2022 Cybersecurity Annual Earnings Recap (Part 1)
It's annual earnings busy season in cybersecurity, and February and March are the busiest months. I covered the annual earnings announcements of a few companies last year. This year, I'm covering as many of the high performing companies as I can. I'm breaking this analysis up into a multi-part series with 3-5 companies per part.
At a macro level, what's changed with annual earnings in cybersecurity is take-private transactions. Ten companies have been taken private by private equity firms or strategic buyers since this time last year:
With only two new public companies (via SPACs) during the same period, the number of take-privates represents a relatively large contraction for the industry's public companies.
That's not necessarily a bad thing — Thoma Bravo, Vista Equity Partners, and Turn/River are good owners for the companies that were taken private. It's often better to refactor a company for long-term success outside the pressures and scrutiny that come with being a public company. This trend is likely to play out over 3-5 years (or more) with additional companies being taken private and (eventually) companies re-emerging from their private equity owners as public companies again.
One last overall point before going into individual companies: why are public companies worth paying attention to? There are several reasons, but one of the main ones is that public cybersecurity companies are an indicator of the health of all companies in the industry.
Large cybersecurity companies are one of the main strategic acquirors ("strategics") of earlier stage companies. If strategics aren't doing well, their performance impacts the entire ecosystem. M&A and financing are directly impacted, and things like hiring, partnerships, product development, and more are second order consequences.
Now that we've covered the macro-level discussion points, let's get into the annual earnings announcements.
From Cloudflare's Q4 earnings press release:
Cloudflare, Inc. (NYSE: NET), the security, performance, and reliability company helping to build a better Internet, today announced financial results for its fourth quarter and fiscal year ended December 31, 2022.
"In the fourth quarter, we delivered record operating profit, operating margin, and free cash flow. We also surpassed more than 2,000 large customers paying us over $100,000 per year and signed a record number of deals greater than $500,000," said Matthew Prince, co-founder & CEO of Cloudflare. "During economic slowdowns, we believe that it's important to show discipline and optimize for efficiency. We have our hands on the levers of our business and a full-throttle innovation engine that is the envy of the industry. There's no better time to outpace the competition and continue to deliver products on our customers' 'must-have' list."
The story of Cloudflare's annual earnings call was humility and conservatism. Credit to their leadership team for reading the room and adjusting their tone — especially considering the high-flying spectacle that is a typical Cloudflare event or earnings call.
It's unusual to hear public companies talk so candidly about areas of improvement. That's exactly what Cloudflare did for both marketing and sales and public sector growth.
Cloudflare is a "hybrid" networking and cybersecurity company, but it's clear in the earnings call how important cybersecurity is to their business and strategy. They're too important not to cover alongside other pure cybersecurity companies.
Cloudflare is benefiting from convergence and vendor consolidation.
For all the generalized chatter we hear about convergence and vendor consolidation in cybersecurity, it's important to look at specific and current instances as they play out. Cloudflare is one of the best case studies because it sits squarely in the middle of both convergence and vendor consolidation.
Before we get too deep into analyzing this, there's an important distinction to make about convergence and consolidation: they're related, but they're not the same thing. These terms are often muddled together, and knowing the difference matters.
Convergence is a macro-level phenomenon where entire product categories or industries overlap or merge entirely. It's driven by innovation and market forces beyond any single company.
Consolidation is the result of things like M&A (on the industry side) and vendor consolidation (among buyers on the practitioner/operator side), among other reasons. I wrote an intro about cybersecurity consolidation in the context of aggregation if you want to go deep down the rabbit hole.
Lately, we've been hearing a lot about vendor consolidation as cybersecurity buyers try to reduce and manage spend during uncertain economic times. There are examples all over the place in this set of earnings announcements from February. We'll kick off the examples with Cloudflare.
From CEO Matthew Prince:
A European financial services company signed a five-year $1.8 million deal, replacing a dozen different security and network vendors with Cloudflare...They wanted to consolidate and simplify their numerous point solutions into a single pane of glass solution.
