Security Company Earnings Reports - Nuggets of Gold (Part 2)

I received some great feedback on my thoughts on the highlights of the Symantec, Checkpoint and Fortinet earnings calls, so through popular demand have continued working my way through security company earnings calls.  In this edition, one of the newer and sexier market players: Sourcefire

Of course, IT security is to 'sexy' what Eddie "the Eagle" Edwards was to ski jumping, so I still wouldn't necessarily be opening with your latest 'penetration testing' gag at the bar later tonight.  Unless the bar happens to be hosting a Star Trek party, in which case, make hay while the sun shines.

Anyway, on with the review.

Sourcefire 

http://seekingalpha.com/article/1387331-sourcefire-management-discusses-q1-2013-results-earnings-call-transcript

sourcefire.png

"Revenue for the first quarter of 2013 came in at $56.2 million, an increase of 21% over the year-ago period."

That's why they're the sexy ones.  21% year-on-year growth.

"21% was below our expectation."

Wow, expectations were high.  But then, when your PE Ratio is 339 (http://ycharts.com/companies/FIRE/pe_ratio), I guess that's what happens to expectations.

"Our U.S. Commercial and International business revenue grew a combined 37% over the same period last year."

Great numbers.  Unsustainable, but good to get them when you can.

"We believe our U.S. Federal business was impacted by funding uncertainties related to sequestration and the continuing resolution that wasn't approved until March 26, resulting in a year-over-year decline of 36%."

OK, should have seen that coming.  Good news first, then the bad news.  A 36% year-over-year decline is huge.  (For those who don't immediately recognise that a 36% loss is much worse than a 37% gain is good, remember that to get back that 36% loss, will require in excess of a 50% gain.)

"This approach starts by first acknowledging that there are 3 distinct phases of security from a defender's point of view. You have heard us refer to this as the attack continuum: a before, during and after phases of an attack."

Which sounds eerily similar to 'Protect, Detect and React' which we've been saying for decades.  Old wine, new bottles.

"Our cybersecurity solutions... address the full attack continuum across all attack sectors and respond at any time, all the time in realtime... This is in contrast to traditional security layers that only operate at a point in time... They have no capability versus a threat later in time."

I think I need to re-read Stephen Hawkings' A Brief History of Time to understand this.  Any time, all the time, in real time, not at a point in time, but definitely later in time.  Got it.  On a serious note, it is interesting to see how the amount of investment being poured in to solutions aimed at detecting pre-existing breaches in an environment; effectively acknowledging the fact that organisations simply cannot prevent the breaches from occurring. 

"Our [Advanced Malware Protection] solution [FireAMP] has capabilities and scope that will have the competition playing catch-up for years"

From what I've seen and read, I think FireAMP is indeed going to be a powerful tool in the security business.  As with all the latest-and-greatest technologies, however, the question will be whether anyone in Australia has the capability to implement it, configure it correctly, and manage/monitor it the way it is intended.  Otherwise it will be the next very expensive paperweight to hit our desks.

"As we continue to scale our International operations, we will benefit from the tax structure implemented last year and believe we can drive our long-term effective tax rate below 30%."

Seems pretty conservative.  Apple have managed to get theirs down to under 2%, with a "Dutch Sandwich" and some Catch-22-esque workmanship resulting in some of Apple's legal entities not being resident anywhere.  

"We don't traditionally break out our International business. I can tell you that it was strong across the board. We added 40 resellers in Q1 and a little bit more than half of them were International. In fact, half of them were in Asia-Pacific. That business is really starting to pick up for us."

Obviously Asia-Pacific is a lot broader than just Australia, but it's interesting to see how many companies are reporting strong demand and growth from this region.  It certainly matches the demand and growth in the domestic information security services sector, and I continue to believe that the services market in particular is growing faster than the supply-side can keep up with.

A question from the floor:

"And regarding the balance sheet, could you give us some color around the trends in deferred revenue? It was flattish quarter-to-quarter. Any color on that?"  

