What’s The Half Life Of A Unicorn?

“Cybercorns” are companies that have surpassed the magical $1 billion valuation. Several of these extraordinary ventures are Okta, Sophos, Tanium, Palantir, FireEye, Splunk, Zscaler, Lookout, CloudFlare, Illumio and AVAST.

Each has attained an enviable position as a valued solution to an important set of customer security pains. The entrepreneurs who built these companies (many of which are privately held) and the investors that backed them deserve their success. But in a world where technology is changing rapidly, and in which attackers are agile and focused, which of these unicorns will survive? What is the halflife, perhaps measured by stock value, of a cybercorn?

The most profound trends in the IT landscape are, of course, the rapid adoption of cloud services and growing mobility of the workforce. All too soon, application back-end micro-services will automatically and reliably scale as needed in the cloud, accessed by users over the public Internet.

Cybercorns that have bet on a long-lived traditional IT infrastructure are already in trouble. If the user is working in Starbucks, what value is a network security product that attempts to protect an indefensible network perimeter? If your organization is adopting Office 365, when a user opens a potentially threatening attachment, it runs in a virtual machine, in Azure.

You have no need for a supposedly secure “email gateway” that attempts to find evil attachments on your Exchange Server. FireEye stands to lose most among the cybercorns I’ve listed — its halflife is already being probed by the public markets.

Companies that are built for and can secure the future of IT infrastructure — cloud-based applications and mobile app users — can ease customers’ transition to the cloud and deliver value that stands the test of time.

A quick sort of the cybercorns I listed identifies those that deliver value as a cloud service: Okta, Zscaler, CloudFlare and Illumio deliver products and technologies form-factored for the cloud, paid for on a subscription basis, that are easy to adopt, sticky (valuable) and non-intrusive in traditional IT operations.

Splunk has delivered tremendous value and is very sticky, and though its deployment is primarily tied to traditional enterprise on-premise infrastructure, it also can be consumed from the cloud. As a big data platform, it has the opportunity to unlock tremendous incremental value through the addition of new vertical apps that help to further streamline IT operations, including security.

On the downside, Splunk’s core technology is not awfully hard to replicate, and open source competitors already exist. Splunk’s biggest weakness is its data size-based pricing, which leaves customers wondering about the marginal value of more data — the precise opposite of the obvious strategy, which is to encourage customers to store more and more data in the platform and to charge based on the value delivered from it rather than the volume.

Proofpoint is also cloud-centric, but like Tanium and AVAST, it controls and manages the endpoint. Proofpoint is an agile escape artist that has avoided the rapid commoditization of mobile security products thus far. But Microsoft’s presence looms large, and its Enterprise Mobility Suite offering includes Enterprise Mobility Management, Azure AD and mobile security for only $7 per user, placing an immovable floor on the market opportunity.

Proofpoint also needs to compete with well-heeled enterprise players such as VMware and Citrix in a crowded market that has already witnessed the shocking collapse of Blackberry and Good Technology.

Rapid changes on the endpoint will dramatically challenge other cybercorns. For instance,  AVAST is popular among consumers for its free AV, and charges for premium versions. But even my mother knows that AV is not needed for her iPad, and the appeal of free, consumer-centric AV in the enterprise is limited.

In an online environment faced with agile, adaptive adversaries, every detection tool will fail at some point.

Sophos is a successful cybercorn in the enterprise endpoint security market. It faces an uphill battle, though. Antivirus-style detection is outmoded and ineffective and Microsoft System Center Endpoint Protection is included free with the enterprise license agreements. Sophos also faces stubborn incumbents in McAfee and Symantec, has yet to offer any substantially differentiated technology and faces commoditization from the 25+ other traditional endpoint security vendors fighting for the same dollars.

Tanium, which cut its teeth in patch management and then pivoted into endpoint detection and response (EDR) faces a double whammy: Its idea of a peer-to-peer patch delivery protocol has already been subsumed into Windows Update, and its EDR feature set offers little more than the free utility Sysinternals offered by Microsoft. It has the advantage of a rumored $200 million in annual revenue, and may be able to avoid commoditization. But to do so successfully it will need to escape from the already crowded EDR market.

Gartner is tracking more than 40 vendors of EDR products, including the major incumbents, Symantec and McAfee (now part of Intel Security). Finally, all of the detection-focused cybercorns face the brutal mathematics of Turing’s halting problem: In an online environment faced with agile, adaptive adversaries, every detection tool will fail at some point. Detection tools cannot protect their customers, and while helping IT staff to more quickly sniff out breaches is useful, it amounts to little more than closing the stable door once the unicorns have bolted.

Ultimately, I foresee only two long-term defensible plays for these cybercorns. First, a focus on securing customers’ transition to and use of the cloud. And second, companies that quickly and intelligently sift through reams of data to make IT more responsive, agile and secure. It will be fascinating to watch what happens.