Preparing for RSA 2020. Welcome to this week’s Wikibon CUBE Insights, Powered by ETR. In this Breaking Analysis, ahead of the RSA Conference, we want to update you on the cyber security sector. This year’s event is underlined by two major news stories: 1) Coronavirus fears – IBM has pulled out of the event and cited the epidemic as the reason; and 2) The sale of RSA to STG partners, a private equity firm.
The Big Picture in Cyber
In our last security drill down we cited several megatrends in the security sector. These included:
- The ever-escalating sophistication of the attacker;
- The increased risks from the data economy;
- An expanded attack surface with the number of IP addresses exploding via mobile and IoT;
- The lack of skills and the challenges that brings to CISOs;
- An explosion in the number of cyber security tools hitting the market.
In these segments we like to share insights from theCUBE. We start this analysis with comments on cyber from two statesmen. General Keith Alexander, former Director of the NSA, and Dr. Robert Gates, former Director of the CIA and former Secretary of Defense, comment on the nature of the threat and the awareness that boards of directors should have regarding security.
General Alexander underscores the danger and the nature of the actors. Meanwhile, Dr. Gates articulates what we’ve said many times on theCUBE, that cyber security is a board-level agenda item. Notably, the comments from both of these leaders represent tailwinds for cyber technology companies because of the severity of the threat and the awareness in the C-suite.
CISOs Face Major Challenges
While the fear factor brings budget momentum and fuels growth, CISOs face pressing challenges, as do many of the suppliers. Cloud migration and the shift from north-south to east-west network traffic are changing traditional security architectures and pressuring legacy appliance-based perimeter security solutions. Increased complexity and the lack of skills are the other macro factors, along with questions on ROI. CFOs ask:
“Why are we not more secure if we’re spending so much on cyber security each year?”
Listen to the perspectives of two CISOs on the challenges they face and how they are dealing with them.
We’ve featured CISOs Brian Lozada and Katie Jenkins of Liberty Mutual in prior Breaking Analysis segments. You can hear from these Cyber leaders that we lack the talent to even fight the day-to-day battles. Cloud computing and automation are areas they are pursuing in an attempt to re-tool their security platforms and drive automation.
Regardless, at the end of the day, organizations have no choice but to make cyber security a priority. The sophistication of the attacker is very high, and the answer to the CFO’s ROI concerns is a fear-based justification. In other words:
If you don’t invest in cyber you might lose billions in market cap and do some serious brand damage…and you might lose your job.
How Attackers “Live off the Land”
Living off the land is a metaphor for cyber attackers using the resources already available at an installation against an organization. So instead of bringing in outside tools and processes, which could signal anomalous behavior, the bad guys are leveraging what’s already there to attack. In this approach they can surf an organization’s data and go undetected for longer periods of time.
Listen to cyber expert T.K. Keanini explain in more detail how this works, and to one CISO’s advice on the most important skill needed for cyber practitioners.
The really insidious thing about what T.K. Keanini says in this clip is that the attackers are well funded, smart and know how to use your tools and processes against you. Brian Lozada’s mandate to security pros is that you need to be a great communicator in order to get the funding needed to compete with bad actors. In other words, you need to translate tech speak into the language of business or you won’t get the resources required to secure your organization’s data.
This is a critical takeaway for security practitioners at RSA 2020.
What to Expect at RSA 2020
Security practitioners attend RSA 2020 to learn, to obtain new skills, to bring back ideas to their organizations and, importantly, to better communicate with the executives writing the checks.
One of the things we did to prepare for this analysis is read the RSA 2020 conference content agenda co-authored by Britta Glade. And we read numerous blogs and articles about what to expect at RSA 2020. From all that content we put together this word cloud, which conveys some of the key themes we think will be prominent at RSA 2020.
Skills jumps right out. The human element is going to be a big deal this year. IoT and the IT/OT schism…everyone’s talking about the Olympics and seeing that as a watershed event for cyber. How to apply machine learning and AI is a big theme, as is cloud with containers and serverless, phishing, zero trust and frameworks…frameworks for privacy, governance and compliance. The 2020 election and weaponizing social media with deep fakes. And expect to hear a lot about the challenges of securing 5G networks, open source challenges, supply chain risk and of course the need for automation.
And it’s no surprise there will be lots of talk about cyber technology, products and the companies that sell them.
Evaluating the Spending Data in Cyber
There will be lots of vendors presenting at RSA 2020. They’ll be talking about the market, the concerns about cyber, major trends and why they are in the best position to help you. It’s our job to help you understand what’s real and what’s hype and we use survey spending data to keep the vendors honest.
The first chart we want to show is spending on cyber security relative to other initiatives. What this chart below shows is the spending on security – highlighted in green – relative to other sectors in the ETR taxonomy. The blue dot shows the change in spending expected in 2020 vs 2019.
