CrowdStrike CEO George Kurtz has had a banner year. The cybersecurity firm has seen its stock price surge more than 135%, beating out larger rivals and the . It's continued to grow its annual recurring revenue, albeit slower than years past, and in an interview with CNBC, Kurtz said CrowdStrike's path to $10 billion in within seven years remained achievable.
The successes come as cybersecurity risks weigh heavier than ever on investors and executives. Beginning Monday, public companies will be required to disclose "material" . The new rules from the formalize an already acknowledged reality for executives: investors deserve to know when hacks hit corporate bottom lines.
"What you're seeing with the SEC and mandatory disclosure," Kurtz told CNBC, "is really the fact that cybersecurity used to be a backroom operation and now it's really front and center in the boardroom."
The new regulations will likely offer upside for CrowdStrike, Kurtz said. The company does a selling its Falcon security platform, which protects millions of its clients' computers from hackers, but it also has a professional services unit that helps companies large and small respond to hackers who are already in their systems.
The latter business has seen double-digit growth year over year, according to financial filings. A rash of high-profile hacks — the kind of incidents that the new SEC rules will apply to — have hit victims' market caps hard. In the last six months, for example, the crippled at , and . Caesars $15 million in ransom, sources previously told CNBC, while MGM took a $100 million hit .
Responding to hacks makes for great business. For every dollar companies paid CrowdStrike to respond to hacks, CrowdStrike collected roughly $6 on average in new subscription revenue, Kurtz said. CrowdStrike's professional services unit — the emergency response side of the business — saw revenue grow 57% year over year in its most recent quarter.
"In most organizations, it's not an if, it's a when," Kurtz said, referring to the inevitability of a hack. For public companies suffering a breach, the intelligence CrowdStrike gathers responding to incidents will likely form a big part of deciding whether boardrooms need to disclose a hack or not.
"It's not something we can answer" for companies, Kurtz said.
While incident response is good business for CrowdStrike, Kurtz emphasized that CrowdStrike's main focus is "to help customers prevent these sorts of attacks upfront and provide visibility."
CrowdStrike has also focused on growing its sales to government agencies — building on the public-private partnerships that underpin U.S. cyber defense.
"I think there is a real recognition of the threats that are out there," Kurtz said of the , and its director, "It takes longer than I think anyone would like in government, but we've seen progress over the years."
The Biden administration, including Easterly, has that cybersecurity is a matter of national security. Like many companies, including Cloud's , CrowdStrike works closely with the government to analyze and respond to hacks, including those emanating from actors aligned with and .
Much of that work is done behind the scenes, given the national security and diplomatic implications.
Still, the CrowdStrike CEO did not hold back in criticizing response to a that shook the U.S. government earlier this year, when Microsoft security by Chinese intelligence and used to the State and Commerce departments.
"It's odd to me that they didn't file an 8-K, given the extent — literally their certificates being stolen and used to break into the government," Kurtz said, referring to the regulatory filing companies make when a "material" event has occurred. His words echo a familiar refrain for CrowdStrike, which has associated with Microsoft software in its sales pitches. But others, including Sen. Ron Wyden, D-Ore., have said .
Microsoft declined to comment.
Kurtz doesn't think 2024 will be any better for businesses large or small. The advent of readily available artificial intelligence tools could make both — exploiting vulnerabilities in human operators — and software-driven attacks more potent.
The risk from China remains constant, despite an apparent lessening in tensions following Chinese President 's . "In 2023, I don't know that there is any sector that is exempt from being worried about China," Kurtz said.
"If you're the smallest SMB, maybe you won't be subject to attack," Kurtz said, referring to small to medium-sized businesses. "But at the end of the day, you may have some interaction with another company that they really care about. Whether it's China or other adversaries, you might just be part of the collateral damage to get to a larger objective."