CrowdStrike, Inc. (CRWD) originally designed its Falcon endpoint security platform to appeal to enterprise users but has broad appeal to the small business segment in just the United States alone. The analysis here builds a case for CrowdStrike to grow increasingly stronger as a go-to solution for small businesses.
Small is Big
Some of us might be surprised at what SBA (Small Business America) considers to be a ‘small business.’ Per the SBA Table of Size Standards, a business can qualify as being small based on the number of employees and average annual receipts, both of which vary by industry segment. The size standard classification is intended to assess a business’s eligibility for SBA loan programs and federal contract opportunities. To offer a rough idea of the range of eligibility, depending on the segment a business operates in, it can be classified as a small business if annual receipts are under $1 million to under $41.5 million or if it has under 100 to under 1,500 employees on its payroll.
By this reckoning, there were approximately 30.9 million small businesses in America in 2019, which made up 99.9% of total U.S. businesses and 47.3% of the total private workforce in the country. Even if each business spends a ridiculously low average of $1000 every year on protecting its endpoints, that’s a $30-billion-a-year opportunity right there. For reference, an endpoint is any device connected via the Internet to a company’s web assets, digital files and networks, and that includes desktops, laptops, smartphones, IoT devices, and other connected or ‘smart’ devices.
The Threat Landscape for Small Businesses
Although the NIST Small Business Cybersecurity Act (S. 770) was signed into law more than two years ago, small businesses continue to face a significant threat from bad actors. The 2020 Data Breach Investigations Report from Verizon shows that 28% of the nearly 4000 confirmed breaches covered by the report targeted small businesses. Extrapolating that to the small business landscape, more than 1 in 4 – or about 8.7 million – businesses face the risk of a potential data breach, which could cost them an average of $200,000. There’s also evidence pointing to the pandemic seeing elevated levels of attacks. Extend that data further as it applies to small businesses around the world and what you have is a mind-blowing market opportunity waiting to be captured through simple digital advertising and content marketing techniques.
Now, combine all those data points with the fact that small businesses that somehow managed to keep their heads above water during the lockdowns are now under tremendous financial pressure. The result is a massively exposed and financially weak attack surface that is highly attractive to bad actors now and in a post-pandemic era. Moreover, with most businesses now following a work-from-home model for large numbers of their employees, that attack surface has expanded exponentially. The reality is that smaller businesses are largely unprepared to deal with the heightened security challenges posed by a WFH set-up.
CrowdStrike is Well-positioned to Fill This Gap
There’s no denying that a huge gap exists between what small businesses need in terms of security and the resources they have access to. That’s where CrowdStrike’s appeal comes in. By taking advantage of the highly simplified front-end Falcon agent/sensor, a small business can quickly protect its endpoints no matter where its employees are working from or where such endpoints are deployed. In addition to next-generation anti-virus protection, the Falcon system offers add-on options such as threat intelligence, USB device control, firewall management, incident response, threat hunting, etc. All of these are essentially click-to-turn-on services that can be activated once the agent or sensor is installed on the device.
CrowdStrike’s managed services for the Falcon platform can also help small businesses keep their costs down in terms of eliminating the need for a dedicated expert to handle their security needs. I think that’s one of the major key selling points when talking to resource-crunched businesses. An information security specialist can command a rate of up to $50 an hour, and if you include bonuses, benefits, profit-sharing, commissions, and so on, you’re looking at an annual salary in excess of $120,000 a year at the upper end. Moreover, with the job market being seriously short on cybersecurity experts, businesses will have to spend even more on hiring costs and joining bonuses to find the right person, on-board them, and retain them.
One of the reasons smaller businesses don’t have the kind of security posture they need in the current threat environment is the complexity of most endpoint security solutions; either that or the prohibitive cost of a managed service from a larger provider – or both.
In such a scenario, an easily deployable, cloud-enabled, and SaaS-like (Software as a Service) solution like CrowdStrike Falcon – in effect, an ‘endpoint security as a service’ solution – offers an attractive proposition to small businesses that need protection now, not later.
Global Appeal for CrowdStrike’s Services
Although this article focuses primarily on CrowdStrike’s opportunity in the small business segment, not surprisingly, many of the aspects of cybersecurity relevant to small businesses also apply to enterprises.
