Livecast #2: The Business of Cybersecurity in China with Ed Tsai

Our livecasts are recorded live, and we welcome everyone to join our discussions!

The below transcript is compiled and edited by Yalan Wu.

FULL TRANSCRIPT

Rui Ma: Everyone, welcome to the room. My name is Rui. I do want to let everyone know that the first half of this conversation is being recorded. But I will not be recording the Q&A. The first part of the conversation is going to be a fireside chat with Ed Tsai, our special guest for today.

Before we get started, I want to give everyone a sense of the Insight Asia Club, which you should join if you have it, as well as Tech Buzz China, the podcast that I host along with Ying, also up here in the moderator slot. 

Insight Asia is a place where we dig into the industries, countries, themes, and people that define Asia. And we do that by drawing on the knowledge and expertise of people who have worked in research and analyze the continent, themes, and identities they’re in.

So, today’s conversation is being recorded live as part of the Tech Buzz China podcast Livecast series. Please subscribe to us.

We are powered by the Seneca podcast network by SupChina, wherever you get your podcasts. We have been going strong for almost three years. You can check out our reviews on iTunes or other platforms. And the regular podcast is a biweekly one focused on giving you a peek into what’s buzzing within the tech community in China.

And we try to bring you unique insights, perspectives and takeaways on headline tech news that don’t always make it to English language coverage. Today’s is an experiment on livecasting, so instead of doing our usual scripted and deeply researched podcasts, we’re actually just going to have a conversation with one of our many friends who has worked for a long time in China, on the business of cybersecurity.

I’m really excited to welcome Ed Tsai. Ed, can you give us a brief introduction of yourself and your experience, especially around the cybersecurity industry?

Ed Tsai: Great. Thanks, Rui. It’s great to be on here with you and Ying and so it’s an honor to join you guys.

I’ve been in China for the last six years and working at two of the largest cyber security companies in China. So one was (Qihoo)360, which is focused more on consumer security and now it’s moved into enterprise as well. And they’re Not a 15 billion market cap company, about 5,000 employees.

And I recently finished a time with QiAnXin, which was an enterprise security focused spin out from (Qihoo)360 and they recently went IPO on the Shanghai stock exchange for about 10 billion, a US equivalent. So, one of the largest pure play enterprise security companies in China and so for them I was doing investment in corp dev.

And so, for QiAnXin, I helped him raise around 700 million US equivalent, so 5 billion renminbi for their Series A and Series B. And last six, seven years just been in China looking at investments and seeing the ecosystem. And before that I was at DCM and Bain so worked on US investments, so I have a sense of the difference between the two. And also was an investor when I was at (Qihoo)360 and one of the top cybersecurity funds in the US called TenEleven Ventures.

Rui Ma: Okay, thanks Ed. For that introduction, I’d like to hear a brief overview of the industry in China because I think there are a lot of us in the room who just don’t have a good grasp of the sector, could you tell us more?

Ed Tsai: Cybersecurity industry in China is quite interesting. It’s been around for a little bit over 20 years, some of the largest players like Venustech and NSFOCUS and Sangfor are guys who do some firewall work, Tianrongxin would be in there as well. They’ve been chugging along for about 20 plus years and in the first 10 or so years up to maybe about 5 or 6 years ago it was a hard market because nobody really wanted to buy cybersecurity products. Cybersecurity products were seen as a cost center. And there was a regulation in China called the Multilevel Protection Scheme; in Chinese it’s called dengji baohu (MLPS). So that’s basically a public security bureau requirement for certain IT systems of certain organizations, so usually, more so in the beginning was more for government or critical infrastructure. You had to have a certain amount of security product and pass a security scan, if you will, network scan to be compliant. Now, the good part of that is then people had to install security, the bad part is as long as you pass the security scan, you were considered compliant. So everybody picked the lower cost or the stuff that, you know, could get you past the security test.

