Follow the (Microsoft cybersecurity) money

Posted by

Bob Woodward: Hunt’s come in from the cold. Supposedly he’s got a lawyer with $25,000 in a brown paper bag.

Deep Throat: Follow the money.

Bob Woodward: What do you mean? Where?

Deep Throat: Oh, I can’t tell you that.

Bob Woodward: But you could tell me that.

Deep Throat: I can point you in the right direction if I can, but that’s all. Just…follow the money.

The movie All the President’s Men portrayed the taking down of President Richard M. Nixon by two young Washington Post reporters named Bob Woodward and Carl Bernstein. They were guided in this unprecedented journey by a mysterious and anonymous White House insider they code-named Deep Throat. Deep Throat’s guidance to “follow the money” was advice we should all keep in mind, even in cyber security.

To understand what this means, let’s discuss a little background about security spending. Most companies spend roughly 4-8% of their IT budgets on cybersecurity. However, budget line items allocated to the security organization can vary. For example, in many companies firewall management, while certainly securely related, is performed by the IT network team and comes out of the general IT budget. Similarly, domain controllers, while certainly security relevant, are often managed by system administrators, and that spending also comes out of the general IT budget. Other capabilities, such as Identity and Access Management (IAM) and Endpoint Detection and Response (EDR) solutions, usually are cyber security budget items.

Why all this background?  I wrote previously about how Microsoft is very successfully gaining a stronghold in the security market. I expect this trend to continue in large part due to how IT and security expenses are budgeted in organizations.

Microsoft is not really in the security business. It is in the cloud business. When customers buy Microsoft’s E5 offering, they get some pretty good security tools like Defender ATP “thrown in.” Big companies like Microsoft have a tremendous advantage: cross subsidization. They don’t necessarily need to make money in specific business lines as long as it fuels their overall sales. For example, the Cable companies bundle telephone, Internet, and TV in order to increase revenues, simplify customer billing, and increase switching costs (reduce churn).

We have no idea how much money Microsoft’s security unit nets, because they don’t break out revenues separately in their financial statements. But they have obviously made the decision to bundle security offerings in their E5 packages to drive overall cloud sales and reduce customer churn. However, Microsoft Defender ATP competitors, like CrowdStrike, Carbon Black, and Cylance need to (at least eventually) have a path to profitability.

It is hard to for security vendors to compete when Microsoft is giving essentially the same stuff away for free.

Now let’s go back to corporate security spending. When an organization buys Microsoft’s E5 offering, it is generally budgeted and paid for by the overall IT organization. The security organization gets some security tools such Defender ATP “thrown in” without a budget expenditure. Some security organizations may still elect to pay for similar point-solution third-party security tools (such as CrowdStrike and Cylance). Many security professionals feel they are superior than Defender ATP. It is not necessarily easy to replace security products once operators are trained and the tools are tuned. However, as Microsoft’s offerings get better and security budgets get squeezed, organizations may shed some of their non-Microsoft licenses.

It is hard for security vendors to compete when Microsoft is giving essentially the same stuff away for free. Further, the Microsoft security products are tightly integrated with the full Microsoft software and cloud suite – a characteristic that is impossible for competing products to duplicate. This makes it easier to shift from competing point-solution products to Microsoft offerings.

Is this an an unfair advantage for Microsoft? Matt Stoller thinks it may be:

“Now, what Microsoft is doing could be illegal, but they would argue otherwise. And there is a tension between ‘tying’ which is an antitrust violation, and ‘integration’ which is simply creating a better product by putting two existing products together into one. One way to start making this distinction is to look at the market power of the entity doing the tying. By that metric, Microsoft needs more scrutiny. The corporation often goes unnoticed as a monopolist, largely because its President Brad Smith is a deft political player, but the corporation is still there, eating up markets.”

Matt Stoller

Regardless, security budgets are tightening. If you follow the money, you’ll see that Microsoft is going to be a juggernaut in the security space this year and for years to come.