Seeking (Cyber)Security in Uncertain Times
Cloud-based protection trends are accelerating, and moaty companies are positioned to reward investors.
For investors seeking both revenue growth and relative stability, cybersecurity has been a reprieve from the uncertainty of the global pandemic. The rise in remote working and distributed networking environments created a complex situation for security teams that we believe exposed holes in entities’ threat-prevention capabilities. Exacerbating the challenge, cyberattacks have grown exponentially in recent months, with the FBI reporting a 400% increase in complaints in April versus March, as attackers hope to expose weaknesses in an organization’s business continuity strategy. Also, data privacy laws have become much more punitive with regard to security missteps, and we do not expect any leeway amid a global pandemic.
Because of the rise of remote working, adoption of cloud-based security has accelerated, and we do not expect this trend to revert after workers return to offices. Before widespread shutdowns, these security solutions were gaining momentum because of technological efficacy and proximity to where data and threats were migrating. In our view, shutdowns caused IT teams to pivot their security solutions to trusted, more nascent cloud-based versions because of the ease of deployment, management, and protection for remote individuals and resources.
Purely cloud-based cybersecurity companies CrowdStrike (CRWD), Okta (OKTA), and Zscaler (ZS) have showcased excellent results in the face of market chaos, and we expect demand to remain resilient. We believe these companies with narrow moats and positive moat trends are winners in their segments as more cloud-based solutions are adopted. However, their stocks have appreciated significantly since widespread shelter-in-place orders began early in the pandemic, and the buying opportunities we saw in March have evaporated.
We find a more attractive investment opportunity with Palo Alto Networks (PANW) and believe that investors could be overlooking how incumbent stalwarts are finding robust growth avenues as well. Important similarities between the leading incumbents and the new, rapidly growing cloud-based companies are pristine balance sheets and solid cash flow that can provide investors with security in uncertain times. In our view, Palo Alto has built out a leading security platform that covers various aspects of enterprise threat protection, including its migration of offering cloud-based alternatives to its core firewall expertise. Ensuring compliance and consistency across on-premises and cloud environments is challenging, and we believe customers will prefer Palo Alto’s holistic offering for network protection.
In addition to its robust push into cloud-based security and security for protecting cloud workloads, we view Palo Alto’s leading automation capabilities as a game changer in the long run. We expect enterprises to shift their external managed security spending toward internal automation capabilities, which we consider a critical element in helping enterprises respond to the daily deluge of alerts amid a security talent dearth. Palo Alto’s broad-based security platform provides natural up- and cross-selling opportunities, which we believe becomes a powerful margin lever in the long term.
COVID-19 Amplified Cloud-Based Security Firms’ Winning Position
We believe the cybersecurity market is poised to grow at a high-single-digit pace in the long term. In 2020, we expect cybersecurity to grow slightly year over year and remain better insulated than overall IT demand, which should contract amid macroeconomic headwinds. However, we see a mix shift in cybersecurity spending in the near term toward cloud-based cybersecurity solutions and security products that protect cloud workloads.
The adoption of cloud-based cybersecurity has been a boon to CrowdStrike, Okta, and Zscaler. These companies, leaders in their subsegments of the fragmented cybersecurity market, have significantly outpaced legacy companies through threat-protection efficacy, ease of deployment and management, and enabling secure business continuity in dispersed work environments. The pandemic forced widespread shelter-in-place orders, spurring a dramatic increase in cyberattacks attempting to prey on users outside a secure perimeter, which we believe may have been an eye-opening experience for security teams that had been reluctant to embrace the new wave of cloud-based security solutions.
Workers will eventually return to offices, but we expect the adoption of cloud-based security protection to remain in place. These solutions that protect users, devices, and data were purposely built for the rise in using cloud-based resources and the dissipation of a defined security perimeter. We expected cloud-based security to be a dominant trend in the market; we believe that COVID-19 may have accelerated the adoption of these vendors’ solutions and that this growth will be resilient.
CrowdStrike, Okta, and Zscaler excel at endpoint protection, identity and access management, and secure web gateways, respectively. All three have solidified customer switching costs as a moat source with their mission-critical solutions. Okta’s cloud network of application integrations and CrowdStrike’s crowdsourced threat-prevention cloud caused us to award both companies a network effect moat source, too. Alongside breakneck revenue growth coming from revolutionizing their respective segments, these companies showcase incredible retention metrics. We believe these companies are land-and-expand operations, whereby profuse amounts of cash are poured into developing and marketing a unique technology to land customers. Clients typically proliferate subscriptions throughout their organization, and security companies develop adjacent offerings to up- and cross-sell, helping maximize dollars per customer, expand margins, and produce sustainable excess returns over invested capital.
Other narrow-moat pure-play cybersecurity companies include Check Point Software (CHKP), Fortinet (FTNT), and Palo Alto Networks. Their network security products and tangential solutions fortified customer switching costs, in our view. Although these companies are more mature than the cloud-based companies, we still expect cloud-based security trends to provide rapid growth avenues, especially for Palo Alto and Fortinet.