And so therefore, like the prices were really smashed down but more recently there’s been a number of new laws in China. So more, most recently, the December 2019 the Multilevel Protection Scheme 2.0 came out and that really upgraded the requirements of each IT systems that needed to be protected. In addition to that, you have the Cyber Law, Cybersecurity Law in 2017 and what that really did was in the past, you might get fined if your company didn’t follow the Cybersecurity laws, but after that passed then not only did companies get fined, but also people.

There was a list recently out by Digit China, which showed that the IT director or different government officials would get fined if their system had some security holes or let’s say your data got stolen. So once that came out, people were like oh, if I’m going to get fined and, in some cases, people would go to jail if the charge was serious enough. Then you really go from buying a cheapest Kmart, Walmart style way of thinking to buying quality. And so that really helped the cybersecurity industry take off in 2000, it’s about 2017- I think 2016, 2017- is when it started to turn and that in addition to the Internet companies like Alibaba, Tencent and even Xiaomi started hiring a lot for great security talent, because they realize that since now you have Wechat and other payments systems online and even guys like Didi, which is the equivalent of Uber in China. There’s a lot of security and safety issues that come: your user data got stolen or the places that people get go get stolen. That’s a huge issue and so people started hiring a lot. So, the security, I think the security industry really started taking off then. 

Rui Ma: Okay Ed, I’m just going to ask a question that’s on everyone’s minds. You had mentioned decoupling as an opportunity for the Chinese cybersecurity industry. Could you tell us more about that?

Ed Tsai: Yeah. Decoupling is one big thing. I would say at the start of when I went to China in late 2013, 2014 China and US were more like buddies, there was lot of investments from China VCs and large companies going to the US, and that was fine. I would say probably around 2016, when I changed to go to QiAnXin was probably when it started getting more sensitive in the last few years. And right around that time, probably about 2015, 2016 Symantec used to have a big security group in Chengdu, but they had to shut that down because the government started requiring the use of local technology and purchasing reqs and also started requiring as some of you guys may know Microsoft had to give access to its source code for Windows to be used in government entities.

So, there was that requirement of using source code or opening up your source code. And so that became more tenuous and then the continued work within the Trump administration with some of the relationships with China got tighter. Then, you know other companies, local companies were given preference on the requisition acquisition list for government entities and Chinese companies.

And so you bring up a great point, that’s another reason why the Chinese security companies have been doing so well in the last few years. It’s similar to what happened to Google and Baidu, when Google wasn’t willing to comply, they weren’t in China and that Baidu did very well. And so I think that’s the same thing that’s happened to cybersecurity companies in China.

Rui Ma: What are you talking about those requirements? Are you talking about just for government clients or is that for everyone?

Ed Tsai: It used to be a government and now government and definitely military. You had to have either your source code have a source code review and also for military you have to have a special certification and more recently, they’d been even stricter. You can’t even have a foreign capital in your company and so those are some requirements. 

I think it’s getting stricter now. So that even if you’re a multinational, operating in China, you will still need- not necessarily from the vendor side- but even from the customer side you need cybersecurity requirements. If you’re using cyber security products, I think, they’re starting to increase regulation that makes it even harder for foreign companies to sell into China.

But there are companies still tenable and Paul [time stamp 9:07] so they do still sell in China. Yeah, I think you’d be able to split up the landscape into four types of companies and this is how we viewed it when I was at QiAnXin. The one thing I want to note is even when I was at (QiAn)Xin and we were reviewing the market the foreign players didn’t really even come into mind there.

Rui Ma: So, could you actually just give us an overall overview of the landscape in China right now, especially with regards to the foreign players that still, like you said, have somewhat of a market position there.

Ed Tsai: The market share and the competition especially among large scale enterprises, SOEs, and government, you would not see very much or as much foreign players other than in a few specific verticals where there was a high performance requirement or they’re multinationals.

But within the Chinese companies, there’s basically four types. There’s one: the large traditional security players, so Sangfor, NSFOCUS, Tianrongxin, Venustech, and you could put QiAnXin half into that bucket. The second is there’s networking background companies: Huawei, H3C, which was a joint venture between Huawei and Symantec. So they have more of a networking focus but then they added on security, so probably less strong in endpoint security, but they’re a second type. The third type is the internet player, so Tencent has a lot of security, Alibaba and 360, but especially Tencent and Alibaba, in the past, their security product was really for more for their cloud services.

