Our team at RSA 2024

Our team members Matthew Jacobs, Curt Kahn and Andrew Brodsky recently attended RSA, a leading global cybersecurity conference in San Francisco. The team spent the week meeting with companies, advisors and other investors to discuss a variety of industry topics. Below are some key takeaways from the conference:

Gone are the days of "growth at all costs."

In contrast with recent years, investors were much more focused on profitability at this year's RSA Conference. In light of a more difficult macroeconomic backdrop, investors are showing less appetite to fund cash-burning businesses for years on end. As such, cybersecurity companies are focused on demonstrating profitable growth. While rapid growth will remain a characteristic of the cybersecurity industry for years to come, there is a growing desire by investors to balance growth with profitability.

For example, a common metric used to evaluate cybersecurity (and broader software) companies is the Rule of 40. In brief, a company is considered healthy if the addition of its annual revenue growth and EBITDA margin sums to 40%. In prior years, many cybersecurity companies were able to achieve "Rule of 40" status by growing more than 40% per year, offset by cash burn. At this year's conference, companies that demonstrated balanced growth (e.g., 30% growth combined with 10% EBITDA margin) were viewed most positively.

A shift from "best of breed" to "best of suite."

For years, companies have looked to adopt best-of-breed security solutions to achieve maximum cyber coverage. For many customers, however, this has led to a proliferation of tools and technologies that aren't as compatible or effective as desired. To address these issues, companies are undergoing comprehensive evaluations of their cybersecurity posture, oftentimes leading to rationalization of vendors. This results in a preference for cybersecurity platforms vs. individual solutions, to reduce complexity and maximize utility.

From an investor perspective, we view this as a critical shift in customer behavior. In order to compete in a crowded market, companies must understand whether they fall into the "platform" or "solution" category. While there are many factors to determine this categorization, one good way of determining viability as a platform is to look at net retention. Strong net retention figures indicate a company's ability to upsell additional modules and/or capabilities (i.e. act as a platform, not just a single solution).

While being a platform may be desirable in the long-term, there still remains plenty of opportunity for best-of-breed solutions. Any company with strong gross retention figures has the ability to drive consistent growth. However, it's important that solutions think creatively around partnerships and M&A consolidation as potential avenues of driving long-term value.

Cloud hyperscalers continue to jostle for cybersecurity market share.

One of the bigger pre-RSA Conference announcements was the broadened strategic partnership between AWS and CrowdStrike. For years, AWS, Microsoft and Google have competed alongside pure-play cybersecurity platforms for market share. Recent data indicate that Microsoft has been winning this battle. However, AWS' partnership with CrowdStrike, one of the leading pure-play cybersecurity platforms in the market, has the potential to disrupt recent market momentum.

The partnership does raise several questions, however:

• How does this impact AWS' efforts to build homegrown security solutions?
• Will this lead to questions around cloud hosting independence for CrowdStrike customers?

It's likely too early to tell how big of an impact this partnership will have on AWS, CrowdStrike and the broader competitive landscape - but it's certainly interesting to observe collaboration at the very top of the cybersecurity market.