Cyber security and industry maturity are two phrases rarely heard together. The vendor hall gimmicks, perennial vaporware and billion dollar valuations always draw a wry smile from seasoned InfoSec professionals.
Despite all this, if we look closely there are signs emerging that the industry may actually be starting to mature.
The best – and perhaps only – reliable source of industry data is to be found in the annual reports of publicly listed companies, where the year in review – including financial statements – is laid bare in black and white.
A look at some of the largest cyber pureplay firms is revealing; the study here includes Symantec, FireEye, Checkpoint, Palo Alto, Proofpoint, and Fortinet.
While growth among these organisations is still impressively double digit, it has slowed significantly, falling from an average of 29% in 2014 to 18% in 2017, with 2018 results yet to be released across the board.
So what’s caused the slowdown across these firms? From an external perspective, perhaps the market can simply no longer support the historic levels of growth. Or perhaps the market is becoming desensitized to the cyber threat, with ‘breach’ the new normal and share prices bouncing back in record time post-attack.
Are internal factors also at play here? A further look at the financial reports shows that decisions made by the companies themselves may be contributing to the growth slowdown.
Sales and Marketing spend falling
It has been no secret that cyber security spends eye-watering sums of money to get you to buy more of its stuff; five years ago a median 53% of revenue went into sales and marketing efforts. It wouldn’t be unfair to say that back then, these weren’t security organizations, or technical organizations – they were marketing organizations with a slightly-larger-than-usual IT team.
Today, the industry is in the process of slowing down, with sales and marketing spend falling to 41% on average. Furthermore, last year was the first time that every one of these firms reduced their sales and marketing budgets as a proportion of revenue – a clean sweep towards sustainability.
R&D investments no longer protected
Sales and marketing wasn’t alone in facing the axe; Research and Development, the driving force behind the cyber-security industry’s clamor for ‘new’, also took a hit across the six firms, with not one increasing R&D spend relative to revenue. Indeed, Palo Alto slashed R&D by 42% over the last two years relative to its revenue increase, with FireEye following suit with a 29% cut. It should be said that as an industry, cyber-security still outstrips most of the economy (including healthcare) when it comes to R&D spend – which makes these recent decreases all the more notable.
Again, could it be that shareholders are looking for some kind of return from what is sold today, rather than the promise of silver bullets in the future?
Operating Profit increasing
Perhaps this is reinforced when we examine the ratio of Operating Profit against revenue. Last year, each firm either increased its operating margin or made progress towards balancing its operating cost against its revenue.
For a once-runaway industry, these figures are significant. The gains in operating profit show an industry focused on moving the needle towards returning shareholder value, rather than growth at all costs and the pursuit of ‘new’.
Are we there yet? No – the financial statements don’t lie – the industry still isn’t profitable, in part because it’s still growing quickly (sales and marketing cost) and also because it continues to reinvent itself each year (R&D cost). However, there’s one striking anomaly here: Checkpoint, who deliver 50% operating profit and even maintain a share buyback policy to return investor value. Checkpoint achieve this by maintaining sustainable, single digit growth, combined with a steady proposition to control costs.
In doing so, perhaps they provide us a glimpse into the future for the industry as a whole. For now, we’ve still got some growing up to do.