Boom!  Two uses of the buzzword-of-the-moment 'color' in one go!  I am still yet to hear it used at all in Australia, but maybe I'm moving in the wrong circles.  It can only be a matter of time.

In response to a question about which companies the FireAMP product competes with (this is long, but worth reading):

"In terms of who we compete with, there are a number of players in kind of the advanced network space that are out there, and a lot of people who claim they're out there as well. I think you look at the core anti-virus guys, a lot of them will say they're dealing with events now, where you look at newcomers, they're a bunch of startups out there. You have guys like FireEye as well. They're all kind of swirling around the problem right now looking for a solution. I would say that relative to any of them that are out there right now, there are -- some companies are taking a purely network-based approach, some are taking a purely end-point-based approach. Many of them -- well, very few of them consider the totality of networks endpoints, mobile devices and virtual environments. And of all the companies that are out there really, we're the only guys who consider them all. We use one unified detection infrastructure to analyze everything that comes in. We operate on a continuous capability model using streaming telemetry from the devices that we're connected to. And what that means effectively, if you look that this versus any of them that are out there, they all operate in what we call a point in time. They're presented with a piece of data. They make the decision either good or bad, and if they're wrong, they completely miss it and have no opportunity to go back there and do something about it again. We have continuous capability where we can see all the time, in realtime, not just the structure of advanced malware, but also its operations and behavior. And really, at the end of the day, we believe we're a disruptive player in this space because we're one of the first movers and we have a fully scoped solution that addresses the entire problem set that is out there."

A good summary of their positioning and how they see the market.  If FireEye is being included as a competitor, I assume RSA NetWitness, Solera Networks, Australian start-ups like Packetloop, and US-based companies that as far as I know haven't made it to our shores such as Damballa and Invincea should be included in there too.  It's becoming a crowded market and logically will consolidate pretty heavily over the next 1 - 2 years (noting that Blue Coat recently bought Solera Networks; and of course RSA reasonably recently bought NetWitness).  

For those in the IT security professional services industry, providing implementation, configuration, support and management around these 'next generation' tools is a huge opportunity.  While not all the products and vendors in this space will continue to be here in a few years' time, the amount of venture capital being thrown at this part of the market should guarantee short term viability at least.

Security Company Earnings Reports - Nuggets of Gold (Part 1)

All reports referenced below, and all quotes, are from Seeking Alpha - free registration required to read them.

In this first set, I've looked at Symantec, Checkpoint, and Fortinet.  In later blogs I'll look at others including Sourcefire, Qualys, Imperva, Websense, Vasco, and probably some others.

If I had to summarise the three below, this would be pretty close:

  • Symantec is like the New York Yankees.  Big budget, used to win the World Series routinely, now has an ageing roster who spend lots of time on the DL, but somehow seem to still find a way to genuinely compete.  Not a bad team, even if they don't look as razzle-dazzle as they once did.
  • Checkpoint is like the Oakland Athletics.  A good team in a smaller market (compared to the Yankees), that historically has focused a bit more internally than externally (with pretty good results most of the time).
  • Fortinet is like the Washington Nationals.  Lots of brash young players with extraordinary talent, who occasionally play the game too hard (eg http://mlb.mlb.com/video/play.jsp?content_id=27097807&c_id=mlb).  But the fact is, a few years from now, when the Yankees roster is completely different, the Nationals roster will be much the same, and they will be awesome.

Don't follow baseball, so don't understand the above?  For more color, read below.  Oh, and you'll also discover the joy of the word 'color' as a tool of management-speak.

Symantec

symantec.png

http://seekingalpha.com/article/1412431-symantec-management-discusses-q4-2013-results-earnings-call-transcript?part=single

"We delivered better-than-expected results for the quarter and year... We grew 3% organically, the largest organic growth rate in 5 years." 

I can't help but think that when 3% organic growth is the largest rate in 5 years, the company is in need of some electro-shock therapy.

