Logan: First, thanks for doing this
George: Great to be here.
Logan: nice weather. And Scott's too.
George: Should be a little bit nicer, but yeah, I get a little rain this
Logan: Yeah.
Logan: Um, so I want to talk about, uh, timing a market and determining when there's an opportunity for product market fit. Um, so before starting CrowdStrike, you were the global CTO of McAfee.
George: Yep.
Logan: What were the set of circumstances that led you to wanting to start CrowdStrike?
George: Well, I got to McAfee in 2004 at a company called Foundzone. I [00:02:00] sold to McAfee, spent seven years at McAfee and then, uh, was general manager. So was running things and then was asked to be the CTO and turned it down twice because I didn't want to be just a tech guy. Um, ultimately took it and was the best job that I had originally turned down, which gave me a much better appreciation for. How challenged the security market was at that time. And really, when you look at what people were spending money on, they, they should have been getting the outcome of not being breached, but they were basically spending money with players, Mackley, Symantec, and others that were focused on stopping malware, not stopping breaches.
Logan: And what's that distinction for people that aren't in the security industry?
George: It sounds simple and it sounds similar, but it's vastly different. Malware is, there's a file that runs, and I want to make sure it's good or bad. It's kind of a binary decision. And the problem is, if you don't make the correct decision, you have what's known as silent failure. So the program runs, you get infected, you get compromised, and [00:03:00] ultimately you get breached.
So what I looked at, it said like, industry is focused on the wrong problem. They're trying to stop malware as opposed to stopping breaches. And it was just a different way to look at it. And people really weren't looking at it that way.
George: And the way we built the system is designed that there's no silent failure.
You could have a failure in missing a file or something, but ultimately down the entire Uh, attack chain, you're going to see something that happens and you're going to be able to stop a breach. You might have an incident, but you stop a breach.
Logan: So you saw that that happening as well, and then there was a story about sitting on an airplane and seeing you were the CTO watching someone else download to try to install an update for McAfee. Is that right?
George: Yeah. So I, so I took over begrudgingly as a CTO job and I said it was a great job. Um, now I wasn't running engineering, but I'm kind of sitting over the whole product portfolio and. I'm on a plane. I literally had circumnavigated the entire globe. Um, I think I started in California and went all the way around through Australia and came [00:04:00] back. And I was sitting, there was a guy that was catty cornered to me, uh, one row up and he booted his computer and I could tell that it was Mac because it had the, the logos on it. The encryption logos as it started, and it literally took 15 minutes for the thing to start. And he was talking to the flight attendant, and he was reading his newspaper, just getting his coffee, and the thing is still grinding away. And I'm looking at that going, okay, that's just a terrible user experience. And I'm the, you know, I've now inherited this as a CTO of McAfee, what could we do differently? And that really led me to think about using the cloud and coming up with a different architecture and different focus. Um, which ultimately I did go back to, to Mackney and say, Hey, we need to do these things if we want to be competitive. Um, nobody was really interested in, I worked for the CEO. Nobody was so much interested in listening because they weren't, they wanted to sell the company.
Logan: I mean, similar story. I think Eric, you wanted zoom, did the same thing, wanted to start it in house and then, uh, ultimately spun out to start the company.
Logan: So, so the product architecture was older and [00:05:00] cloud presented a new way of new delivery mechanism. And then there were focused on the wrong problems, I guess, or in malware versus versus breaches.
So that that happens and you say, okay, I'm going to go out and do this. Now you did a short stint. Yeah. Warberg, right, as an EIR, like kind of incubating this idea. Is that
George: Yeah. So, uh, essentially I, I went to, to Mackney and said, Hey, we need to do this. Nobody wanted to do it. It was going to take, you know, a number of years.
George: It's not easy. This is part, part of the problem is, um, like can't take Siebel and make it Salesforce. You can try, but you know, you pretty much got to start over with a lot of this stuff.
Logan: And is that a technical thing or is that just like a change management, Hey, people are getting paid to do this and it's too
George: It literally is everything. But if you look at how the Salesforce sells, how they get compensated, how the whole go to market motion, it was just AV product. And there was a much different mindset and DNA than you needed to, A, go cloud. So two biggest things for me was the [00:06:00] architecture was wrong on prem. It wasn't, it was just old, right? I mean, it was what it was. All
Logan: it was right. At one point
George: It was right at one point.
George: So that point in time and to stop breaches, you needed a different architecture. So if you start with the premise of you're building something to stop breaches, you need to look at the architecture and it was wrong for that.
It was fine for. At the time, you know, when it was built many years ago for signature based AV detection, but not for stopping breaches. Uh, so, you know, again, I went and said, hey, we need to do this. Nobody wanted to do it. I was very upfront with everybody because they knew I was, you know, sort of every couple of years I'd be, um, kind of re upped, if you will, because I'm like, hey, I'm, you know.
I'm getting recruited. All these venture guys want me to do another thing. Like, what are you thinking?
Logan: were an entrepreneur and you did eight years at, you know, a big company. Right. A nice run.
George: exactly. It was, it was a great run. Learned a lot. You know, really enjoy the people that work with.
George: So from that perspective, I was just up front and saying, Hey, I'm, you know, if we're in the middle of selling the company, which we were. Um, then [00:07:00] I'm, you know, when we're done, I'm going to go do something else.
And, you know, the Warburg guys actually wanted to buy Foundstone while I was selling it to McAfee. And it didn't work out because they were kind of late and just wasn't in the process of selling to McAfee. It worked out better, you know, for me just going through the experience at McAfee. So they kept in contact with me every year and they, they basically would call once a year.
Hey, you know, what are you thinking? And, uh, you know, normally it's like, Hey, I'm busy having fun doing this. And, you know, but always thinking. And then finally we had a conversation and, you know, I said, Hey, we're selling this thing and I'm going to go do something else. So that's how the whole EIR piece came together.
Logan: Interesting.
Logan: So, so now you're there and the initial product, as I understand it, and I think, uh, Excel had some memo from the early days that, uh, I think 20 BC posted online a version of it, but the initial product that you had was services that you guys, you, you offered in addition to a software solution that you [00:08:00] were going to go after what became this EDR space, but can you, can you talk about like what, once you get there Warburg and you go give them a pitch and say, this is what I think it's going to be, what were the products you went to market with?
George: Well, I mean, the whole idea was to build a cloud based, um, there was no EDR, wasn't a term. It, it, it is all, I just looked at the slides before it came and it was literally what we built.
Logan: Did you make up the term EDR at that point
George: No, Gardener came up with the term.
We, uh, we were calling it Endpoint Activity Monitoring, EAM. Then Gartner came up with something else.
So, you know, we went with that. But there was no term. There was no MDR. There was no EDR. There was none of this stuff. And the original concept, we never would have been funded on the service company, but the original concept was, okay, we are going to, um, create this technology. And we're going to integrate intelligence because we think you have to have intelligence. First approach, given you're trying to beat adversaries, right? [00:09:00] Not defeat malware, defeat adversaries. So we were building a whole intelligence team, which is now several hundred people. And we first, it's kind of an interesting story. The guy works, still works for me today, um, who runs intelligence. He wrote a blog on these threat actor groups.
And it's much more common now to understand what's happening. Back then it was all about advanced persistent threats. And people didn't really have a good view of how it all worked. So he writes a blog and he basically puts it out and people liked it. Then he writes another blog and, um, he sends me the draft cause I'm doing everything.
So I read the draft and I go, okay, it looks good. I said, why don't you at the bottom put, if you're interested in buying Crouchrike Intelligence, you know, email intel at crouchrike.
George: com. And he said, well, we have a problem. I said, well, what's that? He goes, we don't have a, an email address called intel at crouchrike.
com. So I said, we can fix that. We'll, we'll add an email address. Just put it out there. And he goes, well, we don't have an Intel product. I go, we can fix that [00:10:00] too. Don't worry about it. So he ships it out. We got all kinds of inbounds going, Ooh, we want to, we want to buy a security intelligence and that's how we got the first incarnation, but we were always building the product, obviously it takes a while. Um, and then we, we, we had services doing incident response. So a lot of the incident response markets started at Foundstone. Um, and Kevin Mandy worked at Foundstone. Then Kevin went out, uh, when we sold the company to, uh, McAfee, he went and did his own company, which is originally called Redcliffe Consulting renamed to Mandiant.
George: And that, that was really the beginnings of the, of the instant response
Logan: And for people that maybe don't appreciate what incident response is, or intelligence and all this, I mean, this is, if a, if a hack occurs or a breach occurs, this is helping people go in and figure out a post mortem, like people are showing up on site and looking in log files and trying to figure out, hey, this was connected to this and they got this information and then went here, right,
George: it's
it's Ghostbusters when you [00:11:00] have a breach. That's basically what it is.
Logan: Then, let's figure out, is it done, what happened, all
George: Right. to recreate.
Logan: To.
George: Like CSI got to recreate it, but long story short, so we started the incident response practice along with the intelligence, uh, subscriptions as we were building the endpoint product. But the core focus from the company day one was always to build what we actually
Logan: You were always going to be a software business, but this service could serve as a tip of the spear.
George: It's a tip of the sphere because it's in security. It's a very, um, trust is big, right. And to have an intimate relationship with a customer where you're helping them. Um, is, is very important and it serves another purpose, which is to actually, um, understand how the breaches are happening. So if you have the latest intelligence and you're doing the, the, the biggest responses, you're always going to be front and center of knowing how to defeat the adversary.
Logan: So you're kind of productizing as you go along incrementally. Like, hey, we learned this new thing. Can we build this into the [00:12:00] product and make it better? And so is it, is it a flywheel like that, or that, that one goes into the other and then you're able to sell them?
George: The product was so unique and differentiated in terms of how it worked and its architect still is today. That it was a little less about that and it was more on how do you this whole concept of an OODA loop? Um, if you don't know what that is, you guys can at home can, can, can
Google that
Logan: eating itself?
George: the OODA loop is, um, it's basically when you, you observe and then you decide and then you, you kind of reorient yourself and then you make another decision.
So in the Top Gun school. Years ago, we were getting beat very badly. And there was a decision loop that came up with a guy named Boyd and basically it was this OODA loop. So it was basically understanding and orienting and then making fast decisions. Um, that's the way the system was built. So what we were doing with the services team is that we were gathering the Intel and the techniques to build into our system. So that's how it all worked. You needed the [00:13:00] techniques of how breaches worked and you needed the intel to build into this very fast loop system.
