Cybersecurity Thoughts - FinThreads
Quick and dirty thoughts on Cybersecurity prior to Q423 earnings next week
If you are on Threads, feel free to follow me over there @pennyjilleckel. I’m writing this note for the FinThreads community. Please keep in mind that I'm not in the business of calling quarters- in other words, these are intermediate term trends I’m observing and this is not investment advice. Regarding this quarter, everything in cybersecurity has run up into earnings so far, so pick your spots carefully. There may be opportunities to swoop in on a name that suffers from a post-earnings sell-off due to too-high expectations.
Over the last several quarters, the firewall market has slowed, and FTNT has already taken a beating because of it. Meanwhile, CHKP is at all-time highs and received a couple of upgrades recently.
What I can tell you about CHKP is they have a steady business and a very conservative management team. They don't grow much, but their growth doesn't slow much either. We’re talking 5% growth. It’s bulled up because people are looking for value in a space where we’ve seen a big run-up in valuations, and without understanding the nuances, it is relatively cheap. CHKP trades at 6.3x EV/rev(Cy24), while PANW, CRWD, ZS are all double digits, and even FTNT is trading around 8x after the beating it endured last year. Generally, I view CHKP as a safe, defensive name in the space- a nice way to participate in cybersecurity without taking on as much risk, though that will be reflected in modest returns.
I like FTNT as a company, but I’m not convinced the stock has been beaten down enough to tamp down high expectations. They are returning to what I believe will be sustained pre-pandemic growth levels, but investors are not ready to let go of those parabolic growth levels from 2022 and early 2023, and we’ve watched the stock creep higher in line with those expectations. I think a beat and raise are priced in, consensus is low, and it could be achievable, but it’s not a bet I’m willing to make. I think this is a slightly higher risk trade going into the call, so I’m pointing it out if that’s your style.
One that is very interesting to me is CYBR, which we’d categorize as an Identity vendor for financial industry purposes. They had a huge upward inflection in their business in late 2018 and rode that trend for a year or so. When the pandemic happened, everyone was scrambling to re-architect their networks for wfh, and CYBR didn’t do as well as vendors like ZS, FTNT, and PANW who benefited not only from the re-architecture, but also pull-forward demand of hardware based security due to supply chain constraints/concerns. Side note: I think the digestion of this additional capacity, combined with multiple price increases from those vendors are what’s impacting firewall growth.
Returning to CYBR- now that those network security re-architecture projects are being digested, we are seeing CYBR’s business tick back up again. New cybersecurity regulations are mandating Privileged Access Management (which CYBR dominates) for high-risk orgs, which is a nice tailwind for them. CYBR is not as cheap as CHKP, but it’s growing faster and is still under a double digit EV/rev multiple for now. OKTA, which is not a direct competitor but is an Identity vendor, has continued to fumble around and create problems for itself. All other pure-play Identity vendors were acquired over the past few years, so investors who want exposure to the Identity space are buying CYBR. It’s also completed a transition from perpetual licensing to subscription, which has made its business less lumpy and more predictable.
Speaking of perpetual to subscription transitions, VRNS has been going through a painful one. They continue to trudge through it, now in their second year. They’re small and don’t get as much love as other security companies because they operate in a niche space -unstructured data security- with little competition as a point solution vendor. For this reason, it’s hard for investors to value it and triangulate its place in the market. I think it’s pretty fairly valued, but I like it better under $40. Still, if one doesn’t mind enduring the transitional pains they’re going through, there is upside potential here. I still view it as a potential acquisition target, but if I were buying it for that purpose, I would need to build a position starting closer to $30. You can read more about my criteria for what makes a good acquisition target here.
If, like me, you feel things in cybersecurity are getting a bit extended, these are decent companies to hold for the long term, but pick your spot based on your investment style. I’ll have more to share on the Fy reporters in a couple of weeks before their earnings start flowing in March. This feels like a year where looking for the right short in cybersecurity has more potential upside than in the last few years. I’ll share more on that when I write about the next round of reporters. Send me any questions you have on Threads.