What's wrong with security investing?

I have a few industries I just avoid at all costs. No matter how many Fooldom recs show up.

No Fashion…at all, ever.
No Airlines…at all, ever.
No Security Tech…at all, ever.

I have lost money on security companies a couple of times. I started back in the days of multifactor cards and tokens. My company used them, other companies used them, they had to be the future. More recently Fireeye was all the rage.

The issue with internet security is that there is no fix. There is no one company that can say, ok, done, this is the only product you need. They can’t. Every few years a new company comes out and says, “OK, we are the best at preventing THIS thing.” Everyone oohs and ahhhs…but then the next attack is completely different. There has not been any one company that can innovate as fast and consistently as hackers can change direction. They might for a few years, but I have yet to see any company continue to stay cutting edge forever.

I have ZS and CRWD and FTNT on my watch lists, along with all the security companies that I have sold. I keep them there to remind me of my operating thesis. There could be truth to the no network effect, but even here there seems to be disagreement on what is it actually. The biggest issue in security is, tech is always changing, this changes the attack vectors, and ultimately leaves previous security fixes in the dust.

6 Likes

I recently found a new blog that I find is one of the better (or perhaps best) sources of free information on the stocks we own here. The blog is softwarestackinvesting dot com. I imagine some of you are aware of it. I would not be surprised if the author reads this board and/or is a contributor. In any case, the author wrote an article last October about this very subject. His reasons are identical to those put forth by Denny. Namely, nobody wants to spend money on security. It is a necessary expense.

I recall links do not work in these messages, but if you search for “why I won’t invest in security stocks site:softwarestackinvesting.com” you will surely find it. Well worth the read, and I am sure you will find some value in the other posts as well.

7 Likes

"In most high tech business categories there are one or two top dogs and the reason is that they have network effect. Security seems highly fragmented because it lacks network effect. In security there is no winner takes most.

Another point, most IT products and services are considered productivity tools. Security is not productive, it is protective. It does not add, it just spends on trying to prevent losses. A necessary evil."

I do think security solutions are slowing evolving towards more platform centric approaches, but the unique nature of most cyber threats has led to a proliferation of tactical solutions. Most CISOs hate the fact they have so many tools, but also have to react quickly and get small wins where they can. Most companies are more compliance driven as well or check the box and aren’t doing very pro-active security and risk management, they are barely keeping their heads above water.

You are absolutely correct most security tools are preventive and despite increased attention from most BOD at the end of the day most security conversations will still land 4th or 5th in their priority lists. Think about it, does a CEO get excited when the CISO comes to him and says you need to spend XXX millions to protect our enterprise or when the VP Sales or Marketing walks in with a proposal for Zoom and says we can reach xxxx more customers with this tool, drive xxxx millions of additional revenue, and save xxxx millions in travel costs. Zoom moves the CEO needle (as one example) whereas security is by and large a cost center or at best might be saving them on costs from whatever security tech they are using today.

There will still be some very big winners in the security space so it’s great to invest there, but I think the real massive homeruns will come from solutions that help grow businesses.

4 Likes

There is a thoughtful post on Cybersecurity company scaling here

There isn’t the same degree of “lockin” that accompanies application software (user familiarity, etc.) or other areas of infrastructure software. So big revenue ramps are often followed by increasing churn and decreasing retention looking out 2–3 years.

“Crowdstrike S-1: why Cybersecurity is great for VC investing but suboptimal for public equity…” by Gavin Baker https://link.medium.com/xOcVoLypm4

4 Likes

Thanks everyone for a terrific discussion, I’ve learned a lot!

To sum up my “new and improved” view of security as an investment:

1.- Security is not as good as high quality productivity software with strong network effects

2.- Security is not as risky as debt and credit exposure

3.- Take the middle road, invest but keep security on a short leash, whatever that means for you, for me: diversify and keep positions smallish

Denny Schlesinger

14 Likes

Palo Alto. Amongst many security winners. Just depends when you buy it. The numbers spoke volumes about Palo Alto.

Tinker

Security is a necessary spend, there is no getting away from it. But it is always ripe for disruption. Anything technological can be disrupted with better tech. Palo Alto was a disrupter at some point, and now it seems to be going through that cycle themselves. They are getting crushed lately.

https://www.marketwatch.com/story/palo-alto-networks-stock-p…

The field is crowded with competitors because it is such a crucial element of our tech landscape, and because it is so ripe for disruption primarily because hackers continue to innovate and infiltrate at every turn and every opportunity they get. CRWD, CYBR, CHKP, ZS and others will come and go, those that innovate, adapt and rapidly iterate will have longer legs than others. Tough to be stock picker in that field.

2 Likes

Not so tough if you use volatility as your friend, and follow the numbers. Palo Alto’s numbers were very much like Crowdsource’s numbers. While the stock price went up and down the numbers never did for Palo Alto.

The problem we have with Crowdsource is that the valuation multiples are now higher for the same numbers than they were for Palo Alto back way when. There were many incumbent competitors for Palo Alto, and it is only now that Palo Alto is the market leader in NGFWs.

For Zscaler, they have unique technology that provides distinct product benefits. The numbers however…Zscaler needs to start retaining new customers. Not any more difficult than that. So you can hope they will start doing so, or pretend the numbers are lying.

Either way, if you bought back in the crash of Oct and Dec of 2018 your still up more than 50% on Zscaler despite it all. When you buy matters a lot. It makes it a lot easier to hold as well if you buy on such opportune moments. The odds are that Zscaler’s fundamentals will improve. Whether or not Zscaler can become a category killer is TBD. Makes a big differences the distinction between improving fundamentals or category killer. But either way, even after the awful earnings, and even after the Coronavirus crash, had you bought when I bought your still up more than 50% in a little more than a year. Not bad.

With Zscaler you have 3 quarters probably to wait for the turnaround (Zscaler and Palo Alto were nearly identical in their earnings calls. It was as if it is a completely secular issue for the industry). We hope (because we have seen it before) it happens sooner. Holding a concentrated portfolio I decided to take my profits and move to a simpler story with all 8 cylinders firing like a machine, with a narrative that equates to the numbers, and then some, and with a very pragmatic product value, both for now, and in its road map.

I would not be surprised to see Zscaler come back as Zscaler is completely disruptive. This is not just another security company, it is a company that changes the entire network paradigm. As an investor, however, I am pragmatic.

Tinker

7 Likes

“I know I rely heavily on Amazon product reviews”

But check fakespot.com to see if the reviews are legitimate.

1 Like