Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

I’m a regular reader and follower of How They Make Money. Bertrand Seguin does a diligent job of reading through earnings and providing stock insights that are more than just a restatement of the earnings. I’ve talked with him about cybersecurity stocks, and he finds them fascinating. So, they regularly make an appearance on his blog. However, he covers all technology stocks, so it makes sense that he doesn’t have the technical depth to dive into the product and make more product-focused analyses. That’s fine. That’s where I come in. But, overall, he writes a great blog, and I encourage you to subscribe if you’re interested in getting a good business analysis on various public market technology stocks.
Recently, he wrote about cybersecurity earnings, discussing 5 stocks: Palo Alto Networks, CrowdStrike, Fortinet, Zscaler, and Cloudflare. Based on recent earnings, he believes that CrowdStrike and Zscaler will continue to perform well. Cloudflare is TBD given its new revenue executive. Palo Alto Networks and Fortinet might struggle a bit, especially given their exposure to security hardware. He does an analysis of their business, and it’s worth a read.
I think Bertrand does a good analysis based on the public filings, but I don’t fully agree with his conclusions. That shouldn’t be surprising because he’s basing his analysis purely on the business, and I have more product-based insights. For example, I believe that Cloudflare will continue to perform well and face tailwinds rather than the headwinds he predicted, given its position as an infrastructure company, similar to AWS and Azure.
Anyway, what’s more interesting was the prelude. He declared, “Software has fallen,” and I couldn’t agree more. Software and SaaS have been overhyped without a proper understanding of the business risks. He discussed why it’s hard to disrupt the incumbents (and even the incumbents struggle):
Distribution: The main expense for most software companies isn’t research & development. It’s sales & marketing. Scale and distribution are the real moat.
Switching costs: A good freemium software is not enough to disrupt existing solutions. Slack and Zoom are exhibit A.
Margin improvements: The resources needed to develop new features will decline for everyone, giving market leaders more flexibility.
Total Cost of Ownership: Implementing and maintaining an Enterprise software solution isn’t like a Netflix subscription. TCO factors the software cost, the time, and expenses saved in the process. IT departments take a holistic view.
He flags cybersecurity as an exception because of tailwinds and AI. Given the increase in attacks, there’s a greater need for robust security solutions.
However, as usual, security is a laggard. Although there’s currently a lot of hype, I believe, similar to SaaS, cybersecurity will have a reckoning. The question is which companies will survive. I do think much of the reasoning above will foreshadow which cybersecurity companies will do well. Namely, VCs and public equity investors should evaluate companies in this light. There’s an additional factor for security, which is risk. It’s related to switching costs. Will switching vendors increase risk? Specifically, does the current vendor sufficiently address risk? Of course, this depends on the company. Sometimes, the current vendor is “good enough.” It’s highly dependent on the security risk/category, and I believe that security categories that provide “good enough” solutions will struggle similarly to SaaS since switching costs tend to be low.
As an industry, we have matured and have more data, so we know where most of the risk lies. Security teams have realized they should invest more at the beginning of attack chains, e.g. secrets and phishing. With that said, data is a moat for incumbents in areas of large risk. For example, CrowdStrike benefits from this because they have data on endpoint attacks from all their customers. Email, MDR, and cloud security vendors have a similar advantage. In other words, these vendors have data that will make them better compared to building something in-house. They will have more context and data, which will reduce risk more effectively than what an in-house team can do.
With that in mind, going back to Bertrand’s conclusions, it’s clear that the incumbent security companies have an advantage, and there’s much smaller room for disruption than VCs think. GTM is a huge cost for security companies, and the incumbent ones have a substantial advantage as they can sell multiple products with a single sales and marketing team. This way, they can amortize these costs across their product lines, whereas startups likely have fewer products but still have to spend substantially on GTM costs.
Similarly, there are operational costs related to switching vendors. For those who follow my newsletter, most security teams are operationally focused, so there’s some specialization around specific tools. There’s a switching cost with changing vendors as their teams need to be trained and ramped up on the new tool.
