Cybersecurity Spotlights, 3 Companies that Excite Us
We launched the Rize Cybersecurity and Data Privacy UCITS ETF in January last year with the objective of enabling investors to participate in one of the biggest growth stories of our time: cybersecurity. This is a space that – over the last couple of years – has exploded in size and scale and grown into a multi-billion-dollar industry yet still to this day shows no signs of abatement. Companies in the sector have been focused on capturing this growth, as the consistent and unrelenting uptick in cyber-attacks around the world has forced their security teams into a game of cat-and-mouse – trying to stay one step ahead of their most challenging adversary yet – the insidious cybercriminal.
In the last few years, we have also seen security teams eschew antiquated technologies to address the omnipresence of the cyber-threat in favour of new and more sophisticated tools. In particular those leveraging cloud-native software and machine learning. We have seen the emergence of predictive security, zero trust and identity and data privacy solutions. We have seen the rise of brand-new companies in the cybersecurity ecosystem with better and more powerful offerings that are more suitable and scalable across the organisation that needs protecting. In this piece, we review three highly innovative companies in our ETF to illustrate why they have us excited.
Number 1: Cloudflare
Cloudflare (NET) may be the biggest internet company you have never heard of. Founded in San Francisco in 2009 by entrepreneurs Matthew Prince (now CEO), Michelle Zathyn and Lee Holloway, Cloudflare debuted on the New York Stock Exchange on September 13th, 2019. Cloudflare describes itself as a web performance and security company focused on providing online services that protect and accelerate websites online. In simple terms, they help customers with cloud deployments to make their internet properties (such as websites, blogs, apps and web-based services) faster, more reliable and more secure.
Here’s how it works:
In the early days of the internet, if you wanted to load a website, your request would go from your computer to a server, which would then return the website you requested. If too many requests came in at once, the server would overwhelm and crash, becoming unresponsive to anyone trying to access it. This made it difficult for owners of internet properties to provide content to users that was fast, reliable and safe. Cloudflare came along to try to solve this problem. They began experimenting with ways to lower latency in the system by adding advanced caching processes and removing bad traffic. This intermediary design allowed Cloudflare to offer a level of filtration for security. By sitting between the client and the server, it could detect malicious traffic, intercept cyber-attacks, remove bots and limit spam. This design became known as the Cloudflare Content Delivery Network, or their CDN service.
Since then, Cloudflare has grown its service to dozens of new products and hundreds of new features, all while opening six offices across three countries and bringing over 190 data centres online. All of these efforts have propelled the benefits of their service – including security, performance, reliability and insights – to millions of customers around the world.
Source: Cloudflare Blog, “#BetterInternet: Join the Movement”, 2 October 2018. Available at: https://blog.cloudflare.com/betterinternet-join-the-movement/
Why do we find Cloudflare so exciting? Two key reasons. One is that, until recently, most of Cloudflare’s customers were companies – big and small. However, about two years ago, in an interesting move, Cloudflare launched a new service aimed at the consumer cybersecurity market, dubbing it 188.8.131.52, or 1 dot 1 dot 1 dot 1. This has put Cloudflare on the map as a champion for consumer privacy. The new service allows everyday consumers to protect their data from leaking on to internet service providers and/or other businesses trying to track them across the internet. It does this by encrypting the traffic to the servers that web browsers contact in order to translate a site’s URL (such as Google.com) to its numerical IP address (such as 184.108.40.206), thereby taking away an easy web-surfing roadmap for snoops. These snoops can be anyone from a lone hacker to more nefarious organisations.
The other is that reason is that Cloudflare truly is a cloud security pioneer. Indeed, the name Cloudflare itself is derived from the company’s original mission of building firewalls directly in the cloud. In the past organisations have kept their vital data and services behind firewalls – within a simple perimeter – that has been relatively easy to control. But with the rise of public clouds, private clouds, hybrid clouds and others, this perimeter has been pushed into the internet itself. And unlike a lot of legacy security vendors who have scrambled (and some which are still scrambling) to unify and bundle their services in the cloud, Cloudflare’s service have always been cloud-based. This has meant that the company has been more successful at scaling and ensuring compatibility with cloud-based architectures versus legacy hardware solutions that have required continuous patching and upgrades.
While the cloud has certainly created new vulnerabilities, it has also created a host of new possibilities and opportunities and Cloudflare has been well positioned and continues to capitalize on these. Just like Apple capitalised on mobile, Salesforce on SaaS and Zoom on video communication, Cloudflare now has the opportunity to capitalise on the cloud – it is truly part of the company’s DNA.
Number 2: CrowdStrike
CrowdStrike (CRWD) has fast become one of the most respected cybersecurity companies in the world. Their name first sprung up in the news back in 2016 when they were brought in by the Democratic National Committee to investigate the cyber-interference in the US election campaign. It was CrowdStrike that subsequently uncovered that the cyber-attack had been carried out by two groups of Russian-backed outlets rather than by a lone hacker (as had been originally assumed).
CrowdStrike is perhaps best known for its core offering, Falcon. This market leading platform is designed to prevent even the most sophisticated attacks with endpoint security points sitting right at the heart of a unified set of cloud-delivered technologies.
