Security Market

Thursday, April 16, 2009

Guest Post: It’s Not Just the Economy (A Financial Analyst’s Perspective)

By Rich

When I first started Securosis I was a little surprised at the number of due diligence and other investor-related projects that started flowing through the door. At Gartner we couldn't engage in these kinds of projects (for some very good reasons), but being independent allowed me more flexibility. Since then we've continued to work closely with a variety of investment partners and clients.

One of our partners is Marker Advisors, a boutique financial analysis and consulting firm here in Phoenix/Scottsdale. We like them for their dead-on analysis, and habit of buying us Mojitos on Friday afternoons. I wish I could tell you some of the stuff these guys are up to, but suffice it to say they have an extremely good pulse on the market. (We also suggest you follow Peter Kuper, who is blogging over at IANS and is another one of our favorite partners).

We asked the guys at Marker for their take on the security software market, and they were kind enough to let us post their response. Some of this information is counter-intuitive, and shows why the economy isn't the only issue the security market faces. We've broken it into two parts:

2008 was a tough year economically, but most software companies discovered ways to grow revenue. The 20 companies we are closest to and favor (what we call our "coverage" list) grew revenue 18% (organically) YoY in 2008; an outstanding performance given both the environment and an overall market that grew at less than half that pace. Our larger "universe" of the 75 software companies we follow grew ~16% (including acquisitions). However, growth in both groups slowed in the 2H08 to ~9% YoY. The big question that needs answering is at what rate will revenue grow in 2009, and then 2010? To best determine this answer, let's first take a look at why revenue grew last year:

  1. New product cycles. The first major new product cycles since 1999/2001 spurred investment in 2006 > 2008. 2008 capped a multi-year reinvestment cycle, as many companies managed to finally complete the move to Web-based technologies (from client server) in most applications/infrastructure, as well as upgrade to the latest generation of IP networking products.
  2. Existing vendor spend. Software companies with large customer bases were able to sell these new products (often at a discount) into a market that wanted to spend with existing vendors.
  3. Add-ons increase ASPs. New add-on products (product line extensions) helped increase ASPs, as customers looked to improve the productivity and broaden the use of new installations.
  4. Support costs increased. Many vendors pushed through 2007/2008 increases in maintenance and support charges, as pricing power shifted back to the vendors (for oh so short a time).
  5. International growth. International growth helped overcome a relatively difficult U.S. market.
  6. Budget Shifts. Budget allocations shifted towards our favored sectors – Security, Web Content Management and Virtualization.
  7. Weak dollar. The dollar's weakness pushed growth up in the 2H07 and the first half of 2008.
  8. M&A boosts results. Acquisitions in late 2007 and early 2008 boosted 2008 revenue results by a couple of percent.

However, most of the factors that made 2008 a solid growth year are no longer present in 2009:

  1. We are at the end of this decade's major product introductions. The next round of innovation appears to be focused on "cloud" computing, not data center computing. As customers evaluate where to install their next server and whether to rent or own software, they will spend less now. The economy will only make it easier to consider this a "transition" year.
  2. The large customer bases that were heavily mined throughout 2008 are nearing exhaustion. Although they did not overspend like they did in 2000/2001, they are appropriately stocked.
  3. Add-ons are slowing. Add-on products continue to get shipped, but it's going to be a slow year for innovation. There will be no major new product cycles until 2010-2011. Moreover, the future product cycles will be more cloud-based and subscription priced, so look for evolution in business models.
  4. International growth will not be as much assistance in 2009, as EMEA, APAC and China all slow spending. We have picked up a growing number of channel checks that suggest all three regions are now slowing materially.
  5. Budgets will shift towards a much smaller set of projects in 2009. If you are a strategic vendor and make the short list, the year will look decent (low double digit growth). If not, it will be a struggle (flat to declining revenue YoY). Security and WCM will continue to outperform, but ratcheted down a full notch. Applications will continue to underperform. Basic infrastructure will be mixed – virtualization will be solid, but communications and networking will be slowed by both "cloud computing" marketing and major vendor "next big thing" sales campaigns. It is no longer clear where organizations should invest... In their own data centers? Or should they outsource basic infrastructure like email, collaboration, and data services to the emerging cloud vendors? Or outsource it to their software vendors' SaaS offerings? 2009 will be a good time to evaluate these options, while not making a major investment decision.
  6. It's hard to predict the dollar – however, it's unlikely to provide much tailwind given 1H08's prolonged weakness.
  7. We believe acquisitions will pick up as the year progresses, as potential sellers understand we are in for a rough couple of years and valuations are not coming back strongly. In fact, we think many of the best investment opportunities will come in the form of M&A.

In December 2008, Street analysts had 2009 revenue growth at around 9% YoY for our coverage names, and close to that for our universe names. SaaS and virtualization companies have higher expected growth rates, and application companies lower growth rates. Today those same analysts have cut growth projections to around 5% YoY.

In examining the quarterly forecasts, it appears investors and analysts are looking for a 2H09 recovery in capital spending. The crux of our question is how could they possibly know that right now? We don't know either, but we think it more likely we don't see real recovery in software investment until 2010 or 2011, when there are new product cycles worth buying.

About Marker Advisors: Marker is a research consultancy firm specializing in the software industry. We work with senior company management as well as sophisticated industry investors to create shareholder value. We provide detailed market intelligence, business and product strategy, and M&A advisory services.

–Rich

Wednesday, October 15, 2008

My Take On The Database Security Market Challenges

By Rich

Yesterday, Adrian posted his take on a conversation we had last week. We were headed over to happy hour, talking about the usual dribble us analyst types get all hot and bothered about, when he dropped the bombshell that one of our favorite groups of products could be in serious trouble.

For the record, we hadn't started happy hour yet.

Although everyone on the vendor side is challenged with such a screwed up economy, I believe the forces affecting the database security market place it in particular jeopardy. This bothers me, because I consider these to be some of the highest value tools in our information-centric security arsenal.

Since I'm about to head off to San Diego for a Jimmy Buffett concert, I'll try and keep this concise.

  • Database security is more a collection of markets and tools than a single market. We have encryption, Database Activity Monitoring, vulnerability assessment, data masking, and a few other pieces. Each of these bits has different buying cycles, and in some cases, different buying centers. Users aren't happy with the complexity, yet when they go shopping they tend to want to put their own car together (due to internal issues) rather than buy the full product.
  • Buying cycles are long and complex due to the mix of database and security. Average cycles are 9-12 months for many products, unless there's a short term compliance mandate. Long cycles are hard to manage in a tight economy.
  • It isn't a threat driven market. Sure, the threats are bad, but as I've talked about before they don't keep people from checking their email or playing solitaire, thus they are perceived as less.
  • The tools are too technical. I'm sorry to my friends on the vendor side, but most of the tools are very technical and take a lot of training. These aren't drop in boxes, and that's another reason buying cycles are long. I've been talking with some people who have gone through vendor product training in the last 6 months, and they all said the tools required DBA skills, but not many on the security side have them.
  • They are compliance driven, but not compliance mandated. These tools can seriously help with a plethora of compliance initiatives, but there is rarely a checkbox requiring them. Going back to my economics post, if you don't hit that checkbox or clearly save money, getting a sale will be rough.
  • Big vendors want to own the market, and think they have the pieces. Oracle and IBM have clearly stepped into the space, even when products aren't as directly competitive (or capable) as the smaller vendors. Better or not, as we continue to drive towards "good enough" many clients will stop with their big vendor first (especially since the DBAs are so familiar with the product line).
  • There are more short-term acquisition targets than acquirers. The Symantecs and McAfees of the world aren't looking too strongly at the database security market, mostly leaving the database vendors themselves. Only IBM seems to be pursuing any sort of acquisition strategy. Oracle is building their own, and we haven't heard much in this area out of Microsoft. Sybase is partnered with a company that seems to be exiting the market, and none of the other database companies are worth talking about. The database tools vendors have hovered around this area, but outside of data masking (which they do themselves) don't seem overly interested.
  • It's all down to the numbers and investor patience. Few of the startups are in the black yet, and some have fairly large amounts of investment behind them. If run rates are too high, and sales cycles too low, I won't be surprised to see some companies dumped below their value. IPLocks, for example, didn't sell for nearly its value (based on the numbers alone, I'm not even talking product).

There are a few ways to navigate through this, and the companies that haven't aggressively adjusted their strategies in the past few weeks are headed for trouble.

I'm not kidding, I really hated writing this post. This isn't a "X is Dead" stir the pot kind of thing, but a concern that one of the most important linchpins of information centric security is in probable trouble. To use Adrian's words:

But the evolutionary cycle coincides with a very nasty economic downturn, which will be long enough that venture investment will probably not be available to bail out those who cannot maintain profitability. Those that earn most of their revenue from other products or services may be immune, but the DB Security vendors who are not yet profitable are candidates for acquisition under semi-controlled circumstances, fire-sale or bankruptcy, depending upon how and when they act.

–Rich

Monday, September 29, 2008

Impact of the Economic Crisis on Security

By Rich

As I write this, the Dow is down nearly 600, Congress struggles to pass a bailout bill, and both the Broncos and Buffs lost over the weekend.

Bad times my friends, bad times.

Like many of you, although my current financial situation is pretty solid, I can't help but wonder what the future holds. We're not merely entering uncharted territory, we're headed straight for that big black circle marked "There Be Monsters Here". That doesn't mean we won't make it to the other side, but the journey is fraught with danger and challenge.

First, a couple of assumptions:

  1. Some sort of bailout package will pass.
  2. Times will get tough, but we won't enter a full depression.

If we hit a depression all bets are off- since, at that point, much of society essentially collapses. But short of total economic collapse, or a miracle economic recovery, we can somewhat effectively follow the trends and postulate some conclusions.

I lost my crystal ball years ago during a wild night with Hoff and Amrit involving some bottles of 40 year old scotch, the real Travelocity gnome, and a Vegas cab driver snorting pure ground Brazilian sugar cane, but if we step back we can probably make a few guesses as to the collective future of the security world.

First, our starting assumptions:

  1. We'll continue to see severe credit restrictions- even tighter than now.
  2. With limited credit and a weak stock market, the economic effects will spread beyond the financial sector. Retail, auto, and other credit-heavy industries will suffer the most.
  3. We will see no decline in security threats, but the threats will morph to adapt to changing market conditions.

We don't need to get fancy; belts will tighten, credit will be harder to obtain, the bad guys will keep adapting, and business will continue, albeit more slowly.

These lead directly to some conclusions about the security market:

  1. Startup cash will dry up, and IPOs are no longer an exit strategy option. There will be less security product innovation, and what is created will be bought earlier, and cheaper, by established players who can't afford big acquisitions anymore.
  2. We will see continued, massive, consolidation as small companies struggle to survive and larger players can't create growth. These won't be big buyouts with happy founders retiring on the beach, but survival consolidations. Think Symantec buying Checkpoint, or Oracle buying Symantec. More middle players will consolidate as well, like the Sophos/Utimaco deal. We'll have a few big generalists, a smattering of middle-sized guys glomming together, and the occasional small company that bootstrapped with a couple paying clients and isn't dependent on external financing.
  3. Best of breed loses to security suites. Users will demand more suites from their vendors, and "good enough" will be the name of the game. If you have a technologically superior solution no one will care. To be honest, no one really cares today, but they'll care less in the future.
  4. Large price pressure. Users will demand these suites at no (or minimal) additional cost. Vendors will grind over each other in a race to the bottom just to keep customers. It may not look like it on the surface price sheets, but in the nitty gritty street battles on deals you'll see sales guys tossing in their firstborn essentially for free.
  5. A continued obsession with compliance, cost reduction, and obvious threats. If a tool isn't required by the auditors, doesn't reduce ongoing operational costs, or stop a threat (like spam/viruses) that knocks people offline, it won't sell very well. Vendors who don't solve a clear and present business problem are in trouble. It will be nearly impossible to get budget for anything else.

We'll also see some threat evolution:

  1. Tighter credit issuing will reduce new account fraud. If it's harder for the good guys to get credit, it will also be harder for the bad guys.
  2. Existing account fraud will increase. It isn't like the bad guys will go get some non-existent legitimate jobs. They'll hammer the financial system, especially phishing/preying on financial fears. As any historian will tell you, fraud tends to increase during times of economic extremes- good and bad.
  3. Major attack vectors will be similar to what we see today- client-side and web application. I don't see anything in an economic downturn that changes the technical nature of the attacks we see today- they'll continue to get more sophisticated, but that's happening regardless of any economic issues.

And, of course, this will impact security professionals and how we do our jobs:

  1. The bad guys will keep us employed, but salaries will be under pressure. "Good enough" applies to us as much as it does to our tools. We'll see a little professional erosion as underexperienced newbies enter the market to stay employed, and non-security IT folks take added security responsibility. Now will be a good time for a diverse skill set to survive fat trimming.
  2. We'll have to do more with less. That's so obvious I'm embarrassed to write it.
  3. We'll be under even greater pressure to justify what we do, and what we spend on. Again, really obvious, but as we've been talking about long before these economic troubles, the most successful security professionals will be those who can clearly communicate with the business and articulate their value.
  4. Get used to accepting more risk. We'll have to take hits on the small stuff to focus our efforts on the biggest risks.
  5. Pragmatic wins. The broader your skill set, the less you cost the company while stopping most of the bad stuff; and the better you can communicate all of this the happier you'll be. It's always been about getting the job done, but let's be honest and admit that it isn't always about getting the job done. While internal politics and BS will never go away, odds are those who take a practical approach will survive better, and perhaps thrive, during tough economic times.

In other words, get used to people trying to nibble at your job, tighter belts in general, and doing more with less. Pet projects will fade and you'll be forced to use suites more, as we try to reduce both what we spend on tools, and the people to manage those tools. Threats won't fade, and we'll focus more on the large obvious stuff that doesn't obviously affect the balance sheet. Compliance won't go away (it will be worse in some sectors) and will continue to define much of what we do.

The need for security doesn't diminish, but the way it's delivered has to change during tough times. Security practitioners, vendors, and bad guys alike will be pressured to solve obvious business problems while proving their value (preferably with numbers and pretty charts). In other words, the more practical you are (except for you back stabbing wizards of internal politics), the better you'll be. Focus on the basics, keep the skill set up, and learn to talk to management and make nice looking charts.

As for me? I, like everyone, worry. As an expectant parent I'm starting to worry in ways I never imagined before. But I also know that if I continue to focus on helping my readers and clients save money, and am able to articulate said savings, I should be fine. I'm fairly pragmatic myself.

Oh- and I think we need a complete reboot of our fracking country and government, and fully intend on voting that way.

–Rich