As we’ve reported extensively, the pandemic has affected cybersecurity markets perhaps more than any other in technology.
Remote work has caused chief information security officers to shift spending priorities toward identity access management, endpoint and cloud security. COVID-19 has been a benefactor for next-generation security companies that participate in these sectors. Notably, we believe tactical responses to the coronavirus have resulted in productivity improvements that will create permanent change in the way organizations defend themselves against cyberthreats.
In this week’s Breaking Analysis, we’ll provide you with our quarterly update of the cybersecurity market and share fresh Enterprise Technology Research data on the market. We also have the results from the most recent VENN roundtable conducted by ETR’s Erik Bradley with three senior CISOs.
No single-pane-of-glass answer in cyber
Despite the aspiration, there is no silver bullet to protect organizations from cyberattacks. The complexities of security are quite enormous and require a layered defense approach. They range from securing internal networks to endpoints, DMZ subnets, external traffic security, data in motion, data at rest, protecting from ransomware, dealing with Web traffic, and email and phishing threats. That’s not to mention threats from internal employees and contractors.
As we mentioned at the open and shown above, there are three areas of security offerings in particular that have seen significantly elevated spending momentum and that has translated to the valuations of several companies, including CrowdStrike Holdings Inc., Okta Inc., Zscaler Inc. and others. Zero-trust security has gone from buzzword to reality. Spending shifts to these technologies have siphoned off demand from traditional hardware-based firewalls, although CISOs seem to be hedging their bets because at some point people are going to come back to the office.
Lack of talent remains the CISOs’ biggest challenge to securing applications and data, and automation, while sometimes viewed as risky, is becoming increasingly important.
Several companies have hit our radar this quarter and were highlighted in the CISO panel, including Elastic NV, which has seen momentum as an open-source alternative to Splunk Inc. Notably, multiple CISOs on the panel cited concerns related to Splunk’s pricing and sales tactics, comparing them to those of EMC of the past.
Cloudflare Inc. broke into the top 10 in the ETR survey based on Net Score or spending momentum for those companies with more than 50 mentions in the survey. Cloudflare offers content distribution networks capabilities and provides security for websites.
As well, Netskope Inc., a cloud security specialist, cracked the top 10 in terms of Net Score and received high marks from the CISO panel, particularly with respect to its vision and roadmap.
Microsoft Corp., Palo Alto Networks Inc., Okta, CrowdStrike, Cisco Systems Inc., CyberArk Software Ltd., SailPoint Technologies Inc., Zscaler and Proofpoint Inc. remain focus vendors in the ETR survey as measured by spending momentum and presence in the data set. We’ll discuss more about these companies later.
Finally, even CISOs who were skeptical about the permanence of the effects of COVID are seeing business benefits that suggest many of these shifts are secular and not cyclical. Indeed, prior to the pandemic, ETR survey data shows that about 16% of organizations’ workers were primarily remote. CIOs expect that number to more than double post-pandemic to 34%.
Plotting the cybersecurity vendors
The chart below shows one of our favorite views in a two-dimensional graph. On the Y axis we show Net Score, which measures spending velocity by looking at the net percentage of customers spending more versus less money in the ETR survey. The X axis measures Market Share or pervasiveness in the survey. We’ve included a select list of companies for this view and only include those with more than 50 responses in the data. In the upper right you see a table that shows the data sorted by Net Score for each vendor.
Note: We left Microsoft out of this view because they are so dominant in the data set that it makes it hard to compare the others. We’ll talk about Microsoft later in this post.
As we indicated, Elastic has taken the top spot, just barely edging out Okta, which took over from CrowdStrike in the last survey. You can see the significant market presence of Palo Alto, Splunk and the most pervasive vendor, Cisco. Note that Cisco also owns Umbrella and Duo, which both have meaningful Ns in the survey. If we were to combine these into one view of Cisco, it would pull the company even further up and to the right. Security is one of the bright spots in Cisco’s portfolio and shows consistent year-on-year growth each quarter.
Having said that, some CISOs complain that Cisco’s propensity to rely on acquisitions to fill gaps has caused it integration challenges in the past.
Let’s come back to Palo Alto for a moment. We’ll make some comments later regarding its position relative to Fortinet, but we want to call it out here. CISOs really likes working with Palo Alto Networks. It considers Palo Alto a trusted leader with a strong portfolio and vision.
