Cyber Security The Next Big Thing In Internet Stocks; Lessons From The Tech Bubble

by: Alberto Savrieno

We're all looking for that mythical equities Fountain of Youth, Garden of Eden or what have you, the so-called "New Economy" that was apparently around at the turn of the millennium for a split second, everlasting prosperity, millionaires all over the place, until the tech bubble came crashing down with the Nasdaq in a secular bear market ever since. How can we get back to that mythical Nasdaq Garden of Eden we all tasted so long ago?

The stark answer is we can't, because it never existed. It was a construct in our heads that we all believed based on real, though misunderstood, global change. That change, based on the Internet, was indeed happening, but it was exploited in order to rationalize the fantasy that in the New World Economy, permanent prosperity is real. To put it succinctly, the biggest mistake traders made was confusing global change with a change in the actual laws of nature and the market.

There is no doubt that the Internet completely changed the world as we know it. As I sit here typing this, I'm stuck wondering how people got their investment information before Al Gore hit the scene and how people googled before Google. But even a change as colossal as the Internet is no excuse for buying any and every company in the sector regardless of merit. The world changed, but economic law never did, and never will.

The world is changing once again, and once again this change is based on the Internet. The past two years alone have seen some wild computing revolutions. Here are some of the most noteworthy, in my opinion:

  1. IPv6 increases the number of IP addresses by 340 undecillion.
  2. 3-D printing unveils the world's first 3-D printed gun, making guns available to whoever has access to a printer and an Internet connection to download the blueprints.
  3. Bitcoin is unveiled as the first Internet-based virtual currency to sort of catch on, endangering all governments' and central banks' monopoly grips on the global money supply and thus ability to inflate.
  4. The (unfortunately-named) "Internet of Things" market, aiming to plug in actual things to the Internet in order to communicate with other things, launches to $44B in 2012, projected to increase to $290B by 2017 at an annualized growth rate of over 30%.

All these advances are connected, and nearly interdependent. But instead of focusing on any one of them and investing accordingly, I want to take a different approach. An increase of 340 undecillion ports, 3-D printed gun blueprints chased down by Homeland Security, the Bitcoin exchange cat and mouse game with the government, and appliances the world over hooking up to cyberspace enabling anyone to spy on and potentially control any device hooked in, all demand and point to the inevitable mass expansion of one Internet subsector in particular, and that is cyber security.

Besides the Internet of Things market itself, Internet security is projected to be the fastest growing Internet market sector of its class, going from $64B in 2011 to an estimated $120B by 2017. The global information technology market is projected to be about $1.15T by 2017 (see link above), and cyber security will account for 10% of it. Now, having already gone through the dot com bubble 13 years ago, this time we are smarter. The world is changing once again, but the laws of the market won't.

Restricting ourselves only to equities on U.S. exchanges and companies focused mainly on security, after filtering out the penny stocks, micro caps, and ADRs, we are left with 11 companies, as follows:





Symantec Corp




VeriSign Inc




Qihoo 360 Technology Co Ltd




Trend Micro Inc/Japan




Sourcefire Inc




Websense Inc




Proofpoint Inc








VASCO Data Security International Inc




Zix Corp




Ipass Inc




If we were to count these as a market cap-weighted ETF or index, then in the last 12 months, our impromptu cyber security index went up 59%. That's double the general market's performance this past year. Long term fine, but is that sustainable in the short term?

The picture I intend to paint is that while the big cyber security companies like Symantec and VeriSign know how to run themselves more or less efficiently, the small ones do not, at least not yet. There has been a boom in these stocks this year based on huge revenue advances, but as for net earnings, they are slowing down on the whole. Unlike the old tech boom, people aren't going to start buying cyber security companies as if their lives depended on it no matter what the earnings and the cost, so this market will have to eventually reorganize and run itself more efficiently, most likely by acquisitions and consolidations. Many of the smaller cyber security companies lend themselves to this, being that few of them have any significant balance sheet debt and have ever increasing revenues. As the general market continues its correction, these companies will get caught in it, but if and when they can reorganize and consolidate afterwards, gains on the way back up will greatly outpace most other sectors.