Displacing 12 (!!!) different vendors in one shot is an impressive sales feat. Situations like this don't happen without a powerful strategic driver. In this case, consolidation of network security functions was that driver. Implicitly, cost savings were the motivating factor. In the case of Cloudflare, it's likely the company also wanted to move forward towards a modern cloud platform and away from legacy products.
This is obviously a cherry-picked example, but it's a good one if you want to see what vendor consolidation looks like at customers. There are countless other examples that didn't get highlighted in earnings calls, and potentially an acceleration of similar instances as enterprises continue to manage the economic downturn at a tactical level.
At the level of financial statements, large customer growth is a partial indicator of consolidation. Matthew Prince summarized Cloudflare's large customer growth on the earnings call:
We added 134 large customers, those who pay us over $100,000 per year, and now have 2,042 large customers, including 33% of the Fortune 500. Revenue from large customers grew 56% year-over-year, and they now contribute 63% of our total revenue.
A trend throughout the entire set of earnings calls we're discussing is growth in large customer segments. While not a direct indicator of consolidation, it's definitely a causal relationship. Increased consumption (e.g. existing customers using more of Cloudflare's services) is one component of the growth — that's normal and expected. Consumption alone doesn't get you to 56% year-over-year growth. Vendor consolidation is likely a contributing factor.
They're starting to pull the profitability lever.
Matthew Prince started the call talking about discipline and efficiency:
We achieved a record operating profit of $16.8 million, representing an operating margin of over 6%.
While we continue to invest to capture the huge market ahead of us, we believe that during economic slowdowns, like the one we're in the midst of, it's important to show discipline and optimize for efficiency. We have our hands on the levers of our business and are adjusting them based on the macroeconomic conditions.
If you've followed Cloudflare long enough, you know this isn't Matthew Prince's normal tone. Prince is excitable and upbeat, especially about Cloudflare's growth. Unsurprisingly, growth was the theme of my analysis of Cloudflare earnings last year. They're still growing at a nice clip, but the shift towards profitability late in the year is the interesting part about this year's earnings.
This feels like Cloudflare showing the market they're capable of profitability if they want. Put differently, they're not a growth machine running amok. As Matthew Prince said, they "have [their] hands on the levers of the business" and can make adjustments as needed.
The $16.8 million operating profit (non-GAAP accounting — they technically still had a $50.7 million loss under GAAP) isn't much, but the statement it makes about Cloudflare's ability to be profitable is far more valuable.
At a macro level, Cloudflare's lack of optimism about the economy should be cause for concern. From CFO Thomas Seifert:
In our guidance, we have not factored in any improvement in the macroeconomic environment or from our go-to-market initiatives. Specifically, despite a notable improvement in our pipeline exiting 2022 as compared to the first half of the year, we have assumed the increase in sales cycle, which we observed in the second half of last year, continues in 2023 and have, therefore, incorporated close rates below recent historical lows.
...the important takeaway in the guidance that we put forward is that we did not assume any help from the macroeconomic environment. We did not plan that things would get better.
When a company that's almost optimistic to a fault is saying things like this about their guidance for all of 2023, it's alarming. The tone is partly conjecture, of course — their job is to manage the expectations of analysts and investors, so conservatism is expected. We're just not used to seeing this level of conservatism from a company wired for innovation and growth.
Enterprise sales and public sector expansion are huge opportunities for improvement.
Enterprise sales and public sector expansion are where the unexpected candor part came in. Matthew Prince was brutally honest about his company's marketing and sales efforts:
While our innovation engine is the best in the industry and has unlocked $125 billion total addressable market we have ahead of us, if we're honest with ourselves, our go-to-market organization hasn't yet been fully optimized.
As our products become more complicated and we are selling to larger and larger customers, it's increasingly clear that we need to step up our game in marketing and sales. I introduced Marc Boroditsky who joined last quarter to lead our sales organization. Last week, he briefed me and Michelle on his first 100 days. My initial reaction, if I'm honest, was embarrassment over some of the basic things we should have been doing better. But my second reaction was excitement as there are so many opportunities for us to improve.
