Cloud, IAM & Endpoint Security are rocking the markets.

Over the past 150 days, everyone in the technology industry has become an expert on COVID in some way shape or form. We have all lived the reality that COVID-19 has accelerated by at least 2 years, many trends that were in motion well before the virus hit. The cyber security sector is no exception and one of the best examples where we have witnessed accelerated change.

Hello everyone and welcome to this week’s Wikibon’s CUBE Insights, Powered by ETR. In this Breaking Analysis we want to update you on the all important security sector which remains one of the top spending priorities for organizations. Thanks to Erik Bradley, our colleague at ETR who gave provided some great data and macro trend insights as well as some anecdotal commentary from CISOs for this episode.

Shifting Sands in the Cybersecurity Space

For many years we’ve talked about the shifting patterns in networking – moving away from what’s often referred to as a “North South” architecture – meaning a hierarchical network supporting age old organizational structures. The network is flattening into an “East West” model and the moat or perimeter has been vaporized. The perimeter is now wherever the user is and the users are at home… or at their beach houses thanks to COVID.

This is a bad actor’s dream as the threat surface is expanded by orders of magnitude. And as we’ve said in the past, the adversary is well funded, extremely capable and highly motivated because the ROI of infiltration is outstanding. The CISO’s job simply stated is to lower that return on investment.

The other big trend we see is that cloud and SaaS are reducing reliance on hardware based solutions like traditional firewalls. Because so many workers are now at home, accessing sensitive data, identity and endpoint security are exploding. XDR or extended detection and response, and zero trust networks are on the rise. Organizations are increasingly relying on analytics and automation to detect and remediate threats. Alerts just don’t cut it anymore. I want action.

To accomplish this, customers are turning to a number of best of breed point products that have the potential to become the next great security platforms. And this is setting up an epic battle between hot startups that are growing very quickly and entrenched incumbents that are not going down without a fight.

Finally, while security is clearly a top spending priority, customers and their CFOs continue to be circumspect with respect to how they allocate budgets, especially in the context of a shrinking IT spending climate that we have dropping between 5-8% in 2020.

Security is Critical Governed by Tight Budgets

Cyber remains a top category in the ETR taxonomy in terms of its presence in the data set. But what the chart below tells us is CIOs and IT buyers have other priorities that they must fund. This data shows a comparison of Net Scores over three survey dates – October, April and July. Net Score remember is an indicator of spending velocity, which is calculated by subtracting the percent of customers spending less on a technology from those spending more. And you can see that at a 29% Net Score, the security sector is just one of many priorities for IT buyers.

Now remember that this July survey is asking customers are you planning to spend more or less in the second half of 2020 relative to the first half. And it’s a forward looking metric so what may be happening here is that at the height of the lockdown and the pivot to work from home, organizations spent heavily and are now fine tuning those investments…and addressing other digital priorities.

Pre- and Post-COVID Views of the Security Vendor Spending Landscape

Let’s quickly take a look back and see how security vendor landscape and spending momentum have changed in the past eight months.

Pre-COVID Picture

First we’ll go back to the January data set. We actually originally did this exercise last year and then we updated it right at the beginning of 2020. The chart below shows the top ranked cybersecurity companies based on two metrics. The left hand side sorts and ranks companies based on Net Score or spending momentum and the right side shows ranking by Shared N – which is a measure of the pervasiveness of a company in the data set – ie the number of mentions they get in the sector.

And we gave four stars to those companies that showed up in the top of both rankings. And two stars to those that were close. So you can see Microsoft, Splunk, Palo Alto, Proofpoint, Okta, Crowdstrike – we added Zscaler as new in January – and CyberArk Software. All got four stars and then we gave Cisco and Fortinet two stars.

Impact of the Pandemic

This Next Chart shows the same picture at the height of the U.S. lockdown.

Now you may say – ok what’s different? Still Microsoft, Palo Alto, Proofpoint, Okta, CyberArk, Zscaler & Crowdstrike at four stars with Cisco and Fortinet having two stars. Splunk fell off but that’s it. Well what’s different is instead of making the cut the top 22 we narrowed it down to the top 10 in order for a company to make the grade.

So if we had done that in January, Okta, Crowdstrike, Zscaler and CyberArk wouldn’t have made the cut. But in April they did as their presence in the data set grew…and we strongly believe this is a direct result of the work from home pivot. Crowdstrike – endpoint, Okta – identity access management, Zscaler cloud security and disrupting traditional appliance based firewalls.

Just to note we placed Dell EMC (which was RSA) and IBM in the list just for context.

Second Half 2020 Look

Now let’s look at the most recent July survey

We’re a bit out on a limb a bit here because many of these companies haven’t reported yet so we don’t have full visibility on their business outlook. But we show the same data below for the most recent survey.

The red line is the top 10 cutoff point and you can see Splunk, which didn’t make the cut in April, is back on the four star list. It’s very possible buyers took a pause last quarter and focused attention on work from home, but Splunk continues to impress as it shifts toward a subscription model. Splunk has a strong hold on the SIEM space. But everyone wants a piece of Splunk – especially some of the traditional firewall companies who see their hardware business dying. So we’re watching the competition from these and other players like Tenable.

Proofpoint fell off the four star list because its Net Score didn’t make the top 10. Crowdstrike, CyberArk and Zscaler also fell back because they dropped below the top 10 in Shared N. But we still really like these companies and expect them to continue to do well. Could be some anomalies in the survey…but we’re trying to be as transparent as possible. Share the data, listen to it and adjust our models accordingly.

Interpreting the Signals

Let’s make a few more points and try to interpret what might be happening here.

First – Okta pops to the top of the Net Score ranking, overtaking Crowdstrike’s top spending momentum from the last survey.

One customer in the financial services sector told Erik Bradley on a recent VENN roundtable:

We’re seeing amazing things from Okta. But the traditional firewall companies are stepping into identity. They may not be best of breed but they have a level of integration that is appealing. 

This individual specifically called out Palo Alto and Fortinet as trying to encroach – so keep your eyes on that.

Crowdstrike has declined noticeably in this past survey, which surprised us. Zscaler actually is showing more momentum relative to last quarter’s survey so that’s a positive. Palo Alto and Microsoft are holding serve and continue to lead. Proofpoint and CyberArk are showing a bit of a velocity drop and SailPoint and Tenable are catching our attention…and of course SailPoint – identity management – had a great quarter and re-instituted guidance – giving us the benefit of hindsight on its performance. So easy to give them two stars.

Just a side note by the way – we’ve cut the data here with those companies that have more than 50 mentions in the sector, which pared down the list and represents higher quality.

We maintain the premise that cloud, endpoint and identity are the big security themes and drivers in the market. We believe this is a longer term trend and not a work from home fad. Moreover, CISOs need tools to be responsive and don’t want to just get an alert. SecOps pros would rather immediately shut off access and risk angering users than get hacked. And companies are increasingly using AI to detect and they’re relying on automation to remediate or protect and fence off critical resources.

Visualizing the Players Relative Positions

Followers of these segments know that we like to plot vendors within sectors across two of our favorite metrics – Net Score – or spending momentum, which is a simple metric that tracks those spending more versus less on a technology; and Market Share, which measures a vendor’s pervasiveness in the data set. It’s calculated by taking the number of mentions a vendor gets within a sector divided by the total number of respondents.

What we show below are the key security players that we’ve highlighted over the past several quarters.

Let’s start with Microsoft. Microsoft has consistently performed well in the security sector as well as other parts of the ETR taxonomy. They have a huge presence in the survey which is indicated on the horizontal axis and you can see they have a very solid Net Score which is shown on the Y-Axis.