Who will lead the roll-up charge? Possibly Intel (NASDAQ:INTC), which bought McAfee Security for $7.7B n 2011. Cisco (NASDAQ:CSCO) is another candidate, as it acquired IronPort in 2007 for $830M and currently makes 3.7% (page 53) of its $46B annual revenue from security sales. That number will have to rise if the estimates of market growth prove to be accurate. Here's a look at some of the smaller companies in the list that fit the bill, starting off with leader by market cap Symantec to get a more general view of the sector.

Symantec , the cyber security market leader

The interesting thing about Symantec is that the vast majority of its over 100% capital growth since the '09 market bottom has come in the last year. This, despite its year- over-year revenue increase without exception since 2008. Earnings have been choppy year to year, but taking two endpoints from 2007 to today, earnings have increased 89%, while the stock has only increased 27%. So taking the long view and just based on earnings, Symantec is undervalued.

The bearish sign is that the yearly trendline has been breached and continues down. I would not suggest buying Symantec right now as it will probably go down with the rest of the market from regression-to-the-mean forces, but the point of buying cyber security is not to make your move now, but to buy the sector as a potential major outperformer once general market conditions are no longer so overbought. Every time SYMC (and almost anything else, really) has been stretched this far above the 200-DMA (see below), more downside usually follows.

Sourcefire is on , don't get burned

There are three numbers that need mentioning when it comes to Sourcefire, and together they create quite a dissonant picture.

  1. Since the end of 2009, revenues are up 116%. (See here and here.)
  2. During that same time period, net income has been down 43%.
  3. FIRE is nevertheless up 48%.

Clearly, Sourcefire's Internet security is selling like hotcakes. And just as clearly, the company simply can't run itself efficiently, or at least efficiently enough. Just last quarter it reported a net loss of $26K. Investors haven't seemed to notice yet, or if they have they don't care. General market conditions will bring down the fire as it will everything else, using recent earnings struggles as a good excuse to sell off. However, considering its massive revenue growth, the imminent disappearance of its accumulated deficit, and its complete lack of debt, the ride back up with the rest of cyber security will be very strong, especially if management can cut down operating expenses or an acquisition is made.

ZIX Corp is the same story

Zix Corp has the same problem as other young cyber security companies. It sells well, makes money, but can't get a handle on expenses. Zix sells one product very well: email encryption software-as-a-service. Its earnings statement looks a bit confusing, but this is due to phantom counting of its tax assets forward. Take those out, and the picture is a lot clearer. Revenues have increased every quarter for the last four quarters, but net income has dropped consistently just the same from $2.6M, $1.9M, $1.6M, and finally to an anemic $0.6M last quarter. It's almost as if Zix is pushing the pedal down harder while running out of gas simultaneously. And yet again, like other companies in the space, there is zero debt on its balance sheet. The stock, however, has been on a 62% tear since last year. Investors like the sales growth and smell the potential in cyber security, but Zix is probably headed back down short term along with the rest. Wait for regression back to the mean, and then buy.

Proofpoint can't get a handle either

Trading for a little over a year, Proofpoint sells data protection and also appears to be doing a good job at getting its product to market. Revenues are up 64% in two years, but net loss is consistently and stubbornly high at around $20M a year. Negligible balance sheet debt, and the stock has doubled since November. Clearly investors like that it sells but have ignored that it can't get net positive. Look again for a regression to the mean, and then get long and wait for it to be acquired. Those revenues won't just be abandoned to the wind.


What happened in the tech boom 13 years ago will not happen again. But doubtless, the world is changing radically, and cyber security will be at the core of those changes. Much like techs and dot coms ended up consolidating into a few big winners and the rest died away, expect something like that to happen with cyber security as the market grows into 2017. In the short term, look for a regression-to-the-mean correction as current earnings growth does not yet justify these capital gains, but once this sector corrects and restructures, the way back up for cyber security stocks will be a sight to see.

Disclosure: I have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it. I have no business relationship with any company whose stock is mentioned in this article.