For me, the interesting part is Cloudflare's dichotomy between being highly successful at product-led growth (PLG) and simultaneously being embarrassed (in Prince's words) about sales. Cloudflare is one of the few cybersecurity companies that has reached a stage where this problem exists in the first place.
There are only a handful of cybersecurity companies with significant PLG (or bottom-up adoption) from consumers and/or developers, while also having a growing presence in sales-driven mid-market and enterprise companies. HashiCorp and 1Password are a couple others that come to mind, but this PLG-to-enterprise transition in cybersecurity is a relatively unique challenge.
I agree with Prince's optimism about the opportunity for improvement. Cloudflare's growth is so consistently good that most people wouldn't bother to notice the sales side could be doing better. They look committed to being great at both, as emphasized by Matthew Prince here:
We’ve been leaders on the product and engineering side. Now we're focusing on becoming a leader in the go-to-market side as well.
Opportunities for public sector growth are a similar reason for optimism. On the call, Prince shared that Cloudflare is now FedRAMP certified:
I'm happy to report that after our longer than expected wait at the proverbial DMV, we officially received Cloudflare’s FedRAMP certification.
FedRAMP certification itself isn't earth-shattering news, but the possibilities now that it's been attained are interesting. Matthew Prince shared a breakout of Cloudflare's public sector revenue prior to the certification:
...the public sector space is only 3% of our revenue today, so we believe it's only the beginning of what we'll be doing in the future.
That's a low percentage, especially compared to Cloudflare's traditional network security competitors. Another (adjacent, but relevant) peer-level comparison is CrowdStrike, which typically reports around 25% of revenue from public sector customers.
The early results are promising. Matthew Prince reported a nice win for the .gov registry:
We were awarded the $7.2 million, five-year deal to operate the .gov registry. We were awarded the contract because of our modern infrastructure, technical prowess, relentless innovation and proven ability to defend against the largest cyber attacks. Every e-mail sent to the White House, every agency's webpage and most of the other ways the U.S. government connects to the Internet now depend on Cloudflare and our network.
Not too shabby of a start for an area of Cloudflare's business that should become much more important going forward.
From Check Point's annual earnings press release:
Check Point® Software Technologies Ltd. (NASDAQ: CHKP), today announced its financial results for the fourth quarter and full year ended December 31, 2022.
“We delivered solid fourth quarter and 2022 full year financial results despite a volatile year-end macro-environment. Revenue and non-GAAP earnings per share came in at the top end of our projections,” said Gil Shwed, Founder & CEO of Check Point Software Technologies. “We continued building the future of cyber security with the prevention-first Infinity architecture and realized triple-digit growth in Infinity revenues. Building on this success we are driving security innovation with a focus on the 3Cs of the Best Security – a Comprehensive set of technologies that address the key attack vectors; a Consolidated set of solutions with a unified management portal, with Collaborative security technologies – to prevent the next cyber-attack.”
Check Point is in a state of transition. They've been a consistently profitable company since before the current economic downturn. However, they're facing challenges with growth, drawing the inevitable comparisons to other high growth competitors.
On the annual earnings call, these factors amounted to analyst concerns about growth, concerns about the economy, and a glimmer of hope about M&A. Like many companies, it appears tough times are ahead, but Check Point has been through this before.
Analysts are concerned about Check Point's growth.
Analysts didn't hide their concerns about Check Point's growth. This was a clear theme from the earnings call, which drew pointed questions and comments.
From Joseph Gallo at Jefferies:
...what is needed to explicitly grow double digits? Is it products? I saw you lean more into SD-WAN or is it go to market?
And from Keith Bachman at BMO Capital Markets:
Your competitor Fortinet gave guidance kind of mid-teens for product revenue growth...I'm just wondering, you talk about the strength of your product and whatnot and the efficacy of it, and yet you're still under growing one of your major competitors.