Logan: It's an interesting thing because you're you're building trust and credibility both from your blog posts as well as going on site and helping people and then you're saying, hey, to help you in the future in a more automated way. We also are building this product. We're going to have this product that you can you can use from there.
Did the customers were they fully? Aware that this other thing existed in the early days, or were you just trying to get in and build trust and then knowing that was going to come
George: we worked with, with some big companies, um, you know, to give us thoughts, ideas. We, we had our own idea. Um, and if we, if when we told somebody this idea, it wasn't. They're like, huh, you know, is that really going to work? And it was something so new and novel, um, to be able to solve this from the cloud. So we couldn't just go to a customer and say, how would you do it?
Because we would have gotten like tweak [00:14:00] McAfee as opposed to reorient into something totally different. But at the end of the day, they wanted the problem solved. They have APTs, advanced persistent threats. That was the term back then. And they had too many of them, they couldn't find them, traditional technologies were failing.
So they wanted something different. And we worked with many of them to basically get their ideas. And then we first started, you know, we got our release out and it was, you know, didn't do all that much. And then we just kept working on it, working on it and getting better, you know, at these OODA loops. What we call indicators of attack. These are attack patterns. Um, and they're all built into the product today. And, um, AI was, you know, before it's now, uh, kind of a buzzword. It machine learning was the big thing that we focused on to be able to solve problems without signatures. So that's, that was, those were the early days.
Logan: So you raised 25 million from Warburg, uh, and you're, you're going about this building services as well as software. Are these teams distinct internally? Like, do you have
George: Yeah. We actually had [00:15:00] a, uh, it was a wholly owned subsidiary that did our, our services.
Logan: Oh, interesting.
George: Um, and then we had our Intel team, which was separate. So we had product intel and services.
Logan: So then, uh, you land with software at some point, right? This is the tip of the spear, and you're selling some consulting services. Then you land with software, and at that point, you're sitting alongside the big antivirus vendors. And you're saying, hey, we'll help you with, uh, with your breaches, and help you figure out all of that stuff.
And then at some point along the way, you were able to convince them, we actually, you don't even need antivirus software?
George: Right. So what we first did is we basically, cause nobody wanted to just throw out what they had. You know, certainly in the early days where, you know, five guys, a dog in a garage, right? So we had to basically come up with something in a particular use case, which was around visibility and we would run side by side with any number of AV products that were out there. And then ultimately as we built the prevention capabilities, you know, we [00:16:00] basically, customers saw it for themselves. Like we were catching everything that. The others weren't and they're like, well, why don't we just use you? But the thing that we did different, um, than just about everyone else in the industry, most of the other companies started as certainly the ones we compete with. Um, you know, they saw what we were doing and then they copied it. They started as an AV product, first not a data product. And this is why architecturally so many of these companies have challenges because they were kind of on prem, next gen AV tools, and then they had to bolt on all the other pieces. We started with the hardest part, which was the data collection at
Logan: Yeah.
George: which allows us to, to operate much more effectively than, than our competitors out there manageability, and ability to add more modules.
Logan: Roof Timeline, uh, CrowdStrike was founded 2012, 13?
George: Uh, late 2011.
Logan: Uh, 2011. How long was it service only? How long until you started selling software? How long until you had your first, uh, antivirus displacement?
George: [00:17:00] Yeah. So it was, again, it was, I mean, the product was always there. It took two years to really get the product out. So in the meantime, we're, we're doing some of the other things, um, building our name up and, and, and gathering up. Um, you know, the revenue was nice, small, but it was more. What we needed out of it. So we did that for a couple of years. First release came out like two years later. And, uh, you know, today's market, you can, you can assemble a lot of the, the technologies, uh, when we did it, it was, uh, yeah, I feel like the old guy was, you know, uh, walking to school uphill in the snow storm, right? Like we had to build all this stuff.
Graph technology. Was so nascent, we built our own right. You just didn't go off the shelf and pick everything. Right? So we built a lot of things ourselves. So it took two, two years, um, to get it all out. But when we did, then we got a lot of feedback. And then we iterated, iterated. Um, and it was probably 2016, late before we really had kind of our next gen AV product. [00:18:00] And then from there we started to do displacement.
Logan: So late 2011 to 2013 ish, you're selling services and building the software product. 2013 to 2016, you're selling, what, EDR or whatever, right? And then at that point, you're selling antivirus. It's almost like a, uh, A business school case study of like laddering up and going into starting with something and then, uh, going into the next thing and then that gives you the right to displace the competitors and the other thing, um, and in talking to some of your investors as well, it actually played out exactly.
You founded it with this vision and it sort of played out exactly as you is that a fair characterization that was very serendipitous or you were very prescient.
George: It is. Well, you know, I got plenty of scars from doing other things. So what I knew in security was if you had the relationship, particularly on the services side, trusted relationship, you're going to be able to sell software. That isn't always the case in other industries, but security is. And I knew that [00:19:00] from, from Foundstone because we had, when I started that, I said, okay, we're going to have software and technology.
And we, we, we, we really invented vulnerability management because there was vulnerability assessment. And, and the found some days, but there was no management of it. So we kind of created that category. But when I was building a company, a lot of the VCs are like, well, you can't have services and, and technology. And it's like, well, why can't you? So everybody fought me on that. And then ultimately it turned out to be a pretty good model. You know, as long as you have the right balance, right. You can't be
Logan: Why is security unique in that regard? Yeah.
George: because it's such a trusted, uh, relationship when, when someone has a breach, it's, it's like going to your doctor, like you have a problem, you need it to be solved. And when somebody solves it, they're grateful. Um, and it isn't when someone's bleeding, like you, everything goes out the window and it's like, stop the bleeding, solve the problem. And you know, you become the hero. So if you have that level of trust all the way up through the board, [00:20:00] then it sets credibility for selling the software products.
Logan: One of the things I think you guys did really well in the early days in building the trust in this was also, um, giving faces to the new, uh, attacks that were coming in. And also, um, there was a set of circumstances going on in 2012, 2013, 14, 15, that we were just seeing an exponential growth and, and hacks and attacks and all of that.
Can you talk a little bit about like the marketing and PR strategy of, of making this more real and tangible for
George: Yeah,
George: again, I mean, these were all firsts that we came out with, um, you, you would hear the term APT and, um, some of the folks in the industry had APT1, APT2, APT3, okay, I don't really know what that is, right? So, um, I couldn't keep track of them either. And I mean, I know who the, I know what they, what they were talking about, but it was just, um, engineering stuff. Not that it's bad, but you know, we wanted to take it a different approach. So what we said is, you know, [00:21:00] there are actually humans behind this. So why don't we sort of give a face to this? Cause it's, it, it isn't a, you know, it's a serious issue, right? It's not, um, you know, we've got funny characters and stuff, but it's a serious issue.
How do we allow people to really understand that? There's nation states, there's e crime, there's hacktivism, and there's people behind it, and it's actually organized. So we came up with a whole adversary kind of universe, and you know, we would name them by pandas and bears and other things, you know, bears for Russia, pandas China, um, there's others. But so we can keep track of them and then by campaign and by specific groups that are in each of these countries, we would, we would have, you know, anchor panda for the, uh, you know, Chinese Navy and those sort of things. So we kept track of it, but When we would talk to a customer, we would say, Hey, this is the group that's doing things, or more impactfully, when they had an issue, we came in and did the services, we would say, okay, this [00:22:00] is the group here, actually the pictures of the people, this is the, who they're working for.
Logan: They're on vacation here, and here are their boats, right?
George: Yeah, yeah. Like we, we literally had this stuff. Like we, there was New York times articles that, you know, we literally had, it was all open source stuff. We were finding these people knowing where they're operating out of, and that really hadn't been done before. But when. You're talking to a CEO who just had an incident, like now someone realizes the competitive juices get going, right?
And it's like, Oh, those are the people who want to do harm to us. And it put it into a different concept rather than bits and bytes and registry keys to like, there are dedicated groups who are organized. for profit and for state sponsored activities that want to do harm to you. And I think that helped kind of revolutionize how people thought about the threats
Logan: You mentioned, uh, three different, um, types of, of attacks that are out there. The underlying current within the market, we sort of talked about the architectural reasons and the, and the cloud shift and all that, but what, what was happening that led to [00:23:00] the importance of, um, cybersecurity industry and it's kind of served as a tailwind at your back over the course of this, like why has it gotten so much more prevalent in the last decade than it was prior?
George: cyber security or the
Logan: The attacks.
George: the attacks got more prevalent because it really started with nation state and then the E crime. And there's always been kind of fraud in those things out there. But what we saw is that a lot of the nation state techniques were starting to bleed down. into the cybercrime groups.
So the cybercrime groups weren't always sophisticated enough to come up with like the ultimate sort of attacks, but as they become, as they became more public, they were able to commercialize it. So, you know, it's kind of like, I give you the analogy, like it's really hard to make. plutonium, but if he found it, somebody probably would be figure out a way to make a bomb out of it.
Right? So this nation state, [00:24:00] um, these techniques were starting to leak out yet. Snowden, you had a lot of other things where like very sophisticated attack methods were leaking out. And then you were having people being able to weaponize them. Then you combine that with the prolific, I mean, just almost exponential nature of vulnerabilities that are in the ecosystem.
Many from some of the large players that are out there. Yeah. That, you know, there's just such a large attack surface and the complexity of technology continued to increase that there was more things to basically compromise.
And that allowed other players to get into the game.
Logan: I'm sure along the way there are many points of, um, pinch yourself moments, like what exactly how I can't believe this is, this is going on, but we talked about nation states and you all have supported a number of different groups along the way related to U. S. defense and I'm sure other countries as well.
One of the, uh, I guess, notable ones that got a bunch of headlines was the DNC [00:25:00] attack. Can you tell that story and what was that like for you at that? This is a, this is an interesting when, when this starts to go on and Russian interference in the election and all that
George: This was, it was, we got called in by, by, by a law firm that we worked with. And this was just standard fare. Like it wasn't,
Logan: it didn't feel.
George: didn't even like raise any, any flags or anything. We came in, did the investigation. We're like, okay, this is what happened.
Logan: This is five years post founding. This is post election.
George: 2016. Yeah.
Logan: Post election at this point are free.
