Cyber Security: Leaders & Laggards
Cybersecurity attacks have surged during the coronavirus pandemic in line with a rapid shift towards remote-working and online transactions. This surge has catalysed a more rapid rise in demand for cybersecurity platforms and services such as Crowdstrike, Palo Alto Networks, Okta, Fireye and national-security focussed firms such as Raytheon.
In the US, the FBI’s Internet Crime Complaint Center (IC3) has seen the same number of complaints from Jan-Mar 2020 as they saw in the entire year of 2019 whilst, across the board, there has been a surge in covid19 related attacks.
According to Accenture, it is estimated that the 2019–2023 global business/economic value at risk from cybercrime will be US$5.2 trillion.
Furthermore, the same report highlights that the average number of security breaches is rising 11% per annum (to 145 in 2018) and the annual cost of these crimes is increasing at a similar rate (to US$13m per company). Although the data is a few years old, you can see double-digit growth across the board, with Malware (trojans, worms, spyware, ransomware, viruses), web-based attacks (cross-site scripting, SQL injection) and Denial of Service (i.e. attacks to overwhelm and paralyse target websites/networks) being the most costly attacks to an organisation.
Source: Accenture (Ninth Annual Cost of Cybercrime Study)
In its 2020 Global Threat Report, CrowdStrike site the origins of such intrusion activities back to a handful of countries; with Russia, Iran, North Korea, China and the Indian subcontinent (India, Pakistan) responsible for 90% of attacks. In the case of China, a lot is aligned to IP theft (i.e. telco, pharma) as well as attacks on companies/countries interfering in geopolitical matters (i.e. HK, Taiwan, South China Sea).
Undoubtedly, attacks will only increase in frequency and complexity, and there are a large number of companies — incumbent and emerging — who stand to benefit (substantially) from this. For simplicity, all are categorised quite broadly into cloud & network, endpoint & advanced threat, email, secure access and national security (nb. a lot of companies do cross into other categories).
Below is a reasonably broad list of the public cyber-security companies (predominantly enterprise) split horizontally by core focus (i.e. secure access) and vertically based on whether the company is more of a challenger or more of an incumbent. This line is quite discretionary so, as a rule of thumb, I’ve put any company which was founded pre-2000 in the incumbent category. This doesn’t imply that incumbents are laggards but, as a rule of thumb, that they would have more legacy architecture/products making it more cumbersome to scale and adapt as much as the challengers.
To answer this in the absolute simplest/high-level way, we can assess the price relative to expected sales.
What you will generally find is that the challengers, with greater scalability and growth (in revenues and customers), trade at significant (and often eye-watering) price/sales multiples vs incumbents. The market is pricing in that probability that this growth trajectory can continue well into the future and ultimately generate a high level of free cash flows (which is one of the core determinants of value).
As can be seen below (you’ll have to zoom!) all of the companies trading above 20x forward sales are the high growth challengers (Okta, Crowdstrike, ZScaler, Cloudflare and Splunk). Conversely, all of the companies trading below 2x P/S are the incumbents (Cyren, F-Secure, Zix, SecureWorks and all of the defence/national security operators).
Again, just because a company is trading at a high multiple like Okta, doesn’t mean it’s expensive — it just means you have to determine how much of that valuation is justified and how much is hype. The only real way of doing this is via sense checking via some discounted cash flow scenarios (which I won’t go into here!).
Now let’s dive in and take a look at some (not all!) of these companies starting with cloud & network security providers.
Cloud & Network Security
Despite being leaders in endpoint security, having developed the next-generation firewall (NGFW), Palo Alto Networks are rapidly building capabilities which will put them at the forefront of solutions relating to network, 5G, cloud and edge applications (with IoT on the near-term product roadmap). Their offer is split across three core areas, including enterprise security (Strata), cloud security (Prisma) and their more comprehensive product suite Cortex. On the financial side, they’ve seen a 20% YoY rise in revenues and are sitting on a very healthy net cash and free cash flow position. The company are led by former Google Chief Business Officer and Softbank President and COO Nikesh Arora (Chairman and CEO).
VMWare was part of EMC Corp prior to the latter’s acquisition by Dell in 2015 for a whopping US$67 billion (making Dell an 81% shareholder in VMWare). The company primarily help customers manage their IT resources across private clouds and complex multi-cloud, multi-device environments. Their solutions encompass Software-Defined Data Centres (SDDC), Hybrid and Multi-Cloud Computing and Digital Workspace End-User Computing (EUC). However, they have intentions of further expanding their existing cybersecurity services, with the recent acquisition of carbon black (at a US$2.1 billion price tag) which now encompasses cloud (of course), endpoint protection and app control. Despite modest revenue growth of 6% YoY, 2020 could also see a major catalyst event with reports that Dell (who are sitting on US$52 billion of debt vs it’s US$40 billion market cap) could look to sell all or part of its stake in VMWare, which at current levels is worth ~US$50 billion (1.25x it’s own market cap)!