They're concerned because Check Point ranked among the lower growth cybersecurity companies at 5.7% (LTM) revenue growth in (calendar year) 2022:
As a result, Check Point's leadership team had some tough questions to answer about their plans for growth in (let's face it) an economic environment that's making growth difficult.
CEO Gil Shwed's main focus is on expanding their sales organization:
I think what's needed is mainly go to market. When we see -- when we engage with customers, when we deliver our message to the customer, to the CSOs, to the CIOs, they love the message, and they expand the usage.
...which was lacking, by his own admission:
...our potential and opportunity is reaching more customers, engaging more. And I think we are working very, very hard internally to achieve it. I think we have what it takes, but we need to get our act together on that.
Bigger picture, Shwed signaled Check Point's plan to stick with good old fashioned profitability:
...we do want to invest. Our goal is to grow. Our goal is to do what's right, and I think our margins are very rich. So my focus is not on -- again, I've always been proud and I'm still proud to be a profitable company and don't intend to change that.
I'm sure some analysts and investors weren't satisfied with these responses. The reality is that it's hard to answer questions about growth in the midst of an economic downturn. The most sensible strategy is for Check Point to hang on to the profitability it already has.
I don't expect low growth will make Check Point a take-private acquisition target. Their history of profitability is a positive. The company's $15B+ market cap would also make them a large transaction. That said, anything is possible in 2023, and we've seen acquisitions of this size recently.
Check Point is cautiously optimistic about M&A...
Check Point isn't widely thought of as a prolific strategic buyer in cybersecurity, but past and future M&A was an interesting topic on the earnings call. The company has been more active in recent years. From Gil Shwed:
...we made many acquisitions. If you look, we've made I think like 18 acquisitions over the history of Check Point. Over the last three, four years, I think made like six or seven.
According to Momentum Cyber data, Check Point has made seven acquisitions since 2018:
Application security, cloud security, infrastructure security, and messaging security have been their focus. Three of four acquisitions have been under $100 million, except for Avanan in 2021.
In the context of growth, Shwed spoke openly about how well their Avanan acquisition is performing:
...we had three "rockets." One was the e-mail rocket based on acquisition we did, which actually grows very, very fast. I don't know, we didn't mention it much today, but the e-mail aspects, that acquisition is very successful, and it's contributing a lot to our growth.
...
The one that's growing very fast and the one that we are very happy with is the Harmony e-mail, doing extremely well, reaching -- meets all the expectation from an important acquisition like that, integrates well with the rest of our technology like our anti-malware engine is used in that product. Their anti-phishing engine is used in many, many of our other technologies, everything that I said about centralizing this threat cloud brain is working well.
That's the type of value Check Point wants out of a larger acquisition: fast growth and integration with other parts of their product portfolio.
His commentary about future M&A is exactly where many strategic buyers are at right now — interested in acquisitions, but holding tight to see if valuations will decline further:
On the private market, I think we will see some opportunities in the future. I'm not sure that the valuation reached the level that we need to reach yet. Some -- we do get once in a while a call from a company that we think is interesting and reached this point of time that it may be interesting.
He also left open the possibility of a larger acquisition:
So, it's not that we are not active on the M&A frame. But I think in the future, there's definitely an opportunity that we will do more. And by the way, that is a good reason to keep some cash, especially if we will find something more transformative, and then not that I'm underestimating spending a few hundred million dollars on a company is also a big bet and a big investment. But maybe we'll find something even bigger, and then it's good to have some cash to fund that.
A larger acquisition would satiate many of the analysts and investors who are focused on Check Point's limited growth. However, the message was clear that Check Point is seeking value acquisitions and will do so with fiscal discipline. So, don't expect a buying spree to ignite growth.
...but also has concerns about the economy.
In a recurring theme across earnings calls, Check Point's leadership team expressed their concerns about the economy and the impact it's having on their business. In the case of Check Point, you could dismiss this as conjecture from a company struggling with growth. However, it's worth noting that the same concerns are being shared by nearly every cybersecurity company (and beyond).
