We have all lived the reality that COVID-19 has accelerated by at least two years many trends that were in motion well before the virus hit — and cybersecurity is no exception. Indeed, cloud security, identity and access management, and endpoint security collectively are one of the best examples where we have witnessed accelerated change.

Welcome to this week’s Wikibon’s CUBE Insights, powered by Enterprise Technology Research. In this Breaking Analysis we want to update you on the all-important security sector which remains one of the top spending priorities for organizations. Erik Bradley at ETR provided macro trend insights, great data and some anecdotal commentary from chief information security officers.

Shifting sands in the cybersecurity sector

For many years we’ve talked about the shifting patterns in networking, moving away from what’s often referred to as a “North-South” architecture – meaning a hierarchical network supporting age-old organizational structures. The network is flattening into an “East-West” model and the moat or perimeter has been vaporized. Thanks to COVID-19, the perimeter is now wherever the user is and the users are at home, or at their beach houses.

This is a bad actor’s dream, as the threat surface is expanded by orders of magnitude. The adversary is well-funded, extremely capable and highly motivated because the return on investment of infiltration is outstanding. The CISO’s job, simply stated, is to lower that return on investment.

The other big trend we see is that cloud and software as a service are reducing reliance on hardware-based solutions such as traditional firewalls. Because so many workers are now at home, accessing sensitive data, identity and endpoint security are exploding. Extended detection and response, or XDR, and zero-trust networks are on the rise. Organizations are increasingly relying on analytics and automation to detect and remediate threats. Alerts just don’t cut it anymore; we want action.

To accomplish this, customers are turning to a number of best-of-breed point products that have the potential to become the next great security platforms. And this is setting up an epic battle among hot startups that are growing very quickly and entrenched incumbents that are not going down without a fight.

Finally, while security is clearly a top spending priority, customers and their chief financial officers continue to be circumspect with respect to how they allocate budgets, especially in the context of a shrinking information technology spending climate that we have dropping between 5% and 8% in 2020.

Security is critical but governed by tight budgets

Cyber remains a top category in the ETR taxonomy in terms of its presence in the data set. But what the chart below tells us is chief information officers and IT buyers have other priorities that they must fund. This data shows a comparison of Net Scores over three survey dates – October, April and July. Net Score is an indicator of spending velocity, which is calculated by subtracting the percentage of customers spending less on a technology from those spending more. And you can see that at a 29% Net Score, the security sector is just one of many priorities for IT buyers.

Now remember that this July survey is asking customers, “Are you planning to spend more or less in the second half of 2020 relative to the first half?” And it’s a forward-looking metric, so what may be happening here is that at the height of the lockdown and the pivot to working from home, organizations spent heavily and are now fine-tuning those investments… and addressing other digital priorities.

Pre- and post-COVID views of security vendor spending

Let’s quickly take a look back and see how the security vendor landscape and spending momentum have changed in the past eight months.

Pre-COVID picture

First we’ll go back to the January data set. We originally did this exercise last year and then we updated it right at the beginning of 2020. The chart below shows the top-ranked cybersecurity companies based on two metrics. The left-hand side sorts and ranks companies based on Net Score or spending momentum. The right side shows ranking by Shared N, which is a measure of the pervasiveness of a company in the data set – that is, the number of mentions they get in the sector.

We gave four stars to those companies that showed up in the top of both rankings and two stars to those that were close. So you can see Microsoft Corp., Splunk Inc., Palo Alto Networks Inc., Proofpoint Inc., Okta Inc., Crowdstrike Holdings Inc., and we added Zscaler Inc. as new in January as well as CyberArk Software Inc. All got four stars and then we gave Cisco Systems Inc. and Fortinet Inc. two stars.

Impact of the pandemic

This next chart shows the same picture at the height of the U.S. lockdown.