Cloudflare was founded in 2009 and hit the NASDAQ in September 2019 at US$15. Today (nine-months later) they’ve surged to US$40 following almost 50% growth in their year-on-year revenues. In summary, Cloudflare, have developed a cloud platform to provide business with various solutions encompassing Security (firewall, bot management, DDoS, infrastructure and IoT protection), Performance (content delivery and optimisation, routing) and Reliability (load balancing, DNS management). Of these, it is most notable for its work in preventing Denial of Service Attacks (DDoS) which is a significantly growing (and costly) threat to businesses (see below). However, being one of the ‘pin-ups’ of cyber (along with Okta and Crowdstrike) it’s trading at very hefty valuation. If we assume US$500m for 2021 revenues; it’s currently trading at 22x forward sales.
ZScaler is another recently listed company, currently trading at US$127 following a 2018 IPO at US$16 (and tripling in price since March 2020). They are a security platform (or as they put it ‘security as a service’) which acts as a security layer between users and cloud applications/platforms such as AWS, Salesforce, Microsoft and Google etc (see below for an overview of how it works). Financially, they have seen revenues increase 40% year-on-year (and a very steady 8–9% increase to revenues quarter-to-quarter) with free cash flow margins (FCF/Revenue) trending around the 10% mark per quarter which, for a relatively new company, is quite healthy.
E-mail security is encompassed in a lot of endpoint offerings, particularly from the likes of Symantec (owned by Broadcom) and Trend Micro, however, there are a couple of companies out there who have a more core focus in the area of e-mail security.
Let’s start with one of the more entrenched organisations - Zix Corporation. Zix was founded in 1988 and provides SaaS cloud email security services (SaaS) to thousands of businesses (particularly healthcare, finance, insurance, government) across the world. These services particularly focus on email encryption and data loss prevention but have grown recently due to a rapid M&A spree which has seen them acquire Greenview Data (acq. 2017), Erado (acq. 2018), AppRiver (acq. 2019) and DeliverySlip (acq. 2019) covering cloud security, archiving, e-signatures, advanced threat protection and antivirus. What these acquisitions also did was boost the organisation's net debt to equity to near 50%! The question for me is whether an incumbent like Zix can keep up with a rapidly developing competitive landscape (likely not if they are reliant on M&A to grow the top line and expand their offering).
Proofpoint didn’t list until 2012, from which point it’s increased in value by ~10x. They are firmly focussed on ‘people-centric’ cybersecurity solutions — largely within e-mail protection but broadening to advanced threat protection, cloud defence, data loss prevention and encryption. For ongoing growth, the company are active on the M&A front (i.e. Cloudmark, Socialware and Meta Networks) and proactively leveraging existing channel/ecosystem partners such as Palo Alto Networks, Splunk, CyberArk, Okta and telcos such as BT, AT&T and NTT. Their partnership strategy also encompasses a collaboration with Okta, CrowdStrike and Netskope (private) to develop an “integrated, zero-trust security strategy”. On the financial side they're hard to fault. Their most recent quarter highlighted a 22% year-on-year increase in revenues as well as a 63% increase in free cash flows (to US$79m) for the March quarter.
Endpoint & Advanced Threat Detection
The endpoint security market is vast and encompasses incumbents like McAfee (Intel, TPG Capital), Norton and Symantec (Broadcom) as well as a growing list of ‘startups’ with highly scalable (and collaborative) SaaS products.
One such company is Crowdstrike which was founded by former McAfee executive George Kurtz in 2011. The company is currently worth US$23 billion and has the goal of being the “Salesforce” of cybersecurity. They are doing this through their core SaaS product, Falcon (pro, enterprise and premium) — each offering more thorough services (which they call modules). All solutions are cloud-based and leverage what they call Cloudscale AI to continually learn about threats from each recognised attack across their entire client network. They are also building an open ecosystem, enabling customers to integrate, via the CrowdStrike Store, with an array of partner products from the likes of Splunk, AWS, Google, ZScaler etc. From a financial perspective, they’ve seen a 105% year-on-year jump in subscriber numbers, an 88% increase in revenues (US$162m for the quarter) and a jump in free-cash-flow from -US$16m to US$87m year-on-year for the March quarter. That most recent quarter catalysed an almost 3x rise in the share price from March-July.
Canada’s Absolute provides visibility and near real-time remediation of security breaches at the source. Their core product, Absolute Persistence, returns devices to their desired state of safety following malicious attacks and comes built into the firmware of most major PC manufacturers including Dell, HP, Lenovo, Panasonic and Asus. They also integrate with most major cybersecurity products and services including Crowdstrike, VMWare (Carbon Black), F5, FireEye, Forescout, Tenable, McAfee, Symantec, Trend Micro and ZScaler. Financially it is considerably more stable than many companies on this list and due to their existing scale, they are now seeing annual revenue growth in the ~5–7% range with steadying EBITDA margins at ~25%.