For instance, the WFH scenario has a much deeper and wider impact on large corporations because the number of endpoints just explodes when thousands of employees are remotely using multiple devices to connect to the company’s secure networks. And because of this mass decentralization of endpoints, the only answer is an equally decentralized endpoint security utility delivered like any other cloud-based software application, but with a single, lightweight agent that’s easily installed on the device in question.
Another important value proposition for both enterprises and small businesses is the sheer data off of which the Falcon platform works. At the heart of CrowdStrike’s solution is Threat Graph, the brains behind the operation. Threat Graph leverages the power of AI-driven cloud analytics to process trillions of events on a monthly basis, capturing endpoint telemetry, analyzing the data intelligently for correlation, and making actionable information available to the endpoint agent in a real-time environment. As the number of endpoints connected to the Falcon platform grows, the volume of data available to Threat Graph grows along with it. This allows the agent to detect and defend with the most current information at its disposal – a critical consideration in any type of security architecture.
Although CrowdStrike’s technical credentials are certainly impressive, potential investors will want to know more about the business in terms of growth momentum, the competitive landscape, and the edge that CrowdStrike has over the competition.
One of the ways to look at the competitive advantage is to measure a company’s revenue growth momentum against the estimated growth of the overall market segment. Per the company’s own estimates and data from IDC, the market is expected to keep expanding at a CAGR of around 9% through 2022.
Source: Q2 Earnings Slide Presentation
When you compare that figure with CrowdStrike’s revenue growth over the past few years, it’s easy to see that its platform has a significant edge in endpoint security. Between FY-17 and FY-20, total revenue grew from $52 million to $481 million, representing an eightfold increase over the three-year period. In the last reported quarter, Q2-21, the company recorded an 84% revenue growth rate.
Such growth rates typically point to a company operating in either a new niche or one that’s low on competition. On the contrary, endpoint security is a mature market with a mix of deep-pocketed, seasoned players and newer, more agile trailblazers. There’s virtually no moat in this segment, and that’s exactly why a company like CrowdStrike that’s less than a decade old can come in and still keep growing at nearly ten times the rate of the overall market. The growth cadence will certainly slow down as the company achieves greater scale, but as long as the company keeps delivering revenue growth in mid to high double-digit percentages, it will stay ahead of the pack. According to the Forrester Wave Enterprise Detection and Response report for Q1-2020:
Forrester’s research uncovered a market in which CrowdStrike, Microsoft, and Trend Micro are Leaders; SentinelOne, Cybereason, Bitdefender, VMware Carbon Black, and Elastic are Strong Performers; and Kaspersky, McAfee, Palo Alto Networks, and BlackBerry Cylance are Contenders.
CrowdStrike is yet to achieve profitability, but if you look at the income statement, it becomes immediately clear why that is the case. The company has been spending 60% to 70% of its revenue on SG&A to fuel its growth. The bulk of that expenditure goes toward sales and marketing and is currently at over 50% of total revenue as of Q2-21. I’m of the opinion that establishing a sustainable growth cadence is far more important than impressing investors with a hefty bottom line, especially at such an early stage of a company’s journey. The profitability will eventually come when the business achieves economies of scale, but it’s far too early for that. Right now, the priority is and should be on capturing market share and growing its customer base.
Source: Seeking Alpha
As an investment, CrowdStrike offers a lot of opportunity for capital appreciation. Over the past six months, the stock has appreciated 135%, and I believe there’s more than enough revenue growth momentum to help it double in value over the next year to eighteen months. Even using a highly conservative year-over-year growth rate of 55% on top of the Q2-21 TTM figure of $654 million, we could see the company breach the billion-dollar TTM revenue figure come Q2-22. If H1-21 is anything to go by, that might happen as early as Q1-22.
From a risk perspective, CrowdStrike has largely been able to nullify the threat from competitors both large and small. It has created a niche within a niche and is leading the pack with aggressive spending on growth, which isn’t something that most of its larger competitors can afford to do. That’s not an advantage we can or should ignore. The business risk in terms of concentrated streams of revenue is virtually absent, and the larger threat of an extended pandemic will only bolster the need for businesses to secure their exposed endpoints as their employees continue to work from the safety of their homes. I said earlier that there’s virtually no moat in this market, but if there is a moat somewhere in this highly fragmented playing field, CrowdStrike just may have found it.
Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.