INDUSTRY REPORT - CYBER SECURITY
“Cyber security conversations have moved from the basement to the boardroom. The industry is increasingly front and center for individuals, corporations, and governments.”
There continues to be a lot going on in the cyber security industry. Just over the weekend the Wall Street Journal reported US and European aviation authorities are focused on cybersecurity threats that could affect a basic data-transmission system widely used by airlines around the world. Weeks ago the State of New York proposed new cyber security regulations for banks, specifically calling for banks to have to hire a Chief Information Officer responsible for implementing measures to detect and deter attacks. Also this past week, a larger publicly traded cyber security firm, Fortinet, reported disappointing sales figures due to a slowdown of cyber security spend in the middle market, though this fundamental trend echoes what other industry participants have been talking about for months, and is not all that surprising considering the mad rush we saw of spend in 2014-2015 which was not expected to continue forever. Then earlier this month there was the news that another cyber security firm, Carbon Black, quietly filed for an IPO, which reaffirmed Wall Street’s ongoing commitment to the industry.
These recent events build on our prior analysis pointing to a favorable outlook for the cyber security industry. Recall, our prior work highlighted the dramatic increase in data breaches, most notably at the NSA, Home Depot, Target, and Sony. These breaches illustrated the importance of cybersecurity and underscore the fact that the cybersecurity market has a long runway for growth. To quantify the opportunity, we note that Frost & Sullivan and Interpol estimate the cyber security market will reach $155 billion market by 2020, representing an 11.8% CAGR from 2013.
The ongoing importance and huge market opportunity for cyber security make stocks in the industry very attractive. In this report we provide an update on Radid7, CyberArk Software, VASCO Data Security International, and FireEye.
COMPANY REPORT - RAPID7 INC.
Our research points to a lengthy list of reasons to like RPD shares including (i) end market exposure characterized by leadership in a growing product category; (ii) a brand name customer list; (iii) healthy financial metrics from operating margin expansion, to the healthy sales pipeline, to the inflection point for free cash flow; and (iv) emerging discussion already of a potential acquisition/takeout premium. We are buyers of RPD shares here at a level just around the $16 IPO price. We see upside to the low $30s in line with Street expectations based on ~5x 2017 revenue estimates.
The company will release its third quarter 2016 financial results on Wednesday, November 9, 2016 following the close of regular market trading. Consensus expectations call for revenue of $39 million and EPS of ($0.20).
The company was recently recognized by SANS for providing the most comprehensive coverage across the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense. The ranking found that Rapid7’s incident detection and response and threat exposure management solutions cover 19 of the 20 Controls as defined by CIS.
Andrew Burton, the company’s senior vice president of IT Search, was promoted to chief operating officer, as the company continues to drive customer adoption and disrupt the cybersecurity and IT markets with its security data and analytics platform. In this newly created role, Burton will will focus on Rapid7’s global sales, sales engineering, customer engagement and IT functions.
Rapid7 and ForeScout released a new product, which delivers on-connect vulnerability assessment and automated risk mitigation to reduce attack surface. For a video demonstration of the integration between ForeScout CounterACT and Rapid7 Nexpose, click here.
COMPANY REPORT - CyberArk Software
We first reported on CyberArk Software Ltd. on October 5, 2014 after the company’s September 24, 2014 IPO at $16. The stock has been a big winner. To remind you, CyberArk is a leader and pioneer of a new layer of IT security solutions. The company’s security solution protects organizations from cyber attacks that are already inside the organization’s IT network perimeter by protecting privileged accounts. Privileged accounts act as the “keys to the IT kingdom,” providing complete access to, and control of, all parts of IT infrastructure, industrial control systems and critical business data. In the hands of an external attacker or malicious insider, privileged accounts allow attackers to take control of and disrupt an organization’s IT and industrial control infrastructures, steal confidential information and commit financial fraud. CyberArk’s solution proactively protects privileged accounts, monitors privileged activity, and detects malicious privileged behavior providing an additional layer of protection against cyber attacks.
Atos, an international leader in digital services, and CyberArk announced a global partnership to fight today’s most dangerous cyber attacks. The focus of the effort is on privileged account credentials. KPMG and CyberArk also announced a partnership to help clients bolster their cyber security strategies. Again the focus of the effort is on privileged account credentials.
The company commissioned a survey. While 82% of respondents believe the IT security industry is making progress against cyber attacks, those gains are undercut by egregious security practices in critical areas such as privileged account security, third-party vendor access and cloud.
The company was awarded another patent (U.S. Patent 9,386,044) by the U.S. Patent and Trademark Office for innovative security risk detection technology.
The CyberArk Privileged Account Security Solution received the U.S. Army Certificate of Networthiness (Army CoN). The U.S. Army Networthiness Program was created for compliance and risk mitigation purposes and ensures that all IT purchases meet Federal Department of Defense (DoD) and Army guidelines, regulations and requirements.
COMPANY REPORT - VASCO Data Security International
VASCO Data Security International, Inc. is the world leader in providing two-factor authentication and digital signature solutions to financial institutions. More than half of the Top 100 global banks rely on the company’s solutions to enhance security, protect mobile applications, and meet regulatory requirements. VASCO also secures access to data and applications in the cloud, and provides tools for application developers to easily integrate security functions into their web-based and mobile applications. The company’s solutions enable more than 10,000 customers in 100 countries to secure access, manage identities, verify transactions, and protect assets across financial, enterprise, E-commerce, government, and healthcare markets. Vasco is very attractive at this point with very strong business momentum due to a strong position among banking customers created by a leading edge technology. The attractiveness of the business is illustrated by the takeover rumors surrounding the company.
Vasco will release its third quarter 2016 financial results after market close Thursday, October 27, 2016. Consensus expectations are for revenue of $53 million and EPS of $0.04.
Vasco’s eSignLive is the electronic signature solution behind some of the world’s most trusted brands. Regulated industries and top analyst firms recognize eSignLive for its ability to balance the highest levels of security, compliance and auditability with ease-of-use to automate any process. eSignLive was sponsored at Saleforce’s major annual conference, Dreamforce. The reviews were great. eSignLive was #1 for customer satisfaction at
Dreamforce on the G2 Crowd Dreamforce 16 Gridscape, outranking vendors such as Slack and DocuSign.
Vasco’s MYDIGIPASS earned a coveted credential for life sciences applications. MYDIGIPASS become a certified full-service Credential Service Provider in the SAFE-BioPharma Trust Framework, a unit of the global SAFE-BioPharm IT security standard used in the life sciences. SAFE-BioPharma Association was developed by leaders in the biopharmaceutical industry to assure that digital identities can be trusted and to allow for the use of digital signatures on electronic regulatory forms and other documents.
COMPANY REPORT - FireEye Inc.
FireEye invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors, including Web, email, and files and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 2,500 customers across more than 65 countries, including over 150 of the Fortune 500. FireEye is in the process of overcoming some near-term challenges and continues to be discussed as a take-out, where value could be $30 per share.
The company will release financial results for its third quarter 2016 on Thursday, November 3, 2016 after the close of the U.S. markets. Consensus expectations are for $183 million of revenue and EPS of ($0.31). The company presented at the Deutsche Bank conference on September 14th. Management discussed how guidance has been reset to a very conservative level, so we should not see below consensus results. Separately, investors will also want to see the business recover from the slowdown in SMB spending and evidence that restructuring has the company on track to reach profitability next year.
FireEye CEO Kevin Mandia took the helm of the company in mid-June with a tall order: To understand the current challenges and arrange all of the components to make FireEye the best security company in the industry. You can listen to his plans for reaching success recently discussed on a podcast, here.
Cyber security is an asymmetric fight. Most security operations centers (SOCs) are understaffed and overwhelmed with alerts. Traditional security relies on manual intervention and containment. Paul Nguyen, VP Orchestration & Integration for FireEye, recently discussed how orchestration levels the battlefield by leveraging FireEye’s years of expertise battling the world’s most consequential breaches. You can listen to the podcast, here.