Finally, given recent advancements in developer tools, fewer resources are required to develop new features. Security companies need to find another way to differentiate rather than features.
Which cybersecurity companies will perform well?
I believe that switching costs and total cost of ownership will drive which cybersecurity companies will do well. Also, companies are willing to invest more in key areas of risk.
In particular, infrastructure-focused security companies, such as Zscaler and Cloudflare, will perform well. The reason is that these companies have their infrastructure as a moat and advantage. These companies have the ability to handle large amounts of network traffic and, as a result, have large amounts of data. It doesn’t make sense for a security team to build this until they are at a larger scale. It would be hard and costly to build and maintain, and it’s not clear a team could build a product of similar quality. For the same reason, it’s also hard for competitors to enter this space because there’s a high capital and R&D cost. Since infrastructure tends to be a core part of a business’s operations, the barrier to switching is also much higher. That is, once a company chooses a vendor, they are unlikely to switch unless another vendor is substantially better. Finally, analyzing network traffic is a crucial area of risk, so companies want a high-quality product.
Endpoint companies, like CrowdStrike, are in an interesting position because they have some infrastructure, e.g. the endpoint agent. CrowdStrike will do well because it provides managed services for its products and general services that complement the product, like incident response. Having a strong endpoint technology is important as bad agents might affect employee productivity. There are also switching costs to changing vendors as there’s a lack of predictability around how a new agent will affect endpoint performance. Being an incumbent with large amounts of data helps as CrowdStrike can likely detect issues before other vendors. Another draw here is that the effort to run the product is low, and protecting endpoints is an area of major risk as it is usually where many attacks originate.
Although I believe that application-level security companies will generally struggle (more on that later), email security companies have an interesting niche. Companies like Abnormal and Material Security continue to do well. One key reason is that they are easy to install and not only reduce costs for a company but also address a major threat vector. These email security companies were aptly timed, as the older email security companies couldn’t handle the shift to the cloud, which required a shift to API-based email analysis rather than having an email gateway. I allude to this broader trend in my newsletter on SaaS posture management tools. It’ll be interesting to see how much progress these two companies continue to make.
Which cybersecurity companies won’t do well?
I believe that most application-level security companies will face a fate similar to that of the SaaS companies. Most of these companies, such as the ones in application and cloud security, will struggle to maintain relevancy. They will suffer from high GTM costs. I alluded to this when I discussed how companies like Snyk and Wiz will fail.
These companies are currently trying the typical SaaS playbook of platformization to reduce their GTM costs and amortize them across their products. This is going to be costly, and it’s clear that this will reach a similar ceiling to what is going on with Salesforce.
Identity companies like Okta also fall into this bucket as they struggle to grow. Luckily, Okta has strong brand recognition. They are feeling pressure from Azure AD. With that said, it is hard to be a new entrant in this market. An interesting play here for Okta is Auth0, which deals with customer authentication. This becomes closer to an infrastructure play, which is core to a company’s operations of the product. This might have some stickiness and value.
Finally, Fortinet and Palo Alto Networks have unclear fates. They have profitable hardware businesses, but those businesses are shrinking and will weigh them down. They also need to continue to invest in their cloud security software businesses. They have some important strategic decisions to make soon. The question is what will they do?
The reason that most application-level security companies will struggle, in my opinion, is that as the cost of ownership goes up, companies might find it more strategic to start developing it in-house even though switching costs might be high. Since it’s application-level software, it’ll be easier to develop than something with an infrastructure component. This will be especially true for software where the risk vector is relatively lower, and it’s fine to have “good enough” software, e.g. vulnerability management.
Takeaway
Cybersecurity software is currently having a boom, but the more mature software market is showing signs of decline. This will likely happen to cybersecurity, and I believe that most application-level cybersecurity companies will suffer while the ones focused on infrastructure will do well. I’m excited that there are more cybersecurity products out there, but as we are realizing with SaaS, not all cybersecurity problems need to be solved with a software product.