What's wrong with security investing?

Two decades ago I lost money on Check Point Software (CHKP), last week I lost money on Zscaler (ZS). I’ve had some other security related losses. Is it me or is it security? I have learned to stay away from some investments no matter how beautiful the siren song. For example, anything that has credit risk such as banks. As Nassim Nicholas Taleb says, “They are negative black swan prone.” This led me to ask myself “What’s wrong with investing in security stocks?” I think I have the answer, no network effect.

Suppose WORD catches on, everyone needs to use WORD. Suppose FAX catches on, everyone needs to use FAX. Suppose FaceBook catches on, everyone needs to use FaceBook. Suppose Twitter catches on, everyone needs to use Twitter. Suppose XYX brand SAFE catches on, everyone DOES NOT need to use XYX brand SAFE.

In most high tech business categories there are one or two top dogs and the reason is that they have network effect. Security seems highly fragmented because it lacks network effect. In security there is no winner takes most.

Another point, most IT products and services are considered productivity tools. Security is not productive, it is protective. It does not add, it just spends on trying to prevent losses. A necessary evil.

Does anyone else see it this way?

Denny Schlesinger

42 Likes

Hi Denny,

In short I think the answer is yes.

I too sold ZS on Friday but for a small profit and then reading all the other stuff on this board as well as Bert’s opinion which I shall not share since it is not public yet I think, got me thinking.

As far as I knew until my reading Zscaler had this game taped in terms of technology. Now having read Muji’s excellent report of Cloudflare, it seems that perhaps Zscaler is not the dog’s bollocks when it comes to this technology. Furthermore, having looked at the Gartner quadrant for this which was one of the links in Muji’s report, I see that my old friend Akamai is actually the leader in this field along with Imperva which is a company I know nothing about.

I still hold Akamai eleven years after having bought the stock and was thinking of selling it to buy Fastly. Instead I bought some Fastly anyway with some spare cash and have been happy with Akamai’s recent move.

It seems, in security, many roads lead to Rome which makes investing in it hard. Akamai was not in the security business really when MF decided it was a sell, it has morphed into that but had the huge advantage for any company of being a cash generating machine whilst this transition took place. This also gave it the scope to buy up the opposition before it threatened its core business.

Zscaler is in the Nutanix position of a year ago. I think Wednesday’s NTNX earnings report will be very interesting in seeing how the guru CRO is doing in his endeavour to get a decent sales team in place. This is obviously what Zscaler is hoping for too.

The difference between the two from my limited understanding of the techs involved is that it is obvious that in security, though ZS has great tech, it is not unique tech insofar as there are other solutions which may be as good, whereas, NTNX has its field to itself. If I am wrong about this then someone please enlighten me.

Perhaps the solution is to buy two or three of these security companies and then trade into the one that is comparatively the best in a year or so. Or ignore the sector altogether and just buy more Alteryx.

Jonathan

9 Likes

“What’s wrong with investing in security stocks?” I think I have the answer, no network effect. Suppose WORD catches on, everyone needs to use WORD. Suppose FAX catches on, everyone needs to use FAX. Suppose FaceBook catches on, everyone needs to use FaceBook. Suppose Twitter catches on, everyone needs to use Twitter. Suppose XYX brand SAFE catches on, everyone DOES NOT need to use XYX brand SAFE.

Hi Denny, that’s very interesting and thought provoking. I thought about it. I first noticed that Alteryx has no network effect. Just because a neighboring company uses it your company doesn’t have to. That hasn’t stopped it from becoming dominant in its field. The same with Coupa, Datadog, and Okta. Very profitable rapidly growing companies, very profitable investments, but no network effect. It seems more to be cases of the best products winning out and becoming dominant.

Then I noted that half of the examples you gave (Facebook and Twitter), were social media. Yes, it seems self-evident that networking effect would be key for them. On the other hand for many years Google operating systems for phones were dominant, but that didn’t stop Apple from making 95% of the profit in the cell-phone market. And how about Amazon. Just because your neighbor buys from Amazon it doesn’t mean that there is any pressure on you to buy from them. It seems to be another case of the best product winning out, and then snowballing. The more customers they have the cheaper and better service they can provide (same day delivery, etc).