But you have seen like recently Tencent did put a big investment into Tianrongxin which is a firewall company and they’re starting to move into enterprise security as well. And you could say Alibaba because they have private cloud work as well, you can say they’re moving into that realm as well.

And the fourth one, I would say it would be security startup. So individual players that are focused on a specific vertical. And there’s hundreds if not close to a thousand private security startups depending on how you divide the market, but there’s about 80 to 100 fundraising rounds per year. And I think that number is increasing slightly and especially in the amount raised by security startups per year that are funded by VC. So those would probably be the four types of the landscape. And I probably would add one more thing, cybersecurity in China is not just tied to, okay, I’m a cybersecurity vendor so I just sell my stuff; some of these players are tied to state owned enterprises. So QiAnXin does have a large portion of their stock owned by CEC. And you’ll see, I believe one of the digital forensics companies is also partly owned by SDIC.

So, you see some state-owned or state-affiliated funds or entities that are also investing in cybersecurity players. So CETC, for instance, invested in, I believe, in NSFOCUS as well. 

Rui Ma: When you’re talking about for the requirements, that’s just for government clients or that’s for everyone? Just for those of us in the audience who don’t know what that is, CEC is what? China Electronics Corporation?

Ed Tsai: China Electronics Corporation, so they’re a very large state-owned enterprise. And so they do a lot of the work that when you see the Belt and Road Initiative, it’s not necessarily like small companies and China just signing these deals.

It’s actually a very large state-owned enterprises which will sign a big infrastructure deal. Let’s say they take care of networking and security or a technology or even other kinds of infrastructure for a Belt and Road initiative. But then they’ll bring in affiliated or cybersecurity companies that they invested in, so that’s a working model in China. 

Rui Ma: Okay. I feel like the landscape, the way you segmented it had a lot to do with the size of the players or like their age, for example, or their corporate background of their original business in the sense of Tencent and Alibaba being consumer internet companies that now have some security services. But what are some of the other sort of business differences, especially between US and China cybersecurity space. I know that you also have looked a lot at the Israeli market and in other markets, maybe you could give us a breakdown of the biggest differences. 

Ed Tsai: Yeah, that’s a great question. I think I’ll say one difference within China between the internet players and the large players, and then move on to US and Israel.

I think the breakdown of the internet company, as I mentioned, so Tencent Alibaba, 360, the difference with them is they have a lot of data also from users. So like mobile apps, security, mobile security, so they can be able to understand where people are at. When for instance, I think 360 has a relationship with the government where they can tell when someone’s trying to send fake banking SMSs. So in China, Rui you’ve probably seen this before, some people can strap on a base station on a backpack and run around in a bicycle and send these fake spam bank messages saying: oh, log in here, you need to set your password because someone hacked into your system, but it’s actually a phishing attempt.

And so that kind of attack, guys like 360, guys like Tencent can see because they have security software installed on the mobile device. So that’s another kind of realm, if you will, especially 360 also on the PC side, they can see attacks on consumer side. And so a lot of these other vendors, Sangfor and NSFOCUS are more focused on security for the enterprise.

So, when I compare that with the US it’s the equivalent of saying, if Google had some more security product and I know Microsoft does on the PC, but all that access Microsoft, for instance, has on Windows for security product, they can use some of that attack information or you can say visibility on consumer side to inform their enterprise security product.

So, it’s seeing when you see, because one big concept in cybersecurity is visibility – so where am I getting attack? So, in China because there was that relationship between QiAnXin and 360, I remember there was one attack; they found out because there’s some students or some professors getting hacked and they were using 360’s consumer product, but then had some enterprise products that they were able to protect. I think it was some maritime related and also university entities from some external hacking. 