Let’s turn our attention to the pack. As we mentioned, Okta’s momentum is notably elevated and meaningfully higher than the others. Its presence continues to increase to the right, as does CrowdStrike’s. However, CrowdStrike has come off its Net Score highs. We’re not so concerned because it’s dramatically increasing its presence on the X axis each survey… but so is Okta, so that’s something to watch.
We’ve included Carbon Black for the first time because it’s a VMware acquisition and has a decent presence in the data set. VMware Chief Executive Pat Gelsigner is on a mission to “fix security” and the company has made a number of moves in cyber. VMware has a very good track record of execution and, although fixing security is a highly aspirational move, with its installed base and history of success we wanted to include it here. As well, it is getting the attention of the CISOs in the ETR panel, so we’re keeping an eye on VMware and Carbon Black.
How security positions have changed during COVID
We’re going to show you four tables here, comparing the Net Scores and Market Shares of the cyber companies for the January, April, July and October surveys — so pre-COVID and through the year.
The leftmost chart below is sorted by Net Score and the right by Shared N which is the number of mentions in the survey.
When you go back to the January survey, you see CrowdStrike was already doing very well with an elevated Net Score of 68.3% and 123 mentions. (Please ignore those companies with less than 50 N as we didn’t filter the data back then. We’re still learning how to best apply the ETR platform.) Okta was also elevated and you can see the others on the list.
The rightmost chart is sorted on Shared N, which measures the number of mentions for the vendor in the security sector of the ETR data set.
Last year we came up with a method to assign stars to those companies that had both top Net Scores and large Shared Ns in the survey and you can see Microsoft, Splunk, Palo Alto, Proofpoint, CrowdStrike, Zscaler and CyberArk made the cut and received four stars. And we gave two stars to Cisco and Fortinet Inc. because they had strong Net Scores and very high presence in the survey.
April: The lockdown’s in full swing
We tightened things up a bit in April and only included those companies with more than 50 N. And in the chart below we cut the top 10 – that’s the red line and including Dell Technologies Inc. (RSA Security) and IBM Corp. for context. You see CrowdStrike shot to the top and held 66% and increased its Shared N. And you can see the stars on the right.
July: The dog days of summer bring hope for an end
By this point we were well into the pandemic. CISOs have had time to respond and here was the picture this summer. You can see in the leftmost chart below, Okta jumped way up on the left in spending momentum and CrowdStrike moderated – although it remained elevated. They are not direct competitors but it’s instructive to compare these firms. And you see the green arrows show the direction of the momentum of the Net Score. CrowdStrike was a concern because its Net Score dropped and its presence in the data set moderated. But the company continued to report strong revenue growth and the stock remained a darling. So there were some mixed signals in the data.
Okta, Microsoft, Cisco, Palo Alto, Splunk and others remained very strong
October: The pandemic is back, investors are confused
In the chart below, we continue to fine tune our analysis. You can see two red lines. The top one is the top 10 cutoff and the second line is the top 20. As we said, Elastic hit the radar for Net Score but still not pervasively enough to hit the righthand top players with only 61 Shared Ns. So Okta in our view continues to hold the top spot for momentum and made the top 10 cut for Shared N. Its Shared N jumped from 139 to 185, meaning more and more mentions. People are increasingly relying on Okta for identity access management.
For the green arrow – the momentum lines – we’ve tried to take Shared N into account this time, so even though, for example, CrowdStrike’s Net Score dropped from 50% down to 43%, its Shared N (or mentions) jumped from 119 to 162, a 36% jump.
You might be thinking, Why is that significant? Well, CIOs and IT buyers in the ETR survey are asked to choose the areas with which they are most familiar, and then answer which vendors they use. So the fact that companies like Okta, Palo Alto, CrowdStrike and several others we’ve highlighted are on the increase is a very strong signal in our view.
And that’s why, for example, we give Zscaler two stars. Even though on a relative basis it didn’t make the top 10 cut, its Net Score held relatively firm and its Shared N jumped by 39%. So we continue to like Zscaler, Okta, CrowdStrike, CyberArk, Proofpoint and Fortinet. And of course Microsoft, which continues to shine brightly.
CISO sentiment acknowledges a permanent change
Below is a comment from a CISO of a global travel and hospitality company. It’s a name you would recognize and obviously this individual’s business was hit hard by the pandemic. So there’s an inherent bias toward a return to the normal, but look at the comment.