George: think it was pre. So we, uh, we got caught like we do.
We're, I mean, this professional outfit, you called in your dispatcher guys and gals and investigate. Here's the report that didn't think much of it. And then obviously, you know, there was a, there was a whole, uh, you know, interesting, um, Uh, series of events after that
and, uh, you know, I knew we've arrived when two heads of states, uh, mentioned our names.
So,
Logan: Zelensky and Trump are talking about crowd strike and yeah, yeah. [00:26:00] That's uh, that's an interesting, I'm sure that was a pretty surreal moment.
George: it, it was, and you know, again, we just, we just did our job, wrote the report and whatever happens after that. That's
we can't control. We don't get involved and we're not politicians or policymakers. We're, we're security
Logan: Yeah, makes sense. So, uh, the founding of the company. So you're at Warburg there, and I think I had heard you mentioned some of your VCs in their early days that found stone. Uh, there was an interesting comment about you never wanted to make someone's fund or have their ability to continue to exist to be predicated on your success.
I found something sounds like maybe there was some pressure to sell among the VCs or some people that were more short sighted. Is that a fair
George: That is a fair characterization.
Logan: did that impact you? The next go round and thinking about your investors and picking Warburg and ultimately excel in.
George: Well, it impacted me a lot because, uh, my first go around when I started the company, I was 29, first time doing it, it was like, you know, you don't have a track record, so, [00:27:00] um, you know, you kind of work with what you have, and, um, you know, we had some decent backers and those sort of things, and they were good folks, but And they did a lot of investing in 99.
So their funds pretty much blew up 2001. I remember raising money in 2001, not so easy. And then 2004 came, didn't really want to sell the company. McAfee reached out and, you know, I was really on the fence of whether we should sell it or not, but there was a lot of pressure cause we were literally the only thing in their fund that would have returned. Yeah. Any capital. So,
Logan: And a lot of the names, by the way, I went back and looked up those names don't really exist, uh, or a lot of your original investors, I'm sure on doing other stuff as 99 vintage. A lot of people did. So I, I assume they were just looking for a win or
George: They're looking for a win.
Logan: move on in some way,
George: They were looking for a win. Like, like anything else. I mean, you know, your business. You got, you have LPs. You got a return capital. And it's, uh, it's part of the game that you're in. So anyway, um, again, not bad folks, but that's, that's the way they wanted
to go. Incentive [00:28:00] structures and, uh, you know, we were kind of split whether we sell or not we sold and, and really it all worked out.
I mean, I can't, I wouldn't necessarily change anything from my perspective when I started found someone like I wanted to be well, I mean, um, CrowdStrike, I wanted to be well capitalized. Warburg, you did not your traditional Series A by the way, they did only one other Series A like this, which was a BEA.
Logan: pretty good tracker for the, there were one spot. If I'm a very prominent venture firm back in the, uh, 1970s, 80s, but, uh, they've moved more into the private equity direction.
George: right. So to do a, like, basically, I mean, you'd call it a C today, but an A round on 25 slides is not a traditional thing for them. So they had plenty of money. And then, um, you know, Excel, uh, Samir kept pinging me and wanted to meet Samir Gandhi. He's a great board member. And I kind of put him off for a little bit and finally met him and, you know, we, we hit it off really well and got Excel in and then Google and others came in.
But. The whole idea was like, I [00:29:00] was not going to let anybody in that wasn't necessarily named brand. And if I was going to, if we were going to be the company that made their fund, I didn't want any part of it. We're not going to make, um, a fund for Excel or for Warburg or others. We're going to make it really good, but we, they don't need us to make the fund.
So that's really what I was focused on.
George: Yeah.
Logan: um, people are being a little bit more discerning, entrepreneurs, uh, in terms of some of these consideration sets. I, I think in the 2021 vintage, we were in the world of just highest price and whoever versus now there's a little bit more inputs into longevity and partner and, and all of that stuff, which from my perspective is great.
But, um, how did you go about thinking about, um, what firms had longevity and lasting, you know, brands and all of that. Was there any tangible, um, [00:30:00] metrics around it? Or was it just, Hey, Excel's a venerable name and Warburg's been around for a long time and they've, well.
George: I knew Warburg, so I knew the people. I think for me, it was like I needed to get to know the people first. I knew the Warburg folks. That's why I did the deal with them. And then, um, you know, I got to know the Excel team really well and really liked them and, uh, Uh, you know, for me, it was always what I wanted to be.
I didn't have flexibility in my life. I didn't really want to be working with people I didn't like. So, um, you know, we were able to kind of handpick who we wanted, um, investors and, and on the board and those sorts of things, and, you know, it served us well because we, if we didn't have good board members, they wouldn't have seen the vision that I had and the company could have been sold many times over super early, uh, if we wanted to, but, you know, we knew we could be a generational. And the, and the whole idea when I started it, which we didn't cover was, you know, there was Salesforce, there was Workday, there was ServiceNow, there was no [00:31:00] platform company at security. There was no Salesforce of security. And it was just a missing element. Um, and that's really what we want it to be. And we wanted investors and board members who had that vision.
Logan: We talked about the data ingest versus the antivirus considerations from the early days. There were, there were a handful of companies. Uh, we were fortunate enough to be investors in 701. Um, silence was another name. There's a few others that were founded similar vintage. Um, when you look back, the data ingest and antivirus is one component of it.
Logan: Are there other things just from a pure execution standpoint that you feel like you all did really well, um, that might be transferable to an entrepreneur listening?
George: Well, certainly the, the approach that we took was different. I mean, the, the reason why Silas got, you know, is now BlackBerry is because they just took one approach, which shows antivirus, right?
Logan: Versus you did the hard thing first and built it for longevity.
George: still hard, hard for people to replicate. You know, even when I, when I look at a lot of these, these new companies that come out that just plug into, you know, an [00:32:00] Amazon or, uh, Azure API and suck data in, they've got, you know, pull a graph database off the shelf, pull, you know, uh, your UI of choice, a react off the shelf, make something in, you know, a year or a year. Nine months and go out to market. Like it's not hard to do that. So we did all the hard stuff first and that really set us up. So I think what we did, and to, to the heart of your question, like we didn't take shortcuts and I had plenty of conversations with guys internal. I said, why do we have to do that?
That's gold plate of plumbing. They're like, George, you're going to need it. And it was fantastic advice. But here's the thing that we never compromised that. And both SentinelOne and Silents did. They started as, you know, with on prem technology, but they had on prem pieces. We never had that. No matter what, how we got pressured, we never had on prem.
The agents run wherever. But we never had an on prem anything because it compromises the entire system. And that's where you run [00:33:00] into scalability challenges and all kinds of other things. So my point in that is. Many young entrepreneurs who want that big deal from that bank who says we need it on prem will say, Okay, we'll just make it work for you.
And then it's a noose around their neck going forward.
Logan: I know competitors, uh, is probably something that you don't spend a ton of time thinking about, at least that original cohort, but there was a racing analogy that you talked about, about mirrors and crashing when, when talking about competitors. Can you speak, can you speak to that?
George: My general thoughts on that is the windshield is 20 times bigger than the rear of your mirror. So you should spend more time looking out the windshield and going forward than looking out, you know, behind you or sideways.
George: And I think the racing analogy holds true. If you're just driving in your mirrors, you're going to go off the track and crash. You have to be aware of your competitors. You have to respect your competitors. Um, You, the competitor is going to push you and make you better. But if you're focused out front, you're focused on the right thing going
Logan: One of your competitors today, I guess, is [00:34:00] Microsoft, which is a company that I don't think a lot of people aspire to compete with, at least in broad based software today. I think they're a highly functioning org underneath Satya, but you guys have done a great job executing against them and competing, or out competing them.
How have you been able to do that within security?
George: Um, not easily, um, but put a lot of hard work and, and, you know, a lot of focus and, and, um, I'll come back to your question in a minute, but a lot of people don't realize that many years ago I found some Microsoft is one of our biggest customers. And many years ago, I did the first ever pen test, external pen test for Microsoft.
So it's kind of a funny, you know, where life brings you. Now they're, now they're a big competitor of ours. Um, you know, at the end of the day, what we're focused on every day we get up, we think about how do we stop breaches, right? We're not thinking about building clouds. We're not thinking about building productivity apps.
Or operating systems, we're thinking about how do we stop these breaches [00:35:00] and our architecture is fundamentally different. Microsoft architecture, a number one, it's legacy AV. 2004, they bought an AV product. Guess what? Every day there's six updates that come with signature updates. You know, same thing McAfee and Symantec did.
If McAfee and Symantec worked so well, there'd be no CrowdStrike. So when we look at someone like Microsoft, are they really solving the problem of stopping the breach? Most times they're causing it because of their architecture, their vulnerabilities, their hygiene, and those sorts of things. So, you know, from our standpoint, trust is a big thing in security. Um, Focus is a big item and having something that actually gives you the outcome is what people are paying for. So that's the way we've been able to execute. It's taking care of the customer and delivering what they want. A system that works at scale, single agent, it works, uh, overall, it's actually cheaper. to run and manage and gives them the outcome. So that's how we compete it there. They're a [00:36:00] big competitor. Of course, you know, you have to have a lot of respect. Um, Satya and team have done a great job, but, um, you know, there's always room for multiple companies out there and, you know, we've got our niche.
Logan: I've heard you talk about the two different, uh, stages of company execution.
Logan: Uh, there's the evangelical leadership stage and then the scaling and delegating stage. Um, can you, can you speak a little bit to that and what the distinctions between the two are?
George: And it really, it really, a lot of that comes around the. The selling piece of it, right? So you have evangelical scaling and coin operated a lot of times when you're looking for sales organizations. But so I think, you know, from my perspective, when you first get out there and you're pitching something that doesn't have, it's a different approach. Right. You're in a category of endpoint, you're in a category of like security is important, stop a breach people, you know, started to get that nobody was doing cloud. So you have to be an evangelist starting with me. I had to go out, explain what it was, why we want to do it. I had plenty of people laugh, you know, banks [00:37:00] go, we'd never use that.
I mean, I can go through the story of that's never going to work, you know, et cetera, et cetera. But we got through all that. And once you. Once you get past the evangelical phase, which I don't know if you ever passed, but once you kind of get past that, you have some scale, then you, you're hiring in a different set of people, particularly on the sales side, you're scaling it up. And then, you know, at some point, and we're not in that phase at all, nor do I necessarily want to be in that phase, but you've got the coin operated, um, you know, folks who just want to come in and take orders.
