Chris Ahern, Principal
For a long time, services were considered a bad word to many VCs — synonymous with low margins, low multiples, and a distraction from higher-margin, scalable software product sales. But for some businesses, perhaps professional services can be used as a go-to-market strategy, a foot in the door that could lead to product sales.
CrowdStrike has been successful with this strategy for years, stating in one of its SEC filings that: “Among organizations who first became a customer after February 1, 2017, for each $1.00 spent by those customers on their initial engagement for our incident response or proactive services, as of January 31, 2020, we derived an average of $3.73 in ARR from those subscription contracts.”
So CrowdStrike presents the first argument in favor of embracing professional services — the ability to get your foot in the door, build close, personal relationships, and grow the business. Recently, FireEye has presented a second argument — the use of professional services to maintain a relationship following what would otherwise be a catastrophic event.
In December of 2020, the SolarWinds SUNBURST breach came to light. In short, the attack deployed malicious code through SolarWinds’ Orion IT product. SolarWinds believe that fewer than 18,000 public and private organizations were directly impacted by the software update that contained the malicious code. More information is coming to light each week, including a joint statement in early January by the FBI, Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA), stating that the Advanced Persistent Threat (APT) actor is likely of Russian origin.
However, there’s another interesting aspect of this breach.
A few days after FireEye announced it had been breached, CISA issued an emergency alert. The alert recommended that organizations immediately initiate incident response procedures for any network that used affected versions of the SolarWinds Orion product and that have evidence of follow-on threat actor activity. Ironically, those affected companies will need services like those provided by Mandiant, a FireEye-owned incident response firm. When the market realized this, its stock price soared about 50%.
On December 23, Andrew Nowinski of D.A. Davidson stated on CNBC: “The 18,000 organizations that were breached will definitely need Mandiant services that FireEye can provide for incident response to help clean up this breach. I’m sure Mandiant will be very busy going forward. They are one of the top incident response organizations in the world. But it’s highly unlikely that they have enough staff to meet demand. I’d say it’s also a very low margin business. As an investor you don’t want to see that kind of business increasing in mix unless it is significantly driving the sale of their products.”
I don’t necessarily agree that all 18,000 organizations that were breached will “definitely” need Mandiant services — based on the joint statement put out, “a much smaller number have been compromised by follow-on activity on their systems”. But potentially hundreds, if not thousands, of organizations may need some form of incident response services. This isn’t limited to FireEye. Crowdstrike saw about a 30% increase in their stock price over the same period, while Varonis stated that their “security teams have since seen a spike in forensics investigations related to these findings”.
Maybe it’s time for VCs and start-ups alike to embrace professional services as a go-to-market strategy.