How Could Platformization Work in Cybersecurity?

There is no such thing as a cybersecurity platform...yet. What would it take for platformization to happen?

The idea of a cybersecurity platform seems unreasonable because...well, it is unreasonable. That's the whole point.

In his new book Same as Ever, Morgan Housel said this about people's behavior towards limits:

Optimism and pessimism always have to overshoot what seems reasonable, because the only way to discover the limits of what’s possible is to venture a little way past those limits.

That's it. Being optimistic about platformization in cybersecurity is about testing the limits of what's possible in our industry.

Being pessimistic about a single, end-to-end cybersecurity platform is easy to do. There are all kinds of reasons platformization hasn't worked in cybersecurity. But it's a straw-man argument.

Why? There will never be a one-ring-to-rule-them-all cybersecurity platform all customers buy from a single company. The real discourse here is about something different.

Platformization is about the process of cybersecurity products moving towards platforms. It's not about the extreme ends of the spectrum. It's about the market moving towards one side of the spectrum or the other.

The question isn't, "why won't platformization work in cybersecurity?"

A better question is, "what would it take for platformization to work in cybersecurity?"

Being optimistic and unpacking the conditions required for platformization to happen in cybersecurity is harder. It's where we need to put our energy and brainpower. We need to venture a little way past our limits.

Let's start by talking about platformization in other areas of tech.

Platforms are tech's ultimate prize

If you zoom out and look at the broader tech industry, you see the same pattern play out over and over: platformization wasn't possible...until it was.

A common goal among tech's most ambitious companies has been their desire to build platforms in areas where they didn't exist before.

Apple and Microsoft built personal computing platforms.

SAP built an enterprise resource planning platform.

Epic built a healthcare platform.

Salesforce built a customer relationship management platform.

Facebook built a social networking platform.

Amazon built an infrastructure platform.

ServiceNow built an IT operations platform.

If people's lives, work, health, money, and relationships can be platformized, cybersecurity can too. We're important, but it's tough to argue we're more important than most of the domains where platforms already exist today.

Speaking of platforms in cybersecurity...

We already have platforms in cybersecurity

An important detail got lost in the fray of bantering about platformization: we already have platforms in cybersecurity.

Okta is an identity platform.

CrowdStrike is an endpoint security platform.

Zscaler is a network security platform.

Splunk is a security operations platform.

Wiz is a cloud security platform.

They're all pretty good ones, too. Not perfect, but enough to drive the buying behavior of security leaders from dozens of point products to platform companies in each of these domains.

What we don't have yet is a multi-estate platform — something that spans major domains like security operations, networks, identity, and so on. Single domains are the current limit of what's possible in cybersecurity.

Moving beyond our current limits requires thinking in relative terms, not absolute terms. Let me show you what I mean.

The spectrum of cybersecurity platformization

Thinking about platformization as an all-or-nothing thing is a trap.

Security leaders are never going to buy all of their products and services from one company. They're never going to buy from all different companies, either.

These scenarios are the extremes. Reality lies on the spectrum between them:

The spectrum of platformization and distribution.

The way to think about this is in relative terms — where do we sit on this spectrum? More importantly, where will we sit if certain things happen?

Distributed products are the default state. Most companies can't just wake up in the morning and decide to be a platform. It takes a lot of capital, and there are stages of progression involved to get there. Platformization itself is a competitive moat.

Movement along the spectrum is where the real magic happens.

If things like cybersecurity mesh architectures gain traction, or cybersecurity companies get really good at partnering and integrating, the market gets further entrenched on the distributed end of the spectrum.

If the benefits of using cybersecurity platforms built by a single company clearly exceed their distributed alternatives, they'll push the market towards the platform end of the spectrum.

How far cybersecurity companies can bend the median is a multi-billion-dollar proposition:

Platformization-distribution budget curve.

The economic tilt of even a small movement towards platformization is huge.

With platforms, fewer companies control a greater percentage of overall cybersecurity spend. You don't even need to be the end-all be-all cybersecurity platform. Just nudge the needle, and you’ve won.

This dynamic and its forces are a very fluid situation, but we're never going to end up at either one of the extremes.