Valuation changes during COVID
Below is a chart that we’ve been updating since right before the pandemic hit. It compares the performance of the S&P 500 and Nasdaq with specific security players. And we’ve been tracking the revenue multiples on a trailing-12-month revenue basis over time to get a sense of how these companies compare. And although we prefer to use forward-looking revenue, we find TTM to be more consistent and frankly easier to access quickly.
Note that Splunk, Okta, CrowdStrike and Zscaler, highlighted in red, have yet to report earnings as of this publication.
A couple points here are worth noting. First, we’ve been talking a lot about the divergence in valuation between Palo Alto Networks and Fortinet. And we’ll show some more data on that in a moment.
But we want to share some CISO comments about Fortinet. People sometimes refer to Fortinet as “Forti-Knife,” as in the Swiss Army Knife of cyber. One CISO called them “Forti-everything.” Fortinet is more attractive in price, especially for midsized companies without the resources of larger firms that might gravitate toward Palo Alto Networks. The company has been around for a while and has earned the trust of CISOs because of its portfolio and track record.
The other notable item in this data is the rise in value for Okta, Crowdstrike and Zscaler, which have seen values increase 78%, 128% and 124%, respectively, in the time period we show here. You can see the highly elevated revenue multiples compared with some of the more mature companies.
Splunk is an outlier here with revenue declines because of its transition toward a subscription model, which messes with the income statement. Splunk is managing through that transition and th0ugh it has some extremely loyal customers, some CISOs are getting concerned about the pricing equation.
The bottom line is, generally, there’s a real bifurcation in the market in terms of valuations. And we think that while there’s lots of discussion about these so-called “stay at home stocks” and a shift back when the pandemic subsides, we believe that the productivity benefits of remote work are becoming more clear and these next-gen security companies will continue to thrive.
Palo Alto Networks and Fortinet valuation divergence
In February of this year, we noted that there was a widening valuation gap occurring between the two companies. We cited three factors for this gap. First, we said that Palo Alto was trying to cloud-proof its business and as such it was in transition. And it had some challenges with regard to the pace of that transition, including sales incentives and generally figuring out the model.
Second, we said that the shift away from appliance-based firewalls was accelerating and that pressuring Palo Alto’s valuation. And finally, we said that Palo Alto was facing some very tough compares in 2019 relative to 2018 and that was causing investor pause as Palo Alto began shifting to an annual recurring revenue model.
We said at the time that CISOs like Palo Alto and we felt that the company would be able to address these issues in 2020 successfully and this gap would close. The chart below shows that PANW has begun to reverse this trend.
The yellow line is Fortinet. The blue is Palo Alto Networks and you can see the growing gap coming into and through 2020, which is finally compressing, thanks to a nice earnings report this month that beat on earnings per share and revenue.
Now, we continue to believe that Fortinet has done a good job, a better job, of moving to a cloud model, and Palo Alto has largely relied on acquisitions to accelerate this trend. So we’ll see if the company can continue to thrive during the transition to cloud. But there is little doubt that CISOs want to work with Palo Alto and remain committed to having a strategic relationship with the company.
2020 has accelerated what we knew was coming
The shift to subscription models is well underway, buoyed by cloud and next generation software-as-a-service-based security players. Splunk is in transition, Cisco’s and Palo Alto’s transitions underscore the importance of this trend, and virtually all historically on-premises players are being forced to respond and develop recurring-revenue models.
ETR survey data and anecdotal information from theCUBE community highlight what the CISOs are saying: The internet is becoming the new private network and the trends toward cloud-based and remote worker support are delivering benefits that CEOs and chief financial officers will push to make operational.
CISOs must continue to take a multilayered approach to defending their data, applications and users and, as such, a fragmented market with specialists will continue for quite some time.
Despite these clear trends, CISOs face a pressing challenge. The timing of the return to the semi-normal is uncertain and we still don’t have a clear picture of what the future will look like. As a result, incumbent firms with hardened networks will have to remain in a hybrid holding pattern to accommodate whatever happens.
This means budgets will be stretched. Although security remains a top priority, don’t expect an open checkbook going to the security operations team. Throwing money at the problem wouldn’t solve it anyway. Rather, a balanced portfolio of investments, continued automation, data analytics and good security practices will continue to be the pattern.
There are many ways to get in touch – @dvellante on Twitter, firstname.lastname@example.org and comment on LinkedIn as we always appreciate the feedback from the community. These episodes are all available as podcasts so you can listen while you multitask, and don’t forget to check out ETR for the survey action.
Here’s the full video: