Lately, there have been a lot of questions about the overvaluation of stocks in the cybersecurity space. I've had contributors who think the entire sector should be shorted. I mean, regardless of growth rate, ROIC or P/E, just short the entire sector and its glory.
Well, I understand the concern. Most of the hottest stocks in this sector have disappointed a lot of optimistic investors who believe cybersecurity is a growth play with enough TAM to return outsized value versus invested capital.
This belief rests on a tripod, with the legs being:
- Incessant cases of cyber attacks
- Panic buying by corporations to stay compliant and prevent data breaches
- A proliferation of connected devices (increasing TAM), with millions of gadgets projected to be internet-enabled in the near future.
While all these are true, it is interesting to know that delivering value to shareholders won't be easy for any company playing in the cybersecurity niche.
Initially, it was easy for the early entrants to pick the low-hanging fruit. The likes of Symantec (NASDAQ:SYMC) and Check Point Software (NASDAQ:CHKP) enjoyed a great ride in the early days of the AV and firewall boom.
However, with every technology, disruptions are bound to happen. The disruption that dethroned most of the old cyber warlords was largely driven by the shifting threat landscape and the rise in sophistication of attack vectors.
Hackers became better at coding all sort of malicious software, and the massive explosion of internet-enabled devices meant security vendors couldn't provide an updated signature solution for every threat.
This fragmented the industry, leading to the formation of different cyber niches. From endpoint, network, email, cloud, DLP, advanced malware and threat intelligence, it has been hard for any single player to cover all threat surfaces.
(Source: Momentum Partners)
New cybersecurity firms were being established every other day, and VCs couldn’t resist the urge to fund startups with proven technologies capable of disrupting incumbents.
Only a few startups that made it to IPO have been able to survive till today. Those that couldn't catch up were mostly acquired. There has been hardly a case of a cybersecurity firm going bankrupt. Given that most niche segments were still in the infancy stage, large and well-established firms simply picked them up to reduce their competition and increase their market share.
This happened at a time when the equity market was growing at a tremendous rate. With interest rate kept low post-2008 recession, debt was cheap and easily accessible. Also, the risk premium required to own most stocks has been relatively low, meaning investors could take more risk given that most markets expand post-recession.
However, lately, the fall of a number of major players has raised a number of unanswered questions. Do cybersecurity firms deserve the lofty valuation multiples they've enjoyed in recent years? Do these firms deserve a growth-based valuation, assuming investors believe they are still in their growth phase? How close are we to the end of the growth phase? How many of these players have the right management and leverage to transition from the growth phase to profitability?
(Source: Momentum Partners)
If you have been following the news for some years now, you must have witnessed the rapid multiples contraction of most cybersecurity stocks. Those that couldn't sustain their triple-/double-digit growth have been correspondingly punished. I'm talking about the likes of FireEye (NASDAQ:FEYE), Gigamon (NYSE:GIMO), Palo Alto Networks (NYSE:PANW) and Barracuda (NYSE:CUDA).
Others that have been able to sustain their growth story are still enjoying the growth-based valuation. These are the likes of Proofpoint (NASDAQ:PFPT), CyberArk Software (NASDAQ:CYBR) and Checkpoint.
Most of the hot cybersecurity segments have also been projected to witness a decline in momentum. For instance, the network security segment, which is arguably the largest, has been forecasted to witness a lower growth momentum in terms of on-prem alliance sales, with an uptick in cloud-based solutions driving more demand.
Some other segments are in decline due to commoditization. These include the DLP, EFSS and AV segments.
There are still a few fast-growing segments, but these are now heavily congested. They include cloud, threat intelligence, SIEM and analytics.
Virtually every major network security vendor now boasts of a cloud offering. And most of them have attached to their security appliances subscriptions for other services, including threat intelligence, malware analysis and sandboxing.
This fierce competition has made it hard for most vendors to maintain their lofty valuations. It is safe to assume that the few that are still trading at valuation multiples above market average will eventually revert to the mean. However, regardless of the headwinds to valuation, there are still a few players that are trying to set themselves apart from the crowd.
Standing out requires a combination of great leadership, superior technology, a large and established market share, a huge cash advantage (with little debt to make key acquisitions and investments to acquire the right talent) and a sustainable growth story compared to competitors.
When we analyze each quality, we will find that only a few companies tick all boxes.
Great leadership: This can be identified by the ability to maintain the fundamental thesis of a business model, while growing faster than the competition. The key metrics to monitor here are return on invested capital, return on asset and return on equity.
Using ROA (trailing) as our valuation yardstick, few stocks have been able to generate returns in excess of invested assets. These include Check Point (driven by low cost of capital via cheap talent acquisition), Symantec (more cloud-based assets), Cisco (NASDAQ:CSCO) (superior sales force with the advantage to cross-sell into its networking division) and Fortinet (NASDAQ:FTNT).
Superior technology: Comes in the form of product capabilities and cost.
The yardstick here is TCO. In the most recent NSS rating, few vendors have the technologies to prevent data breaches at a cost-effective price point. From the chart above, most players have a limited edge in terms of TCO. There is hardly a wide margin, and it all boils down to who spends more on marketing, with more edge coming in the ability to globalize and also capture niche local markets. Here again, Check Point and Fortinet standout.
Market share: A number of big and established vendors have lost their market share to smaller competitors. In terms of market share, the leaders are Palo Alto, Cisco, Symantec, Check Point and Fortinet. Those that are losing market share include FireEye, Barracuda and Symantec (ex-acquisition).
In FireEye's case, this has been driven by the orchestration of its security solutions to drive down TCO. For Symantec, the declining market for AVs (consumer security segment) is eroding its revenue and profit margin.
For the others that are finding it difficult gaining market share, it is due to the automation of processes, which is driving down profit margins and sales of redundant systems.
Going forward, I foresee a recalibration at the top, with market leaders having a healthy balance sheet acquiring cheap and promising competitors with poor leadership.
Balance sheet: With most segments heavily congested, leading to a decline from double- to single-digit growth, most security companies don't have the financial leverage to spend on R&D to develop important IPs. Also, few can make strategic acquisitions to shore up their portfolio without losing their credit ratings. Therefore, it is important to watch out for the debt ratios of key security firms before considering them as a long-term buy.
A few vendors with a good balance sheet include Fortinet and Check Point, and their absence from the chart above indicates their low debt-to-equity ratios. Investors in FireEye and Symantec have little flexibility in the debt market and will have no choice but to look inwards when seeking alpha.
Further shifts in the threat landscape will expose companies with high debt-to-equity rating, as equity investors will be pushed to expand valuation multiples at a high risk premium.
Profitability: This is the ultimate goal, given that it drives and confirms future cash flow projections. It is important to watch out for security firms that are not GAAP-profitable, as a slump in the growth narrative can delay their path to profitability. It is easier for a security firm which is already GAAP-profitable to grow FCF by cutting costs while it develops new IPs to expand its market share.
The companies with superior profit margins include Check Point, Cisco and Fortinet.
A few security companies actually tick all boxes to justify their current valuation. It is essential to examine each stock before adding it to your portfolio. Unexpected macro headwinds can lead to catastrophic damages, and a sudden dearth of the growth narrative can lead to an earnings miss, which more often than not results in a massive sell-off.
Most investors aren't really comfortable holding stocks that do not issue dividends, and with a lack of growth, investors might be right about their skepticism.
If you like my article and would like to stay up to date on the next one, you can click the "Follow" button next to my profile or share with friends.
Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.
I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.