So from my perspective, it's making sure that we got the right people for the right phase of the company.
And. When you move from evangelical to scaling, like you can't do everything and you really do have to delegate that makes you got the right people on the bus.
Logan: Hmm. You hired a number of roles, I think, earlier than conventional wisdom would, would recommend. Uh, were there any of those that you feel like particularly benefited the company that maybe came in a stage earlier than a VC would recommend or something?
George: Yeah. So one of my co founders was actually our CFO early [00:38:00] days. He was my CFO at Foundstone. It was a great guy. He literally was retired. I had to get him out of retirement and say, can you help me for a couple of years? Um, and he only wanted to give me a few years and wanted to go be with his grandkids, a odd choice of a CFO as a co founder, I would say, and be, um, That was pretty early on, but I knew that you had to have the right foundation in the areas of, um, accounting in the areas of revenue recognition in the hygiene of the company.
And I see too many younger companies that I invest a lot in, in startups where it's like. You know, we'll get the CFO four years later and it's like, well, if you do that, there's going to be a, you're going to have a huge mess on your hands. So when you look at what we did, ultimately when we went public, everything had to be audited.
Everything was audited by the way. So we, there wasn't a lot of hygiene that we had to go fix. Um, to be ready to be public and whether you're going to be public [00:39:00] or if you're going to sell the company and most venture backed companies, there has to be some exit, right? So pick one. Um, you want to have the right finance team in place and then you want to combine that with the right legal team.
We knew the cloud was going to be difficult. We knew privacy was going to be an issue. We saw what was happening with. I mean, you had Salesforce, you had Amazon, you had others. We, you know, it's an issue to put your data somewhere else. So we want to have the light, the right legal people in place. So we, we, we really went out and tried to get the best folks. Um, you know, our first GC was like the former GC of the FBI, like super senior. People are like, why do you need that guy? Because we need to put everything in place.
Logan: Hmm. Interesting. Delegating as you move from that evangelical leadership to scaling and delegating. Uh, I heard you mention that, um, Ultimately you, you ran, you were able to ran, run, and assess different business units off of KPIs and dashboards, and that sort [00:40:00] of gave you a feel for, um, can, can you speak to, to that and the, the willingness to pass and trust, uh, some of the responsibilities within an org to the different leadership team
George: Yeah, it starts really with the people. So I had to make sure I had the right people in place, which I, I did, um, you know, for that stage, uh, for the most part. And I, I, I couldn't do everything. So it was more like what, what are the, what are the critical, uh, KPIs we need to look at? How do we manage those?
And how do we course correct? Um,
Logan: for each different functional
George: for
George: each different functional area. And, and really, you know, you only need three or four critical KPIs for each one. Uh, so I sat down with everyone and said, okay, well, what are the key ones? And if you couldn't tell me the key ones, that was problem number one. But we, we got through that and, uh, you know, to this day we, we still, I don't think I'm ever satisfied with all the dashboards and the data, but we have a huge piece internally of dashboarding and KPIs and around everything.
And it, it's, um, it's a journey. It's never an end state, like you're [00:41:00] never going to be happy with what you have and you always have to tweak it. Um, you have to get out of the trap sometimes when you get big enough where people, you know, turn things that are yellow into green and tweaks a number here or do something.
And it's, so you look at it, you're like, okay, that looks good. But you know, what, what's the sample size or what did you, you know, did you change how you actually are calibrating your, um, you know, net promoter scores, those kinds of
Logan: Yeah, there's a lot of when you measure something, people are going to manage to it. And so you need to constantly analyze what, uh, the unintended consequences to the, uh, to, to the, yeah,
George: and the inputs, because you could look at something and go, well, that looks good. But you know, did you talk to two customers or 2000?
Logan: yeah, that makes sense. What are some of the things you learned, uh, about managing and leading people that you knew when you were, uh, was it E and Y, uh, early days or was. Flutterhouse, PwC, when you were coming out and or [00:42:00] the original days of starting Foundstone as you look back on that, if you could tell yourself about leading thousands of people, is there anything that stands out
George: For me, it's, you know, and I've gained this over the years, but it really always is about starting with, with the best team that you possibly can, you know, a players we'll figure it out. You know, if I always say, if you have, you know. A C player with an A game plan, you're, you're, you're still screwed, right?
So it's better to have an A player with, you know, a B game plan or, or something else because they're going to figure it out to get to the, to the outcome. So for me, it was starting with the best folks and we did that at CrowdStrike. I literally handpicked 20 of the top people, didn't matter where they were, and that became the founding team. But when I go, when I look back in time and I think about kind of what I learned is if you put the right people in place and you don't constrain their, their creativity, um, you get great results. And I think that was a key part. Like when you're at Pricewaterhouse or [00:43:00] EY, great places, but it was very structured and didn't always have the flexibility to kind of, you know, Bob Ross it as we say, um, take the blank canvas.
So, you know, for us, it was, here's a blank canvas. What, What, pretty trees are we going to paint today on the Bob Ross canvas?
Logan: that point? Like, what are you looking for in a 1st meeting? And I guess, specifically, I've heard you talk about possibility people versus parameter people. What's that distinction? And if you're interviewing someone and trying to figure out if they're in a person.
George: If it's all about the, the, the parameters, like, didn't you kind of constrain yourself into a box and you're only thinking about the parameters in your box. If you're thinking about the possibilities, it's like, okay, that hasn't been done before. And it's really hard. And, you know, people haven't thought about it.
And, you know, is there a market or not? Like you got to figure all that out, but Hey, it's, it might be possible. Right.
George: As opposed to starting with, I call professor knows. You know, no, no, no, like, and you know, if you're very [00:44:00] parameter driven and your first answer is no, you're probably not going to be a good fit. And I think it's like, okay, we'll get, get the white canvas out and what, what, what, what is the art of possible rather than the parameters that would constrain you from developing something new? Because. If we weren't possibility people or just parameter people, there'd be no CrowdStrike, you know, you'd still have signature AV somewhere.
Logan: Are there questions you ask to try to tease that out in an interview?
George: Yeah, I mean, I like to understand somebody's background first and just hear their life story because it tells me how they operate and what they've done and, you know, what, what really drives them. Um, and we can, we can talk about what, what makes people take care in a minute if you want, but. From my perspective, I'm always just trying to figure out are they, how do they solve problems and you know, how do they think about, are they competitive and what do they do in sports and those sort of things, which gives me an idea on how, how they operate, what makes them [00:45:00] tick. So I, I asked a lot of questions about that. You know, ask him what, what drives and do they, do they love to win or do they hate to lose? And then I can tell like the personalities from there.
Logan: What's it? What's the distinction there? Love to win versus hate to lose. Which one's better?
George: Well, it's, it's all different. And you know, somebody who listened to this is going to just try to come up with the right answer next time they talk to me. But I think the, what I would say is, um, it's great to want to win, but if you look at the best athletes in the world, And I, I met a lot of them, talk to them, they really hate to lose the, and if you think about like you played sports, you win, how long does the win last?
Logan: A lot shorter than the losses hurt.
George: So if you played football, which you did,
yeah. So you knew Saturday you lost, you gotta wait till next Saturday or two weeks from
now. That's kind of the way we, but again, there, there isn't a right
answer. Just trying to understand what makes people tick.
Logan: I heard you say that you never regretted firing someone too early, but often regretted [00:46:00] keeping someone around too long. A lot of our companies are going through the point in time if they're successful, that the person that got you there might not be the person that takes you there, right? Um, how do you think about that?
Are there things that you should be asking, uh, if this person's the right to be on the journey with you?
George: I think every day, um, you have to look at the team and you have to think about, is that the right person for that role at that point in time? And at that point in time is important because when you're a hundred people, it might've been fantastic for that role, but at 5, 000, they may not be. Doesn't make them bad.
Doesn't mean that they don't. either have a home in your organization, or maybe they can find a home and leverage experience they got. But I've never, and I really have asked the question to many folks, you know, many CEOs, friends, et cetera. Have you ever regretted firing somebody too early? And the answer is no.
I mean, normally it's like, Oh, I let that person hang around too long. And you know, we knew that person that was somebody we were friendly with, or we, you know, they worked with us in five other [00:47:00] places. Yeah. Whatever story you want to come up with. I mean, it's never an easy thing because it's, you know, people's lives, but. I think if you have the discipline to, to say, like for me, CrowdStrike is a special place. You should be an A player if you're here. If you're not an A player, then, you know, what are we doing? So not everybody's in, you know, can or will be an A player. But my point is, if that person isn't right for the job, then it's better for them and it's better for the company. To, you know, give them a hug and, and either find a different role, which is fine, or, you know, part ways and, and there are many folks that I'm still friendly with today that we, we parted ways, um, just because it wasn't the right fit at that time. But you don't want to wait around.
Logan: Do you encourage managers, like when they have that inkling, just to, to obviously be thoughtful but, but act on it because it's not going to, the toothpaste doesn't go back in the tube?
George: Toothpaste doesn't go back in a tooth. We have a Uh, I mean, I mean, uh, one of our, uh, our chairman, we have a saying like in racing that if you have a noise in a [00:48:00] gearbox, it doesn't fix itself. Like it will not fix itself. Trust me, that thing is going to blow up. So if you have that inkling or, you know, the noise is there, just get it fixed.
Cause it is not, you know, you can try to course correct and, and, and do those sorts of things. I got it. But at some point. The hair on the back of your neck stands up, the little voice keeps saying like, I don't know if this is going to work out. You can convince yourself to not listen to the little voice or you can basically say like, like we tried, feedback was given, we're not going to get there or they don't have the skills.
You know, it's attitude and aptitude. You got to have both. And if it's not the right fit, then you got to move on. And the problem is, and how you get mediocre organizations and, and the landscape is littered with mediocrity.
Logan: By definition, right?
Logan: Yeah. Average is normal.
George: just let people hang around.
Logan: Uh, one of the other interesting, I guess, forcing functions or frameworks is if you, if you would hire that person [00:49:00] back into that role again today or, or not.
George: Yeah. So that, that's the way I look at it.
George: Like what, what I, you know, the simple, and this is probably one of the best maybe takeaways from, from this whole podcast is just one thing just to remember, forget everything else is if you ask yourself, would you hire that person for that job today? If it's a yes, great.
