Platform versus Platformization:  How CrowdStrike is winning the platform battle

This is part two of a two-part series. Read part one here.

VentureBeat recently sat down (virtually) with George Kurtz, president, CEO, and co-founder of cybersecurity leader CrowdStrike, to learn more about the company’s data-centric approach and vision for the future of cybersecurity. CrowdStrike’s single-agent, unified platform architecture is cloud-based, enabling their customers to easily add new services while combining human intelligence with AI. Combining human-based contextual intelligence gained from incident response and threat hunting with data-driven insights from AI and machine learning (ML) is central to Kurtz’s vision of the future of cybersecurity.

In the second part of VentureBeat’s interview, George Kurtz, CEO of CrowdStrike, emphasizes the increasing importance of having cybersecurity expertise and leadership on corporate boards. Kurtz also underscores the potential of generative AI in enhancing cybersecurity measures, and shares advice to CISOs and security leaders when they are evaluating cybersecurity solutions.  

VB: How does CrowdStrike’s strategy align with the strategic goals and risk appetites of boards?

Kurtz: First, you have to speak the board’s language, which is risk, and how you mitigate risk.  Then,  there are three general blocks the board cares about: time, money and not going to jail. What I talk about with boards is how do we get the outcome of stopping the breach? This is the thing that security has been missing the mark on for many years. When I was at McAfee, people were buying lots of security, but they were still being breached because the industry was focused on stopping malware, not stopping a breach, and there’s a huge difference.

So when I talk to boards, the conversation is about: you’re paying money for security. Let me give you an outcome, not be breached. Let’s start there. Then it goes into, well, how do we make sure you’re compliant? Can you actually respond to the SEC regulations? That’s what is on the minds of board members.

How do you make sure you comply with what’s in the U.S. and outside the U.S. and data protection laws? How do we make sure that there isn’t a business resiliency issue? They don’t care about viruses and bits and bytes and registry changes. They care about their reputation. They care about time and money, and if they can’t ship products or interact with their customers or they’re knocked offline for three months, there is a huge financial impact. It’s about business resiliency, that’s what boards care about. 

Essentially, we can come in and say, “We’re going to give you the outcome you want. Stay safe. We’re going to make sure that you’re compliant, and, by the way, you have a whole bunch of spend that over the years has built up like barnacles. We’re going to scrape all that off. We’re going to consolidate down to a fewer number of vendors, and we’re going to take your overall spend in those areas, and we’re going to shrink it down and give you a better outcome.”  That resonates.

VB: When you talk with boards, and given the accelerating nature of threats, are you starting to see more security executives on the board, including CISOs, and have you advised certain boards to do that?

Kurtz: Yes, great question. So you look at what’s been done in the financial world. You’ve got third-party auditors, you’ve got a big focus on risk, and then what typically shows up on a board? Most public company boards have a CFO-type person. They might be running the audit committee or what have you. That’s almost a prerequisite. When we look at boards of the future, I believe that cybersecurity and that specialty is going to be a key attribute and a sought-after attribute for board members.

We work with a lot of CISOs that have come out of financial services that really are at-scale CISOs that understand business, they understand risk, they understand public companies. And I think it’s going to be that first crop that’s going to be a sort of trusted advisor for the board, and not only helping in technology but obviously the big driver is going to be managing risk and understanding their cyber exposure.

VB: Getting back to the architecture and your ability to flex and adapt to generative AI and be able to counter generative AI threats, what do you anticipate will be the next big breakthrough from an innovation perspective that we’ll see in cybersecurity based on AI and a single-agent model that you can talk about? What’s the vision that you see coming forward?

Kurtz:  I think we’re still in the early innings of generative AI. There’s so much more to do in that area. We’re in the dugout, getting the batting donuts, putting them on the bat and swinging them around.

Our vision for Charlotte AI furthers what we’ve already talked about – using gen AI to do work on behalf of customers. We’ve wired Charlotte AI into the sort of onion wheel of different categories so that it understands exposure management, data protection and cloud security. But it really is about doing work on behalf of our customers. Charlotte AI certainly understands and can answer a question, but then it can also take action. And that’s why we have this whole workflow slice of the circle.

 In almost any generative AI, the human sort of makes the decision. “Hey, ChatGPT, what do you think?” Or, “Hey, Charlotte. Okay, do this or do that.” We’ve got to get to a point where automation is trusted, and AI is to a point where you’ve got greater accuracy than a human doing it. And that’s really the breakthrough in AI is getting to a level where Charlotte can find something and can surface it and take care of it on your behalf. 

VB: What’s the one customer success that you can mention that you’re the most proud of, given the momentum that you’re building from a single-agent perspective? It’s the one customer win that sticks out in your mind when you say, “Well, that’s really indicative of us at our best.”

Kurtz: I won’t name the customer, but we have a very large SaaS provider that essentially, like many customers over the last 18 months, has come to us, and said, “Hey, we want to go all in on CrowdStrike. We want to replace a whole bunch of technologies.” And we worked with them to figure out what they had and the hodgepodge of things in their environment. I like to say they had one of everything and two of everything else. So we were able to come in with our platform and literally check off, “Okay, you’ve got this, we’ll replace that.” We just went down the list and put a bunch of check marks here, and we probably got rid of five different technologies in a really big deal.

But that’s the tip of the spear of what we can do for most big organizations. And we’re still early in our journey of making sure they can consume all of these different aspects of our technology. I think it’s really indicative of how trusted we are from a customer perspective and the fact that customers want to do more with our platform. They view it as, in their words, the most impactful security technology and control they have in their environment. 

VB: What advice would you give to organizations and CISOs that are considering reevaluating their cybersecurity strategies today, given how many more risks there are and how fast they move?

Kurtz: Yes, I think what’s important is that I’ve never seen a PowerPoint that was wrong. They must look behind the technologies.  First, make sure that they deliver on what they say they’re going to deliver and that they can provide immediate time to value. This shouldn’t be a six-month implementation. 

Two is that there is a difference between price and cost. You can have something for free, but it can cost you a ton of money, and it can cost you your reputation. So understanding the true cost of a solution in terms of people and dollars and hardware and software and all of that that goes into it is really important.