The cybersecurity market is akin to the semiconductor market in many ways. It continues to thrive on economies of scale and the law of compound interest, which has seen the proliferation of internet-enabled devices. The cybersecurity market is projected to grow to $120 billion by 2022. That sentence is cliche to investors familiar with this market, and I'm sure you've heard it a thousand times.
However, inside the cybersecurity market, we have multiple segments and companies at different stages of their growth. While some are firmly positioned to capture more market share, others are struggling with declining growth and profitability. Investors often have a rough time picking winners.
Before I dive into a deeper analysis of how to seek alpha in this industry, I'll be highlighting two key drivers of growth in the industry.
5G: If 4G network technology is fast and furious, 5G is going to be faster and better. The invention of 4G changed the world, and I think we've failed to fully appreciate the IEEE engineers that made this happen. 4G ushered in a whole lot of possibilities. Tech trends such as BYOD, cloud computing, and SaaS were possible due to the seamless transfer of data between a private cloud server and a local network. Most businesses can't afford network downtimes, however, with new network technologies such as caching, load balancing, and traffic redistribution, there's been little reason to worry about network downtime.
4G also increased the adoption of the internet in rural communities. Millions of people who couldn't afford internet subscription were able to come online as the cost of a gigabit of internet access fell drastically across the world. It also made it easy for enterprises to communicate with their customers who relay their grievances via social media platforms such as Instagram, Twitter (TWTR), and Facebook (FB).
The introduction of 5G is going to double the acceleration of these trends. Big tech giants are already making bets in online video streaming, gaming, AR, and VR. Google (NASDAQ:GOOG) (GOOGL) recently launched Stadia to compete with Twitch in the online gaming space. The latest eSport champions of the popular Fortnite game were provided with a prize pool of $100m. Since then, parents have been encouraging their kid gamers to keep up the good work.
Small and mid enterprises are now outsourcing their data center and servers to cloud service providers. Also, software companies are now switching to a SaaS-based subscription billing model to replace the old perpetual license model.
Movies are now largely consumed online thanks to Netflix (NFLX). Music lovers have also embraced the streaming model. We now connect to the internet to watch our favourite TV series, download the latest album by our favourite artist, and watch the latest matchup of our favourite sports teams.
While all these trends have driven convenience and productivity, they've also exposed our personal identity, privacy, and intellectual property to cybercriminals.
Enter the gatekeepers
In the typical 1984 by George Orwell fashion, some entrepreneurs have predicted these trends ahead of time. Not only have they been correct on their predictions, they've also built solutions to solve the privacy problems that will ensue from the proliferation of IoT devices. From network firewalls, ATPs, to SWGs, the cybersecurity market is replete with security solutions and devices to protect us from cybercriminals.
However, like every industry, we have the first movers, mature companies, laggards, cash cows, and disruptors.
The cybersecurity market is highly fragmented. However, an understanding of the multiple attack vectors and verticals can help guide investors to make informed decisions when differentiating winners from losers.
Innovation and technological capabilities in this industry are reflected in growth and margins, while maturity is reflected in financial stability and market share.
Cybersecurity companies can be broadly divided into growth plays or value plays.
Source: Seeking Alpha, YCharts
A growth play is a typical young start-up which has recently gone public or is about to. The typical growth play has a market cap of less than $3 billion and annual revenue of less than $500 million. It records y/y growth in excess of 30% with most in the high double-digit to triple-digit growth range. Its tech capabilities rely on the latest machine learning or artificial intelligence algorithms to prevent, detect, and provide threat intelligence on the latest attack vectors. Most growth plays are not GAAP profitable, and they adopt a subscription-based pricing model. Also, they rarely sell physical appliances.
In terms of valuation, they command lofty valuation multiples, and investors have little to glean beyond their sales multiple. They mostly have a gross margin in excess of 70% with the bulk of their operating margin lost to stock-based compensation.
Source: Seeking Alpha, YCharts
Value plays are companies with a market cap of $3 billion or more. They have consistently recorded annual revenue of more than $500 million and are guiding for a billion or more in ARR within the next three years. Value plays have a mix of physical appliances and cloud-based solutions. They are also the ones making a transition to a SaaS-based revenue collection method. They are mostly GAAP profitable and have better gross and operating margins than their growth counterparts.
Value plays have multiple products, and they thrive on bundling these offerings to drive down the total cost of ownership of their solutions. They do this to defend market share and drive out niche players who command a premium on their products. Most value plays started out as network security companies, and they've grown mostly via acquisitions. Most value plays will continue to rely on acquisitions to match the technical capabilities of niche growth plays which have superior value propositions in their segment. It's also not rare to see growth plays get acquired by value plays.
When picking a growth play, it's important to watch out for superior product capabilities. These can be confirmed from third-party testing tools such as Gartner, NSS, and IDC. Good growth plays lead their segment in terms of product innovation and value for money. Also, it's important to watch out for improvement in operating margin and free cash flow. Superior growth plays are able to balance growth with profitability. This ensures an easy transition into the maturity stage when growth slows and valuation multiples contract.
Great value plays are mature companies with the best free cash flow margin. Most value plays have seen their yearly growth rate slip into the single-digit territory. Great value plays are able to maintain a double-digit growth even in the face of the cannibalization of their appliance-based offerings by their newly acquired cloud business. Superior value plays demonstrate the ability to win Federal contracts. They serve more than 50% of the Fortune 500 companies, and they regularly displace weak players during refresh cycles.
They are also good at acquiring smaller start-ups at a bargain. BlackBerry's (BB) acquisition of Cylance is a classic scenario of a value play acquiring a fast-growing niche player at a bargain.
Given all the information, if I'm saddled with the responsibility of picking one value play and one growth play, I'll go with a combination of Fortinet and CyberArk.
Fortinet is a well-established security company with a competitive moat provided by its ASIC chip technology which powers its security appliances to give it more pricing flexibility over its competitors. It is well-diversified and it has the largest install base of security appliances. It ranks highly on the Gartner quadrant for most of its product offerings including NGFWs, UTMs, SWGs, and endpoint protection solutions. Compared to other competitors, it has one of the best operating and FCF margins. It has a steady growth rate. At a Price/Revenue of 6.9X and growth rate of 20%, Fortinet's valuation is cheap compared to its peers.
CyberArk is the steadiest growth play in the cybersecurity market. Though recent multiple expansion might have baked in future revenue growth, it remains the growth play with the best combination of growth and profit. Its privilege escalation security solutions protect against the most ubiquitous attack vectors, including spear phishing, ransomware attacks, and social engineering.
Investors who want diversified exposure to the cybersecurity industry can invest in the HACK ETF (HACK), which is a basket of some of the top growth and value plays I highlighted earlier. It was launched in 2014, and its top three holdings are Fortinet, Cisco (CSCO), and Palo Alto Networks. It has returned 58% since inception.
The future of the cybersecurity industry is bright. While investors are going to face difficulties separating winners from losers, using some of the qualities I've highlighted can help investors make more informed decisions.
CrowdStrike remains my top short thesis in the cybersecurity space. At a market cap of $20 billion (significantly above its peer average) and annual revenue of <$300 million, its near-term valuation multiple will inevitably cool off and we are headed for a significant correction in coming quarters. On the bright side, it offers some of the best endpoint products and its growth rate is attractive in the triple-digit range.
Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.