And then there’s Crowdstrike. It’s even a security company. The jury is still out on the investment, but it seems a bit like the Amazon story. Huge growth of new customers because of the best solution, and then the more customers they have the better the solution becomes.

Shopify is another example of no networking effect. If the next shop over has a website developed by Shopify, that gives you no imperative at all to have your own website from Shopify instead of someone else, if someone else can do it better. But Shopify can do it better. That seems to put Shopify in the Alteryx, Coupa, Datadog, Okta, Crowdstrike, Amazon basket of companies that don’t really have a network effect, but just can do it better.

And to go in non-tech fields, LGIH Homes made me a lot of money several years ago. But they had zero networking effect. People bought houses from them because they were cheap and well built.

And the biotech companies that have worked out for some of us don’t work out because of network effect, but because they have a great product (and then, hopefully, get acquired at a huge price :grinning::grinning:).

So, the network effect certainly seems to help, but most companies that succeed, succeed without it.

Just my way of looking at it.

Saul

52 Likes

One of the things about security companies is that their product is designed to keep something from happening unlike companies with a product which enables something. When enabling, there is a constant search for a better product to do more and more. With security, good enough is more likely to be the standard.

2 Likes

You make some great points. Yes, network effects are a primary driver of category leadership in high tech and it’s often given as the explanation for why tech has so many single companies that dominate a category. In the 20th Century, this wasn’t the case. In the car industry, for example, there is no platform lock-in. If you buy a Ford you can buy another car the next time and the gas will still work to power it. Tesla is looking to change this, obviously.

With security software, the complex and fragmented nature of computer security makes it hard for one player to dominate, at least to date. People keep finding new ways to skin the security cat. And like you said, the non-productive nature of the product also is problematic. If a company buys it, they don’t make more money. It’s just a tax. The best outcome by having it is, well, nothing. Which makes scaling and upsells tough. Why would I want to buy more security than the bare minimum? Even if I want more, how do I buy extra security and not look paranoid?

With that said CRWD is one security stock I am focused on. Them investigating the DNC hack was great marketing.

1 Like

Denny,

“Security is not productive, it is protective. It does not add, it just spends on trying to prevent…”

Great insight, Denny. Thank you for sharing this simple but profound concept to our investing considerations.

Jim

1 Like

It may be the case that becoming the largest security player ultimately and necessarily leads to its demise.

2) building a large company is even more difficult for the simple reason that hackers focus upon weaknesses in the cybersecurity companies with the largest market share — success sows the seeds of future failure.

More here:

https://medium.com/@gavin_baker/crowdstrike-s-1-why-cybersec…

-AJ

7 Likes

Saul, good points but Amazon and Shopify do have network effect, a different kind of network effect. I first noticed that with SAP. A friend who was in the personnel recruiting business told me he was very busy placing “SAPitos” (little frogs in Spanish). Because SAP was successful, IT people were flocking to develop SAP application and they were in high demand. The same is true for Shopify, they have an army of Shopify developers and dozens of Shopify apps and themes. If you need help developing a store that’s the best reason to go for Shopify and maybe to Amazon. Amazon has another network effect as well, product reviews. The more clients you have the more product reviews you can offer your clients. I know I rely heavily on Amazon product reviews and I have written a few myself. Probably true for Netflix.

None of the above takes away from your point that good products tend to do well but network effect gives them an additional helping hand. They have to be good to develop the network effect. It’s a positive feedback loop. :wink:

Denny Schlesinger

13 Likes

I’ve avoided security myself because they do seem prone to blowups. PANW seems to be the one rare exception. It is the only pure play security company out there over $20 billion market cap. Although CHKP and FTNT are now getting close. Okta is at $17 billion.

But still, as big and opportunistic the industry is, PANW is the biggest at $23 billion market cap. Only CRWD, in an overheated SaaS market, matched PANW for a brief period of time.

So when I look at that, it seems the odds are against you as an investor in the security space.

The article that AJ linked to is probably the best reasoning I have found so far. No security company is truly “in” a customer.

I do own Okta and CRWD at this time because I do believe the cloud does possibly change things and DOES give them a network effect. One issue at one customer is instantly monitored and addressed at every single other customer they have instantaneously via the cloud. Therefore the more customers, the better the product.