And so that’s one of the unique things I think with these consumer players is that they have that visibility. I would say for, you know US, if I was to compare US and China and Israel the unique thing, I think about a US market is it’s had a lot more time and maturity for cybersecurity to be used.

So, people and companies are much more willing to buy startup products in cybersecurity in the US, just because they’re trusting that product and some of these executives have been in the older companies like Cisco, Symantec, Trend Micro, and I would even say, Palo Alto now are at newer companies, at the startups and they’re like, oh, okay, why? I bought from you before and I know your team is great. And so, there are some early adoption is easier, I think, in the US and that leads to driving for specific solutions that Okta went public a few years ago, CrowdStrike went public a few years ago but they’re doing extremely well. But they’re just focused in- let’s say Okta in identity and CrowdStrike in endpoint.

But in the US I think that market’s much easier to do because people are okay to buy pure play. In China, it’s a little bit different in that people like to buy from larger companies in general. So sometimes the startups will work together with larger companies like QiAnXin or Sangfor or NSFOCUS to sell together like the old adage people saying you don’t get in trouble from buying from IBM. So, I’d say that’s more true in China than it is in the US, so I’d say that’s one difference. 

The second difference would be if I looked at Israel, Israeli startups are very focused, so they’ll focus on a very specific security issue and do that really well. Versus China, especially when you go to some of the smaller startups in China, sometimes they have the tendency to spread thinner. When something like a new security concept like zero trust comes out then they’ll say, oh, I do zero trust too, or I do cloud and I do this and that. And that’s really because they’re trying to, be very revenue-centric and just trying to survive versus I think Israeli companies are saying, I just do this one thing, maybe it’s like attack detection from mobile networks on my mobile phone and they just do that, but they do that extremely well and eventually they may get acquired. But in China, I think the DNA’s a little bit different. They’re like revenue hungry, even if it’s a different product then they’ll try to address that product, even though it might be spreading themselves too thin.

Rui Ma: Given what you’ve told me so far on the Chinese cybersecurity space, it doesn’t seem like there’s a lot of room for foreign companies to enter so my first question is that correct? If so, please, if not, please correct me. And then number two: are we going to see Chinese cybersecurity companies go the reverse, so if foreign companies have trouble entering, is there an opportunity for Chinese cybersecurity companies to sell abroad outside of China? And if so, what are the challenges?

Ed Tsai: Yeah, I think there’s two ways, I think on a pure play, cybersecurity company in like of foreign company trying to enter into China, to be honest I think it’s very challenging.

Unless your product is on you can consider critical and unique, so some infrastructure guys like VMware are still very popular in China, but they’re not really security they’re more infrastructure. And then there’s guys like Cyberbit, there’s a large Israeli company called Cyberbit which does a cyber range, which is basically networks security training.

And we did a cooperation with them to bring them into China and because that kind of product is not directly in the network path of the data in China, then that kind of company that can come in. But I think it will be harder and harder for companies outside of China to do things directly, they’ll have to partner and figure out maybe potentially some OEM deal, but even in the OEM deal, there’s still sensitivity on do you have to give your source code, especially if you want to sell in government.

So, I think it will be harder and harder for a foreign company to sell in China unless they do partnerships and even then, it’s still difficult. I think on the flip side for cybersecurity companies selling externally into US, maybe not US, but other parts of the world, so Southeast Asia, Latin America, Middle East and Africa, I think one comparable is looking at Huawei and Huawei has done a really great job, I think, in selling to these sort-of emerging markets just because their price point is so much lower than a comparable like Cisco.

So I think that would be a similar model with the companies coming out of China. And if you just look at the base price or the list price of these Chinese companies, their firewall, or their UTM that are sold in China versus the list price for foreign products, sometimes it’s half or even a third. And list prices are just list prices, the real prices are maybe even half or even a third of that. So usually, I would say the Chinese companies have at least a half to one, maybe it can be even one third of the price of the products that are sold in the US or US branded products.