Cybersecurity Moats Bolstered by Increased Remote Work
CrowdStrike, Okta, and Zscaler provide mission-critical solutions to protect users and devices from the daily deluge of attacks, and replacing them could be terribly disruptive. Torrid growth as their wares become more widely accepted, combined with incredible renewal rates and land-and-expand opportunities, gives us confidence in their ability to earn excess returns on invested capital over the long haul. Equally important for investors is that we believe these companies are in the early stages of changing their subsegments, and each has an appreciable head start against incumbents and upstarts.
We also like these cybersecurity specialists’ ability to extract additional revenue per customer over time. These companies have consistently showcased dollar-based net retention levels around 120% while rapidly expanding their customer bases. In our view, an impressive element of this performance is that these companies are landing more lucrative initial deal sizes with larger customers, which challenges the dollar-based retention metric over time. These cloud-based solutions are rapidly becoming more widely accepted by the industry as enterprises across all sectors and governments are finding value in their offerings, creating more potential customers to look into these new ways of performing security.
These companies have various ways to initially land a customer with their security platform approaches that allow for robust cross- and up-selling opportunities. Security platforms offer various product modules that sit under a common theme. In most cases, customers will try new security solutions within a certain team or location before rolling it out to the wider organization, and platforms allow companies to try subsets of a cybersecurity firm’s offerings before adopting multiple solutions. We believe the platform approach of selling various security modules, initially or over time, is a powerful concept that is being strongly adopted with customers since it helps alleviate the number of security tool sets that enterprises need to manage simultaneously. For the security vendors, this creates powerful customer switching costs with robust recurring revenue streams, as companies are locked into an ecosystem for mission-critical elements of their threat-prevention capabilities.
Remote Work Trend Will Not Go Away Anytime Soon
While most workers will return to offices eventually, we do not view the rise in cloud-based security technologies as an ephemeral trend. We believe that entities have accelerated their adoption of cloud-based cybersecurity and that the demand for these solutions will be sustained. In our view, the coronavirus pandemic may have been a wakeup call for many enterprises contemplating next-generation security solutions to protect the distributed nature of today’s networks, which are already hybrid-cloud ecosystems that use a mixture of public and private clouds, on-premises, and edge location resources that dissipate what was once a well-established security perimeter. The increase in remote work made the hybrid-cloud concept that security teams were growing accustomed to protecting even further spread out. Malicious actors began crafting emails that seemed like corporate remote access policy information or healthcare updates, taking advantage of people outside a secure work perimeter.
A key tenet of adopting the offerings of pure cloud vendors, outside of technological capabilities that showcase superior threat defense, is the ease of deploying and holistically managing threats for an employee base. In our view, the simplicity of deploying such security measures in a rapidly evolving threat environment accelerated the trend of choosing these products. By only selling software subscriptions, alongside services, the cloud-based vendors enable customers to adopt these solutions quickly, without requiring employees to install or configure appliances on-premises. In our view, once installed, these solutions will stay in place as a core component of protection even after users return to the office.
We believe that enterprises’ security protocols are rapidly becoming a zero-trust environment, whereby every employee is treated like an unknown person who could be malicious. This shift in security mindset is important since the previously defined secure perimeter is dissolving. Today, corporate data and resources are freely traversing outside the perimeter, and cloud-based solutions help security teams ensure that people and data remain protected irrespective of where someone is requesting data. The traditional solution for remote access was to provide employees with a virtual private network connection. VPNs have been highly demanded to allow remote workers access to data center resources; however, these products can provide users with too much access and are notorious for dragging down performance. While VPNs will probably not disappear from the security environment, we believe the adoption of a zero-trust security architecture has been accelerated alongside the high demand of cloud-based security to the benefit of names like CrowdStrike, Okta, and Zscaler.
Incumbent Network Cybersecurity Vendors Holding Their Own
We believe that established cybersecurity vendors like Palo Alto Networks, Cisco Systems (CSCO), Check Point Software, and Fortinet also benefit from heightened remote access needs in a few ways.
Perhaps the most obvious benefit is that these vendors have branched out to offer cloud-based solutions with similar functionality as their on-premises appliances in the last couple of years to meet customer demand for more virtually consumed resources. As an example, customers can deploy virtual or as-a-service firewalls quickly without needing to install physical hardware. Using the same vendor for on-premises traffic inspection and cloud traffic allows enterprises to keep a consistent security policy across their entire network and assists with compliance concerns. These companies have also built out cybersecurity platforms with tangential security products to their cores to alleviate security management complexity that arises from having data and traffic in various locations. The platform approach is especially useful for customers attempting to lower the number of tool sets requiring management, and platform-based security is a crucial trend in the market, in our view.
