George Kurtz, CEO of CrowdStrike, discusses Microsoft, China, and the SEC.

This year, the stock price of cybersecurity company CrowdStrike has increased by over 130%, outpacing both the broader indexes and its larger competitors. George Kurtz, the CEO, discusses the company’s accomplishments and the significance of cybersecurity for national security.

George Kurtz, CEO of CrowdStrike, has had an incredible year. The cybersecurity company’s stock price has increased by over 135%, outpacing both the broader indexes and larger competitors. Even though it has grown more slowly than in previous years, CrowdStrike’s annual recurring revenue has continued to rise, and Kurtz stated that the company can still reach its goal of $10 billion in recurring revenue in seven years.

The achievements occur as executives and investors are more concerned than ever about cybersecurity risks. Disclosure of “material” cybersecurity events will be mandatory for publicly traded companies. The Securities and Exchange Commission’s (SEC) new regulations formalize for executives what is already known: investors have a right to know when corporate profits are impacted by hacks.

“What you’re seeing is really that cybersecurity used to be a backroom operation and now it’s front and center in the boardroom,” Kurtz stated about the SEC and mandatory disclosure.

According to Kurtz, there will probably be benefits for CrowdStrike from the new rules. In addition to making a healthy profit from the sale of its Falcon security platform, which shields millions of customers’ computers from hackers, the company also operates a professional services division that assists both big and small businesses in dealing with hackers who have already gained access to their systems.

Financial filings show double-digit growth for the latter division every year. The market caps of victims have taken a serious hit due to a spate of high-profile hacks, the kind of incidents to which the new SEC rules will apply. For instance, the operations of Caesars Entertainment, Clorox, and MGM Resorts have been severely hampered by the same hacking group in the past six months. As previously reported by sources, Caesars settled a $15 million ransom, and the hack cost MGM $100 million for the quarter.

Reacting to cyberattacks is a profitable endeavor. According to Kurtz, for every dollar that businesses paid CrowdStrike to address hacks, the company earned about $6 in new subscription income. In the most recent quarter, revenue at CrowdStrike’s professional services division—the emergency response branch of the company—grew by 57% year over year.

Regarding the likelihood of a hack, Kurtz stated, “In most organizations, it’s not if, it’s when.”

The information that CrowdStrike obtains from incident response will probably play a significant role in determining whether boardrooms of publicly traded companies experiencing a breach will have to reveal the breach or not.

“It’s not something we can answer for companies,” Kurtz continued.

Kurtz stressed that although incident response is profitable for CrowdStrike, the company’s primary goal is to help customers prevent these sorts of attacks upfront and provide visibility.

In addition, CrowdStrike has concentrated on expanding its business with government organizations, thereby strengthening the public-private alliances that support US cyber defense.

“I think there is a real recognition of the threats that are out there,” Kurtz said about Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency. “Government work takes longer than I believe anyone would like, but things have improved over time.”

Easterly and the Biden administration have stressed that cybersecurity is a national security issue. Like many businesses (such as Google Cloud’s Mandiant), CrowdStrike closely collaborates with the government to analyze and respond to hacks, including those that come from actors associated with Russia and China.

Considering the implications for national security and diplomacy, a large portion of that work is done behind closed doors.

Nevertheless, the CEO of CrowdStrike did not hold back when he criticized Microsoft’s handling of a high-profile hack that rocked the US government earlier this year. Chinese intelligence had stolen Microsoft security keys, which they then used to break into the Departments of State and Commerce.

Kurtz stated, “It’s odd to me that they didn’t file an 8-K, given the extent — their certificates being stolen and used to break into the government.” Kurtz was referring to the regulatory filings that companies make when a material event occurs.

For CrowdStrike, which has emphasized security flaws with Microsoft software in its sales presentations, Kurtz’s remarks are a familiar refrain. Sen. Ron Wyden, a Democrat from Oregon, among others, has expressed similar views.

Microsoft opted not to respond.

Kurtz believes that neither small nor large businesses will fare any better in 2024. The development of easily accessible artificial intelligence tools has the potential to increase the effectiveness of software-driven attacks as well as social engineering attacks, which take advantage of weaknesses in human operators.

Even though there seems to be less tension after Chinese President Xi Jinping’s visit to San Francisco, the risk from China is still there.

“I don’t know that there is any sector that is exempt from worrying about China in 2023,” Kurtz stated.

Regarding small and medium-sized companies, Kurtz said, “Maybe you won’t be attacked if you’re the smallest SMB. Ultimately, though, you might come into contact with a different business that they genuinely care about. You might just be collateral damage in the process of achieving a greater goal, whether it is China or other enemies.”