Thirty-six thousand cybersecurity professionals attended the RSA conference in San Francisco last week, with a full roster of executive keynotes and four crowded expo floors. Although a few companies, such as IBM, AT&T and Verizon, decided not to attend due to the coronavirus outbreak, there was no shortage of vendors present.
In fact, the biggest challenge for any public investor in cybersecurity stocks is sorting through an industry that is at peak saturation. As of 2018, there were more than 1,200 cybersecurity companies with up to 200 vendors competing in each layer. That leaves customers, such as chief information security officers (CISOs), using as many as 80 security vendors.
The explosion in the cybersecurity industry seen at RSA is for good reason. In 2004, the global cybersecurity market was worth a mere $3.5 billion and grew nearly 35-fold to $120 billion by 2017. According to Cybersecurity Ventures, global spending on cybersecurity will exceed $1 trillion cumulatively over the five-year period of 2017 to 2021 (likely fueled by the bloat of 80-plus vendors per CISO).
The excess supply is one reason companies such as Zscaler and CrowdStrike came flying out the gate in their initial public offerings (IPOs), yet must continually prove they have what it takes to accelerate their business. It is not uncommon to see quarterly increases in revenue but at the cost of profits.
Notably, both companies spend heavily on sales and marketing to stay afloat, with selling, general and administrative (SG&A) expenses at 90% of revenue in Zscaler’s most recent earnings report. CrowdStrike has had similar numbers, with 91% SG&A to revenue in the quarter ending October 2018 and 72% in the quarter ending October 2019.
Both current and historic earnings from small cybersecurity vendors show the potential risks in a crowded industry where sales and marketing budgets must be leveraged to gain market traction rather than relying on product-market fit or virality.
Consolidation and leveraged moats
Consolidation in the cybersecurity space will make it more challenging for nimble security vendors to compete, especially because large-cap companies with moats can offer a more intrinsic approach to problems.
The tie-up of VMware and Carbon Black is a perfect example. VMware’s moat lies in its access to 70 million virtual machines. After acquiring endpoint security company Carbon Black, the combined entity is now able to offer a more complete service rather than requiring CISOs to pile up on separate tools for various endpoints. That will apply pressure on CrowdStrike, for example, which does not have access to server or mobile endpoints. (I reached out to CrowdStrike for comment and received no response.)
Akamai and Splunk are similar to VMware in that they are expanding from their core products to compete in cybersecurity. You can think of the pivot to security as being in the right place at the right time.
For instance, Akamai is traditionally a content-delivery network and website-acceleration company. With this level of access to the edge, where most security hacks occur, Akamai has found itself in a serendipitous position to offer competitive security products, such as protection from distributed denial of service (DDoS) and website-application security.
Products aside, one of the main value propositions Akamai offers is to simply reduce vendor bloat, as the company consolidates content delivery network (CDN) needs with the adjoining website security.
Similar to Akamai, Splunk is a veteran compared with most of its software peers, having been founded in 2003 and completed its IPO in 2012. This predates even Amazon’s Amazon Web Services, which was founded in 2006. The company was a first mover during a frenzy for big data software, yet today more than half of its revenue comes from its security business.
This is an intrinsic use of the product for Splunk as data brings immense value to security and IT, especially when troubleshooting the source of a breach — and needing to identify the source very quickly. According to Haiyan Song, Splunk’s senior vice president of Security Markets, many customers now come to Splunk for security first and the data software the company was originally known for second.
Risk of oversupply
The RSA conference clearly demonstrated that cybersecurity is a crowded space. Investors will need to evaluate if their investments can overcome the risk that too much supply inherently brings to a marketplace. Expect to see smaller vendors repeatedly challenged by large players that already own the server endpoints, mobile endpoints or websites, or in Splunk’s case, those that automate data for quick response to breaches. The word “moat” is popular in the financial industry, but it’s never been more important than in a crowded field such as cybersecurity.
The writer holds no shares in any companies mentioned.
Beth Kindig is a San Francisco-based technology analyst with more than a decade of experience in analyzing private and public technology companies. Kindig publishes a free newsletter on tech stocks at Beth.Technology and runs a premium research service.