If it's a no, then you got to take action,
you know, and, um, you shouldn't wait around. Like there's always considerations of not tomorrow, but you know. Maybe in two weeks or three weeks, but not two years from now.
Logan: It is an interesting framework of would you take that person or the field, right? It's like the gambling terms of like everyone else that maybe I can interview or that specific person that I have today. And if your inclination is over there, uh, maybe that's your, that's your answer.
George: Because people have a hard time coming up with the answer.
Logan: Hmm.
Logan: Um, we touched on this a little bit, but the, uh, the different types of salespeople in, uh, the evangelical, the scaler and the coin operated.
Um, we talked about the [00:50:00] leadership different phases of this, but, but the coin operated is that that's just a transactional order taker
George: Yeah.
Logan: and scaler is someone that comes in after the evangelical sale has occurred
George: Yeah. So, so you basically, you know, evangelical is, Hey, we've never heard of this product. We don't know this market. What is it going to do? Why do I even need it? What's my problem? You're trying to solve. So you got to get through all that stuff. And then people go, wow, this does, works better, solves a problem.
And I'm willing to part with my money.
George: Uh, and by the way, I, I, I'm not sure if everyone appreciates, and I know you do, um, in your companies, how hard it is to actually get people like in an enterprise to part with their money. It is a really difficult thing to do. Like, so you got to get past the, somebody's going to write you a check for it. And then once you have that, then it's like, okay, well, we have something about product market fit.
George: How do we scale this? How do we put all the sales processes in place? How do we, you know, put the marketing pieces, the go to market, the engineering piece? Like we've got to scale this thing. [00:51:00] And on the sales side, you know, it's George making the sale. Or someone, you know, in a senior team making the sale to, we can take all this and package it and put it into a scalable sales organization. And there's, you know, there's a real skill and art to that.
Logan: at that stage.
Logan: Are you more willing to hire for parameter, uh, people, uh, when, when the packaging and the scaling is occurring?
George: Yeah, you have to and, and it is really a good point because if you had all possible people, you may not have it zero execution, right? Like
Logan: they'd all be wandering. So I'll
George: be wandering around. So they'd all be, you know, at the whiteboard. Like at some point you have gotta get the, the deal in cash in the bank. Um, so there does need to be some structure, right?
Which is, yeah, there's a lot of things that we can do, but what's it going to take to get the deals done? What's it going to take by deal, by week, by month, by quarter to make sure that you're going to hit the targets that you have in place?
Logan: touched on some of this stuff earlier, but, um, the early days of marketing and, and PR and just, um, getting your [00:52:00] name out there. I think you guys did a, did a great job of was, was that the founding team and just sort of the DNA there? Did you have a marketer? Was this a purposeful
George: pretty much us. Yeah.
Yeah. Like,
George: you know, the, the, the early folks had, had, um, strong reputations and, you know, we, it's not our first rodeo and we were known. So it was, um, relatively easy to be able to go out and take some of the intel that we had and some of the things that we were seeing and being able to explain that to, to, um, the industry at large and people were interested in that.
So it, it, it definitely helped build credibility. Um, I had written a book, a couple of books, and that was, that's kind of the best business card you have too. So that, you know, you kind of leverage all that to. Get your name out there and kind of stand up, uh, above the
Logan: Was the original book, by the way, was that with this in mind that it would build your credibility or was it a, maybe I'm going to be an author
George: No, it wasn't to be an author. It was, um, When I, when I was doing, um, So when I was at [00:53:00] Pricewaterhouse, I was in accounting. Got really bored of that. Then moved into management consulting. And they basically, it's 93, they said, Hey, can you sort out this internet thing? It might, might have legs. So I'm like, all right.
So I looked into it and like, okay, you know, I mean, I was pretty good on technology and then really developed a lot of these pen testing methodologies that hadn't been developed. Like they just, again, it was the whiteboard. So I wanted to write it down because people were asking me about it. So that, that's how the first book really came about with a couple others. Um, and you know, the whole idea, I kind of laughed because I think it would have made more. Uh, working at, um, you know, a fast food job at the time, uh, then I got paid on the book like per hour. We put a lot into it, but it was really the best business card. And at Foundstone, we always had a saying is you, you want the people who read the book doing this work or you want the people who wrote the book? I don't know. You know, if I offered that to you, you'd probably want the, the guy or gal who wrote the book. So that, that was our business card. So we use that to our advantage at Foundstone and, and [00:54:00] certainly at CrowdStrike. I
Logan: Were there any tactics of, I mean, it sounds like there was a lot of white papers or blog posts you guys did in the early days of PR and marketing. Anything, um, that, that you look back on, uh, what that was particularly Um, useful or interesting that, that, that comes to mind.
George: think the fact that we were able to humanize these attacks. Which no one really had done before, put an aim to a face, you know, put how this all works, demystify this, you know, things happen in ether. Well, this is actually how it works. I think that really gave us a leg up and credibility as being experts in this space.
Logan: CrowdStrike doesn't really have a, uh, a mission statement beyond stopping breaches, I guess. Is that, is that fair?
Logan: Uh, how has that simplicity helped you, um, kind of drive the company and set the vision?
George: Well, I always say we don't have a mission statement. We're on a mission and that's true today. It was true when I started the [00:55:00] company. In fact, when people would, um, we had this very Spartan sort of stealthy website, you know, one page thing before we launched the company. And if you want a job at CrowdStrike, when you emailed, it wasn't emailing jobs at CrowdStrike, it was emailing mission. And that really put it in perspective, like, we want people to sign up for the mission. And I think in security, if you have a mission and purpose, like every day we're saving customers. I mean, there's countless stories of, you know, saving customers from e crime groups or nation states or what have you. So it really is a noble cause and we wanted like minded people who, and certainly in the early days, like, you know, they could have got a job at. A big bank, they could have been assisted with a big bank, they could have done all kinds of stuff and made more money on a cash basis, like beyond CrowdStrike, um, not the stock, but you know, so what we want to do is we want to have people focused on that passion for our customers,
Logan: The state of [00:56:00] cybersecurity today, I'm sure whenever, um, you get asked about this, people are, it's bad and it's, there's, there's a lot of different groups out there. Can we talk about the different, um, there's nation state e crime and hacktivism that you referenced earlier. What's the distinction between them and what's the, uh, I guess, how, how would you sort of draw the different perspectives of who's the more aggressive actors or anything along those lines?
George: Well, nation state is, you know, many of the places that you would suspect. Um, it's really, you know, an operational mission of either gathering intelligence, uh, or planting technologies for future use. And, or potentially using it, which we've seen in the past in terms of destruction capability, it's the simplified version of it, right?
So people get paid every day they get up, you know, they're, they're in these organizations either by choice or not by choice, but their job, you know, nine to five is to be able to go out and get [00:57:00] into companies and it's like a, it's a full company that's designed who can get access, who can get the data, who can understand it, who can operationalize it.
That's what they do. Um, so that's their, their, their goal. And that's happened for the last 4, 000 years. And it's going to continue to happen now. It's just easier to do because you have the
internet. Then you've got the e crime actors who people have been doing bad things for the last 4, 000 years too. So now that's just, they can do it. You know, used to have the pickpocket that would, pickpocket that would canvass one block radius. Now somebody sitting in their bedroom in their pajamas can, you know, they've got the whole world at their fingertips, right? So it just makes their job a lot more scalable to steal more money and less risk. And hacktivism, you know, people have always been speaking out and, and, uh, having a view on things and, Now, uh, it's a little bit easier to kind of get your view out there, uh, in ways that could be destructive to the organization. So it's it continues to get worse. Um, just because [00:58:00] the way I look at it is security has to parallel that the slope of the technology curve. So if we think about technology, and I would argue, That in 1993, when I got in the business, technology is pretty simple, you know, for the internet, yet you really didn't even have a firewall. You had like a router, you had a website, you know, you barely had a database. So super simple thing about the technology, like the curve is, is hyperbolic in terms of like all the new innovation. So if security doesn't parallel the slope of that curve, that's really where you have problems. But there's so many more opportunities. That it's become big business for security companies, but big business for governments, e crime, and others. And that's why we're in the state we are in today.
Logan: when e crime occurs within a company and there's I guess ransomware or they're they're asking you to pay something to get your information back How do you help a company think through if that's the right decision for them or a government? I guess as the case may be versus setting a precedent [00:59:00] that you know, you pay if you get attacked I'm gonna
George: It's really, it's really a risk based decision. You know, it's a business decision to be, to be clear. Um, and I'll tell you a story and, and I'll get into details of your question, but a number of years back, we got a call on Friday at five. Um, because nothing good happens before. Right. You have five, right?
Yeah, your, your deal that you want to get closed never comes in and at that point it comes in, you know, two weeks later, but like the IR call comes in, it was CEO writing a public company and they said, Hey, we got, you know, like thousands of computers got taken out. They weren't a customer. Um, they called me and said, can you help us?
Yeah, we got on a call within an hour. Sorted out and, you know, looked like ransomware. And, uh, you know, we said, okay, we think this is what it would cost if he wanted to pay it. And as I said that he, you know, the words didn't even hit the air. They, they were hanging in the air and he said, we pay it and. [01:00:00] To be honest, if he could have paid it, he, he, he would have, and it would have been a much better outcome.
He couldn't because it was actually destructive, uh, malware that was masquerading as ransomware. So there was nobody to pay.
Logan: Wait, what's that just say? I mean, uh, destructive malware that was masking as ransomware. What does that actually mean?
George: Yeah, it was basically, uh, it was a Russian based attack that was designed to be destructive, um, against Ukraine many years ago. Um, but it was designed to look like ransomware.
Logan: So look like, Hey, if you pay this amount of money, we'll go away. And in truth, it's not that it's actually trying to just attack and
George: Exactly. Yeah, that's the whole purpose. So, um, so they couldn't, they couldn't pay it. And then, then there was, you know, big recovery and those sort of things. But getting back to the point, you know, that was one area where he would have paid. It would have been a lot easier to pay and it would have been a lot less costly. So customers need to just make that decision. In today, in 2023, we deal with a lot of it. Um, a lot [01:01:00] of the customers do decide to pay, um, because of you, you have this, uh, Kind of double ransomware right now, sometimes triple, where you've got the data that's being encrypted or the data stolen first. And then even if you restore from backups, which people have got better at. They'll just go to a dedicated leak site and dump data. So it's a bit of a Hobson's choice. Like, do you want all your data out there or do you want to pay? And yes, you have an issue. Yes, it's reportable and those sort of things, but at least your data that, you know, maybe your customer's data is not floating around and they will actually, the e crime actors will film the data destruction. They will actually write reports on how they got in. They will actually give recommendations and products. We happen to be one of the products they recommend. How about that?
Logan: Is that a channel for you? E crime, the E crime
George: And it's just, you can't make this stuff
up. Like when you actually see it, you're like, did they just put together a consulting report and have product recommendation answer is yes. So that that's [01:02:00] how, that's how mechanized this whole process
Logan: Why, why do they do that, by the way? Why do they help, uh, after
George: They got, they got paid. They're, they're, they're trying to make the
Logan: It's just, it's just a product. Yeah. Yeah. They're saying, Hey, this is what we,
George: This is what we found. This is how we got in. This is the data being destroyed. Um, and you know, if, if there wasn't, if all of a sudden you paid and then the data got leaked. Right. And the next guy paid and data got leaked, somebody would go, well, why would I pay?
Cause it's going
to get leaked, right? There's, there has to be some level of,
Logan: Brand,
George: yeah, like, you know, otter among thieves, I guess. Right. If, if no one was, if people were getting paid and not getting the outcome, that would stop pretty quickly, but people are paying. It doesn't mean they won't come back. It doesn't mean they can't do bad things, et cetera, et cetera.
But they basically. Most cases holding up their end of the bargain that depends on the group. Some groups have better reputations of,[01:03:00]
Logan: I mean, this is just for people that are outside of cyber or, uh, to make this totally clear. So I'm working at a big company and there's a group in Russia or wherever they are, and they hack into our systems and they get our credit card information or our customer's information or whatever it is, and they're saying, Hey.
You can have this back, but you need to pay us. And then if, if, if you pay them, then they're delivering you, Hey, here's how we got in. Here's how you need to protect yourself. Here's our recommended vendors for it. And if not, they might go dump it on a big exchange and it'll all be out there. And so they're building their own ethical, uh, uh, or not ethical, but their own brand and reputation that if we get you and you pay us, then we'll help you.
Uh, which is kind of this funny prisoner's dilemma that putting CEOs.
George: It is. And the groups that do incident response were one of, of, you know, one of the bigger ones that do it. Um, we kind of know who the groups are and we have a view of whether if you pay them, whether they're just going to still dump the data or what they're going to [01:04:00] do. Right. So,
Logan: I'm curious, uh, and I realize this is probably a hard number, but let's take fortune 500 companies, uh, and they get attacked are, uh, the, the ethical, uh, criminals, I guess would be the right term. Are most of them these days, uh, ethical in the way that they'll do if you pay them, they'll actually do what they say they were going to do, or is it?
George: yeah, I mean, I, I don't, I don't throw ethical in
the same context, but I think, do they, do they hold up their end of the bargain
for, for some point in time, I would say for the most part, what we've seen, you know, the, the, the bigger brand name ones,
Logan: It's hard to talk about criminals like
George: it's not, and you know, it's a super serious
subject, but, um, when you explain it to people, cause somebody is going to, you know, maybe people listen for the first time and they're going to go like, really, does this happen? Like people break in, steal the data. If you don't pay them, they just go nuts. But if you pay him, like there's some honor of. Like, here's the video of it being destroyed. Here's the report. Here's, you know, it's kind of a crazy
[01:05:00] world.
Logan: a fascinating, uh, fascinating business out there.
Logan: Um, what about, uh, uh, AI in this, in this whole world? We've, uh, Generally, we don't make it very, I don't think any podcast and technology these days makes it this long without really, you referenced it earlier, uh, back in the days when we called it machine learning, but now it's a, I, um, how is a, I changed some of the attack vectors for the potential criminals that we're talking about and also how has the founding principles around a, I benefited CrowdStrike and going forward.
George: Well, it was a founding principle of, you know, quote, AI was, that was really more of a marketing term at the time was machine learning, which you can say is AI is fine, but you know, it was not generative AI that, that really wasn't around. So, you know, for us, we, we. That's why the approach was get the data first, right?
Because once you have the data, then it unlocks the AI piece of it. And that was, that's been very successful in, in stopping breaches and finding things that haven't been found before. Now, when you look [01:06:00] at generative AI, we've got a product called Charlotte AI, which is essentially, you know, your virtual SOC assistant that not only can answer questions, but can do work on your behalf.
So the whole goal for us is how do you take eight hours of work and turn it into, 10 minutes for a SOC analyst. Um, so that's the goal. So I think there's a lot of promise for it, um, from the, from the defenders, but obviously that can be used for malicious purposes as well. And for many years, we dealt with adversarial AI, um, teams trying to defeat our AI in terms of files and things of that nature.
And now it's moved into more like dark AI, which would be, you know, how do you use, uh, generative AI models that don't have guardrails? You know, like fraud GPT and others that are out there. So, um, what that is going to allow, basically, what, what does all that mean? It means that you can democratize, um, the, these very hard concepts of getting into a company or creating exploits or malware, and you can democratize that and [01:07:00] make that available to a much larger population because now it's, it's, you know, like, like chapping tea for the, for the bad guys, right?
They have their own, their own, it's not chapped GPT, but. They have their own models, right? So you have many more folks who maybe don't have the expertise can now execute a campaign. That's one. And two, the time it takes to actually figure all this out is now compressed. And this is, this is part of the problem in security.
It's really a time game of, you know, how much time do you guess you want to prevent it, but if something bad happens, you got to be able to, to react to it. And you can't do that in three days. You got to do that in, you know, under 60
minutes.
Logan: fraud AI is actually a, uh, so there's a there's a fraud GPT. Sorry. So there's a, um, chat GPT equivalent that doesn't have any guardrails on it. And if you want to do malicious. Attacks. You no longer need the expert sitting next to you saying, Hey, let's try this [01:08:00] permutation of this and do that. Now, uh, fraud GPT will do this on your behalf.
And so it's while, uh, chat GPT or whatever it is, is democratizing creativity or whatever it is. This is democratizing cybersecurity attacks for these bad actors. Um, is there, is that just the new state of What we need to deal with and you all and folks like yourself are just going to need to continue to get better.
And is there anything we can do beyond, uh, about this type of thing going on?
George: I mean, it's just, you know, first you got to be aware of it, understand how the adversaries work, right? And what makes them tick, which is really important because, um, this is why security intelligence is, is, is a hallmark of what we do. If you, if you don't know what the offense plays, what they're going to be, it's hard to run, be a defender like football, right? Um, you got to know what the playbook is over there. So that's the new playbook [01:09:00] and it goes back to. Security needs to parallel the scope of the technology curve. You're not going to, nor should we want to inhibit any technology innovation. We should, as a security company and security practitioners, we should focus on how do we enable that new technology to be used safely, uh, and, and the main purpose it was intended to be used for.
Logan: What's one thing you'd recommend any person listening, uh, at a company beyond by CrowdStrike, I guess, but that they do to up their security posture or try to prevent some of these attacks from occurring.
George: I mean, it extends through small companies to large enterprises, but one of the biggest areas of, um, exposure is identity and poor passwords. We've been going to RSA for 30 years, been talking there for 30 years, and we still have the conversation of like poor passwords. Um, and as, as an industry, we still haven't solved it.
We've gotten better in [01:10:00] areas, but we still haven't solved it. So I think having, um, better passwords, password managers, two factor authentication, um, where possible to enable those in many of the larger cloud providers and Apps have that, that would be a, a big step in just preventing somebody from getting in. Uh, and then after that it's, you know, having the right security technologies and it's, um, you know, really protect, detect, respond, and, and now it's gonna be report that's gonna be the fourth element 'cause of the SEC reporting. But from, from the average person, you know, I think. Shoring up their identity and their passwords using two factor is going to be a good starting point
Logan: Because you touched on it, the SEC reporting now for public companies, they have four days to
George: for these.
Logan: disclose. Once they know, then they have
George: Once it's, once they know it's considered material,
Logan: And when did that come to pass?
George: December 15th, 2023.
Logan: So just recently, this is a, this is a new thing. And, uh, and so does [01:11:00] that include like when any person within the org finds something out and they have to escalate it to the CEO and everyone has,
George: It's, if you have an incident that is, um, I'm kind of paraphrasing, there's, there's, devils are in the details, what's material, when you found it, and those sort of things, but If you had sort of a material, material incident, then you have four days to be able to publicly disclose that, which is a tight timeframe, particularly if you do an incident response and trying to figure out the, the cone of exposure and compromise and where people. You know, if you have an active adversary in there and then you don't have enough time to kind of sort it all out, well, in four days, you know, you got to make a disclosure. And now what we're seeing, kind of get back to the ransomware pieces, we've actually seen ransomware groups who hadn't got paid report to the SEC.
So it's like triple extortion, you know, either your data is going to get dumped, it's going to be encrypted, or they're going to, if you're a public company, they're just going to run to the SEC and say, Oh, by the way, we broke into them. They hadn't reported to you.
Logan: we've been talking for probably a decade. It feels like in this, uh, from [01:12:00] my seat about like cybersecurity now being a boardroom. level conversation, but we're, we're seeing now with this sec rule being passed and we've seen a lot of, uh, big public companies, stock prices with all this stuff be very well, I assume we'll, we'll see even more of that going forward, uh, as a result of a result of this,
George: Yeah. And you know, you see a lot of companies that have issues. Um, any big company is going to have an incident and it's making sure that you, you try to make sure that incident doesn't turn into a catastrophic breach or what have you. I haven't run into too many companies, particularly bigger ones and public companies where they're not taking security seriously or they're not spending money on security or they're not trying to do the right things.
I mean, Each one is a different spectrum and maybe you have different industries, but, um, for the most part, people want to do the right thing. It's just, it's really hard. The adversaries are good. Um, you have to be better and you have to have, unfortunately, you have to have the right technologies. Um, [01:13:00] because many companies buy one of everything and two of everything else, and then they have a hodgepodge of things that don't work together and wherever those little seams are. In their security products across the spectrum of what they need to do is where the adversaries generally hide.