Gil Shwed highlighted Q4 2022 in particular as a challenging period for the company:
Q4 was a little bit different, and we did face some challenges towards year-end. Projects were postponed. Customers didn't have the budget flash, which usually expect in Q4. Despite that, again, the numbers that we have are very, very good, but I just want us to know that it's not business as usual and that -- and even though we have good numbers and good forecast for next year, I think we need to be a little bit cautious more than usual.
Like several other CEOs, he believes consolidation could work in Check Point's favor:
I think, by the way, in the mid- and long range, it can play to Check Point's strength because in times like that, people look for consolidation. In times like that, people look for strong vendors. And I think that can very much play into our strength of providing the best security.
I'm not sure that competitors like Cloudflare, Zscaler, Palo Alto Networks, Fortinet, or other SASE companies would agree, but we're all inherently biased. We'll see how consolidation plays out in this space.
Finally, speaking on behalf of all of us, Shwed commiserated about the current economy:
But I can do without the bad about the economy. And right now, I think it's nothing to do with network security or anything like that. It's clearly the more of the macro economy that behaves a little bit different in the last quarter.
It's a trying time for Check Point, but the company has been around and made it through challenging times before.
From CyberArk's annual earnings press release:
CyberArk (NASDAQ: CYBR), the global leader in Identity Security, today announced strong financial results for the fourth quarter and full year ended December 31, 2022.
“Our results in the fourth quarter and full year 2022 demonstrate the durability of demand for our solutions and strong execution,” said Udi Mokady, CyberArk Chairman and CEO. “Our subscription bookings mix reached a new record of 90 percent in the fourth quarter, well above the mix assumed in our guidance framework. The higher mix drove our Annual Recurring Revenue to $570 million, an increase of 45 percent year over year and significantly above our guidance, but also negatively impacted our recognized revenue in the quarter. We also once again set a record for net new Total ARR and Subscription ARR in the fourth quarter compared to the third quarter 2022.”
CyberArk is doing exceptionally well in a tumultuous period where other cybersecurity companies (and direct competitors) are facing challenges. Their financial performance is sneaky good — "sneaky" because they've been in a period of transition in their revenue model that's making their revenue growth appear lower than it is (more on that soon). Analysts were using terms like "defy gravity" on the earnings call.
The company's annual earnings announcement was one of the most eventful among all cybersecurity companies. Why? CyberArk's co-founder and CEO, Udi Mokady, announced he is transitioning into an Executive Chair role. That's clearly the headline here, so let's get into it.
CyberArk will have a new CEO in 2023.
Here's the news, straight from Udi Mokady:
We entered 2023 with a more durable, more resilient and highly visible business model. CyberArk is in a position of strength well on our way to our $1 billion ARR target, and we have already reset our sights well beyond that. Because of this execution, as we are gearing up for 2023, we recognized that CyberArk was in the best possible position to make the executive changes we announced this morning. In early April, I will move into the Executive Chair role and Matt Cohen, our Chief Operating Officer, will become our CEO. Matt is an incredible leader, and I can't imagine a better person to be the next CEO of CyberArk.
As a long time follower (and implementation partner) of CyberArk, I was a bit rattled when I heard the announcement. Udi Mokady is an icon in cybersecurity — right along with a rare and special group of founder-CEOs who were with their companies on Day 1 and remained as CEO long after going public. Any time one of these people steps down, it's a big deal.
However, CyberArk's leadership team has clearly thought this transition through. Throughout the call, it was made clear that Udi Mokady will remain actively involved with the company, and that incoming CEO Matt Cohen is sticking with their strategy because it's working:
While my role with CyberArk is changing as Executive Chair, I'll stay very active, working with Matt and the management team...It is very important to me that we get this right and that we have a smooth transition, continuity of leadership and that we don't skip a beat in our execution.