Despite being founded in 2004, FireEye didn’t launch its first commercial product until 2010; listing a few years later in late-2013 at US$20 (it’s now trading at ~$12). This lacklustre performance is perhaps down to poor execution by their previous CEO David DeWalt who was replaced in 2016 by the founder/CEO of Mandiant (who FireEye acquired for US$1bn shortly after listing). FireEye’s core product is the Helix Security Platform — an enterprise dashboard to notify and solve cybersecurity threats within an organisation (much like any other enterprise endpoint platform). The company’s recent Q1 results showed meagre results. New customer acquisitions volatile (flat to slightly up), number of high value (i.e. $1m+ transactions) trending down and Q2 guidance revenue looking to be flat. Plus, they’ve never looked close to reporting a profit (hence why they’re underperforming vs peers).
SecureWorks focusses on penetration testing, threat detection and response across endpoints, networks and cloud. The company was acquired by Dell back in 2011 and, in 2015, they took the company public at $14 (whilst retaining an 86% stake in the company via Class B shares). The stock is currently trading ~$12 and, as with VMWare, there are various rumours around what Dell’s intentions are, ranging from a full or partial sale to a buyout of minority (Class A) shareholders. However, unlike VMWare, the company’s results have been lacklustre with marginal (for the sector) revenue growth of ~5% per annum and ongoing net losses.
Next to Crowdstrike, Splunk appears to be the most hyped stock in this ‘endpoint security’ sector (although it’s more of a data visualisation/insight platform!). The company provides software solutions around big data - gathering information from systems and devices to create actionable insights across an organisation. They call this a “data-to-everything” platform, and its core focus is on business transactions, customer and user behaviour and security threats. On the security side, Splunk see themselves as the security “nerve centre” — central to understanding risks, responding to attacks and providing automated compliance reporting. Like all progressive organisations, they have also built an open ecosystem (~2k app integrations) with other leading platforms such as Crowdstrike, Palo Alto Networks, Okta, AWS, Fortinet, Cisco, Google Cloud and Microsoft Azure (to name but a few). As alluded to earlier, despite a highly rated and attractive business model, the company has also (along with Crowdstrike, Okta etc) attracted a lot of investor attention of late; stretching valuations to (and in some cases) beyond their upper bounds. To justify their current trading levels you require ~40%+ growth in free-cash-flows (year-on-year). Certainly possible; but it is a bit of a stretch given high R&D and sales burn (as well as ~10% annual growth rate in customer acquisition).
Secure Access Management
With a significant shift towards work-from-home during covid19, the importance of secure access has escalated. Being outside of the physical infrastructure of the office (and it’s IT/cyber architecture) opens up greater risks of a cyber attack on employees. Okta (below) reported an 80% month-on-month surge in multi-factor authentication (MFA) from February to March and this is consistent across other platforms such as Google, Symantec etc.
If you invested in Okta back in 2017 (at the $17 IPO price), you would have made over 10x your initial investment. Not many companies come close to the short term success this company has had. They are by all measures the access management leader who have developed best-in-class products and services for single sign-on, multi-factor authentication, universal directory and authentication. Revenues are up 46% year-on-year off a 28% jump in customer acquisition (~20% of whom contribute >$100k p/a). Like many of the other leaders in the space, they are also highly collaborative with over 6.5k technology integrations and apps (including Zoom, Slack, Workday, DocuSign, Atlassian, AWS, Box, Google, Salesforce, Crowdstrike, Cloudflare and Proofpoint). You might see a bit of a theme here — collaboration is king!
Israel’s CyberArk were (more or less) first movers in the secure access market. In fact, they have onboarded 80% of the top 25 companies across insurance, banking, energy, manufacturing and telco and continue to innovate and collaborate, most recently via a partnership with peers Okta and SailPoint to secure enterprise access end-to-end. Hedging their bets, they also recently acquired Okta competitor idaptive this year who provide ‘identify as a service’ to ~500 customers. On the financials, they’ve seen ~16% increase in revenues year-on-year and an impressive 47% increase in net profit year-on-year (to Dec 2019). Healthy cash flow management rounds out what is an overall impressive organisation.
This year has created a significant opportunity for public and private cybersecurity companies across the entire ecosystem (consultants, software vendors, hardware manufacturers). Without doubt, the next decade will only continue to see considerable growth in the sector as threats (particularly from Russia, Iran, China, North Korea and the Indian Subcontinent) escalate in sophistication and frequency.
Coupled with increasing geopolitical risk and organisational disruption (i.e. a surge in work-from-home) an environment is created which will undoubtedly create a significant opportunity for investors.
However, as with any investment that offers potentially high rewards, you have to be mindful of the significant risk. Many of these companies, as alluded to earlier, are trading at extremely high multiples (some justified, some not).
As with most other industries, we are also seeing a bit of a battle play out between the incumbents and challengers. Incumbents, often inwards looking, struggle to innovate and grow revenue organically. These guys also often ‘bolt-on’ revenue through M&A where they often (not always!) struggle with integration and synergy.
On the other side, there are the challengers. The new kids on the block who are focussed on cloud, collaboration and scalability from day one. Despite many of them running at a net loss (for now), they are laying a foundation for high customer acquisition, retention and lifetime value which will soon see them turn a corner; becoming highly profitable and valuable businesses over the long run.