Third-Quarter Cybersecurity Earnings Wrap

The recent quarterly earnings season spotlighted a range of public cybersecurity companies, revealing how some are keeping pace with digital transformation, while others are slower out of the gate. And it's not over yet: Still more companies are set to report later this month.

Overall, the standouts for the quarter included CyberArk (CYBR), Fortinet (FTNT) and Zscaler (ZS), with Qualys (QLYS) also booking decent results. Let's take a deeper look at the situation.

Security Gets Cloudy

Most public companies doing well in cybersecurity are following a trend toward closely integrating their products and services with software-defined wide-area networks (SD-WAN). This can take several forms: Firewall vendors like Fortinet are offering appliances with tight SD-WAN integration via homegrown or partnered solutions; SD-WAN providers such as Aryaka are adding security through partnerships with third parties like Palo Alto Networks and Checkpoint. Zscaler is also benefitting from this trend as it bundles its cloud security offering with SD-WAN offerings.

Cybersecurity vendors see SD-WAN as the highway to a future of subscription-based cloud services, sold not just to enterprises but to smaller companies too. As 5G and IoT (Internet of Things) gain momentum, it will be imperative that security get better, more manageable, more scalable — just more everything. And cloud-based SD-WAN is the key enabler.

Recent earnings reports show that selected public companies in the cybersecurity market are moving ahead with the strategic shift to SD-WAN — and making money while doing it. But some companies appear to be moving faster than others. The chart below shows the rate of overall revenue growth year-over-year for a handful of public cybersecurity firms for the third quarters of 2018 and 2019.

Of course, the move forward isn't about revenue growth alone. Newer companies grow faster than older ones. And marketwise, it will take time for traditional IT security solutions to get fully sidelined. Still, given the urgent need they address, cybersecurity companies are bound to be in the vanguard. The slowpokes have a bit of time, but perhaps not as much as they think.

And They’re Off!

The companies listed below aren’t showing too much strain in the transition from their traditional products and services to SD-WAN-based security offerings. Their relatively well-paced adjustments are good news for customers and investors alike.

Akamai (AKAM). By using its position as a network service provider to leverage security and edge networking, Akamai seems to have a winning proposition so far. On the company’s recent earnings conference call, CEO Tom Leighton said: “We’re seeing very strong growth in new customers, and that’s being led by security.”

CyberArk (CYBR). By pursuing government as well as enterprise customers, focusing on compliance and security certifications, and looking toward SaaS growth, CyberArk seems to have hit on a solid formula for success. On November 6, the company reported solid quarterly earnings. Though smaller than some of its rivals and partners with $108.1 million in quarterly revenues, CyberArk’s 28 percent growth is significant. Its new SaaS solution, dubbed Alero, doesn’t require VPNs, and cloud-based versions of CyberArk’s other privileged access products are getting good market reaction, execs say.

Fortinet (FTNT). In its third-quarter 2019 earnings report on October 31, Fortinet declared revenue of $547.5 million, up 21 percent year-over-year. Fortinet’s model is to sell security appliances, powered by its own ASICs, for up-front revenue. Once sold, inherent capabilities in the ASICs, such as SSL and SD-WAN, can be activated incrementally for additional fees. Execs said having proprietary ASICs gives the vendor an edge on competitors in terms of secure SD-WAN integration that does not sacrifice performance to security.

Qualys (QLYS). Third-quarter 2019 earnings show good profitability for this twenty-year-old company, which has been offering SaaS for security and compliance since 2008. Having expanded its software lineup with regular releases, acquisitions, and integrations (with Amazon AWS, Google Cloud Platform, and Microsoft Azure), Qualys is in a good position to sell from the cloud, albeit gradually: The vendor’s Cloud Agent, which deploys on mobile and virtual devices, among other types, accounted for 22 percent of the firm’s revenues last quarter. But executives boast about the software's scalability and insist that number will grow quickly.

Zscaler (ZS). When Zscaler reported quarterly earnings September 2019, it announced a nice 53 percent revenue growth rate year-over-year to $86.1 million. And the company has been doing well since its IPO in March 2018. Partnering with SD-WAN suppliers and a range of other vendors — most recently Microsoft for Ofiice 365 — has helped push Zscaler ahead, especially in service provider networks.

The Jury's Out

The companies on the following list face some interesting challenges. How those are handled will determine whether these firms continue to stay ahead of the pack or fall behind. Right now, they’re holding their own in the cybersecurity tectonic shift from product to SD-WAN-integrated cloud subscription service. But a lot can happen before the goal is reached.

FireEye (FEYE). This company continues to increase sales on the way to cloud land. But it’s stumbled a bit on the way. In the second quarter of 2019, internal costs of investing in cloud-based services to create its own offerings, coupled with losses resulting from discontinuing hardware products, made for a dip in earnings and profit. There is also persistent industry talk that FireEye is looking for an exit strategy, possibly a la Imperva’s sale to a private equity firm in 2018 (more on that below). Rumor also suggests that FireEye may try to sell the appliance business that still accounts for a big part of sales. Until FireEye’s future direction is clearer, questions will abound — and questions about a company’s future don’t attract new customers.

Imperva. In what is every firm’s worst nightmare, Imperva, a formerly public company acquired by private equity firm Thoma Bravo for $2.1 billion in October 2018, was forced to acknowledge that a database containing information about its security cloud service customers was compromised in the same timeframe last year.

The breach went undetected until, in August 2019, the company received a “bug bounty” request from an unidentified source. On October 10, 2019, the company issued a detailed explanation of how the breach occurred: “Our investigation identified an unauthorized use of an administrative API key in one of our production AWS accounts in October 2018, which led to an exposure of a database snapshot containing emails and hashed & salted passwords,” stated Imperva CTO Kunal Anand in a posting on the company’s website.

Understandable, but for a cloud security firm otherwise following market trends, it’s gut-wrenchingly embarrassing. While Imperva struggled to explain and regain its footing, CEO Chris Hylen resigned at the end of October 2019, though he claimed his exit had nothing to do with the breach.

All this aside, Imperva was doing quite well before Thoma Bravo and the breach. Its final quarterly report before the sale revealed good growth and solid traction in the market. It will be interesting to see how this company’s obvious strengths line up against the recent dings to its reputation and executive suite.

More On the Way

Of course, these are just a few of the vendors to keep an eye on. The coming weeks will reveal earnings from other big vendors in the cybersecurity space, including Cisco (November 13), Palo Alto Networks (November 25), and Splunk (November 21). As these and other players move toward cloud security services, they are going to partner with others (and with one another), acquire other companies, and in some cases get acquired. It’s going to be an interesting journey