ZSCALER should have had that same network effect. It never really hit critical mass though. With ZSCALER things don’t really add up because they should be getting a lot of growth because office365 is still growing and they, along with another security startup, are the only Microsoft trusted partners for office 365. The other 3 trusted partners recommend ZSCALER.

So the fact they are slowing down so much doesn’t make sense. Their main bread and butter o365 is still going strong. And even last quarter they said “the markets are coming to us.” They say that while saying their new CRO is going to turn things around and they’re spending a bunch on sales. So in truth their words don’t match their actions nor the reality showing in their numbers. On top of that their “tough comps” from one time deals started to become absolutely ridiculous, mentioning a $1 million deal as a tough comp. So if you don’t know what’s going on you have no way of knowing if they can overcome it. I sold ZS a while back after their previous quarter. That’s 3 quarters in a row of declining fundamentals. The first quarter was not so bad to me though the market felt it was and quickly knocked ZS share price down. I held another quarter and the next one was even worse. So I sold. Then we have this one. Even worse than the previous two. And the market had been bidding up ZS shares going into this report. Another example how the market is not some magnificent always right prognosticator at what stocks should be valued at and which companies are doing well. Or which will continue to do well.

10 Likes

Palo Alto. Amongst many security winners. Just depends when you buy it. The numbers spoke volumes about Palo Alto.

Tinker

1 Like

Netflix has a different type of network effect. The more customers they have, the more they have to spend on better content. The better content they have, the more customers they attract. I would call that economies of scale rather than network effect. Network effect is only one of the handful of ways a company can build a moat.

Amazon has also built economies of scale. It would be a losing proposition to start a company and compete with amazon on cost. That’s how they started. Then they built a superior product. It would be next to impossible to compete with them. Which is why wayfair (or now chewy) would never get a dime of my investment dollars.

Economies of scale, network effect, switching costs (where SAP gets its power), basically anything that gives a company a moat. If I don’t feel like I understand a moat the last thing I’m going to do is buy it and start regurgitating its quarterly reports. But nothing is foolproof.

So the question becomes, what moats (or since I believe Hamilton Helmer broke these down very well in his book) exist in the security industry? How can checkpoint, panw or anyone else have a moat or do they already have one?

ZScaler by all means had (has) a very interesting value proposition for a moat. But right now it’s not paying off.

AJ’s linked article brings up two very interesting points, one negative and the other positive:

There isn’t the same degree of “lockin” that accompanies application software (user familiarity, etc.) or other areas of infrastructure software.

The Gorilla Game defines a Gorilla as an “Open, proprietary architecture with high switching costs.” If a security product operates in the background with little or no user intervention then switching costs tend to be low. Security products become interchangeable, like cars, drive one, drive all. How difficult is it to switch teleconferencing products?

Crowdstrike approaches cybersecurity via traditional ML. So it is fascinating that new security companies based entirely upon deep learning — i.e. BlueHexagon — are emerging just as Crowdstrike IPOs. Having diligenced some of these co’s (not BlueHexagon), there are real advantages to deep learning vs. the more traditional ML methods used by Crowdstrike. These companies are just releasing their solutions into the wild, which is obviously the ultimate test, but early results were very promising,

AI driven security could be a game changer, imagine a really smart AI backed security product that learns as fast as hackers attack…

Denny Schlesinger

3 Likes

The article states Crowdstrike may be obsoleted by companies in the pipeline such as Blue Hexagon. This would negate any type of moat CRWD has and I do not think that’s a good thing.

SentinelOne who uses Autonomous AI or Blue Hexagon with deep learning are going to have a head start on CRWD unless CRWD can buy one. So things are not all rosy with CRWD and it’s up to them as an emerging leader to maintain up to date with emerging technology.

The same thing is happening with genetic treatment companies. Companies like bluebird bio are at advanced stages of developing gene therapy drugs when gene editing treatments that offer to be faster and cheaper are now about 5 years behind them. And on top of that gene editing tech is changing where CRSP NTLA and EDIT may have an old way of approaching the problem because BEAM has a simpler safer approach of chemically altering the gene rather than cutting/splicing. And even BEAM says there are competing alternatives to not having to cut and splice the gene so even their approach may prove inferior. It is a rapidly changing space and what’s big now may be obsolete in 5 years. It’s one of the reasons I think BLUE is so low priced despite all the headway they have made. If Blue Hexagon or SentinelOne start making headway for sure CRWD will see low share prices as well.