So, there’s a huge pricing difference. And so some of the countries or the regions that have been able to use, are open to using guys like Huawei, I think would be open to using other China cybersecurity companies. But the places where there’s a lot of sensitivity for that, in Europe and US, especially, there’s been a lot of tension between use of Huawei’s networking or 5G product in Germany or in the UK, I think that will be difficult for Chinese cybersecurity companies to sell there.

Rui Ma: That makes sense. Okay, I have one last question for you before we open it up to the audience. And this was just, again, based on our prep chat, you had mentioned that in your experience, so you worked at a Chinese company the entire time you were in China and there were some interesting innovations you observed, so maybe you can share some of those.

Ed Tsai: I think there’s two or three types I think to highlight. One is not necessarily an innovation, but like the pace of work like everybody here is about 996, working from 9:00 AM to 9:00 PM, six days a week. I think for some older cybersecurity companies that’s not true, but definitely for some of the newer cybersecurity companies, they work extremely hard. Some of the CEOs that I know, they have some health issues just because they’re working so hard. But that kind of pace that you could see in some of the top startups in Silicon Valley, you see it true in Chinese companies, even in cybersecurity.

I would say that some interesting things I’ve seen in terms of business model innovation is: one is the MSSP model which wasn’t very big in China before, but I think that plus the sort of external security operations center is becoming a little more popular. Like QiAnXin basically they opened a 5,000-person training center in Mianyang which is in the same province as Chengdu; they are training thousands or hundreds to thousands of entry-level security operation analysts that can be on site, almost like just an MSSP but these guys are not necessarily very expensive.

But they can do the basic security stuff needed for a lot of these mid-tier companies or enterprises who don’t have enough money to pay for a very sophisticated security team and the reason driving that is just like in the US there’s a dearth of security talent in China. And so, it’s very expensive to hire your own in-house staff that can keep up to date with stuff so that’s a model that QiAnXin has done and I think it’s been doing very well.

The second kind of innovation is companies in China are very knowledgeable of the capital markets. So I would say some of the strongest investors in China are actually the enterprises like guys like Tencent and Alibaba. But even in cybersecurity, like QiAnXin we started our own cybersecurity fund or spun out a fund called cybersecurity capital. It took two years to spin up, but after two years it spun out and that’s invested in a number of cybersecurity companies to help as a pipeline for QiAnXin for understanding the market, for acquisitions and whatnot. I know there’s been a little bit of that in the US as well like I think Okta has its own fund or I think Snowflake nearly has its own fund, but I think in China the use of venture capital funding and corp dev is much more aggressive than in the US. I think those would probably be the two things. If I were to add a third, it would be that in China there’s a lot of emphasis also on services, which is similar to what FireEye and Mandiant when they were combined, I think they’re like splitting now, but what they were trying to do in that model, which is combined sort of your product and security services model. I think in China because the infrastructure is so variant, you need a lot of security services as a people to do implementation, to do some customization on security solutions especially for large enterprises.

So there’s probably slightly more emphasis on that in China than there is from in the US but I think that’s probably unique too. 

Rui Ma: So, basically if I want to recap Ed, it seems like what you were saying is that cybersecurity as a market, because of China’s just overall rise in digitization but also because of the accelerator by the decoupling it’s a huge and growing market to invest in and maybe to start businesses in right now, but as a foreign player it seems like it’s very tough to go there. 

Ed Tsai: Yeah, I think that’s right, it’s a big market, it’s growing, it’s important. The Chinese government is supporting internally but it is tougher and tougher for foreign companies to go in unless they do some kind of partnership and even then, sometimes there’s still some challenges.

Rui Ma: Thank you so much Ed for joining us and taking time out of your Friday afternoon to share your knowledge with us. If you are interested in more conversations like this with industry experts who have worked or are currently based in China, please join us next time on the Clubhouse app for our Livecast recordings. 

We ended up having a 30 minute more Q&A with Ed which was really exciting. If you are interested in joining us next time, please download the app and add me at R-U-I-M-A. So that you can see all the events we’re holding here on Tech Buzz China. If you don’t have access to the app or don’t have time to join us, that’s okay because you can still subscribe to this YouTube channel and get our recordings. Thank you so much!