Logan: we talk about network effects so much with, uh, consumer businesses and we think about Facebook or whatever, all that. But the, I guess the other term of accumulating advantages that come from, um, Some level of consolidation of cyber security tools, uh, you all continue to benefit from the incremental customers you have because you see more attack vectors.
You know these groups even better. It's interesting to see a real enterprise accumulating advantage play out for you.
George: That's the crowd in the crowd strike. People always ask me, well, how'd you come up with the name? You know, crowd is the crowd sourcing piece, strike is the fact that you're operating from the cloud and you have to, you know, dive down very quickly and make sure that you can deal with these things. And that's why the product is Falcon.
It's the fastest diving, diving, bird in the [01:14:00] world, 200 miles an hour. So that's how we put it together. And it was that network effect. And literally from day one, that's why we started with the data. The more data we had, the smarter the system would get and you know, the more things that we could do. So we operate. Uh, we have agents in 176 countries. When I say agent software, that runs on that on someone's computer cloud, and there are many attacks that we haven't seen. There aren't many techniques we haven't seen. So it gives a real advantage of this community immunity sort of approach. And then, you know, those sort of things get baked into, um, the product. You know, in the algorithms and, you know, they, they auto adjust themselves to be able to make sure that the rest of the community is protected as we see them
Logan: What's next in the cyber security industry as you kind of look out? Is AI the big one or are there other things that you're really paying attention to?
George: in the early, early stages of AI, what it can do and how it works. And people are, um, trying to figure out how they commercialize it, make money, how it actually adds value to a customer. So you have that. I think from [01:15:00] a cloud perspective, that the cloud technologies are moving so quick. Um, you know, used to be compute and storage, and now it's literally the alphabet soup of things that are out there, um, that make all this work, and it's very complicated.
So I think that's, that's really the new frontier, which is why we've spent a tremendous amount of R& D dollars, and we're one of the largest cloud security companies. Independent companies on the planet. So we think that's a great opportunity, um, from a business perspective, but it's also a big opportunity for the adversaries.
Logan: want to back up a little bit. We touched on your journey into being an entrepreneur, but what was did you grow up thinking you were going to start a company and found stone was just the manifestation of that? Or do you kind of accidentally fall
George: Nah, yeah. I always wanted to do something on my own. Um, yeah, I, I mean, I grew up, I had zero money and, uh, you know, put myself through school and that kind of stuff. Um, and then. I got an accounting degree because I didn't want to [01:16:00] be a mainframe programmer because I went to college in the 80s and really didn't, I didn't, didn't mean, you know, you can be a Unix programmer or something back then, but a lot of it was around mainframes.
Didn't want to do that. Really wanted a business degree because I knew I wanted to do something on my own. And yeah, that's how I picked accounting was. I just thought it was a good way to, to, have a foundational element, you know, understanding of business and, and how things work. And that's really how I, you know, I was, I've always been creative. And sort of had that, you know, mindset that the, the security mindset is like, how do you think about how somebody is going to break your system, but you're always. Thinking about the creativity, like what, what's next? How do we, what do we do? How do we solve problems? And, you know, for me going out on my own with Foundstone to kind of solve a unique problem that I saw was fun.
And, you know, I honestly, I'd rather bet on myself than others. So that was, that was a big piece of it.
Logan: the original product and team, you, you all [01:17:00] were in New Jersey at the time and I read that you met, uh, your VC in the Minnesota airport or something, uh, to raise money. What was the, like, how did you get the group, the band together to go build?
George: Yeah, we, we had all worked together at E& Y and, um, you know, we're kind of like, this is, you know, there's things that we want to do and, um, you know, it was a fine place to work, but, but beginning at so many constraints because. It's, you know, independence issues and all kinds of things that you couldn't do if you were an independent company. So, um, that was, that was really it. We, we sort of got some folks together and said, Hey, there's a problem in the industry, which is like, we can't. Cause we were doing a lot of pen testing and those sorts of things and people couldn't find all the vulnerabilities. And at the time it was like desktop scanners. Um, not enterprise vulnerability management solution. So we, we said, well, why can't we take this simple desktop scanning assessment technology and make it an enterprise ready vulnerability management solution? And that's how, um, that's how [01:18:00] we literally created the term vulnerability management that didn't exist before we, we, we put it out there because people were assessing, but they weren't managing and they weren't doing it at enterprise.
So that's how, um, we got that going. You know, for me, it was just, I'm a blank sheet guy. Like, how do you create new things? How do you solve problems? That's part of being an entrepreneur.
Logan: does it, how, how does the late twenties, uh, I assume, I mean, you were at least, I don't know if the others on the team were, but E and Y. Uh, people in New Jersey, how did they end up finding their way to Silicon Valley investors and, and, uh, ultimately like getting this business going?
George: first VC was out of Seattle and basically said, you could move to California or you can move to Seattle. And I said, nah, I'll move to California. And so I like the weather a little bit better there. So that's how I got to California.
Logan: Wow. Yeah, I, I think that's pretty distinct from the, the way that VCs operate today with the remote and all of
George: Yeah. This wasn't a, this wasn't a choice.
It was like
Logan: that's, uh, that's fascinating. Uh, and [01:19:00] you guys have been remote. I mean, I referenced it, you've been remote ish from the, from the start, from the early days.
George: remote first as a company. I mean, now we have many offices and, uh, you know, we're encouraging people who are near an office to go back in a couple of days a week, which is always a challenge post COVID. But what I wanted to do in, in, in that foundational team, those first 20 people is to handpick, um, the best folks, put them in place wherever they were at, and then we ran things remotely.
And even, uh, I remember having the conversation with Samir at Excel, you know, how's all that going to work? And I'm like, well, the most effective software model I think in the world is open source and everybody's all over the place. So I think we can try some of that and, you know, we'll make it work. And it did.
And literally, I mean, we did this before Zoom. We did this before. Slack, we did this, like the tools we had were stone age in 2011 compared to today of what you can do, but we made it all work. We literally had tried, you know, [01:20:00] tap a talk and you name the crazy stuff. We used it, um, but we made it all work.
And then over time it was, you know, still being able to have the flexibility to hire people that were remote, but then have offices that were really hubs where you can have some center of, of gravity. Not only in the U. S., but worldwide. So that, that's how we operate.
Logan: Are there first principles, things that you, you all do from an operating standpoint, hey, everything needs to be written or everyone needs to be on a zoom with their own screen or anything along those lines that you all do that you recommend,
George: when we first started and we were a remote company, um, we made everyone, no matter where they were, come into, at the time it was California, for one week of immersive training. And it was required that someone on each staff had to teach some part of it. Every time we had someone that we ran an
Logan: the staff executive,
George: executive staff.
Yeah. So just basically somebody that represented the executive staff had to go there, [01:21:00] meet the people. And teach them and tell the stories, not the whole week, you know, but like there's section of it. And, um, we had to stop that with COVID, but we did, it didn't matter whether you were a receptionist in Sydney, you flew to California and you basically got immersed for a week.
Logan: and that made it through thousands of.
George: Thousands of
people, I mean, expensive, but it really helped build the culture. Um, and it got people, you know, to, to buy into what we were doing. They weren't always in an office, they weren't always being touched. So you, you wanted to give them that foundational piece. So I think that was important. And then the other piece that we did is we, we had many sort of forced meetings and, and offset, not forced in a bad way, but Hey, we're not going to see everybody in person for, you know, for three months.
So we're going to get the entire engineering team together over here. And again, there was expense associated with it, but we weren't paying for all the real estate, so it kind of balanced out and that really made a big difference. Getting everyone together to accelerate the collaboration.[01:22:00]
Logan: It sounds like there's a methodology that you use for, uh, how you operate and run CrowdStrike. Can you speak a little bit about that?
George: Yeah, it's something I came up with over the years. I mean, it's nothing, uh, you know, so for so formal, but it's it's kind of what I use to to try to operate a company. And I I came up with, uh, just an acronym so I can remember it, called PETS, which is People, Execution, Time, and Strategy. So I think a big part is you, you know, you have to have the right people.
And there's a methodology of finding the right people, uh, who can execute. And, you know, there, there's sort of the, the say, do ratio. There's a lot of saying, but not a lot of doing. They're probably not executors. Right. Um, and there's a piece that goes into how you execute, how you manage the business, how you understand your KPIs and all the things that goes into making, you know, execution take place. And then there's a strategy piece of like, okay, what is the game plan here? What's the, you know, immediate game plan, medium term and long term. And then how do you put time around it? And [01:23:00] the challenge I see with a lot of, uh, folks at organizations, even young entrepreneurs is like, like time matters. You know, I'm looking at a watch, not a calendar. Um, so, you know, if you don't take all of those things and execute within the timeframe that you have. You know, I mean, if CrowdStrike came out today, we'd be crushed because it'd be everyone else, you know, uh, you know, that's doing all kinds of stuff, right? We, we were at the right time, we executed, we had the right people, and we had the right strategy, we put it all together.
So, you know, there's all subcategories of that, we don't have to go into it, but it's just a simple way for me to look at it. If you don't have the right people, you can have the best. You know, strategy, it'll go nowhere. Um, you're not going to execute it unless you have the right people. And then you're certainly not going to do it within the timeframes you want.
So that's really why it starts with a P. Going to come out, come up with a different acronym that would have started with something else, but it started with a P for that reason. So that's really the way I use it. I talk about it internally. People know it internally. And, [01:24:00] uh, It's been, you know, a helpful but simplistic way to, to think about, you know, making Crotch Strike, uh, you know, even better than it is today.
Logan: And so is that the PETS acronym as it goes across, there's a bunch of sub questions that you'll ask within each department. And is this something that actually folds into a, uh, to KPIs and frameworks and all of that as well?
George: Yeah.
it's um, you know, it's not so structured that, uh, I probably need to put pen to paper one day and, and write it all down. But,
Logan: Yeah. Write another book. Yeah. Yeah.
George: go. Um, but I think if you take sort of those key principles, it can be applied across what we do in, in many areas. You know, just getting people to think about it in the right way.
Logan: Early days growing up in New Jersey, uh, so you, you mentioned, uh, putting yourself through, through school, uh, I read around seven, your father passed away, is that right? Um, and at that point, you took a job to be a newspaper. How, how did that [01:25:00] experience or whatever, whatever part of it you want to speak to influence you today as a founder, operator,
George: you know, it's one, it's one of those things that I think like if you look at the top entrepreneurs, um, There's probably always some level of trauma in their life, no matter what it was, that I think helps galvanize their thinking and their work ethic and, and, you know, really who they become. So, um, I think if you can take those life experiences and, and, uh, galvanize and turn them into something that you can build on, I think that's important.