Cohen faces the difficult challenge of replacing an icon. He said all the right things:
...when you look at what has worked so well for Udi and I is that we do share a similar view on the market, on the importance of culture and the importance of the teams that we've built here. And we've been so kind of intricately linked from a standpoint of coming up with the strategy that we have today. So I think what I promise to the team and to Udi really is a continuation of the great momentum that we have. We feel like we've never been in a better position in a better place.
And we have a special opportunity here in the market and a group of special people here at the company. And so I'm kind of excited to continue the spirit, as you said, of where we've been and to bring it forward for the years ahead.
...
We don't need to pivot to a new strategy. We need to go and execute or continue to execute against the current strategy to go get that opportunity.
The company's leadership transition is clearly something to follow as it plays out across the upcoming quarters and year. There's never an ideal time to replace a person like Udi Mokady, but doing so from a position of strength is probably the best place.
They're one of the only companies that feels confident about their performance in the current economy.
In a rare departure from nearly every other cybersecurity leadership team during this earnings season, CyberArk is feeling good about how they're doing in the current economy and their prospects going forward. From Udi Mokady:
...we wanted to comment on the macro environment. While Identity Security remains top priority, more approvals continue to be required in deals, consistent with what we saw in prior quarters. The demand trends, deal progression, win rates, renewal rates and sales cycles remain healthy across the board, which we see in our strong ARR growth.
The big question behind CyberArk's strong performance and optimism is "why?" I thought Udi Mokady did a great job explaining the drivers behind their current success:
Privileged Access Management is one of the few critical security layers that really make a difference in enterprise security. I would categorize it in one of the few that are on the must have side of enterprise buying decisions. And no matter how you dissect every attack that's in the news, there's -- that point of no return is when they elevated privileges, moved laterally, captured identities. And CyberArk captures both the human and machine identities in our PAM platform and in our Identity Security platform.
And today, it's become clear that Identity is not just the new perimeter. Identity is the attack surface. And so it's one of the few things that enterprises do today. And of course, we pioneered the space. We're a market leader in the space. And the flip side of it is also executing on that opportunity that we created through our best-in-class go-to-market team, our channels and of course, delivering great solutions, all of these years. And I would say that the team is executing and firing all cylinders against a growing opportunity.
Cybersecurity budgets appear to be remaining stable, but not all categories within them remain equal. Mokady's observation about PAM being "on the must have side of enterprise buying decisions" is absolutely correct.
For CyberArk, that's a great position to be in. It's also a great position to build from — a reliable foothold into growth for other areas of their product portfolio during a time when companies on less stable ground are just hanging on.
They're so confident about their position that CFO Josh Siegel even shared they might be able to grow even faster:
...if we look at our win rates, our pipeline and in the macro, we actually believe we can grow faster than that...I'd say we're actually really confident in the underlying demand environment, and we have the pipeline to actually support a faster growth than in the ARR side.
You don't hear a CFO say things like that unless the company truly believes they can do it. The takeaway is that CyberArk is in an enviable position, and they're a company to watch as we navigate uncertain economic times.
Their transition to SaaS and subscription-based revenue has gone very well.
I started talking about CyberArk's SaaS transition and move to subscription-based revenue back in 2021. At the time, I acknowledged how difficult of a journey it was for a PAM product to move to the cloud. From CyberArk and the New Paradigm for Privileged Access:
Privileged Access Management (PAM) is going to be one of the last cybersecurity services companies move to the cloud. Many security leaders (enterprises in particular) are reluctant to move their most sensitive credentials out of their own data centers. Privileged accounts and their credentials are the holy grail for attackers. If the vault the credentials are stored in is compromised, it's game over.
...while also agreeing with their strategy on SaaS and subscriptions:
This approach is unsurprising, and completely the right strategy. In CyberArk's case, transitioning to SaaS is even more of a sensitive topic given the nature of their business and their flagship PAM product.
Looking at where CyberArk is at on this journey at the end of their 2022 fiscal year, it's hard to imagine how this could have gone any better for them. I would not have predicted CyberArk to make (arguably) the most successful transition, while peers like SailPoint, ForgeRock, and Ping Identity continue to work through similar challenges — now as private PE-backed companies.
