Information Security Sector Update

by: SoundView Technology Group


Information security is two years into what looks to be a five to eight year period of elevated spending, as most existing technology needs to be replaced. At the same time, consumers will be turning to more comprehensive security and privacy protection offerings that go well beyond anti-virus software. This note goes into more detail and provides a full ecosystem with a discussion of the group and some individual companies.


Information security was a fairly calm and quiet space a few years ago. Firewalls, tokens, intrusion detection software, virtual private networks and anti-virus software seemed to be basically doing the job. But then internet protocols, the cloud, mobile devices and successful attacks against many of the foundational technologies like tokens changed it to an "all bets are off" environment. Many existing solutions, including RSA tokens, are being replaced and upgraded with more modern and, typically, multiple technologies.

Recently we have heard from several very large enterprises and government agencies that they are revamping their entire information security infrastructure. In some cases, they are fairly far along and have another year or two of major spending but others haven't even begun. The recently published Verizon 2012 Data Breach Investigations Report puts the current situation in stark relief. (Available via this link.)

In simple terms, online thieves are easily incorporating malware to take advantage of weakly or unprotected users. Relatively basic protections like keystroke encryption to foil malware (typically keyloggers) and improved authentication would have prevented the vast majority of security breaches. This fact has started the wheels turning in both enterprise budgets and consumer thinking.

In terms of spending, enterprises started increasing their security budgets and putting information security improvements back on the top of their lists in 2011. This elevated spending will continue in 2012 and may remain elevated for the next 3 to 5 years.

Mobile devices have been part of the problem so far, but going forward they will be a key component of the solution as enterprises move to multi-factor authentication and exploit voice, SMS, location data and image recognition that has become possible thanks to the era of the smart phone.

From an investment standpoint, the improved enterprise information security market is helping companies reach the public markets via IPO (Imperva (IMPV), AVG (AVG) and soon Avast, Splunk, and ProofPoint) and creating an active M&A market, with the most recent acquisition being the Dell (DELL) acquisition of SonicWALL. Later in this note we'll return to Intel (INTC), which acquired McAfee in 2010 for $7.7B. Yet the information security problem is far from fixed and, turning to the consumer space, we can see it may get worse before it gets better.

Enterprise information security is only a part of the problem. An even larger one is taking shape in the form of personal security and privacy for all users, including consumers. There is a great TED video by Mikko Hypponen that highlights the massive and growing damage being done to consumers by hackers and the increasing use of their personal information by government agencies. Here are a few of the points he makes:

  • There are three main groups exploiting the lack of protection around your online information: 1) criminals who are in it for the money; 2) "hacktivists" who do it to make a statement; and 3) governments who are increasingly invading individual privacy.
  • Even certificate "authorities" have been hacked, so that what were secure and encrypted communications were intercepted and easily readable. The fact that even the providers of security tools are being hacked is a profound threat to most notions of privacy.
  • Privacy is a foundation of individual freedom. The new arms race in information security is occurring while we have few rules and a weak framework for even understanding what is going on, let alone doing the right things.

Consumers and businesses are going to take a much deeper interest in their privacy and security and we see some companies preparing for that opportunity. Here are few recent developments worth noting:

  • One company we have loved from their startup phase was The paid service was a great bargain and helped us manage to get off countless email lists. They were recently acquired by TrustedID, which provides a range of privacy, security and even reputation management services. TrustedID is a little cagey with respect to their services and pricing, but they are representative of a trend toward a more holistic approach to security and privacy management that goes well beyond anti-virus protection.
  • LifeLock just raised an additional $100M in private capital and is likely on their way to the public markets. VC and industry heavyweights are backing the company, including Bessemer, Goldman Sachs, Kleiner Perkins and Symantec. Part of the capital raised was used to acquire an enterprise risk management firm, ID Analytics. The turmoil in enterprise security is creating an opportunity for consumer-focused firms like LifeLock to get into the game.
  • Intersections, a small public company (NASDAQ: INTX $13.22), has been on a steady course and added 4.9 million new subscribers to their own identity management and security services. Their core offering is an identity production product (Identity Guard). Other offerings are a bit diverse and include custom loyalty and brand protection (like MarkMonitor) and bail bonds. What's surprising about Intersections is the relative lack of interest in their stock. The market capitalization of $240M is less than 1x sales. The company is profitable and pays a dividend that provides a current yield of 6%. It's probably a comparative bargain compared to the likely private company value for LifeLock.

For investors looking to go "beyond the radar screen," there is a very small but public technology company called StrikeForce Technologies (OTC: SFOR $0.017) which supplies their anti-keylogging software to some of the consumer security and privacy firms like Intersections and via others that act as channel partners to very large consumer customers. Beyond that the company crown jewel is patented best-of-breed out-of-band multi-factor authentication for the enterprise market.

Investing & The Ecosystem

The first thing we notice from the companies shown in the attached ecosystem is that this is a business with very attractive margins. Gross margin averages about 76% and operating margins average nearly 20% for the larger firms. These models have attracted fairly high prices, with the average enterprise value to revenue multiple being 5.5x for the larger firms and 5.0x for the smaller ones.

It's interesting that the Symantec (SYMC) margins and valuation are so low compared to most of the other companies. They have had more than their fair share of problems but one has to wonder if they might be able to get back on track. The stock has been basically flat for 8 years now.

On the smaller company side the variation is much bigger on margins and valuations. Of the more established firms, Websense, Vasco (VDSI) and Intersections seem the most interesting. Websense (WBSN) needs to show better growth. Vasco is doing well but has an odd organizational structure and jumble of products. Intersections is not well covered and has a slightly confusing story with a high dividend yield. We may do more work on all three of these names as the market develops.

We're going to see more public companies in this space soon with three of the four listed in the ecosystem already on file for an IPO. We will be putting notes and IV estimates together for the IPO names around the time they complete their transactions.

The pricing and aftermarket performance of Imperva makes it clear that there is a large institutional appetite for information security names, but a tepid reception for AVG. AVG still trades well below their $36 IV at $15.

Disclosure: I have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours.