Security Company Earnings Reports - Nuggets of Gold (Part 1)

All reports referenced below, and all quotes, are from Seeking Alpha - free registration required to read them.

In this first set, I've looked at Symantec, Checkpoint, and Fortinet.  In later blogs I'll look at others including Sourcefire, Qualys, Imperva, Websense, Vasco, and probably some others.

If I had to summarise the three below, this would be pretty close:

  • Symantec is like the New York Yankees.  Big budget, used to win the World Series routinely, now has an ageing roster who spend lots of time on the DL, but somehow seem to still find a way to genuinely compete.  Not a bad team, even if they don't look as razzle-dazzle as they once did.
  • Checkpoint is like the Oakland Athletics.  A good team in a smaller market (compared to the Yankees), that historically has focused a bit more internally than externally (with pretty good results most of the time).
  • Fortinet is like the Washington Nationals.  Lots of brash young players with extraordinary talent, who occasionally play the game too hard (eg  But the fact is, a few years from now, when the Yankees roster is completely different, the Nationals roster will be much the same, and they will be awesome.

Don't follow baseball, so don't understand the above?  For more color, read below.  Oh, and you'll also discover the joy of the word 'color' as a tool of management-speak.



"We delivered better-than-expected results for the quarter and year... We grew 3% organically, the largest organic growth rate in 5 years." 

I can't help but think that when 3% organic growth is the largest rate in 5 years, the company is in need of some electro-shock therapy.

[As a cross-reference, the Fortinet transcript mentions that analysts' average growth forecast for the industry is 6-10%.  Growing below that trend line is not a great sign.]

"FY '13 also was the start of the transformation of Symantec."

Ah, right.  The aforementioned electro-shock therapy.

"We're in the middle of rightsizing our management structure."

Do people still euphemistically use the word rightsizing?  Are we not supposed to notice that nobody has ever 'rightsized' a team and made it bigger?

"We expect to eliminate between 30% and 40% of our management positions."

Like I said.  Rightsizing is a one way street.

"We will have fewer, bigger jobs for our best and brightest. We are also attracting world-class talent from the outside..."

OK, so 30-40% of management positions are gone, and of the positions remaining, externals will take some, so we're basically saying that probably a full HALF of Symantec's management will be removed in the coming year.  Wow.

"...[we're seeing] double-digit growth in our information security business"
"...[we're seeing] double-digit growth in Business Critical Services as demand for high-touch infrastructure protection services continues to grow"
"...[we're seeing] double-digit growth that we're seeing out of areas like encryption, Managed Security Services."
"Our Trust Services business continues to grow very nicely for us."
" to the Endpoint Security business, that's closer to flat."

Realistically, nothing too surprising here.  Many of the fastest growth companies in the market are in the 'detect' space right now (rather than 'protect' or 'react'), and Managed Security Services and infrastructure protection services are growing well everywhere.  It would be a tough part of the market to try to operate in, to cover both mums-and-dads anti-virus all the way through to high-end MSS for financial institutions.  



"In the first quarter, revenues reached $322.7 million, representing an increase of 3% compared to $313 million in the first quarter of 2012."

As per Symantec, growing at 3% in a market growing 6-10% isn't great... but of course that's always part of the challenge of being the big guy.  It's much harder to grow proportionally as quickly as all the start-ups nibbling at your market.  And of course Symantec is much bigger still.

"Revenue distribution by geography for the quarter was as follows: Americas contributed 45% of revenues; Europe was 38%; and Asia Pacific, Japan, Middle East and Africa regions contributed the remaining 17%."

This matches up pretty well to the rule of thumb that the Americas (primarily the USA) accounts for close to half of global cyber-security spend.

Regarding not having closed some "super high end deals" (which is later clarified to relate to these devices:

"Competitive-related, no, I don't think that any of these deals -- I mean, all these deals that there are now are still open, and I think that, that part of the market is currently not very competitive to keep the deals we are seeing."

This doesn't surprise me.  As 'hot' as the security market is, and as many companies are pouring into it, it is still the case that a large part of security spend is not allocated through a competitive process; or if it is at first, it is not for some period of time after that.  Organisations are - in many cases - picking their security partners and sticking with them, until or unless there is an unequivocal reason to change (with a major breach being a big one).

"I don't think that there's any new competitors. Our market is competitive and always been competitive."

See above.

In response to a question about the future of network security, cloud etc:

"...some of that around mobility and data security, these are definitely areas we're working on and this is an area that will show some nice innovation during the rest of the year. So this is clearly an area that we are working on. "

On the 'Threat Emulation' system... This is a bit long, but worth reading:

"Threat Emulation is an exciting blade, which addresses a very fast-growing segment of the marketplace. "
"We just announced it a few weeks ago, and very, very new. In terms of how our solution is different. First, I think our immediate competitors don't have something comparable to that, and I think the unique value that we provide in the Threat Emulation space is the fact that it's all integrated into one system and the fact that we actually have prevention. If you look at many other emulation kind of solutions, they analyze the files pretty much offline, and if there is a threat found, then manually, someone had to go and look for the file. What we have is a realtime in-line system. You get an e-mail. If the e-mail is unknown, if the e-mail is not recognized... we'll take that e-mail, send it to the Threat Emulation engine. The Threat Emulation engine, by the way, can be a cloud service that we provide or it can be an appliance that a large enterprise would like to install locally. It runs the document in the sandbox, looks for the different behaviors, and then it either tells the main system, pass the e-mail, nothing was found, or it tells the e-mail something was found, stop the e-mail, don't transfer that. And that's a very, very powerful thing. Again, none of the other competitors has a realtime system like that."

This is definitely a part of the market that every major security vendor wants to be in.  The rapid growth of the segment (which didn't really exist just a few years ago), and the success of companies and products such as FireEye, RSA NetWitness, Solera, Sourcefire FireAMP and more, makes the only real decision for companies like Checkpoint, McAfee, Cisco and Symantec: Build or Buy?



"...we did not see a major change in the competitive environment and no significant deals were lost to competitors."

See the comment in the Checkpoint analysis about the nature of the competitive environment.  Yes, it's crowded.  Yes, it's competitive.  But that doesn't mean a huge amount of business isn't being locked up without too much competitive conflict.

"So we believe the security industry remain healthy, though growing at a slower rate than what was previously estimated. On average, research firm have the growth rate of now secured to be somewhere between 6% to 10% year-over-year"

A good stat to baseline growth against.  

"Fortinet hold more certifications than any other security vendor"

I have no idea how to test/validate this, so I'll accept it as is.  An impressive statement given their relative youth in the market.

"On the innovation front, we introduced a new product that strengthen our advantage across our core market. This includes a new FortiGuard cloud-based sandboxing and IP reputation service, designed to help protect against advanced persistent threats. Using behavioral attributes to detect malware by executing them within a virtual environment."

See above commentary re: Checkpoint's Threat Emulation system.  I'm actually not sure who was first into this market, and it's too early to say who is best, but regardless, expect it to feel like Attack of the Clones in the next 12-24 months.

"we also continued to invest in sales headcount and marketing activities to support long-term growth"

See Symantec.  There are going to be a bunch of sales managers available pretty soon.

"Q1 billings were $148.5 million during the first quarter, an increase of $11.5 million or 8% year-over-year."

That's a bit healthier.  Nicely done.

"EMEA billings grew 8% despite the continued macro uncertainty there. And APAC grew very nicely at 25% with good traction in Japan, Southeast Asia and India."

Wow.  25% is indeed a very healthy growth rate.  Not sure what the base was, but shows there is still a pretty significant unsatisfied market need.

"In the Americas, we won a 7-figure deal with a large U.S. based wireless carrier where we replaced Palo Alto Networks. We were selected because of our superior reliability, scalability and overall firewall performance."
"[on a different deal]...we beat out Check Point, Juniper, Palo Alto Networks and Cisco in this deal, based again on performance and breadth of functionality we offer..."
"[on a different deal]...we beat Cisco, Check Point, McAfee and Blue Coat in this deal..."