Let’s explore how that works:
Traditional endpoint security is about protecting endpoints. Endpoints are normally end-user devices such as computers or laptops, mobile phones, IOT devices or virtual workloads. Preventing attacks at the endpoints therefore is of critical importance because that is where all the sensitive data is stored. Endpoint security differs from traditional ‘antivirus’ software which is considered the most basic prevention component and is designed to remove only known viruses or malware. Even if – for example – a threat slips past the antivirus programme, endpoint security can be far more dynamic and detect and contain the attacking party.
CrowdStrike has managed to differentiate itself from competitors by not only unifying endpoint security with next-generation antivirus software, but also by delivering it entirely over cloud-native infrastructure and embedding Artificial Intelligence (AI) into the security layer. The company has spent years developing and honing a powerful AI that is being constantly bombarded with high volumes of crowd-sourced attack data to achieve better efficacy and lower false positive rates. This technology allows the company to not only rectify threats but also detect would-be threats as well as uncover new forms of potential hacking through pattern recognition.
CrowdStrike went public on June 12th, 2019 at a valuation of $12.6 billion. Today the company has a market value of over $62 billion. But we believe this is just the beginning for CrowdStrike. Amongst its endpoint peers, CrowdStrike already shines with its next-gen security cloud that is getting smarter by the day. And with a brand that is already reputable and well established, we expect this company to go from strength to strength.
And incredibly, the company’s brand is not just well known to its customers and investors. It is also well known to its adversaries. The following story perhaps sums it up best.
In 2015, a besieged CrowdStrike customer needed backup support. So the company sent in reinforcements, placed its software sensors across the breached business’s computing environment, and started gathering intel. In very short order, the investigators spotted a state-sponsored hacker known as “Hurricane Panda”, an old Chinese nemesis that the CrowdStrike team had been fighting since 2013. What happened next surprised them: When the attacker discovered traces of CrowdStrike in the machine they had infected, they actually fled.
Number 3: KnowBe4
Whilst technological solutions such as those offered by Cloudflare and CrowdStrike can be highly effective, the possibility of an employee him or herself succumbing to social engineering can never be entirely prevented. Education and awareness are therefore pivotal in preventing employees from being manipulated, deceived or influenced into handing over the keys to an organisation. This is where our third company comes in: KnowBe4.
KnowBe4 is the world’s largest integrated platform for security awareness training and simulated phishing attacks, enabling organisations to assess, monitor and minimize the ongoing cybersecurity threat of social engineering.
The company’s value add is highly visible and real proof of its effectiveness is demonstrated through its results-based training programme.
Take its Kevin Mitnick Security Awareness Training programme.
The programme begins with a baseline test to show the actual phish-prone percentage of an organisation’s users. It then immerses users in interactive, on-demand browser-based training. Finally, it allows employers to send frequent simulated phishing attacks to employees to reinforce the training and provides tools to monitor the improvement of the phish-prone percentage over time.
Many of you reading this may indeed be familiar with the ‘Report Phishing’ button on Microsoft Outlook and the message congratulating you for identifying a potential phishing threat as part of an ongoing cybersecurity training programme.
KnowBe4 was crowned a leader in the Forrester WaveTM: Security Awareness and Training Solutions in Q1 2020 receiving the highest scores possible in 17 and out of the 23 evaluation criteria. This report placed it against 12 leading vendors in the cybersecurity category which included companies like Infosec, CybSafe, Mimecast and Kaspersky to name a few.
KnowBe4 went public on the Nasdaq in April 22nd, 2021 with its shares opening nearly 25% above the offer price. The firm benefited vastly during the pandemic as companies spent large amounts of money to protect their IT infrastructure with employees working from home, and threat of social engineering becoming realer than ever. According to one global CIO survey, social engineering was the fifth leading investment priority in cybersecurity with 30% of respondents reporting a significant investment increase planned in this area. We believe the “human link” in the cybersecurity chain is likely to remain the weakest link. Attending to this human element will therefore remain critical and – we believe – help drive continued spending on for security and training solutions. This bodes well for KnowBe4 and companies like it.
 Bloomberg, “Cloudflare Jumps in Trading Debut After Raising $525 million”, September 2019. Available at: https://www.bloomberg.com/news/articles/2019-09-13/cloudflare-jumps-in-trading-debut-after-raising-525-million
 Cloudflare, “What is 220.127.116.11?”, 2020. Available at: https://www.cloudflare.com/learning/dns/what-is-18.104.22.168/
 Medium, “CrowdStrike, The DNC’s Security Firm, Was Under Contract with The FBI”, June 2017. Available at: https://medium.com/theyoungturks/crowdstrike-the-dncs-security-firm-was-under-contract-with-the-fbi-c6f884c34189
 Google Finance, “CrowdStrike Holdings Inc”, 05 December 2021. Available at: https://www.google.com/finance/quote/0A3N:LON?sa=X&ved=2ahUKEwia2degvYf0AhWUecAKHRr4AggQ3ecFegQIBhAc
 KnowBe4 Security Awareness Training, November 2021. Available at: https://www.knowbe4.com/pricing-kevin-mitnick-security-awareness-training
 The Forrester Wave™: Security Awareness and Training Solutions, Q1 2020, Forrester Research, Inc., February 25, 2020
 Reuters, “KKR-backed KnowBe4 valued at over $3.5 billion in strong Nasdaq debut”, April 2021. Available at: https://www.reuters.com/article/us-knowbe4-ipo-idUSKBN2C92JW
 Worldwide; Flexera Software; 2020; 302 respondents; Majority of respondents are C-suite executives (CIOs and senior IT executives) from organizations with at least 2,000 employees.