Cyber-security: a renewed sense of urgency for enterprises

Security has been a chief concern for enterprises since the early days of computing. As software has evolved to enable businesses to be more productive, hackers have also evolved to take advantage of vulnerabilities in the tech stack. The DDoS attack on Dyn last October, which resulted in much of the American internet being unavailable for the majority of the day, unveiled a pretty scary weapon available to hackers called the Mirai botnet. And while the malware was eventually contained, cyber attacks remain a very real threat to enterprises.

I’ve noticed at McKinsey, where we pride ourselves on client confidentiality, that we have begun to approach enterprise security with a renewed sense of urgency. The firm has conducted a massive cyber security campaign including: mandatory courses for new hires, periodic phishing tests (unfortunately, yours truly has failed a few!) and the addition of a new cyber solutions group to support the firm internally as well as engage with many of our enterprise clients. All this is encouraging and I’m glad the firm is investing in this area. But still it’s tough to feel at ease, if for no other reason than the fact that it’s tough to decipher the world of cyber security jargon.

So what exactly is shaping the nebulous world of cyber security and what can we expect in the near term? There’s a lot of literature on the various types of attacks and the underlying technology being used in these attacks. In layman’s terms, however, it boils down to two (almost opposing) trends:

  • (1) Commodification and automation of basic attacks: Known vulnerabilities are being included in attack scripts and being made available to less skilled attackers. In addition, networks of attack robots are running attack scripts against any device connected to a network.
  • (2) Professionalization and specialization of attackers: Attackers are acquiring the skills to plan and launch long-term campaigns and advanced persistent threats (APTs). In addition, electronic platforms, e.g., “ExploitHub”, connect attack experts globally and allow for trading specific skills. Finally, better educated attackers are entering the scene, e.g., secret services building up cyber security capabilities.

While the development of these themes (particularly the second one) is alarming, the good news is that there are a number of industry stalwarts who have long been building and re-building software to fight these attacks. In addition, there are a range of emerging players who are also building meaningful security products.

Cyber security companies can be grouped into 5 categories: (1) endpoint security, (2) network security, (3) web/messaging security, (4) identity and access management (IAM) and (5) security and vulnerability management (SVM). Below is a view of each of these categories and some of the existing and emerging players:

So where’s the opportunity for new entrants? All five of these categories have real opportunity and one could credibly build a company around each. But right now IAM and SVM are particularly relevant to large enterprises, many of which have little institutional knowledge of these categories. IAM is crucial because corporate data, and especially customer data, is often an enterprise’s most valuable asset – to suffer identity fraud could be catastrophic. SVM is important as well because most large enterprises don’t have a clear sense of their risk levels or ways to track vulnerability. Diagnosing and then monitoring risk levels helps enterprises understand where they are vulnerable and what they can do to shield themselves from attack.

I hope we see more companies built around these two areas because we’re going to need high quality software tools to protect against the attacks we are seeing from a new, and very sophisticated, generation of hackers.

Metrics that Matter in SaaS

Today, software entrepreneurs are very fortunate to have a wealth of information available on the indicators and metrics to focus on when running a SaaS business. There is so much out there that it can be a bit overwhelming to absorb. With that in mind, I’ve put together a one page summary of the core areas every SaaS founder should focus on when first starting and running a SaaS business.

This is not meant to be an exhaustive list of every KPI but rather an 80/20 “boil-it-down-to-what-matters-most” view of the qualitative and quantitative indicators of the overall health of a SaaS business. This also doubles as a checklist when going out to raise an institutional round of capital (most VCs will ask for these metrics as part of their diligence process).

The way to think about it is in four categories.

  • (1) Qualitative: Indicators in this category, while not as quantitative as the rest on this list, are likely to be the most important for early stage companies. They include a sharp focus on the team and the founder(s). The product/service itself and early customer feedback are likewise very important.
  • (2) Market Metrics: Venture investors care a lot about the market a business is focused on (and entrepreneurs should as well, to ensure they are solving a worthy problem!). Key metrics here include the overall TAM and growth (or stagnation/decline) of the industry. In addition, the competitive landscape, both the number of competitors and the share of each competitor, is key.
  • (3) Financial Metrics: Metrics in this category tend to be a bit more objective – but even here much is dependent on the idiosyncrasies of a particular business, what stage it is in and the market opportunity ahead of it. Here, most financial metrics boil down to 3 things:
    • Top-line revenue and growth: CMRR/CARR is the most accurate predictor here
    • Margin profile: some combination of gross and operating margin
    • Cash position: both burn rate and runway
  • (4) Operating Metrics: Operating metrics tend to be a bit more unique in SaaS than in other business models. A good way to think about operating metrics is through three sub-categories:
    • Customer willingness to pay: a combination of ACV, NPS, expansion revenue, etc. combined with the pricing model employed can help determine overall WTP
    • Sales efficiency: magic number (developed by Scale Venture Partners) is a great metric as are payback period and sales cycle length
    • Churn: gross revenue churn is closely tied to growth but cohort analysis and the quick ratio (developed by Social Capital) are also good metrics to track

As mentioned earlier, there is a wealth of information on all four of these areas as well as best-in-class metrics based on revenue, stage, etc. Some of the best material out there for further reading includes: Byron Deeter’s State of the Cloud report, David Skok’s For Entrepreneurs blog and Jason Lemkin’s content on SaaStr.

Grow fast or die slow: Why unicorns are staying private

In today’s world, technology companies worth more than $1 billion—and many worth $10 billion—have fewer reasons to go public than they did in the past. This paradigm shift has changed many of the dynamics in the startup community. A few of us in McKinsey’s High-Tech practice put together an article on the software IPO environment and the implications for founders and VCs. We hope it’s an insightful read.

The full article is available here.