There are two key takeaways here: 1) Despite the narrative we always hear, that security is the number one concern of CIOs, the reality is that other initiatives compete for budget. Organizations can’t just keep throwing cash at the security problem. As we’ve said before, we only spend about .014% of our global GDP on cyber, so we are barely scratching the surface; and 2) There is solid year-on-year growth in cyber – quite high at 12% for a sector that’s estimated at $100B – $150B worldwide according to a variety of sources. Even though cyber security initiatives have to compete for budget, they are still top of mind.
Which Security Vendors have Momentum?
Let’s take a look at some of the players in this space that will be presenting at RSA 2020. You might remember in our 2020 predictions Breaking Analysis we focused on two ETR metrics: Net Score – which is a measure of spending velocity – and Market Share which measures pervasiveness in the dataset. And we anointed nine security players and referred to them as “Four Star” companies in cyber. The list was Microsoft, Cisco, Palo Alto Networks, Splunk, Proofpoint, Fortinet, Okta, CyberArk and CrowdStrike.
The chart above provides an update of that analysis with the January survey data.
The four star companies were defined as those in the cyber security sector that demonstrated strength in both Net Score (or spending momentum) – shown on the left hand chart – and Market Share (or pervasiveness in the survey) – shown on the right hand chart. Companies that showed up in the top 22 for each category made the grade.
Here are the five key takeaways:
- There are a lot of cyber security companies in the green from the standpoint of Net Score. This is a vibrant sector from the standpoint of spending momentum;
- Fortinet and Cisco fell off the four star list because their Net Scores, while still holding up reasonably well, dropped somewhat relative to the October survey;
- Some other companies like Varonis, Veracode and Carbon Black jumped up on the Net Score rankings in the January ETR survey;
- However, Cisco and Fortinet are still showing some strength in the market overall. Cisco’s security business was up 9% in the quarter and Fortinet is breaking away from Palo Alto Networks from a valuation perspective – which we will dissect later in this analysis. So we are going to give Cisco and Fortinet 2 stars this survey period and keep them on the radar;
- Zscaler is moving up…the company made the four star cut this time. Zscaler’s Net Score or spending momentum jumped from 38% last quarter to nearly 45% in the January survey – with a sizable shared N at 123. So we’ve added Zscaler to the four star list and will continue to watch this quarterly horse race.
Finally, we would be remiss if we didn’t point out that Microsoft continues to get stronger across the board including in the cyber security sector.
Unpacking Cyber Security Vendor Valuations
We want to turn our attention to the valuations in the cyber security space. For reasons we have discussed, the market is hot right now. Some people think it’s overvalued, but we think the space will continue to perform well relative to other areas in tech. Why? Because cyber security continues to be a huge priority for organizations, and the software and annual recurring revenue (ARR) contribution continues to grow on their P&Ls. M&A will also continue to be robust in our view, which will fuel valuations further.
Let’s look at some of the public companies in cyber.
The chart above shows eight public companies that were cited as four star or two star firms as defined earlier, ranked by market value. In the columns we show five areas: The company, market cap, trailing twelve month revenue in billions, the revenue multiple and annual revenue growth.
We have highlighted Palo Alto Networks and Fortinet because we want to drill into those two firms further. There’s a valuation divergence going on between those two companies that we want to better understand. We’ll come back to that.
There are several points we want to make here:
- There’s definitely a proportional relationship between growth rate and the revenue multiple or premium being paid for these companies. Generally growth ranges between 1.5 – 3X the revenue multiple being paid. CrowdStrike, for example, has a 39X revenue multiple and is growing at 110% – so they are at the high end of that range, with growth at 2.8X their revenue multiple today;
- In a related trend, you can see a wide range of revenue multiples based on these growth rates, with CrowdStrike, Okta and Zscaler as the standouts in this regard. And we have to call out Splunk as well…they are both large and high growth, although they are moving beyond security into adjacencies in big data analytics. But you have to admire Splunk’s performance.
- The third point is this is a lucrative market. You have several companies with valuations in the double digit billions and many with multi-billion dollar market values. Cyber chaos means cash for many of these companies and their investors.
- Palo Alto throws some of these ratios out of whack. In other words, why the lower revenue multiple with that type of growth? It’s because they’ve had some execution issues lately and this annual growth rate is not the best reflection of the stock price today…which is really being driven by quarterly growth rates and less robust management guidance from Palo Alto Networks.
Valuation Divergence Between Palo Alto and Fortinet
Let’s dig into this a bit. The chart below shows the one year relative stock prices of Palo Alto Networks in the blue and Fortinet in the red.