2 Likes

Hi Denny,

most IT products and services are considered productivity tools. Security is not productive, it is protective. It does not add, it just spends on trying to prevent losses. A necessary evil.

I agree with this assessment. Scott McNealy, former CEO of SUN Microsystems, years ago was asked, “When is SUN going to take security seriously?”, and replied, “When security makes us money, or lack of it costs us money. Security doesn’t sell!” (paraphrased a bit there, I can’t recall the exact quote, but this is certainly the sentiment!).

As an IT/Network person myself, I’ve long said, “Security is inversely proportional to productivity!”. Many of the examples cited by others in this thread, including those by Saul, such as OKTA, AYX, and the ones you mentioned, FB, GOOG, etc. all have something in common; they make things easier in a very obvious way to everyone.

AYX - Makes data analysis easier to the analyst. But the rest of the company sees this in the form of faster turn-around time, faster analysis, more complete analysis, better information faster, etc.

OKTA - Makes application access faster and easier to everyone. The entire company knows what OKTA is, it’s the “One single place I need to enter a single set of credentials to gain access to ALL of the web sites and applications I use all the time rather than remember a different set of credentials for each of them!” IT sees it as “The one place I need to disable a user when they leave the company to know they no longer have access to anything!”

AMZN - Saves time, saves money, makes finding and shopping and receiving of things easier.

FB - Makes sharing and keeping in touch with friends and family easier and faster than ever.

AAPL - Makes devices that are incredibly simple to use and make tedious things easier with those simple-to-use devices

GOOG - Makes finding information easier and faster than ever before.

All of these companies make things easier whatever those things are. And everyone intuitively understands exactly what it is they make easier, faster, cheaper.

Contrast that with what I refer to as “infrastructure plays” (which I’ve discussed here before), which is where things like NTNX and ESTC, and possibly ZS, Akamai, CRWD, PANW, etc. fall. A few people understand who they are and what they do. But most do not. The vast majority of people in any company have no idea whether their HCI is on NTNX or VMWare, or OpenStack, nor do they care. The CIO or whomever, cares about cost, and that’s it. The IT staff might care about a few different features. But Jane in accounting, or Joe in HR, doesn’t know and doesn’t care. Same for if they use ZS or PANW or CRWD. But both of those people know if the company is using OKTA. And, everyone who needs to do data analysis knows the company uses AYX’s product, or Tableau, etc.

Additionally, as you point out, and as Scott McNealy noted, “security doesn’t sell!”. No one cares about it. It’s a necessary evil that costs money. You never actually know if it works, only if it fails. It’s an insurance policy you hope to never have to use.

I think that’s what makes it so hard to invest in security. No one really cares until something bad happens. It’s not like DDOG which solves a huge problem, (monitoring and alerting), it’s an insurance policy you don’t even know is there, and don’t really want, but are forced into “just in case”.


Paul

37 Likes

Hi Denny,

I quite agree with your caution around security companies. I think it is much bigger than no network effect - security has an anti-network effect.

Security is basically an ongoing struggle between the black hats and the white hats. The black hats focus their energies on the most effective targets - not only the weakest products, but also the weak points in the most widespread technologies.

Thus you have a constant proliferation of new companies finding solutions to today’s biggest security hacks. This is an area of IT spend which is very open to new products, because execs are always looking to show they are on top of their security issues, and new companies can show they are not susceptible to popular hacks, while also having good performance and usability. So new companies get traction.

Some of the new companies grow big, and now they become the new targets. Whatever processes and technology they use, black hats look to find weaknesses. The new technology either becomes susceptible to attacks, or bloats up with work-arounds preventing attacks that make it hard to use and affects performance.

In the meantime, other companies come up with different processes which avoid the techniques the black hats are focusing on, and revenue growth moves to the newcomers.

I have done well with my investments in security tech, but I am very careful on price point when I’m coming in, and on being clear, through revenue growth that the company is in the rocket up, and not on the plateau and gentle move down. I have to thank a lot of financial/revenue analysis from people on this board for that.

The key for me is that if I invest in a security company, I’m ready to pull the trigger at any time, as I don’t expect any of them to be long term plays.