Lots of factors can drive movement in either direction along the spectrum. Let's look at what it would take for a meaningful movement towards cybersecurity platformization to happen.

What could work: nudging cybersecurity towards platformization

Successful platformization is so rare that it's silly to say a playbook exists. Cybersecurity has its own set of nuances and idiosyncrasies, just like every relatively large industry.

However, there are some themes we can draw from platformization in other areas of tech and what's worked (and hasn't worked) so far in cybersecurity.

Real platforms: by the technical definition, not the marketing definition.

Building actual technology platforms is the biggest factor by far that will influence the success of platformization in cybersecurity.

Yep, this means everything real platforms have, soup-to-nuts — integrated UIs, data layers, ecosystems, you name it. There aren't any non-technical shortcuts, even if you buy parts of the platform. Everything has to work.

It's disingenuous to call a bundle a platform. This strategy might work for a little while, but technology doesn't lie. Once you're exposed, it's all over. Just ask Symantec, McAfee, and CA.¹

The only way the cycle of product innovation, sales and marketing, financial incentives, and other factors we're discussing here will work is if customers actually want the product.

Product innovation has to be able to keep up with every other idea we're discussing in this section. If the product falters, nothing else works.

Obsession: cybersecurity focus, expertise, and commitment.

Building a multi-estate cybersecurity platform is going to take focus. It needs to be a singular effort. "Obsession," in a word.

I have a hard time seeing a company who isn't fully focused on cybersecurity pulling this off. Large technology companies theoretically have the resources to build a cybersecurity platform. What they lack is the focus, expertise, and commitment to make this a reality.

Expertise has been a major factor in the cybersecurity platforms we've seen so far. George Kurtz knew exactly what needed to be done differently to build an endpoint security platform when he started CrowdStrike. Todd McKinnon had a similar insight for Okta from his time at Salesforce. It's possible an industry outsider could overcome this, but platformization is hard enough as it is.

And then comes the commitment part. A shift towards platformization is probably a decade-long effort or more. It's either going to take founder-led companies or some really committed senior execs to get this done.

Right now, we're in the middle of a multi-billion-dollar experiment to find out if it's possible for large tech companies to build cybersecurity platforms. Broadcom, Cisco, Alphabet, and Microsoft are all investing heavily in their cybersecurity business units. I'd expect some level of success, but it's improbable any of these companies will end up with a cybersecurity platform that has everything it takes to work.

Technological shifts: big and small technology changes, both inside and outside of cybersecurity.

Some factors driving platformization in cybersecurity are outside the control of our industry. Technological shifts are one of them. They've been a factor for platforms in every other sector of technology. We're no exception.

I'm not sure if AI is going to be the technological shift that makes cybersecurity platformization possible or not. AI is being thrown around as the hand-wavey solution to every problem right now. It will probably be part of the reason behind platformization in cybersecurity, but don't count on it being the only reason.

The breakthroughs driving platformization in cybersecurity might be more pedantic. It's easier than ever to build integrated technology platforms in any domain because our tools and frameworks are better than ever. As this leverage compounds, it gets easier to build and scale larger pieces of software.

Things really get interesting when technological shifts combine. Wiz became the fastest-growing cybersecurity company ever because of this. Building great products quickly got easier, and they used this to relentlessly seize the opportunity to redefine how infrastructure security is done for cloud computing.

Curation: creating a cybersecurity platform through building, buying, and partnering.

The phrase "building a cybersecurity platform" is oversimplified. When we're talking about platform scale, building alone isn't enough.

Mark Zuckerberg has talked about how finding and developing engineering talent is the number one constraint holding back growth of Meta. If Mark Zuckerberg can't find enough people to build at Meta, we have no chance.

Platformization in cybersecurity will need to happen through a combination of building, buying, and partnering. There can't be no building, of course — but solving the riddle of platformization is going to take some good old-fashioned dealmaking.

We all know about M&A, but acquisitions have to be executed differently this time. For platformization to work, companies need to buy the best products at the right time and... Actually. Integrate. Them.