These statements are interesting because Symantec and Checkpoint seemed to not really want to name or discuss competitors at all.  Whereas Fortinet just get straight into competitor-smack-down.  As Robbie Williams says, "sing when you're winning."

"give you some color"

This one was everywhere.  Seven appearances in the transcript, and they weren't talking about the flashing lights on the firewalls.   I read it in the Checkpoint discussion too (3 appearances) and Symantec (2 appearances).  Sounds like the latest buzzword.  Excellent.  It seems that "can you give us some color about..." basically means "can you give us some detail about..."  But the people who say the former, rather than the latter, I assume get well rewarded for their command of management linguistics.  Is it just a coincidence that the more the word 'color' is thrown about, the higher the company's year-to-year growth?  

"In terms of the strategy, I think the strategy is pretty obvious. Look, the product is advantaged in one particular context, and that is, it can do more with higher performance, far more reliable, far more scalable."

Great clarity.  You don't get that a lot.

Want to maximise your sale price? Build a product

When you run a cyber-security consulting firm, servicing hundreds of clients, and delivering thousands of projects over the course of many years, you get a pretty good idea of the problems that organisations are experiencing, as well as the problems you are experiencing, and would like to have solved.  From that position, invariably a discussion occurs within the leadership of the company, about whether or not to stay 'pure' as a consulting firm - and do what you know well, recruiting, delivering, and tracking utilisation - or reallocate some of the brainpower in your consulting team towards research & development and more specifically towards the development of some kind of 'product' that will solve the problems you have identified.

The obvious attraction is that products are (often) scalable.  People are not.

Part of the consideration in deciding whether to make this investment is the expected return at the point of 'exit', particularly the likely valuation differential that could be commanded at the point of a trade sale.  Having analysed the data for over 600 cyber-security industry transactions completed in the last decade, this is what that premium looks like:

Comparative valuation multiples - software, hardware & consulting led cyber-security businesses, 2004-2013


So what does the data tell us?

Breaking the organisations into consulting-led, software-led, and hardware-led categories (noting that not enough managed services company data is available for this category to stand alone), and comparing valuation multiples for revenue and profit, with consulting-led firms normalised for each category to '100%', we get the following differentials:

  • Compared to consulting-led firms, hardware-led firms have sold for revenue multiples between 3%-45% higher.
  • Compared to consulting-led firms, software-led firms have sold for revenue multiples between 101%-177% higher.
  • Compared to consulting-led firms, software-led firms have sold for profit multiples between 69%-109% higher.
  • (Insufficient comparative profit multiple data is available for the hardware firms so isn't included)

To put those figures in perspective, if your consulting-led cyber-security business is expected to sell for a revenue multiple of about 2 or a profit multiple of 6, a software-led cyber-security business next door will likely sell for a revenue multiple of between 3 and 5.4, or a profit multiple of between 10.1 and 12.5.  That is a significant difference.

In other words, if you have both consulting and software parts to your business, when valuing the business, it is likely that $1 of profit from your in-house developed software is worth twice as much as $1 of profit from your consulting business.

Of course, this isn't without its exceptions.  Just looking at listed companies, it's easy enough to find cases of services-driven firms being valued more highly than product-driven firms.  As an example:


(Of course, I do acknowledge the significant growth of Checkpoint and Symantec in the services area of their businesses, and particularly Symantec with regard to managed services.  But I would be pretty confident that investors see them significantly as product companies first.)

But then those are all very mature businesses and realistically are well past the point of 'explosive growth'.  When you look at the younger crop of cyber-security product companies, you get some pretty crazy numbers:


To give some perspective on what a P/E of 319 means... Sourcefire's income (profit) for the last 12 month reporting period was a tad over $5 million.  Their current market capitalisation is $1.57 Billion.

