said of the Cybersecurity and Infrastructure Security Agency, and its director, Jen Easterly. “It takes longer than I think anyone would like in government, but we’ve seen progress over the years.”
The Biden administration, including Easterly, has emphasized that cybersecurity is a matter of national security. Like many companies, including Google Cloud’s Mandiant, CrowdStrike works closely with the government to analyze and respond to hacks, including those emanating from actors aligned with China and Russia.
Much of that work is done behind the scenes, given the national security and diplomatic implications.
Still, the CrowdStrike CEO did not hold back in criticizing Microsoft’s response to a high-profile breach that shook the U.S. government earlier this year, when Microsoft security keys were stolen by Chinese intelligence and used to hack into the State and Commerce departments.
“It’s odd to me that they didn’t file an 8-K, given the extent — literally their certificates being stolen and used to break into the government,” Kurtz said, referring to the regulatory filing companies make when a “material” event has occurred. His words echo a familiar refrain for CrowdStrike, which has highlighted security risks associated with Microsoft software in its sales pitches. But others, including Sen. Ron Wyden, D-Ore., have said much the same.
Microsoft did not respond to CNBC’s request for comment.
Kurtz doesn’t think 2024 will be any better for businesses large or small. The advent of readily available artificial intelligence tools could make both social engineering attacks — exploiting vulnerabilities in human operators — and software-driven attacks more potent.
The risk from China remains constant, despite an apparent lessening in tensions following Chinese President Xi Jinping’s visit to San Francisco. “In 2023, I don’t know that there is any sector that is exempt from being worried about China,” Kurtz said.
“If you’re the smallest SMB, maybe you won’t be subject to attack,” Kurtz said, referring to small to medium-sized businesses. “But at the end of the day, you may have some interaction with another company that they really care about. Whether it’s China or other adversaries, you might just be part of the collateral damage to get to a larger objective.”