So when you don't have a lot of money and you gotta, you know, figure it out, you gotta go out, um, make your own luck. And. I think if you realize, like, if you have no money and you're making it yourself and it's hard, you remember all those principles, you know, as you start companies. When you look at CrowdStrike, um, you know, I'm still, I still look at. [01:26:00] All the cash that comes in, you know, AR and cash are our biggest, uh, areas that we focus on, but it through our whole history of Foundstone and CrowdStrike, like expenses matter, cash matter. We were never a company that just spent at any cost and, you know, hope for the best. So I think those sort of blue collar experiences. You can translate into running a company and how you deal with people and how you hire people and, um, you know, it's just life experiences that you file away and hopefully make you better.
Logan: my understanding is you played a lot of sports growing up. What, uh, any, any sports you look back on, you think were the most impactful to you. I know you still race today, so I don't
George: I didn't, I didn't get to race one. I mean, I did all kinds of crazy, you know, motorbikes and stuff like that, but, um. Didn't have enough money. Racing is, can be expensive, so I didn't have enough money to do that. But I, the biggest one, I mean, I, I swam, I ran, I wrestled, I baseball, football. I think football [01:27:00] was, was the biggest one for me.
Um, that was really impactful. It was team sport and, you know, I was never the biggest, the fastest, the, you know, go down the list. Um, I think, you know, I was probably the. The guy with the biggest heart put the most work in, which again, translates into, into things that you do later in life. Um, but I think, you know, working with a team, even today you look at so many kids are just in their bedroom and they're playing video games and those sort of things.
And it's, you know, sometimes it's good to be out, be on a team, understand how it feels to win. Um, understand how it feels to lose and take all those life experiences. So I would say football was the biggest impact for
Logan: Football's an interesting one, as you referenced and we talked about earlier, I, uh, I played as well and it's, um, I guess for our international audience, maybe they wouldn't, won't appreciate this point quite as much, but it, I so much appreciate it because every body type has a kind of [01:28:00] different spot that they can potentially pay if you're a big heavyset kid, you can do this.
If you're a small, fast kid, you can do that. And then it requires such Coordination among the group, right? Like just having one person do their own thing might work in basketball or soccer or whatever it is. But you all need to be in concert kind of working together. And if one person fails, the whole team could fail and actually put each other at risk in some way physically.
And so I've thought it's a I realize there's a lot of safety concerns around, around it and rightfully so. But, uh, there's so many good lessons. I feel like I took away from that sport specifically.
George: Absolutely. I agree. And we didn't, you know, we didn't have all of the, the fancy equipment, everything.
Like literally I was telling the story the other day to somebody like, if, if you screwed up, uh, you know, your punishment was, was you didn't, you didn't get to go to the water trough. Like people, you know, people are dying now because they don't, they don't get water. That was our punishment. No water for you. Like, you think about that. That [01:29:00] makes no sense.
Um,
Logan: Concussions were called shaken up or
George: yeah, yeah, shake it off.
Like, I can't tell you how many concussions we probably all had that
we just You know, we would, uh, we just go back and we had a coach that, you know, if you screwed up, you'd take his whistle on his, uh, we would twirl it, whack in the helmet, your ears would be ringing for the next two hours,
Logan: I don't think that plays
George: not anymore. but that's what we
Logan: You, you learn, you learn a lot of good lessons, uh, along that, um, we, we referenced PricewaterhouseCoopers, uh, in, in working there in their early days. Did that, anything from that experience, um, that you, you took with you today or as an entrepreneur specifically, obviously it led to your entrepreneurial journey, but any lessons of being an accountant right out of undergrad?
George: So I, I was an accountant, I was a, uh, intern. So it was like a special program that I got into internship stuff and, uh, was able to work, um, you know, many, many long hours, uh, while I was still. in school. And I think it gave me, you know, an appreciation for attention and detail. [01:30:00] And, uh, Probably work ethic.
And I, again, I have so many stories when I first got to Pricewaterhouse, I literally was using 16 column and 10 key keyboard, you know, 10 key calculators, right? There was one PC, um, which barely worked. And so we were adding all this stuff up, but anyway, long story, there's plenty of stories around, you know, what we did to try to help make that a little bit better.
But I remember when I first turned in my first set of work papers, and if you've ever seen these things, now they're, I'm sure they're all electronic, but it was like a phone book. And I turned it in and the senior that I worked for, she literally, I was so proud. It took me months to audit accounts receivable for a big pharmaceutical company. And she went down, she looked down the side of this piece of paper, like not paper, but the work bundle, and she slid it back and she goes, all the pages aren't, aren't even, what do you mean? They're not even, they're not even. Then I had to literally go back and refold because [01:31:00] you had, you had to use this little eight and a half by 11 cardboard thing.
And then you had 16 column came out here. Right. Dating myself. You had to fold it like twice. And then you had to put this, this little cardboard thing in so that everything was even. And I'm like, you gotta be freaking kidding me. Like this is the dumbest thing. But when I look back, it was attention to detail. So it's, you know, why the Marines flip a quarter on the bed. Can't make your bed right. You know, you're not looking at, you know, your equipment, right?
Logan: It's funny, I have a funny one from investment banking, which I notice fonts all the time. And if it's like a, uh, if a presentation or something has like a different font in the chart than they do in the, uh, I just, I can't not see it. And it's just, it's funny. These things get kind of ingrained in you. And I'm sure you look at stacks of papers and we'll notice that
George: I look at, yeah, all that, but any little detail, my, my biggest pet peeve is if I see a, and you probably seen this, like PowerPoints that have, [01:32:00] um, a date, but they're out of date,
like it's 2024. I shouldn't see a 2023.
And if I see that, it's like, well, what else have you missed?
Logan: Totally. Oh, yeah, it opens up. It opens up a bunch of different questions along the way. As entrepreneurs sort of think about the timing of an individual market and the tailwinds, we talked about the different components that you were, you were thinking about. Is there a way of, um, that you advise companies to sort of assess if now's the right time or if they're the right person to go out and actually start a business?
George: Sure. Well, there's two pieces of that. One is the market ready. And two is, are you ready to go do that? Um, which sometimes are, you know, mutually exclusive. But I think from a market timing perspective, when I looked at CrowdStrike, I saw that the need for security, A, wasn't going away. B, the outcome that people were paying for, literally people are paying billions of dollars for security and they're still being breached, right? Um, because everyone's focused on malware. I mean, you know, it's still a problem today. There's still security issues. But [01:33:00] certainly back then, people were spending a lot of money with these legacy companies and firewall companies, and they're still being breached. I mean, is there a company that you know of that has been breached that didn't have a firewall?
Logan: No,
George: They all have them, right? So, I mean, okay, things that policy enforcer. So my, my point on that was like, there was an outcome that we needed to solve for and people being breached was an issue. So I knew there was a better way to do it too. And this is a really important point is I like markets where, you know, you have incumbents with high customer dissatisfaction, you ask any customer.
And I was at Mac, I won't pick on Mac, like pick the whole lot of them. Did anyone really like their technology? 95 percent of the customers are like, no, this thing is slow. It takes too long. You know, it doesn't work. I'm still being breached. I need something better. So with that level of dissatisfaction, there's got to be a better solution.
It was like perfect for us. And there are other markets like that. Um, you know, if you're going to enter a market where everybody loves the product and people don't see the new problem and. You know, they're not going to figure out what they need [01:34:00] into the next five years. That may be a tougher slog, but for, for us, we knew high dissatisfaction outcome that people wanted.
And biggest thing was we had a unique and differentiated approach.
Logan: yeah, my framing of that, uh, which actually my father in law used in his, uh, his father of the bride speech, uh, was, was why now, why you and why this, like answering those three things. Why is this moment in time? You can either be too early or too late. You're never, it's never the right day to start a company.
Uh, and ideally you're, you're going to be a little too early, uh, and then grow into it. And then why do you uniquely have a skillset to go do it? Because, uh, anyone else in the world could probably go do it. And then, and then why this, like, why this approach to solving the problem versus anything
George: selling, selling one on one.
Logan: Yeah. And then, and then it's, why does it, why does it matter? What happens if it's successful?
George: Is he in sales too? Is he in sales? I
[01:35:00] think the
Logan: yeah. Yeah. It's an inter interesting thing. Yeah. Um, cool. There's a lot of ambitious people that might be listening to this thinking like, how do I rise within my organization?
Or what, what does successful people within a company like CrowdStrike do? And I, I, I imagine you've had a lot of young people scale within your Europe org. Are there commonalities either? Characteristics or anything you would point to that, like people that have really succeeded within CrowdStrike and have continued to scale within the organization have
George: Um, play for the name on the front of the jersey, not the back of the jersey. And, you know, if you're always playing for the name on the back of the jersey, just because you're worried about your own career or yourself or something, that, that doesn't really work out so well. So the team aspect of what we do, I think people have pitched in, people have been thrown into areas where like they've maybe not had a lot of experience, but they had to figure it out, but they had the right attitude. And, um, you know, again, it's attitude and aptitude. Maybe, maybe they don't have all the [01:36:00] skills in an area. Uh, or the experience, but to get the right attitude. And I think that is one of the key pieces. So we like really wicked, smart folks who have a, you know, start with a yes and play for the name on the front of the Jersey.
Um, and are really worried, just focused on getting stuff done. Uh, it doesn't really matter. I mean, there's 20 excuses you can come up with of why not to do things or why it was hard or dogging my homework or all that kind of stuff. It's like, none of that really flies. Like we got to get stuff done. It's not going to be easy. Let's figure it all out, work together as a team. That, that's what we, that's what worked out well, I think. You know, the best for our culture. And if I was to give any advice, um, you know, if, if you focus on making the customer happy and you focus on being a team player, then a lot of the good things come, like if you just focus on making a bunch of money and just yourself. People tend to get themselves derailed. And I think if you just, [01:37:00] and certainly from a company building perspective, focus on the customer, the rest takes care of itself and you know, don't always, it's not always about you, you know, or the founder or the CEO or those sorts of things like it's a team sport and you've got to keep that in mind.
Logan: awesome. Thanks for doing
George: All right.