But these companies have massive growth potential (Sourcefire has been growing revenue at 25-35% a year), and are also obvious acquisition targets for the more established firms in the market.  The enormous market capitalisations reflect this growth profile and the fact that investors are comfortable the companies will find a way to provide a return to shareholders.

It is also important to recognise, however, that building a successful product business is significantly more difficult than building a consulting practice, and the likelihood of a 'moderate' success is much lower.  In other words, building a consulting practice, it is reasonably easy to run a small team, build up a client base, and operate at a healthy level of profitability for as long as you are willing to continue driving the business.  Building a product business, this type of viability-without-being-the-market-leader is harder to come by, and success is much more likely to be all or nothing.  So while the payoff may be higher, the likelihood of getting a payoff at all is most likely lower.

Also of importance to consider is that the 'buyer universe' changes significantly when your consulting firm starts building a product-led business unit.  Companies that previously may have been interested suitors, may not want the R&D or support and maintenance expenditure necessary for an ongoing product-led operation.  

Ultimately, there are many ways to build a valuable company that will appeal to a sufficient number of potential buyers to achieve a healthy exit for the founders.  What is important, is understanding where the value is within your business, and how to stitch it together into a coherent story to maximise value during the sale process.

Cyber-Security Transactions - Buyer Analysis (or "who is buying all these cyber-security companies?")

At Delling Advisory, we believe that we can provide the best advisory services to our IT security industry clients, through having an unsurpassed understanding of the market, both from first-hand experience having started, built and run IT security companies, as well as from access to unique data and analytics.  

This year, we have collated the data on about 650 cyber-security related transactions around the world, dating back to 2004.  A significant amount of work has been completed to categorise each transaction based on the 'company type' of the acquiring firm, as well as the security-related services that the acquiring firm previously provided and that the target firm provided (professional services / hardware / software / managed services), the country of origin of the acquirer and target, as well as the financial details of the transaction where that information is available (either publicly or via our industry contacts).  An early version of this data set is graphically represented in the map at the start of this post - blue being the acquirer and yellow being the target of the acquisition.

Over the next few weeks, we will start presenting snapshots of this information, to provide a high-level picture of the trends and directions that have taken shape over the last decade, with respect to the cyber-security market.  Obviously there is a significant amount of proprietary data that we have compiled through this process, and we use this information in our advisory roles to better understand and communicate the state of the market, as well as valuation trends and trends in the 'buyer universe'.

To get started, a couple of initial data sets.

Q. Who is buying all these cyber-security companies?

In short, many different companies (and 'company types') are acquiring cyber-security companies.  The defence industry has been in the media for the last few years as one of the most significant buying groups, but back to 2004 they only account for about 12% of all transactions.  Just taking the years 2010 to 2012, when transaction volume was highest in the defence sector, those firms still only accounted for about 18% of transactions (since although their transaction volume went up significantly, so did everyone else's).

The most prevalent acquirers of cyber-security companies are now (and have been every year since 2004), other cyber-security companies, and other IT companies seeking to expand their security-related offerings.

(As an aside, I'm sure people will wonder what 'other' contains.  'Other' contains a mix of companies buying capability to build into their own products, or for diversification.  Some example transactions in the 'other' bucket:

The heavy acquirers - as can be seen from the transaction map at the start of this post - have tended to be companies such as Cisco, McAfee, Oracle, CA Technologies, Symantec, IBM, Microsoft, EMC Corporation and Dell, although the defence primes Raytheon and BAE Systems have also made a dent.

Q. Are transaction volumes sky-rocketing?

Not really.  There are certainly many more cyber-security related transactions now than there were in 2004... but there are many more cyber-security businesses now than there were in 2004.  In broad terms, from 2009 onwards, transaction volume has been about 50% higher than in the period 2006 to 2008.

Cyber-security has become very important to a lot of companies, very quickly.  As a result, and given the difficulties in recruiting cyber-security professionals, adding this capability by acquisition continues to be very attractive.