Look at the divergence in the two stocks. They traded in a range and then you saw the split when Palo Alto missed its quarter last year, while Fortinet surged. Here’s our perspective on what’s happening. First, we have to point out that Palo Alto has been a very solid performer since it IPO’d in 2012, delivering more than 4X returns to shareholders over that period.
But the cloud is challenging Palo Alto, as is often the case with established players. They’re trying to “cloud proof” their business by transitioning more to an ARR model and relying less on appliance-centric firewalls. Legacy firewalls are a core part of their business and have underperformed expectations lately. You can’t take legacy tech and cloudwash it, which is often what large established companies try to do. Cloud native competitors like Zscaler are taking advantage of this transition.
Notably, Palo Alto Networks also had some very tough compares in 2019 relative to 2018 and that should somewhat abate this year.
But the big issue is that Palo Alto has had some execution issues during this transition especially related to sales incentives and aligning to the new world of cloud.
Finally, Palo Alto is also in the process of digesting some acquisitions like Twistlock and PureSec and others, and that could be a distraction.
Fortinet, on the other hand, is benefitting from a large portfolio refresh and is capitalizing on that momentum. In fact, of all the companies we listed, Fortinet may be undervalued despite the drop off from the four star list we mentioned earlier. Fortinet is one of those companies with a large solution set that can cover a lot of ground…and Fortinet, while it faces cloud headwinds similar to Palo Alto’s, seems to be executing better on the transition.
What Does the ETR Data Say about these Two Companies?
The last thing we will share on this topic is some data from the ETR regression testing. ETR data scientists run regression models and fit a linear equation to determine whether Wall Street earnings consensus estimates are consistent with ETR spending data.
What this chart above shows is the results of that analysis for Fortinet and Palo Alto Networks and as you can see the ETR spending data suggests that both companies could outperform expectations. Now we wouldn’t recommend running out and buying the stock based on this data as there’s lots more to this story but let’s watch the earnings to see how this plays out and learn how to apply this data over time.
Analyzing Dell’s Sale of RSA to STG
Ahead of RSA 2020, we want to make a few comments about the RSA sale. EMC bought RSA in 2006 for around the same number – roughly 2 billion dollars – that STG is paying Dell. So we’re obviously not impressed with the return that the RSA asset delivered.
The interesting takeaway is that Dell is choosing liquidity over the RSA cyber security asset. So it says to us that Dell’s ability to pay down debt is much more important to its go forward plan. Remember, for every $5B Dell pays down in gross debt it drops 25 cents to earnings per share. This is important for Dell to get back to investment grade debt, which will further lower its costs.
In thinking about this, it’s interesting that VMware, which is acquiring security assets (most recently Carbon Black) and building out a cloud security division, obviously didn’t pound the table fighting to roll RSA into that division. Or maybe they did, but the financial value of the cash to Dell was greater than the value of the RSA customers, the products and the RSA Conference.
But our guess is Gelsinger didn’t want the legacy tech…he’s said many times that security is broken and it’s his mission to fix it or die trying. So we would bet that he and VMware didn’t see RSA as a path to “fixing” security. Rather, it’s more likely they saw it as a non strategic, shrinking asset that they didn’t want.
For the record – and we won’t even bother showing you the data – in the ETR data set, RSA is an unimpressive player in cyber security. Their Market Share or pervasiveness is middle of the pack but their Net Score or spending velocity is in the red and in the bottom 20 percentile of the data set.
Nonetheless, RSA is a known brand in cyber security with a great conference and it’s probably better that a PE company owns them than being a misfit toy inside of Dell struggling for relevance.
Summarizing the Cyber Space Ahead of RSA 2020
As we’ve been stressing in our Breaking Analysis segments and on theCUBE, the adversaries are very capable and we should expect continued escalation.
Venture capital continues to fund startups and that will lead to more fragmentation, but the market remains ripe for M&A. The battle continues for best of breed tools from upstarts like CrowdStrike, Okta and Zscaler versus suites from big players like Cisco, Palo Alto Networks and Fortinet.
Growth will drive valuations and observers should keep an eye on the cloud. It remains disruptive to some and provides momentum to others.
Security practitioners will continue to be well paid as skills shortages will not abate despite the push to automation.
We didn’t talk much about machine intelligence in cyber, but AI and ML tools are a two-edged sword. Bad actors are leveraging installed infrastructure, tools and behaviors to live off the land, upping the stakes in the arms race.
theCUBE will be broadcasting at RSA 2020 so please stop by and see us. John Furrier, Jeff Frick and the Palo Alto team will be at the event in force and we look forward to reporting on the show.
As always, we really appreciate the comments we get on our LinkedIn posts and on Twitter @dvellante so thanks for those. Also, you may want to check out this ETR Tutorial we created, which explains their spending methodology in more detail.
Finally, here’s the full video analysis of this week’s segment: