TomG's second stock, Varonis Systems first l

Varonis Systems is the second company TomG mentioned. It IPO’d in 2014 amid high expectations at a price of 55, dropped to around 15 over the next two years, and in the last 20 months has had a meteoric rise to the low 50s. Varonis Systems at its core is a data management company bundled as a security company. They implement a metadata (data about data) framework on top of your existing data system, which allows them to provide near real-time analysis and threat detection on your data. They have multiple different products, which all ultimately are based on making sure your data is appropriately managed and accessed. Using their metadata they make sure the correct people have access to the correct files, file permissions are correct, out-of-date permissions are retired, sensitive data is appropriately secured, user behavior is analyzed (is Joe Blow copying all your sensitive files to a thumb drive, that type of thing), audit trails are managed, and I’m sure more things that I’m missing. As far as I can tell this isn’t a company focused on keeping the bad guys out so much as not allowing them to do damage when they are in your network (whether that is your own employee or someone who has penetrated your network). They have automated and developed monitoring tools to ensure your data is handled by a system that follows best practices. They have recently begun to target the cloud and feel well positioned to manage data for enterprises in that space (AWS, etc.).

Some comments from their earnings call,
“One customer, in only 5 minutes of configuration, successfully analyzed and eliminated global access groups in approximately 60,000 folders. It would have taken weeks, if not months. The return on investment is clear and it is critical to understand the speed and magnitude of risk reduction.”

“In Q3, the federal government agency contacted us one weekend because they were concerned about sensitive content hidden in PDFs owing to a potential breach. We quickly mobilized the team and we were able to locate the sensitive content they were looking for. They purchased the data for more than 10,000 to prevent data breaches and to secure sensitive data going forward.”

All data is taken from the Seeking Alpha transcripts and Varonis’ website.
I found this slide deck very helpful.…

In summary:

Year  Revenue ($M)   Growth
2011  40
2012  53             32%
2013  75             41.5%
2014  101            26%
2015  127            30%
2016  164
2017  ~211 expected  28% expected (31% from the data available so far)

The last few quarters they have been guiding to mid-20% revenue growth but coming in at low-30% revenue growth.

About 40% of their revenue is international.
Almost 50% of customers pay for more than one Varonis product, with that number on a slow, steady increase.

The last two quarters they have had non-GAAP positive earnings of 0.01 and 0.06. They are still reporting a GAAP loss of 0.12.

Gross profit margin has hovered right around 90% and they expect it to stay there.

Year to date, they generated positive operating cash flow of $10.8 million, compared to $4.5 million in the same period last year.
They have ~$120 million in cash and cash equivalents on hand.

They have north of 5,500 customers and are adding 200-250 a quarter. Their existing customers are signing up for additional products and seats, which is how we are getting around 30% growth.

My comments: Security is an interesting field, as I don’t think any company can approach anything close to the TAMs that are thrown about. The bigger the footprint a security company gets, the bigger the reward is for “hackers”, as they can compromise one platform and have access to many enterprises. With the above disclaimer, I’m not sure that I would call Varonis the typical security system, as a large part of what they do is automate best data and access practices, which seems easy but in reality is quite difficult. As more and more high-profile companies have high-profile data breaches, data management becomes a no-brainer. They also seem to have one relatively large potential catalyst in the near future. The EU passed GDPR (the General Data Protection Regulation); the law becomes enforceable across the EU in May 2018. Varonis has introduced a new product to ensure GDPR compliance (so new, in fact, that when you click on the product page you get a 404 file not found).

Varonis isn’t cheap right now; historically their P/S peaked around 7, cratered to 3ish and is now back in the mid-7 range. They are occasionally profitable, with a trend toward being always profitable, which will probably happen next year. They are projecting 211 million in revenue for 2017; even if they blow the 4th quarter out of the water and beat by a huge 40% of revenue, their P/S would still be a little under 7, assuming their stock stays the same. Long story short, this company is expensive. I find their business interesting, but I don’t have a good handle on how big they can grow or how profitable they can become. They only have about 5,500 customers; that number seems like it could be much, much higher, and onboarding customers is quick and easy. I’d say they have a pretty large runway.

As always, I’m curious to hear others’ thoughts.
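The post describes two of the findings Varonis sells, global access groups on folders and out-of-date permissions, and quotes a call where one configuration change cleared global access on about 60,000 folders. As an added illustration (my own code, not Varonis’s product and not part of the original post), the Python below runs that kind of audit over a constructed ACL table and a constructed access log. The folder paths, group names, inheritance flags and dates are all made up for the example; on a real Windows share the entries would be read from each folder’s DACL.

```python
"""Offline audit of folder ACLs for two findings from the post: folders that a
global group can reach, and explicit grants nobody has used in months.
Illustrative code only (not Varonis's product). All data below is constructed;
on a Windows file server the ACEs would come from the share's DACLs."""
from datetime import date, timedelta

# Groups that amount to "everyone on the domain".
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed ACL table: folder -> ACEs (trustee, rights, inherited?).
# Parent paths are prefixes of child paths, which is all the code relies on.
ACLS = {
    "/fs01/share":                      [("Everyone", "Read", False), ("FinanceRW", "Modify", False)],
    "/fs01/share/finance":              [("Everyone", "Read", True), ("FinanceRW", "Modify", True)],
    "/fs01/share/finance/payroll":      [("Everyone", "Read", True), ("FinanceRW", "Modify", True),
                                         ("jsmith", "Modify", False)],
    "/fs01/share/finance/payroll/2016": [("Everyone", "Read", True), ("FinanceRW", "Modify", True),
                                         ("jsmith", "Modify", True)],
    "/fs01/share/hr":                   [("HR", "Modify", False)],
    # Inheritance disabled here and Everyone granted on purpose (a public drop folder).
    "/fs01/share/public":               [("Everyone", "Read", False)],
}

# Constructed audit-trail summary: (trustee, folder) -> date of the last access event.
LAST_ACCESS = {
    ("jsmith", "/fs01/share/finance/payroll"): date(2017, 2, 3),
    ("FinanceRW", "/fs01/share/finance"): date(2017, 11, 20),
}
AS_OF = date(2017, 12, 1)


def _under(folder, ancestor):
    return folder == ancestor or folder.startswith(ancestor + "/")


def folders_with_global_access(acls):
    """{folder: global groups granted there}, inherited or explicit."""
    hits = {}
    for folder, aces in acls.items():
        groups = {t for t, _, _ in aces if t in GLOBAL_GROUPS}
        if groups:
            hits[folder] = groups
    return hits


def remediation_points(acls):
    """The explicit global-group ACEs: the only ones that need removing.
    Inherited ACEs are copies of an ancestor's explicit ACE, so one change at
    the top of the tree clears every descendant at once. That is how a few
    minutes of configuration can touch tens of thousands of folders."""
    return sorted((f, t) for f, aces in acls.items()
                  for t, _, inh in aces if t in GLOBAL_GROUPS and not inh)


def folders_fixed_by(acls, folder, trustee):
    """Folders that lose `trustee` when its explicit ACE on `folder` goes away.
    A descendant with its own explicit ACE for the trustee (inheritance
    disabled) keeps it, and so does everything below that descendant."""
    blockers = [f for f, aces in acls.items() if f != folder and _under(f, folder)
                and any(t == trustee and not inh for t, _, inh in aces)]
    fixed = []
    for f, aces in acls.items():
        if not _under(f, folder) or any(_under(f, b) for b in blockers):
            continue
        if any(t == trustee for t, _, _ in aces):
            fixed.append(f)
    return sorted(fixed)


def stale_explicit_grants(acls, last_access, as_of, max_idle_days=180):
    """Explicit, non-global grants with no access event in `max_idle_days`.
    Activity anywhere under the folder counts, because a grant at the top of
    a tree is normally exercised through inherited ACEs on the files below;
    ignoring that would flag busy groups as stale."""
    cutoff = as_of - timedelta(days=max_idle_days)
    stale = []
    for folder, aces in acls.items():
        for trustee, _, inherited in aces:
            if inherited or trustee in GLOBAL_GROUPS:
                continue
            seen = [d for (t, f), d in last_access.items()
                    if t == trustee and _under(f, folder)]
            last = max(seen) if seen else None
            if last is None or last < cutoff:
                stale.append((folder, trustee, last))
    return sorted(stale, key=lambda x: (x[0], x[1]))


if __name__ == "__main__":
    for folder, groups in sorted(folders_with_global_access(ACLS).items()):
        print(f"global access: {folder}: {', '.join(sorted(groups))}")
    for folder, trustee in remediation_points(ACLS):
        fixed = folders_fixed_by(ACLS, folder, trustee)
        print(f"remove {trustee} from {folder}: clears {len(fixed)} folder(s)")
    for folder, trustee, last in stale_explicit_grants(ACLS, LAST_ACCESS, AS_OF):
        print(f"stale grant: {trustee} on {folder} (last used {last})")
```

The 60,000-folder figure in the call makes sense once inheritance is taken into account: the inherited `Everyone` entries are copies of one explicit entry at the share root, so `remediation_points` returns a single row for that whole subtree and `folders_fixed_by` shows what removing it clears, while the deliberately public folder that disables inheritance is left alone. The stale-grant check rolls activity up the tree before deciding a grant is unused; without that, a group granted at the root and exercised only on subfolders would be reported as dead and retired by mistake.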



Very nice review, Ethan. Thank you very much for your hard work.



Thank you for doing a deep dive on Varonis. You had some points I hadn’t considered. Overall I like this company; I think they are thinking outside the box on IT security. I like their approach of identifying data breaches when they happen, as opposed to trying to stop all hackers from getting in, which I think is very hard because the hackers will find new ways in.

Things I like:

different approach to IT security
founder led
cash flow positive with $128M cash on hand and no long term debt
steady growth of about 30% with a long TAM runway
margins are improving and EPS turning positive

EV/S of just over 6, not bad for a 30% grower.

I took a starter (tryout position).



TomG started a new service recently for microcaps and just last week they were reopening with a new perspective and even more optimism. I would not be surprised if the two stocks he tossed us are from that service. Hmmm.


I have to take a closer look, but from what you describe this is far more than an information security firm, or at least has the potential to be.

I spent the last several years of my career as an IT Enterprise Architect in a major aerospace firm. The focus of my work was Information Asset Management, a practice that I personally developed and espoused with not very much success.

Obviously, in that this was my focus for a number of years, I could go on at great length. I’ll try to cut to the chase. First, let me discriminate between “data” and “information.” If you read any of the dictionary definitions for these two things (they are nouns) you will find that each is defined in circular terms referencing the other. In my capacity as a senior architect, I wrote the official definitions for the enterprise. Briefly, “data” is the digital (or analog) gunk that is captured, managed and manipulated by machines (primarily sensors and computers). Data is meaningless to humans. It is not the binary representation of 1s and 0s; that’s information. Rather, it is the magnetic flux recorded on a spinning ferrous disc, or the electrical charges stored on a NAND chip, or the electrical voltage differential transmitted on a conductive trace, etc. Humans are unable to perceive data in any meaningful way. Information, on the other hand, is perceptible to humans and potentially carries a meaningful message. The two entities are obviously related to one another and can be transformed from one to the other, but they remain separate. As such, data management and information management are two entirely different disciplines.

Some examples of information assets are engineering designs, purchase orders, training materials, financial reports, patents, advertisements, personnel records, payroll records, manufacturing plans, invoices, system specifications, eye-readable source code, etc.

I argued that enterprise information should be managed similarly to the way the enterprise manages any other asset. Though information has some characteristics that set it apart from other assets (like the ability to produce unlimited copies), that should not be viewed as an insurmountable obstacle. After all, inventory and facilities are separate assets of an enterprise. They are different and require separate treatment, but they are both assets and, not surprisingly, share a number of common attributes with respect to their management.

Enterprise assets, other than rare exceptions, are not managed individually; they are managed by policies that govern the assets by class. Take inventory as an example. Inventory in most companies is not monolithic. In a manufacturing firm (like the one I worked at) there is raw materials inventory, which can be further broken down into perishable goods, tubular stock, sheet stock, etc. (each of which may be further broken down by material), wire, caustic liquids, acidic liquids, etc. Then there are treasury stores inventory; these are inventories that are ultimately incorporated into an end item with little or no alteration: fasteners (nuts, bolts, screws, rivets, connectors, etc.), purchased equipment (avionics, lighting, entertainment systems, etc.). There’s work in process (WIP) inventory (fabricated parts, assemblies, etc.) and so on. Hopefully you get the point. What’s important to glean from this is that individual rivets are not managed; they are managed as a class by the application of policies that govern that class. Composite raw materials, for example, have to be refrigerated and have a limited shelf life. There are policies that govern the storage and issue to manufacturing of these materials. There are additional policies related to how they are handled on the shop floor. If they expire prior to use, the policy asserts that they must be dispositioned and written off as a loss. Get it? I hope so.

In essence, information is no different. The key ingredient to information asset management is metadata (more correctly, meta-information). The problem with managing information by policy is knowing how to classify it. I proposed that all policies fall into three classifications: 1) Life-cycle policies, 2) Quality policies, and 3) Security policies. I readily concede that there may be some ambiguity about whether a given policy belongs to one category or another. I proposed that this needn’t be a conundrum, pick one, it’s not vitally important which category the policy resides in. What is important is to have the appropriate policies for the information classes.

Maybe this is all somewhat murky. Let me provide an example. Let’s take purchase orders. Like inventory, purchase orders are not a monolithic class. If you’re buying a truckload of chicken carcasses to launch at an aircraft windshield in order to ensure that it will survive a flock bird strike, it’s a somewhat different entity than buying jet engines or buying some proprietary assembly to be used on a top secret black project or buying toilet paper. Let’s look at some policies. First, who has authority for the information asset? Well, that depends on how a company is organized, but if there’s a singular purchasing organization for the company, then the authority will most likely be the executive in charge of the purchasing organization. OK, we’ve got a policy that designates the RAA (responsibility, accountability and authority) for the asset. How about security? The cited purchase orders obviously have very different security requirements. But, as a class, secret black project purchase orders are going to have similar security policies, which will be different from those for buying toilet paper, which, as a class, is considered MRO (maintenance, repair and operations) items, and so forth. Security policies will govern who can see an asset belonging to a class, who can copy it, print it, and a host of other things. Life-cycle policies will determine the provenance, cost, retention, disposition and a host of other things that govern the asset class. Quality policies will determine the characteristics of attributes (i.e., “delivery date” must be compliant with a date format and must designate a time in the future), what attributes must be present in order to consider the PO complete and legally binding, etc.

OK, enough of that. Here’s the rub. Managing information by policy as an asset class is labor intensive. So much so that precious few managers are willing to invest the effort necessary to do so. There are content management systems that provide a vehicle for managing information by class with applied policies, but they don’t alleviate the human effort required to a great extent. Most of the effort is related to collection and application of the meta-information required to classify information assets. I have long believed that much (not all, but a lot) of the required meta-information can be derived from the information asset content sans human effort. However, the tools to do this have been absent.

So, I’m excited about the potential of Varonis to do this. Of course, they are currently focused on security issues as that’s getting a lot of attention due to large scale data (information) thefts. My sense is that if they can derive the majority of meta-information to establish security policies, they can obviously extend the capability to quality and life-cycle issues.

This would herald an unprecedented level of information asset management capability. The next step would be the policy formulation engine (many of which could be provided as a fill-in-the-blanks templates) and the assignment of policies to information classes which might also be largely automated based on existing standards.

I don’t know anything about Varonis other than what Ethan reported, but I’m going to take a harder look at this company and their product offerings.
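The post above argues that much of the meta-information needed to classify information assets can be derived from content without human effort, and that security classes are the natural place to start. As an added example (my own code, not the poster’s and not Varonis’s), the Python below derives a few indicators from document text, assigns information classes, and merges the class policies so the strictest setting wins. The sample documents, class names, access levels and policy table are all constructed for the illustration and do not reproduce any standard.

```python
"""Deriving meta-information from content and applying class-based policies.
Illustrative code only, not from the post's author or from Varonis. The
detectors, class names, access levels, policy table and sample documents are
constructed for the example and do not reproduce any standard."""
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EXPORT_RE = re.compile(r"\b(ITAR|EXPORT[ -]CONTROLLED)\b", re.IGNORECASE)


def luhn_ok(digits):
    """Mod-10 check that issued card numbers satisfy; it rejects most typos
    and random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_numbers(text):
    """Digit runs of card length that also pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def ssns(text):
    """SSN-shaped numbers, minus area/group/serial values that are never issued."""
    found = []
    for area, group, serial in SSN_RE.findall(text):
        if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
            continue
        found.append(f"{area}-{group}-{serial}")
    return found


def derive_metadata(text):
    """Meta-information derivable from content with no human effort."""
    indicators = {
        "card_numbers": card_numbers(text),
        "ssns": ssns(text),
        "export_markers": [m.group(1).upper() for m in EXPORT_RE.finditer(text)],
    }
    classes = set()
    if indicators["card_numbers"]:
        classes.add("PCI")
    if indicators["ssns"]:
        classes.add("PII")
    if indicators["export_markers"]:
        classes.add("EXPORT_CONTROLLED")
    return {"classes": classes, "indicators": indicators}


# Constructed policy table. Access levels are ordered least to most
# restrictive so a merge can pick the strictest one.
ACCESS_LEVELS = ["employees", "need-to-know", "cleared-us-persons"]
POLICIES = {
    "PCI":               {"access": "need-to-know",       "print": False, "retention_years": 1},
    "PII":               {"access": "need-to-know",       "print": False, "retention_years": 7},
    "EXPORT_CONTROLLED": {"access": "cleared-us-persons", "print": True,  "retention_years": 10},
}
DEFAULT_POLICY = {"access": "employees", "print": True, "retention_years": 3}


def merged_policy(classes):
    """An asset in several classes gets the strictest setting of each kind."""
    chosen = [POLICIES[c] for c in sorted(classes)] or [DEFAULT_POLICY]
    return {
        "access": max((p["access"] for p in chosen), key=ACCESS_LEVELS.index),
        "print": all(p["print"] for p in chosen),
        "retention_years": max(p["retention_years"] for p in chosen),
    }


# Constructed sample documents.
SAMPLES = {
    "po_toilet_paper":     "PO 88123: 40 cases tissue, net 30, ship to dock 4.",
    "po_card_on_file":     "PO 88124: expedite fee charged to card 4111 1111 1111 1111 exp 09/19.",
    "po_bad_card":         "PO 88125: ref 4111-1111-1111-1112 is a typo, ignore.",
    "payroll_record":      "Employee 2291, SSN 123-45-6789, semi-monthly, direct deposit.",
    "engineering_memo":    "Drawing 77-0042 rev C. EXPORT CONTROLLED - ITAR. Do not distribute.",
    "payroll_export_memo": "ITAR program staffing: J. Smith, SSN 123-45-6789, assigned to drawing 77-0042.",
}


def classify_all(samples):
    """{name: sorted class list} for every sample."""
    return {name: sorted(derive_metadata(text)["classes"]) for name, text in samples.items()}


if __name__ == "__main__":
    for name, classes in classify_all(SAMPLES).items():
        print(f"{name:20} {classes or ['(none)']} -> {merged_policy(classes)}")
```

Two details matter in practice. The Luhn check is what separates a card number from a typo or a random digit run, so the bad-card sample is not flagged; and an asset that lands in more than one class gets the strictest policy of each kind rather than the policy of whichever class was detected first. Pattern matching only sees text, so for PDFs and Office documents a text extraction step has to come before this.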



You could make an MBA level Coursera course with that overview!

Awesome. Thanks.


Brittlerock, your post is an example of why I love this forum. Who knew that we would have an expert at information management and that the expert would be so gracious as to give us a primer. I’m looking forward to seeing the company through your eyes once you have a chance to look at it, because I am definitely not an expert in this field.


I argued that enterprise information should be managed similarly to the way the enterprise manages any other asset, though information has some characteristics that set it apart from other assets (like the ability to produce unlimited copies), that should not be viewed as an insurmountable obstacle.

Paint me skeptical. We pretty much service every company in the A&D space in one form or another, and I have been involved with many of them for the last decade.

My team goes through background checks, drug checks, security clearance, annual security reviews, and credit checks before they can even step into the account. Then there is a whole set of policies about who can access what, etc. The team has dedicated laptops to connect to the environment, and they cannot use our standard company-issued laptops to connect to these environments. Many of them carry multiple phones because each account/customer requires dedicated devices. Have you ever heard of ITAR or FedRAMP?

These are some of the things I can discuss here. If you are suggesting the companies haven’t had data policies during the last decade… with due respect, you have no idea what you are talking about. It is interesting to see that you seem to be stuck at least 15 to 20 years back and consider that information current.

I don’t disagree with you. Yes, I’ve more than heard of ITAR (not FedRAMP; a quick look on Wikipedia shows it didn’t come into play until 2010, the year I retired). I’ve dealt with most of the issues you’ve mentioned, and a whole lot more. I worked for a heavy manufacturing company that designed, built and supported highly engineered, highly regulated, very expensive products that were sold to customers all over the world.

In my job, especially in the last 12-15 years at increasingly high levels of IT-related architecture, I had to be cognizant of myriad security issues as well as a host of regulations. Although I did not work in the computing security organization, the manager of that organization was a long-time colleague of mine. I had a lot of interactions with members of his staff. I also worked with various persons in the law offices of the company, general counsel as well as the folks who worked on patent licensing and IP protection issues (they were kind of separate from general counsel). I worked with numerous functional organizations, outside vendors, consultants and contract personnel. I worked on several M&A projects related to IT and, more specifically, information management and ownership issues.

In addition, I’ve worked on IT related contract bids involving the US as well as foreign governments. I’ve pretty much been there, done that. Like you, even though I retired in 2010, there are many things I can’t discuss here as I’m still bound by security clearances and various NDAs. To the best of my recollection, I can’t remember ever signing an NDA with an expiration date.

After I retired I contemplated going to work for a contract organization, but decided I’ve spent 30 years of my life with this stuff; I’m done, enough already. So yeah, my experience is somewhat dated, but while the technology changes at a blistering pace, other things like management attitudes, laws, government regulations, legal decisions and corporate cultures move much more slowly.

You’ve kind of missed my point.

Take any physical asset of any large organization and you will find that there are clear (well, usually pretty clear) RAAs (responsibility, authority, and accountability) for managing them. Let me provide a couple of examples.

When I first started working, engineering drawings were produced by hand, mostly on mylar. The drawings were stored in a “vault” (really, a caged area with steel fencing). Engineering employees controlled access to the vault, managed the drawing revisions, controlled who drawings were issued to and when they needed to be returned, etc. Engineering had the full RAA for their own work product. In fact, they were very protective of it. Over the course of years, engineering migrated to digital definition. As they did so, a strange thing happened to the management of the work product. What had been an engineering RAA got completely turned over to IT.

Think about an inventory management organization turning over the RAA for physical inventory to the facilities organization because facilities manages and maintains the physical plant in which the inventory is received, stored, picked, staged and issued. Yes, all analogies are flawed, but this one is pretty close to the same idea. IT manages the h/w and s/w; that’s their domain. If you look at it objectively, IT actually provides a custodial service. They have literally no business setting content management policies. It’s not their stuff. Yes, they are responsible for providing a safe, secure, efficient, cost-effective environment. But that’s where the RAA should end. Just as there are a lot of different inventories and they are managed separately based on their characteristics (aircraft engines are managed a lot differently than rivets or office supplies), there are a lot of different types of engineering work product. In that the information content, the engineering work product, is not homogeneous, different policies should be applied to the many different work products. But the only real indication IT has about the difference in content is the CRUD matrix of the apps used against it and the storage middleware and devices used. This can be very misleading. Make a .pdf of a drawing and you’ve not altered the information content, but you’ve completely altered the apps and devices. IT has no way of knowing it’s the exact same information. It gets managed differently due to the change in access methods and the fact that it’s now on a Windows file server rather than scattered across an object overlay on a relational DBMS.

Another example: SOX legislation was the result of off-the-books shenanigans at Enron. Without going into a lot of detail, in essence, the executive management of Enron set up a bunch of shell companies that were used to hide costs and enhance the reported financial performance of the company. Not a single computing system was surreptitiously entered and the data tweaked. All the information systems were used as they existed. There was no evidence of data tampering.

Yes, false information was fed into the systems, but nothing was altered within the systems. No executive stole super-user credentials in order to cook the books. 100% of the violations occurred outside of the boundaries of the IT environment. Despite this fact, SOX compliance was almost entirely an urgent IT project. Urgent because SOX specified monetary and incarceration penalties for the CEO and CFO of a company found in violation. That did get the attention of executive management. But why was it an IT responsibility? IT was able to implement chain-of-authority, which had not been present in most cases. And they were able to implement additional safeguards to inhibit tampering. But these things had nothing to do with the original violation that gave rise to the legislation. I was involved with SOX implementation. I asked these questions. I asked how the steps IT was undertaking (literally working day and night) were going to do anything to inhibit high-level executives from doing exactly the same thing that was done at Enron. I never got an answer.

I never suggested that companies don’t have data policies. I’m not sure how you concluded that I suggested that. What I am asserting is that functional units of the company that are largely responsible for the acquisition and utilization of information products have pretty much abdicated most of the RAA for managing those information products.

In the engineering drawings example I gave above, when the products represented by the engineering designs went out of production, the drawings were still actively maintained for customer support purposes. But even before the products went completely out of service, there was an orderly process where the drawings were first migrated to a company-owned off-site storage facility. Eventually they were either dispositioned or archived at an Iron Mountain facility. When I retired, digital engineering work products were retained indefinitely in the same technical environment in which they were created. There was no archive and final disposition process. I fruitlessly spent a lot of time in meetings and giving presentations about the information life-cycle and the benefits of archiving and managing information by policies that pertained to the types of content irrespective of the data forms and storage devices. The company where I worked had terabytes of information hosted on the interweb. No one knew what was stored there, whether it was current, or what kind of regulatory exposure might be at risk. I’m not actually asserting there was any exposure, I’m only stating that no one actually knew if there was. Some managers worried about it. No one did anything about it. It was considered a potential problem without a solution. The Varonis products that prompted my comments might provide assistance in this area, at least with respect to discovery.

Maybe your experience is entirely different. I don’t know what you do or where you work, but you are obviously intimate with a lot of IT issues. But I would be astonished if you found many very large IT environments in your experience to be a lot different from the one I’m most familiar with. The very fact that data management policies are pretty much the domain of the IT organization is testimony to the problems I’ve described rather than evidence of a problem solved.

Maybe this lengthy exposition adds some clarity to the issues I raised - maybe not. I could elaborate further, but this really hasn’t much to do with investments.

Separately, we’ve had more than one interaction. It’s my impression that you address me personally with an air of hostility, questioning my familiarity with certain regulations as if I were ignorantly just spouting off. Comments like “you have no idea what you are talking about” seem pretty personal and really have nothing to do with the meat of my commentary. I don’t mind being corrected. I’m fallible, and I admit that my experience and information get more stale by the day. But I really don’t appreciate being denigrated. That’s uncalled for.