Now you may say – OK, what’s different? Microsoft, Palo Alto, Proofpoint, Okta, CyberArk, Zscaler & CrowdStrike are still at four stars, with Cisco and Fortinet having two stars. Splunk fell off, but that’s it. What’s different is instead of making the cut the top 22, we narrowed it down to the top 10 in order for a company to make the grade.

If we had done that in January, Okta, CrowdStrike, Zscaler and CyberArk wouldn’t have made the cut. But in April they did as their presence in the data set grew, and we strongly believe this is a direct result of the work-from-home pivot: CrowdStrike in endpoint, Okta in identity access management and Zscaler in cloud security, disrupting traditional appliance-based firewalls.

Just to note, for context, we placed Dell Technologies Inc. (which was RSA Security LLC) and IBM Corp. in the list.

Second-half 2020 outlook

Now let’s look at the most recent July survey. We’re a bit out on a limb a bit here because many of these companies haven’t reported yet, so we don’t have full visibility on their business outlook. But we show the same data below for the most recent survey.

The red line is the top 10 cutoff point and you can see Splunk, which didn’t make the cut in April, is back on the four-star list. It’s very possible buyers took a pause last quarter and focused attention on work from home, but Splunk continues to impress as it shifts toward a subscription model. Splunk has a strong hold on the security information and event management or SIEM segment. But everyone wants a piece of Splunk – especially some of the traditional firewall companies that see their hardware business dying. So we’re watching the competition from these and other players such as Tenable Inc..

Proofpoint fell off the four-star list because its Net Score didn’t make the top 10. CrowdStrike, CyberArk and Zscaler also fell back because they dropped below the top 10 in Shared N. But we still really like these companies and expect them to continue to do well. There could be some anomalies in the survey, but we’re trying to be as transparent as possible. Share the data, listen to it and adjust our models accordingly.

Interpreting the signals

Let’s make a few more points and try to interpret what might be happening here.

First, Okta pops to the top of the Net Score ranking, overtaking Crowdstrike’s top spending momentum from the last survey.

One customer in the financial services sector told Erik Bradley on a recent VENN roundtable:

We’re seeing amazing things from Okta. But the traditional firewall companies are stepping into identity. They may not be best of breed but they have a level of integration that is appealing.

This individual specifically called out Palo Alto and Fortinet as trying to encroach – so keep your eyes on that.

CrowdStrike has declined noticeably in this past survey, which surprised us. Zscaler actually is showing more momentum relative to last quarter’s survey so that’s a positive. Palo Alto and Microsoft are holding steady and continue to lead. Proofpoint and CyberArk are showing a bit of a velocity drop and SailPoint and Tenable are catching our attention. Identity management provider SailPoint in particular had a great quarter and re-instituted guidance, giving us the benefit of hindsight on its performance. So it was easy to give it two stars.

One side note: We’ve cut the data here with those companies that have more than 50 mentions in the sector, which pared down the list and represents higher quality.

We maintain the premise that cloud, endpoint and identity are the big security themes and drivers in the market. We believe this is a longer-term trend and not a work-from-home fad. Moreover, CISOs need tools to be responsive and don’t want to just get an alert. SecOps pros would rather immediately shut off access and risk angering users than get hacked. And companies are increasingly using artificial intelligence to detect breaches, and they’re relying on automation to remediate or protect and fence off critical resources.

Visualizing the players’ relative positions

Followers of these segments know that we like to plot vendors within sectors across two of our favorite metrics – Net Score, or spending momentum, which is a simple metric that tracks those spending more versus less on a technology; and Market Share, which measures a vendor’s pervasiveness in the data set. It’s calculated by taking the number of mentions a vendor gets within a sector divided by the total number of respondents.

What we show below are the key security players that we’ve highlighted over the past several quarters.

Let’s start with Microsoft. It has consistently performed well in the security sector as well as other parts of the ETR taxonomy. It has a huge presence in the survey, which is indicated on the horizontal axis and you can see it has a very solid Net Score which is shown on the vertical axis.

One interesting thing is that you don’t see Amazon Web Services Inc. on this chart. It’s because AWS and Microsoft so far have somewhat different strategies with respect to security. Microsoft with its long application software history and SaaS presence across Office 365, plus SharePoint with Active Directory, has been really focused on selling security solutions to protect its applications directly. Offerings such as Defender ATP for advanced threat protection, its SIEM cloud offering Sentinel, and Azure Identity Access Management indicate the company is really going after the space hard.

AWS prioritizes security but it doesn’t show in the ETR dataset the same way Microsoft does. It’s almost as if AWS is hiding in plain sight. AWS has always put a great deal of emphasis on securing the infrastructure such as S3 buckets and it announced IAM for EC2 way back in 2012. And last year at its re:Inforce conference, there was an impressive focus on security and a burgeoning security ecosystem. In fact, when you think of getting started in AWS, you think EC2, S3 and IAM. So I would expect to see AWS really become more prominent over time in the data set.

For the first time since we’ve been analyzing the security market with ETR data, Okta has the highest Net Score at 58%. It had consistently been CrowdStrike with the momentum lead. The company has dropped in this quarter’s survey and that’s something we’re watching. By the way, we’re not to imply that Okta and CrowdStrike are direct competitors – they’re not.

And you can see nonetheless that CrowdStrike, Zscaler and SailPoint show very elevated Net Scores. And we’ve plotted Tenable, which is also showing strong. You can see the respective positions of Proofpoint and Fortinet – these are more mature companies founded in the early part of the century, so you’d expect them to have somewhat lower Net Scores.

And then there’s Cisco with a huge presence in the data. Cisco is doing well in security. It consistently grows its security business in the double digits each quarter and it’s a real feather in the Cisco portfolio cap. That’s important as its traditional hardware business continues to come under pressure.

Splunk’s leadership position is no surprise, as we’ve mentioned.

But I want to talk a bit more about Palo Alto Networks. It’s a tier-one player with great service. CISOs want to work with it because they are thought leaders and have an impressive portfolio of great solutions. But its traditional firewall business is coming under pressure for the reasons we discussed earlier. Palo Alto has expanded its portfolio to the cloud and with Prisma the company’s suite of security services, it will maintain a leadership position in our view.

But Palo Alto as we discussed had some missteps with its product transitions, sales execution and pricing models. And it hurt its stock price, but we’ve always said that it would work through those issues and that was a buying opportunity. The other thing about Palo Alto is it’s considered the expensive choice by customers. You pay for those top-tier offerings. So that’s a two-edged sword.

Here’s an example as to why. People often compare Fortinet to Palo Alto and we shared in previous segments the valuation divergence between Palo Alto and Fortinet – where the latter was making a smoother transition to its future. And people often tell us that Fortinet, while maybe is considered not as elite as Palo Alto is the value choice. Its stuff just works. Fortinet is a great alternative to Palo Alto and that has served them well.

Cyber valuation trends since COVID hit

Let’s now take a closer look at the valuations of some of these companies. We started this segment by saying that the pandemic has affected every sector and especially cybersecurity. The chart below shows the progression of key valuation metrics since earlier this year.

What we show above are the valuations of nine of the companies in the security sector since mid-February. The data tracks their respective valuations, revenue multiples and growth rates in both value and revenue terms. Revenue growth is shown in the last column for the most recent quarterly report. The companies in red have yet to report so as we mentioned, we’re flying a bit blind here, After the earnings we’ll take another look to see how the survey data aligns with the results.

Here are the key points:

• Market averages defy the economic reality. First we see the S&P 500 and Nasdaq performance in February, June and August. Pandemic? Recession? What do you mean? The Nasdaq in particular is up 14% since mid-February, is quite astounding.
• Palo Alto and Fortinet valuations diverge. Fortinet has reported its quarter and Palo Alto has not yet, but you can see, based on the revenue multiples highlighted in red, that the valuation divergence is shrinking. We’ll see if that holds up after Palo Alto reports in the coming week.
• Three disrupters stand out. The eye-popper is the valuation increases from February to August for Okta, CrowdStrike and Zscaler. 52%, 67% and 104% increases respectively. Now you can’t say we didn’t warn you that these companies were all well-positioned when we reported last year and in January. But I did say in our last episode that I thought these three were getting expensive. And since then, they’ve continued to run up. So if you’ve been waiting for an entry point based on my advice – well, sorry.
• Revenue multiples keep expanding for growth plays. Look at the revenue multiple expansions in the orange. Okta from 34X to 52X. CrowdStrike 39X to 66X. Zscaler from 25X to 43X. I mean, wow. Let’s see what happens after these three report. We would have hoped they’d take a breather this summer, so you could jump in, but these stocks just keep going up. And despite the decline in Net Score for CrowdStrike we still like all three of these companies and feel they’re very well-positioned from a product standpoint and customer feedback perspective.
• SailPoint has a strong quarter. SailPoint crushed its quarter, bringing in some large deals and providing forward guidance. It has nearly a 50% valuation increase since February and a revenue multiple expansion from last quarter, when the Street wasn’t thrilled with its numbers. But identity management is hot and so now is SailPoint from the Street’s perspective.
• Expectations on growth rates are high. The last thing we’ll stress is watch the growth rates. Expectations are high and the Street will cream any of these companies that miss, which may be your opportunity to jump in because we like these disruptors. As always, do your research and watch out for the whales trying to freeze the markets on these guys.

Key takeaways

Remote work

The trend is clear. The move to SaaS is entrenched. By the way, this isn’t necessarily all good news for buyers. CIOs and CFOs tell us that the dark side of the move from capital expenses to operating expenses is unpredictable bills. But the flexibility and business value gained is outweighing the downside risks.

We believe the remote-work trend is here to stay to a large degree. Organizations are rearchitecting their businesses around working from home and we think they are seeing some real benefits. They’ve made investments, it’s driving new modes of work and productivity, and they’re not going to just throw away those recent investments. Why should they? Just to go back to the old way? We don’t see that happening.

As we’ve said previously, the internet is the new private network and virtual private networks and software-defined wide-area network start to look like stopgaps. The cloud, endpoint security and cloud-based IAM are winning.

Breaking down silos

We’re also seeing new security regimes emerge where the CISO and SecOps teams are not an island. We’ve even seen some CISOs falling back under the CIO, which used to be taboo, like the fox guarding the henhouse. But this idea of shared responsibility is not just between the cloud providers and the security teams. Security is a board-level priority that everyone in the business is becoming more aware of.

Now the last two points are interesting. We remember reading a post by Jon Oltsick, who is an Enterprise Strategy Group security analyst. He predicted last year that integrated suites would win out over the buffet of point products on the market. We generally agreed with that but at least in the near- and mid-term, that’s not happening, as we’ve seen with the hot companies highlighted here.

Products versus platforms

Now these companies have ambitions beyond selling products and they would bristle at us lumping them into point products. Their execs are going after platform plays, so they’re all on a collision course. This should be fun to watch because the big integrated companies are well-funded, have great cash flows and large customer bases and they aren’t going down without a fight. So we would expect eventually there will be more of an equilibrium to what seems to be a bifurcated and unbalanced market today.

Expect more M&A activity, but at these valuations, some of the companies we’ve highlighted are becoming acquisition-proof. As such, they’d better keep innovating or they will be in trouble.

Remember these episodes are all available as podcasts wherever you listen and subscribe. These segments are published weekly on Wikibon.com as well. We have added in the Wikibon.com menu bar a Breaking Analysis link of all these episodes. We also publish on Siliconangle.com. Please do comment on our LinkedIn posts. Don’t forget to check out ETR for all the survey action. And get in touch on twitter @dvellante or email david.vellante@siliconangle.com.

Here’s the full video analysis:

Image: pixelcreatures/Pixabay