One interesting thing is you don’t see AWS on this chart. And it’s because AWS and Microsoft so far have somewhat different strategies with respect to security. Microsoft with its long application software history and SaaS presence across Office 365, SharePoint with Active Directory has been really focused on selling security solutions to directly protect its applications. Offerings like Defender ATP – advanced threat protection, Sentinel which is its SIEM cloud offering, Azure Identity Access Management – the company is really going after the space hard.

AWS prioritizes security but they don’t show in the ETR dataset the same way Microsoft does. It’s almost like AWS is hiding in plain site. AWS has always put a great deal of emphasis on securing the infrastructure like the S3 buckets and it announced IAM for EC2 way back in 2012. And last year at its re:Inforce conference you saw an impressive focus on security and a burgeoning security ecosystem. In fact when you think of getting started in AWS you think EC2, S3 and IAM. So I would expect to see AWS really become more prominent over time in the data set.

Now I want to talk about Okta

For the first time since we’ve been analyzing the security space with ETR data, Okta has the highest Net Score at 58%. It had consistently been Crowdstrike in the momentum lead. The company has dropped in this quarter’s survey and that’s something we’re watching. By the way, we’re not to imply that Okta and Crowdstrike are direct competitors – they’re not.

And you can see nonetheless that Crowdstrike, Zscaler and SailPoint show very elevated Net Scores. And we’ve plotted Tenable here which is also showing strong. You can see the respective positions of Proofpoint and Fortinet – these are more mature companies founded in the early part of the century so you’d expect them to have somewhat lower Net Scores.

And then there’s Cisco with a huge presence in the data. Cisco is doing well in security. It consistently grows its security business in the double digits each quarter and it’s a real feather in the Cisco portfolio cap. Which is important as its traditional hardware business continues to come under pressure.

Splunk we talked about a lot – no surprise at their leadership position. But I want to talk a bit more about Palo Alto Networks. Here’s a company that we’ve talked about in the past. They are a tier 1 player with great service. CISOs want to work with them because they are thought leaders and have an impressive portfolio of great solutions. But their traditional firewall business is coming under pressure for the reasons we discussed earlier. Palo Alto has expanded its portfolio to the cloud and with Prisma the company’s suite of security services it will maintain a leadership position in our view. But Palo Alto as we discussed had some missteps with its product transitions, sales execution and pricing models. And it hurt their stock price but we’ve always said that they would work through those issues and that was a buying opportunity. The other thing about Palo Alto is they’re considered the expensive choice by customers. You pay for those top tier offerings. So that’s a two-edged sword.

Here’s an example as to why. People often compare Fortinet to Palo Alto and we shared in previous segments the valuation divergence between Palo Alto and Fortinet – where the latter was making a smoother transition to its future. And people often tell us that Fortinet, while maybe is considered not as elite as Palo Alto – they are the value choice. Their stuff just works and Fortinet is a great alternative to Palo Alto and that has served them well.

Cyber Valuation Trends Since COVID Hit

Let’s now take a closer look at the valuations of some of these companies. We started this segment by saying that the pandemic has affected every sector and especially cybersecurity.

This chart below shows the progression of key valuation metrics since earlier this year.

What we show above are the valuations of nine of the companies in the security sector since mid February. The data tracks their respective valuations, revenue multiples and growth rates in both value and revenue terms. Revenue growth is shown in the last column for the most recent quarterly report.The companies in red have yet to report so as we mentioned, we’re flying a bit blind here, After the earnings we’ll take another look to see how the survey data aligns with the results.

