Darktrace: He Said, She Said, and Probably They Said Too
January 20, 2022
The high-flying cyber security sector suffered a headache when the SolarWinds misstep was disclosed. Since that time, the mass media have started paying attention to what a year or two ago was the content discussed at cyber security conferences and workshops. Now, everyone including most US government agencies, hundreds of start ups, and probably a grandmother or two in a Golden Years Long Term Care facility are talking about cyber security, ransomware, bad actors, the Dark Web, the Deep Web, bots, smart malware, and the equivalent of Crime as a Service or CaaS, the on demand resource for stealing financial data.
I read “Short Seller says Darktrace Targets Are a Pipe Dream”. The back and forth between the UK financial firm and the Darktrace cyber services firm is interesting. (Keep in mind that years ago I did some small project for Autonomy, but my experience was pretty good. Nevertheless, before some research-minded 20 something tweets about my consulting, you have been alerted.)
The write up hits three interesting points. I am not interested in Darktrace, however. I think these points apply to a large number of the companies closing deals, often for Palantir-scale invoices, for threat intelligence, cyber defenses, digital canaries, smart perimeters, yada yada.
What are those points?
- Projections are extremely optimistic. What cyber security firm thinks about running out of clients for six and seven figure license fees? Hint: Think of a number between minus one and one.
- Headcounts move around, change, and are disconnected from an old school Graybar (circa 1869) organization chart.
- Customers sign on and then bail out. Does this sound like a Theranos-type observation?
The write up states:
ShadowFall says Darktrace’s business is driven by “an aggressive, promotional, sales focus” and is unlikely to stand the test of time. British hedge fund ShadowFall has taken a short position against cybersecurity specialist Darktrace, calling its business “watery-thin”. The hedge fund is known in the City as the ‘dark destroyer’ for its practices of unpicking corporate reports and devaluing shares. While the fund paints its work as a public service, as a short seller its own business model relies on driving down the prices of companies it bets against.
What’s up here? I think Darktrace is like many cyber security vendors. Consequently, ShadowFall is probably getting the curling stone close to the scoring circle in the game of full body contact investment curling. However, the specific issues like the three I identified above are part of the Silicon Valley territory. I call this phenomenon of overstatement, misdirection, and management magical misdirection part of the behavior I described a decade ago in my monograph “The Google Legacy.”
The cyber security sector is not doing a Tom Brady grade job protecting an organization’s data. Why? Breaches occur because careless or indifferent employees click on links which invite bad actors to come in and have a seat in the engineering meeting. Bad actors prowl message boards for an unhappy employee, pay that employee to insert a USB stick into a laptop, or exfiltrate log on credentials. Finally, giant companies don’t build software with security as Job One. Every day I learn about another flaw in either commercial software or open source libraries. Bad actors don’t have to worry too much. There are quite a few bright bad actors and an expanding pool of oligarchs responding to a business opportunity.
No cyber vendor can keep up. In fact, best of class outfits are selling to those outside of the cyber security National Honor Society and Phi Beta Kappa stratum. (Example: Recorded Future to a general service outfit.) There are too few top flight cyber security engineers to staff the companies building or needing these specialists. Yep, a people shortage exists.
The net net is that ShadowFall has diagnosed an industry wide problem. The write up, however, focuses on ShadowFall’s analysis of a single company. A more useful and fair analysis would take a good, hard look at other cyber security firms. A spectrum or league table of behaviors can be generated. Then a company in the cyber security business can be put into a performance context. I understand that in the UK Darktrace is news. That’s okay with me. There is a far more significant analysis job to do. Darktrace becomes a data point, and my experience suggests there are outfits which warrant a similar analysis and commercial enterprises for which there is more data available.
Where is this type of analysis? I have not seen one. The reason may be, “Who wants to kill the gold goose laying cyber threat eggs filled with money?”
Stephen E Arnold, January 20, 2022