Cheers
Step

15 Likes

I was thinking along the same lines. Security is an expense.

Companies like Data Dog and AYX while not capital, they have that flavor. We invest in this, we get more money.

While when you spend money on security and it works, nothing happens. It is an expense.

Nobody fills out their annual report and says “Look nothing happened”

Except me, but that is why I am a level 0 working or employed in the hinterlands. Of course, because I do my job, it looks and actually is, easy.

Cheers
Qazulight

2 Likes

Step, that actually makes a lot of sense and it’s what I was thinking/have read elsewhere myself. A “negative network effect” is the best way to put it.

I’m not convinced it’s an “out of sight/out of mind” thing. Otherwise why do we have these startups growing and attracting a bunch of new business only to blow up?

Insurance is a huge industry. It too does nothing but cost money in hopes of saving money. But there are plenty of insurance companies that have done well over the years.

The other thing about ZScaler is I’m not sure companies feel safe with the idea of having all their network data going over to the cloud to some external company for inspection. Even if it could be safer.

But the “anti-network effect” may best explain the lack of a large dominant player in this space.

2 Likes

By the way it appears that the battle will continue between the Black Hats and White Hats even with 2FA.

https://www.zdnet.com/article/chinese-hacker-group-caught-by…

“Chinese hacker group caught bypassing 2FA”

1 Like

Hi Denny

It’s an interesting point of view but although I agree to a degree on the point about a network effect or lack thereof, I’m not sure I totally agree on the productive vs protective point and disagree on the end investment value creation conclusion as there has to be other factors involved.

I’ve made multiples on all my purchases in the cybersecurity space including:
Check Point (the first)
Palo Alto
Imperva
Qualys
Fortinet
Cyber Ark

I now currently hold Okta (3%) and Crowdstrike (5%) and ZS (2%) - which I might well let go.

So to me the track record of hitting multiples on all my holdings clearly didn’t fit with a rule precluding profitable investment relating to the absence of a network effect.

To a degree the reasons I think that CyberSecurity has a favourable investment thesis involves:-

  1. #1 IT spend priority
    Cybersecurity has effectively been the #1 IT spend priority for the last 10 years. Companies can choose to suspend network/hardware/software upgrades/roll outs but will not compromise on security. This is reinforced by very public breaches that serve as a constant reinforcement to cybersecurity importance.

  2. Sold to C-suite
    Large deals get done by the business leaders not via lengthy technical operational decision makers allowing for large corporate deal sizes to be secured fairly swiftly.

  3. Willingness to spend on a belt and braces basis
    Very often having 1 security platform does NOT preclude another as companies will want to make sure they are covered on every threat vector which allows room for point solutions, best in breed operators as well as platform or fabric plays to co-exist

Productivity is still a factor
One company that did well for me and has beaten all expectations is Fortinet. Nobody thought Fortinet could assemble a complete build out and compete at the enterprise scale vs Palo Alto and Check Point etc, but they did. They did that in part through excellent products and excellent management but also because of their positioning. Their positioning was absolutely around productivity - claiming they had the fastest throughput of any security platform.

Protection is still a valid benefit
In any case I don’t see protection as being valueless - if that was the case then the insurance industry wouldn’t exist and Insurance is a trillion $ business sector.

One point about the lack of a network effect though which I agree on means that there is always the threat of being replaced by the next latest and greatest. This means you have to time your exit and take your chips off the table in swift order and that is probably accelerating.

Previously I had a rule of questioning anything growing less than 25% and selling anything growing at less than 20%. This might need to be revised to 35% and 30% or replaced by an even more nimble approach.

Ant

15 Likes

Ant:

I’m not saying that security is going away, I’m saying that security does not behave like the productive side of high tech and therefore investors need to look at it from a different perspective, as you say:

One point about the lack of a network effect though which I agree on means that there is always the threat of being replaced by the next latest and greatest. This means you have to time your exit and take your chips off the table in swift order and that is probably accelerating.

As I said, I had “bad luck” with security and I had to ask myself why that was. My questioning has brought out a lot of interesting facts and ideas about the industry that many of us had not thought about before. The core idea seems to be the swiftness of the paradigm shift in “threatology.”

Denny Schlesinger

6 Likes