We believe the added complexity of managing the heightened threat environment of remote work while attempting to provide employees uninterrupted access to business tools also exposed holes in security teams’ cloud strategies. Cloud security is a shared responsibility, with the protection of data being solely on the enterprise. The distributed working environment can shed light on concerns around the threat exposure within cloud environments and software-as-a-service applications. Security vendors developed tools like cloud access security brokerage and cloud security posture management to provide insight into these resources that are outside an enterprise’s control. We believe the adoption of these tools has accelerated and that these solutions will remain a core component of security after workers return to offices. In our view, having insight into and setting policies for workloads, traffic, and users within cloud environments is critical to lower the threat exposure that could go unnoticed. Additionally, these tools provide enterprises with methods to ensure compliance with data regulations as well as preventing the loss of sensitive stored data. The risks and fines associated with data privacy missteps can be too large for enterprises to ignore; in turn, we expect enterprises to now always require security tools that provide insight and compliance for cloud workloads.
Software-defined wide-area networking, or SD-WAN, is another enabler for remote access, which is aimed at helping companies use generic Internet connections over expensive, dedicated multiprotocol label switching, or MPLS. The MPLS connections would go from the remote users back into a centralized data center to retrieve data center resources or if the user wanted to access cloud-based resources. SD-WAN alleviates traffic hairpinning and reduces the load on the network by allowing remote users to go directly to their requested cloud-based resources, over generic Internet connections instead of dedicated lines. In our view, this rapidly adopted technology was initially rolled out with more thought to cost savings and convenience over security; however, incumbent security companies have entered this market by selling secure SD-WAN solutions, which we expect to be a hallmark of remote access and branch offices because of the concrete lower cost of ownership than dedicated MPLS connections.
While we previously highlighted zero-trust architecture as a next wave in cybersecurity, the rise in remote workers, and the associated devices they use, still drives a heightened demand for VPN capacity. Remote workers need access to corporate resources, and VPN-enabled firewalls can establish a safe tunnel for traffic flowing from the individual to the corporate data center. In our view, the burst in VPN demand will most likely dissipate as remote workers return to offices; however, the adoption of solutions like cloud-based firewalls will continue to replace hardware appliances that go into on-premises data centers. Another consideration is that many enterprises are wary of making, or do not have the allocated resources to perform, transformational changes to their security or networking environment during times of uncertainty and will look to incumbents for methods to keep their employees secure without undergoing a complete digital overhaul.
Finding Security in a Downturn
Cybersecurity is a much younger industry than the traditional safe harbors investors flock to in times of uncertainty. The risk of investing in a rapidly changing environment with an influx of market entrants attempting to unseat incumbents could seem too risky compared with investing in companies with decades of operating history that have previously weathered downturns. But we believe that sentiment changed drastically during the pandemic, and various cybersecurity companies can be seen as a refuge from the uncertainty.
In our view, cybersecurity, especially via moaty companies, has become a haven for investors seeking growth and business sustainability. Pristine balance sheets flush with cash with limited, if any, obligations are supported by healthy free cash flow. The moaty companies have copious amounts of recurring and deferred revenue, creating predictability and providing comfort around business health.
The remote work effect has not broadly affected cloud-based product demand beyond potentially slowing new customer trials or customers attempting to preserve their spending because of budget constrictions. Malicious actors do not stop developing threats or attacking entities because of global uncertainty; rather, we believe these are times when threats are ramped up to expose constrained budgets and personnel. And enterprises do not have a reprieve from data privacy legislation regulating security measures and the associated steep fines for breaches and missteps.
We view global uncertainty and the heightened demand for remote work solutions as a boon to cloud-based security companies. Cybersecurity spending drivers, fueled by protecting workers from threats and preventing internal and customer data exposures, and the associated fines for missteps, are largely insulated from other IT budget cuts that enterprises may consider, in our view. The cloud-based security demand is evident in the pure cloud-based security companies’ robust quarterly results and the strong guidance they’ve issued while the pandemic’s economic impact plays out.
Although IT budgets are likely to be slashed broadly in 2020 as companies conserve cash and delay infrastructure upgrades, we expect cybersecurity to largely be spared. While we believe the shift to the cloud is going to affect the deployment of on-premises products, we still model a recovery for critical security products like firewalls next year; however, that firewall rebound could be seen through enterprises adopting more virtual or as-a-service versions. We do not expect other on-premises products like secure email gateways or endpoint security management to fare as well and expect cloud to eventually consume the on-premises deployment options. Security for ensuring compliance and visibility into cloud-based workloads should remain a hotly demanded market, in our view, on top of the trend of enterprises demanding more cloud-delivered security products.
In addition to enterprises demanding and consuming more solutions off-premises, we believe this will drive a trend of security vendors relying on subscriptions instead of perpetual offerings. In our view, enterprises have become accustomed to consuming cloud-based resources as operating expenses and would favor this model over sizable capital expenditures. This consumption trend has no impact on the pure cloud-based security vendors, as they solely offer subscriptions. We expect the incumbent networking security vendors to gradually adjust their business models to offer subscriptions for cloud-based products but offer a choice for traditional hardware purchases. At the expense of less up-front revenue and cash flow, this creates a more recurring and predictable inflow for organizations. In our view, incumbents changing their sales model keeps customers from changing vendors and is the correct action for long-term business sustainability.
Mark Cash does not own (actual or beneficial) shares in any of the securities mentioned above. Find out about Morningstar’s editorial policies.