Here are the key points:

  • Market Averages Defy the Economic Reality. First we see the S&P 500 and NASDAQ performance in Feb, June and August. Pandemic? Recession? What do you mean? The NASDAQ especially up 14% since mid Feb is quite astounding.
  • Palo Alto & Fortinet Valuation Divergence. Next – let’s come back to the discussion about Palo Alto and Fortinet. Fortinet has reported its quarter and Palo Alto has not yet but you can see, based on the revenue multiples highlighted in red, that the valuation divergence is shrinking. We’ll see if that holds up after Palo Alto reports.
  • Three Disrupters Stand Out. The eye popper is the valuation increases from February to August for Okta, Crowdstrike and Zscaler. 52%, 67% and 104% increases respectively. Now you can’t say we didn’t warn you that these companies were all well positioned when we reported last year and in January. But I did say in our last episode that these three, I thought were getting expensive. And since then they’ve continued to run up. So if you’ve been waiting for an entry point based on my advice – well sorry…
  • Revenue Multiples Keep Expanding for Growth Plays. Look at the revenue multiple expansions in the orange. Okta from 34X to 52X. Crowdstrike 39X to 66X. Zscaler – 25X to 43X. I mean wow. Let’s see what happens after these three report. We would have hoped they’d take a breather this summer so you could jump in but these stocks just keep going up. And despite the decline in Net Score for Crowdstrike we still like all three of these companies and feel they’re very well positioned from a product standpoint and customer feedback perspective.
  • SailPoint’s Strong Quarter. SailPoint crushed its quarter, bringing in some large deals and providing forward guidance. Nearly a 50% valuation increase since February and a revenue multiple expansion from last quarter, when the street wasn’t thrilled with its numbers. But identity management is hot and so now is SailPoint from the street’s perspective.
  • Eye on Growth Rates. Last thing we’ll stress is watch the growth rates. Expectations are high and the street will cream any of these companies that miss. Which may be your opportunity to jump in because we like these disruptors. As always do your research and watch out for the whales trying to freeze the markets on these guys.

Key Takeaways

We covered a lot of ground today and surfed the landscape a bit.

The trend is clear. The move to SaaS is entrenched. By the way this isn’t necessarily all good news for buyers. CIOs and CFOs tell us that the dark side of CAPEX to OPEX is unpredictable bills. But the flexibility and business value gained is outweighing the downside risks.

We believe the remote work trend is here to stay to a large degree. Organizations are rearchitecting their businesses around work from home and we think they are seeing some real benefits. They’ve made investments, it’s driving new modes of work and productivity and they’re not going to just throw away those recent investments. Why should they? Just to go back to the old way? We don’t see that happening.

As we’ve said previously, the Internet is the new private network and VPNs and SD-WAN start to look like stop gaps. The Cloud, endpoint security and cloud-based IAM are winning.

We’re also seeing new security regimes emerge where the CISO and SecOps teams are not an island. We’ve even seen some CISOs falling back under the CIO, which used to be taboo, like the fox guarding the hen house. But this idea of shared responsibility is not just between the cloud providers and the security teams. Because security is a board level priority everyone in the business is becoming more aware.

Now the last two points are interesting. We remember reading a post by Jon Oltsick who is an ESG security analyst. And he predicted last year that integrated suites would win out over the buffet of point products on the market. And we generally agreed with that but at least in the near and mid-term, that’s not happening as we’ve seen with the hot companies highlighted here.

Products v. Platforms

Now these companies have ambitions beyond selling products and they would bristle at us lumping them into point products. Their execs are going after platform plays so they’re all on a collision course in our view. This should be fun to watch because the big integrated companies are well-funded, have great cash flows, large customer bases and as we said aren’t going down without a fight. So we would expect eventually there will be more of an equilibrium to what seems to be a bifurcated and unbalanced market today.

Expect more M&A activity, however at these valuations, some of the companies we’ve highlighted are becoming acquisition proof. As such they’d better keep innovating or they will be in trouble.

That’s it for now. Remember these episodes are all available as podcasts wherever you listen – please subscribe. These segments are published weekly on Wikibon.com. We have added in the Wikibon.com menu bar a Breaking Analysis link of all these episodes. We also publish on Siliconangle.com so check that out and please do comment on our LinkedIn posts. Don’t forget to check out ETR for all the survey action. Get in touch on twitter @dvellante or email david.vellante@siliconangle.com

Thanks for reading and watching.

Watch the full video analysis: