I was working in my home office the other day when I heard the beeping of a car. It sounded like it was in my driveway. The beeping continued. Annoyed, I ambled to the front door and opened it to see the source of the noise. The Undercover CISO was in my driveway behind the wheel of some exotic red convertible sports car. I noticed the vanity license plate was ‘CRWD’.
“Hey, do you like my new car? It’s a 2022 Ferrari Portofino. Twin turbo V-8 and 600 horsepower. Let’s go for a ride!” he shouted above the rumble of the engine as he hit the gas pedal.
“How did you afford this thing? It must be 200 grand,” I said as I shoe-horned myself into the passenger seat.
“A quarter million actually. I told you I was shorting CrowdStrike. Bubble waiting to burst. Easiest trade in the world. Made enough to buy this bad boy,” he replied.
Then I remembered the stock ticker for CrowdStrike stock is CRWD. CrowdStrike has fallen like a lead balloon since the UC made his short trade. It really tanked after its last earnings report, which actually wasn’t horrible.
He drove us up to an empty two-lane road in the desert outskirts of Phoenix. He stepped hard on the accelerator and quickly shifted his way through the gears as the speedometer spun to 105 miles per hour. My head was pinned against the headrest. Over the din of the wind and roar of the engine he shouted, “Never mind those video-game toy Teslas. This baby is just as fast!”
My stomach was churning. Thankfully, he began to slow down. As we entered traffic on a busy street, I regained my composure and asked, “Well, how did you know CrowdStrike was overvalued? They have quality security products.”
“Economics, of course. Haven’t you heard of George Akerlof?”
Indeed, I was well aware of him. Akerlof won a Nobel Prize in Economics for his classic 1970 article, “The Market for Lemons.” To summarize:
Akerlof’s model was a simple but powerful study of information asymmetry. Assume that some cars are “lemons” and some are high quality. If buyers could tell which cars are lemons and which are not, there would be two separate markets: a market for lemons and a market for high-quality cars. But of course, the sellers have information the buyers don’t. The buyers know this, so they have to discount all used cars on the lot due to the chance they might end up with a lemon, even if the car is in perfect condition.
He continued, “The security tool market is the ultimate used car lot. There are thousands of security tools out there, but the buyers – CISOs – never really know which ones work better than any others. It’s a crapshoot based on marketing and Forrester reports. When the Yugo came out in the late 1980s, it was very cheap to buy, but no one really knew how bad a car it really was until they drove it. Companies like CrowdStrike and SentinelOne have top-quality products, but there are a lot of security tool ‘lemons’ out there in the Gartner Magic Quadrant. Furthermore, the stock market valuations are based on consistently huge growth projections. The economy is slowing. People think that security budgets are immune from spending cuts, but that just isn’t true.”
He went on. “Most importantly, Microsoft virtually gives away its security products to high-end Azure subscribers. So, when the CIO moves the company to Azure, the existing security products get replaced by Microsoft equivalents. The CISOs are stuck with the decision because they can’t quantify the improvements their security suite offers over Microsoft’s.”
As we returned to my driveway I felt some of the blood return to my head. I crawled out of the seat and turned to him.
“Are you done with the short selling?” I asked.
“No way! I need to get my private jet! I have my next target, but that is a topic for another day. Stay tuned.” With that, he screeched his tires and roared out of my neighborhood.
He made some good points. While Endpoint Detection and Response (EDR) is the best single defense against ransomware, it doesn’t mean every company is going to buy it. Security sales to non-Fortune 500 companies take more time and require bigger discounts. Many security vendors are in a stock market bubble, and the bubble may burst as we head toward a recession.