This means having enough capital available for acquisitions, identifying companies in emerging categories early, then successfully executing the transactions before a competitor acquires them. None of this is easy to do.

I also expect we'll see white or gray labeling of components in a platform become more of a thing going forward. The incentives for moving the needle towards platformization are too high. Companies will do whatever it takes to source and integrate the best products, even if it means OEM'ing them from someone else.

Brand status: the first "luxury" cybersecurity brand.

Platforms seem to have an allure of luxury and exclusivity, at least in the early days. This isn't necessary in cybersecurity, but the broader trend is worth acknowledging.

Apple is the gold standard (no pun intended) of case studies for technology platforms. It's a luxury brand — they've literally hired luxury brand executives to run their business.

People pay more for Apple than they would for similar products if Apple didn't exist. Why? It's partly because they make amazing products. It's also because people want the status of owning an Apple product.

We're already starting to see this model replicated by a handful of leading cybersecurity platforms. If cybersecurity platforms truly can become better than distributed alternatives, owning one is going to be viewed as a luxury among big company executives.

Customer segmentation: big companies buy big cybersecurity platforms.

Building a multi-domain cybersecurity platform will likely require disciplined customer segmentation. This may seem counterintuitive at first — shouldn't platforms try to reach as many customers as possible?

Broad cybersecurity platforms for businesses of all sizes and consumers haven't worked yet. Symantec and McAfee tried this strategy with endpoint security and ended up unceremoniously separating their B2B and consumer businesses.

The enterprise customer segment is the obvious target for platformization, but it's not a straightforward answer. Enterprises have more complex problems and need more tools than consumers. This is tempting, but it also makes the challenges of platformization harder.

A cybersecurity platform for consumers or SMBs would likely have a smaller scope. A narrower focus on the product side could be an advantage in platformization, but time will tell.

Incentives: inertia is powerful, but so are the right incentives.

Lastly, platformization in cybersecurity needs the right blend of incentives.² In our industry, this means financial, social, and regulatory incentives.

The power of incentives becomes a lot more realistic if a cybersecurity company builds a platform customers really want. A great platform makes people want to buy something that they can't afford — or at least spend more money than they would before because they need to have it right now.

Customers won't stop buying point products unless (a) platforms are legitimately better, (b) they're forced to by their CFO or procurement, or (c) both.

Savvy security leaders aren't going to buy bad security products to save their company money. But they're also not going to buy commoditized products from multiple vendors. They're smart enough to recognize when a platform is advantageous and when it's not.

The bar for incentives is really high. For platformization to work, it needs to be clear that platforms provide the best possible defenses and advantages far beyond anything distributed products can offer.

Beyond our numbers and stories

Does executing all of this sound impossible? It should — that's part of the lesson here.

Platformization might be the single most difficult outcome to accomplish in technology. Just because it's difficult doesn't mean it's impossible. The only way to find out is to keep testing the limits.

Morgan Housel describes it like this:

The only way to know we’ve exhausted all potential opportunity from markets—the only way to identify the top—is to push them not only past the point where the numbers stop making sense, but beyond the stories people believe about those numbers.

Are we past the point in our industry where numbers and stories about platformization stop making sense? Maybe. We'll find out where the top is.

I don’t know which cybersecurity company is going to be the one who figures out platformization. Both numbers and stories tell us the journey has a ton of risk. Many a promising company has been destroyed in the pursuit.

Any company that figures out cybersecurity platformization is going to be worth $500-billion-plus. Anyone who doesn't is going to the private equity graveyard to be dismantled alongside the companies who tried before them.

And then the next audacious cybersecurity companies are going to keep on trying.


Acknowledgements

This article was influenced by thoughts from a broad set of people on the topic of platformization. A few specific influences are Adrian Sanabria, Eric Parizo, Francis Odum, Richard Stiennon, Tyler Shields, and our Palo Alto Networks Q2 2024 earnings webinar attendees.

Footnotes

¹Okay, "it's all over" might be dramatic. The point is companies who make this argument and get exposed lose their swagger and become B-list or C-list companies struggling to remain relevant.

²Charlie Munger would have wanted me to put incentives first, but here we are. RIP, GOAT.