[As a cross-reference, the Fortinet transcript mentions that analysts' average growth forecast for the industry is 6-10%.  Growing at below that trend line, is not a great sign.]

"FY '13 also was the start of the transformation of Symantec."

Ah, right.  The aforementioned electro-shock therapy.

"We're in the middle of rightsizing our management structure."

Do people still euphemistically use the word rightsizing?  Are we not supposed to notice that nobody has ever 'rightsized' a team and made it bigger?

"We expect to eliminate between 30% and 40% of our management positions."

Like I said.  Rightsizing is a one way street.

"We will have fewer, bigger jobs for our best and brightest. We are also attracting world-class talent from the outside..."

OK, so 30-40% of management positions are gone, and of the positions remaining, externals will take some, so we're basically saying that probably a full HALF of Symantec's management will be removed in the coming year.  Wow.

"...[we're seeing] double-digit growth in our information security business"
"...[we're seeing] double-digit growth in Business Critical Services as demand for high-touch infrastructure protection services continues to grow"
"...[we're seeing] double-digit growth that we're seeing out of areas like encryption, Managed Security Services."
"Our Trust Services business continues to grow very nicely for us."
"...as to the Endpoint Security business, that's closer to flat."

Realistically, nothing too surprising here.  Many of the fastest growth companies in the market are in the 'detect' space right now (rather than 'protect' or 'react'), and Managed Security Services and infrastructure protection services are growing well everywhere.  It would be a tough part of the market to try to operate in, to cover both mums-and-dads anti-virus all the way through to high-end MSS for financial institutions.  

Checkpoint

checkpoint.png

http://seekingalpha.com/article/1358591-check-point-software-technologies-management-discusses-q1-2013-results-earnings-call-transcript

"In the first quarter, revenues reached $322.7 million, representing an increase of 3% compared to $313 million in the first quarter of 2012."

As per Symantec, growing at 3% in a market growing 6-10%, isn't great... but of course that's always part of the challenge of being the big guy.  It's much harder to grow proportionally as quickly as all the start-ups nibbling at your market.  And of course Symantec is much bigger still.

"Revenue distribution by geography for the quarter was as follows: Americas contributed 45% of revenues; Europe was 38%; and Asia Pacific, Japan, Middle East and Africa regions contributed the remaining 17%."

This matches up pretty well to the rule of thumb that the Americas (primarily the USA) accounts for close to half of global cyber-security spend.

Regarding not having closed some "super high end deals" (which is later clarified to relate to these devices: http://www.checkpoint.com/products/61000-appliances/index.html):

"Competitive-related, no, I don't think that any of these deals -- I mean, all these deals that there are now are still open, and I think that, that part of the market is currently not very competitive to keep the deals we are seeing."

This doesn't surprise me.  As 'hot' as the security market is, and as many companies are pouring into it, it is still the case that a large part of security spend is not allocated through a competitive process; or if it is at first, it is not for some period of time after that.  Organisations are - in many cases - picking their security partners and sticking with them, until or unless there is an unequivocal reason to change (with a major breach being a big one).

"I don't think that there's any new competitors. Our market is competitive and always been competitive."

See above.

In response to a question about the future of network security, cloud etc:

"...some of that around mobility and data security, these are definitely areas we're working on and this is an area that will show some nice innovation during the rest of the year. So this is clearly an area that we are working on. "

On the 'Threat Emulation' system... This is a bit long, but worth reading:

"Threat Emulation is an exciting blade, which addresses a very fast-growing segment of the marketplace. "
"We just announced it a few weeks ago, and very, very new. In terms of how our solution is different. First, I think our immediate competitors don't have something comparable to that, and I think the unique value that we provide in the Threat Emulation space is the fact that it's all integrated into one system and the fact that we actually have prevention. If you look at many other emulation kind of solutions, they analyze the files pretty much offline, and if there is a threat found, then manually, someone had to go and look for the file. What we have is a realtime in-line system. You get an e-mail. If the e-mail is unknown, if the e-mail is not recognized... we'll take that e-mail, send it to the Threat Emulation engine. The Threat Emulation engine, by the way, can be a cloud service that we provide or it can be an appliance that a large enterprise would like to install locally. It runs the document in the sandbox, looks for the different behaviors, and then it either tells the main system, pass the e-mail, nothing was found, or it tells the e-mail something was found, stop the e-mail, don't transfer that. And that's a very, very powerful thing. Again, none of the other competitors has a realtime system like that."

This is definitely a part of the market that every major security vendor wants to be in.  The rapid growth of the segment (which didn't really exist just a few years ago), and the success of companies and products such as FireEye, RSA NetWitness, Solera, Sourcefire FireAMP and more, makes the only real decision for companies like Checkpoint, McAfee, Cisco and Symantec: Build or Buy?

Fortinet

fortinet.png

http://seekingalpha.com/article/1387761-fortinet-management-discusses-q1-2013-results-earnings-call-transcript

"...we did not see a major change in the competitive environment and no significant deals were lost to competitors."

See comment in Checkpoint analysis about the nature of the competitive environment.  Yes, it's crowded.  Yet, it's competitive.  But that doesn't mean a huge amount of business isn't being locked up without too much competitive conflict.

"So we believe the security industry remain healthy, though growing at a slower rate than what was previously estimated. On average, research firm have the growth rate of now secured to be somewhere between 6% to 10% year-over-year"

A good stat to baseline growth against.  

"Fortinet hold more certifications than any other security vendor"

I have no idea how to test/validate this, so I'll accept it as is.  An impressive statement given their relative youth in the market.

"On the innovation front, we introduced a new product that strengthen our advantage across our core market. This includes a new FortiGuard cloud-based sandboxing and IP reputation service, designed to help protect against advanced persistent threats. Using behavioral attributes to detect malware by executing them within a virtual environment."

See above commentary re: Checkpoint's Threat Emulation system.  I'm actually not sure who was first into this market, and it's too early to say who is best, but regardless, expect it to feel like Attack of the Clones in the next 12-24 months.

"we also continued to invest in sales headcount and marketing activities to support long-term growth"

See Symantec.  There are going to be a bunch of sales managers available pretty soon.

"Q1 billings were $148.5 million during the first quarter, an increase of $11.5 million or 8% year-over-year."

That's a bit healthier.  Nicely done.

"EMEA billings grew 8% despite the continued macro uncertainty there. And APAC grew very nicely at 25% with good traction in Japan, Southeast Asia and India."

Wow.  25% is indeed a very healthy growth rate.  Not sure what the base was, but shows there is still a pretty significant unsatisfied market need.

"In the Americas, we won a 7-figure deal with a large U.S. based wireless carrier where we replaced Palo Alto Networks. We were selected because of our superior reliability, scalability and overall firewall performance."
"[on a different deal]...we beat out Check Point, Juniper, Palo Alto Networks and Cisco in this deal, based again on performance and breadth of functionality we offer..."
"[on a different deal]...we beat Cisco, Check Point, McAfee and Blue Coat in this deal..."

These statements are interesting because Symantec and Checkpoint seemed to not really want to name or discuss competitors at all.  Whereas Fortinet just get straight into competitor-smack-down.  As Robbie Williams says, "sing when you're winning."

"give you some color"

This one was everywhere.  Seven appearances in the transcript, and they weren't talking about the flashing lights on the firewalls.   I read it in the Checkpoint discussion too (3 appearances) and Symantec (2 appearances).  Sounds like the latest buzzword.  Excellent.  It seems that "can you give us some color about..." basically means "can you give us some detail about..."  But the people who say the former, rather than the latter, I assume get well rewarded for their command of management linguistics.  Is it just a coincidence that the more the word 'color' is thrown about, the higher the company's year-to-year growth?  

"In terms of the strategy, I think the strategy is pretty obvious. Look, the product is advantaged in one particular context, and that is, it can do more with higher performance, far more reliable, far more scalable."

Great clarity.  You don't get that a lot.