Three charts from CyberArk's investor presentation show exactly how dramatic the transformation to subscription revenue has been. First, subscriptions are driving total revenue growth. In FY22, 88% of new licenses sold are subscriptions:
There is no going back at this point — customers have clearly been willing to transition to subscription-based licensing. With 88% of new bookings via subscription, the revenue mix will continue to shift in favor of subscriptions.
Second, the breakdown of recurring revenue improved significantly in FY22:
Revenue from perpetual licenses is down $66 million year-over-year, exactly as you'd want to see during the transition to subscriptions.
More importantly, SaaS revenue is up $97 million year-over-year. This is impressive because it shows customers are adopting their SaaS product, not just transitioning on-premise implementations to subscription licenses. In a perfect world for CyberArk, a majority of their implementations (and revenue) would be coming from SaaS. They're well on their way.
Third, the transition to subscriptions is making top line revenue growth look less impressive than it is:
TL;DR, this is due to differences in revenue recognition for software subscriptions versus term-based licenses. We're not going to unpack that here — just know that's the reason for the obscure "headwinds" they mention.
If you're only looking at the headlines, CyberArk's revenue growth looks decent but relatively pedestrian. When you factor in the headwinds, 27% topline growth puts the company among the very best in cybersecurity.
From Fortinet's annual earnings press release:
Fortinet® (Nasdaq: FTNT), a global leader in broad, integrated and automated cybersecurity solutions, today announced financial results for the fourth quarter and full year ended December 31, 2022.
“Total revenue grew 32% in 2022 and year-over-year to $4.42 billion, and we generated GAAP net income of $857.3 million. This marks the 14th consecutive year that we have been GAAP profitable, including every year since our 2009 IPO. Cash flow from operations was $1.73 billion and free cash flow was a Fortinet record of $1.45 billion for the year,” said Ken Xie, Founder, Chairman and Chief Executive Officer.
In a period when investors value profitability more than growth, Fortinet's streak of GAAP profitability (net income) looks even more remarkable. Fourteen consecutive years of profitability is unheard of in cybersecurity — yet here they are, just doing what Fortinet does: consistently churning out profits and growth at scale.
Investors have rewarded them accordingly. As of January 31, 2023, Fortinet had the second highest market cap ($40.89 billion) among all pure cybersecurity companies in public markets:
As you might expect, their strategic drivers are remarkably consistent with past years — highlighted by convergence and consolidation and growth through R&D. They compete with Palo Alto Networks, Zscaler, and others in the network security market, especially in SASE, where their strategy is most actively playing out.
Fortinet is benefiting from convergence and vendor consolidation.
As a multi-product networking and SASE company, Fortinet is another example of a company that believes it's positioned to benefit from vendor consolidation. Fortinet CEO Ken Xie cited consolidation as one of the main drivers of revenue growth in FY22:
For the full-year, revenue growth accelerated to 33%. We continue to gain market share in the service security industry with customers increasingly recognizing how Fortinet integrate and a single platform approach to security delivers along total cost of ownership and a greater return on investment than competing solutions.
Here's what vendor consolidation looks like for the company — in this case, an example where it played out nicely in their favor. From CFO Keith Jensen:
If we look at a few of our large deals of the year, let's start with a competitive upsell deal. Fortinet displaced 11 different vendors by consolidating the customer's network security functions on our Security Fabric. This worldwide wholesaler previously purchased secure SD-WAN and FortiProxy.
On a broader basis, what's good for Fortinet — a multi-product company with an established network security platform — is bad for other cybersecurity companies. In this example, 11 other vendors are now gone or saw their footprints reduced by the hand of a consolidated technology platform fueled by cost savings. The displaced vendors likely include a mix of point products and other platforms, neither of which could match the maturity and cost efficiency of Fortinet.
On the topic of convergence, Keith Jensen discussed another nice example with security and networking:
There's been an explosion of devices that must be connected to the cloud, data center and edge compute. As a result, the infrastructure has expanded to support secure connectivity via distributed firewalls, it is no longer feasible to overlay security on top of networking in the data center. They must be deployed as a converged solution.
The convergence of security and networking is a part of the broader trend that's easier to recognize. Convergence in these two domains is much more mature than in others, with examples like Fortinet, Palo Alto Networks, Zscaler, and other large companies. They started with networking and followed the path of convergence to become full-on cybersecurity companies.
Looking forward, Fortinet is making big predictions about convergence and consolidation. From CEO Ken Xie:
As networking and security continue to converge and consolidate, we believe we are well positioned to achieve our 2025 building target of $10 billion.
Justifying revenue growth with convergence and consolidation is a clear tell that Fortinet (and others) believe these are real themes that are shaping cybersecurity markets.
Fortinet's growth strategy is to build new products, not buy them.
Two slides in Fortinet's investor presentation tell us almost everything we need to know about their growth strategy around products. The company is heavily invested in R&D and internal product development, spending very little on M&A. These slides are a direct shot at Palo Alto Networks, a company notorious for M&A.
The first slide compares product revenue growth and overall growth on an LTM (last twelve months) basis:
Fortinet's product revenue is growing faster than Palo Alto Networks' — perhaps a lagging indicator of Fortinet's long-term approach to product strategy playing out.
Total revenue growth between Fortinet and Palo Alto Networks is similar at 29% and 27%, respectively. The punch line here isn't the direct growth comparison — it's the comparison of two very different growth strategies. Fortinet's revenue is growing at the same pace as Palo Alto Networks despite Fortinet spending less than 1/10th the amount of capital on M&A as Palo Alto Networks.
The second slide zooms in on Fortinet's build vs. buy strategy, highlighting investments in R&D and share repurchases over the past five years:
You read that correctly — Fortinet invests in R&D over M&A at a 90/10 ratio. An important side note to their R&D spend is that they've invested this much while remaining profitable, unlike some other cybersecurity companies with high R&D spend.
A specific example of this strategy playing out is Ken Xie's response to an analyst question about the SD-WAN and OT markets:
So advantage much huge compared to other competitors, quite some mostly come from acquisition. And at the same time, they don't have the ASIC help to increase speed, lower the cost and the power consumption. So that's why we feel we're keeping growing above the market, so above the market growth rate. There's a different research about how the market is growing. But I do agree it's a fast-growing market compared to the cybersecurity space and there will be a lot of potential going forward.
Fortinet is deeply committed to their long-term product innovation strategy, as we'll see next in the highly competitive SASE market. While they could be opportunistic with reduced valuations, don't expect any major M&A activity out of Fortinet.
Fortinet is taking an integrated and long-term approach to SASE.
Secure Access Service Edge (SASE) is the market where the intense competition among network security heavyweights is currently playing out. Three of the four most highly valued (pure) cybersecurity companies — Palo Alto Networks, Fortinet, and Zscaler, plus (hybrid) Cloudflare — have SASE offerings. Game on.
SASE is a massive topic, so we'll focus on Fortinet's strategy here. From Ken Xie on the annual earnings call:
Our strategy...in the last few years is: first, we want to have a SASE integrated in the same system, the same OS, including all the SD-WAN or the SASE function. So making SASE can be more easily broader deploy and also working with service provider to leverage their infrastructure to offer a SASE. So it's a little bit different than some of the SASE players right now in the market. So we do believe this is highly integrated the single system as will be more efficient and same time will be more secure.
...we believe long-term leverage...will be much more efficient than the profit model compared to some of the SASE solution or player kind of losing money, which will be difficult to last long. So that's what we will keep investing in this area. And also, we want to be a long-term player in this space and also we'll be keeping internal innovation R&D and keeping driving this space.
Fortinet is all about integration across its proprietary hardware and software. They're committed to this approach (even at the expense of speed and time to market) because they believe quality and value will win out in the long term.
Xie's comment about "some of the SASE solutions or players losing money" and how that will be "difficult to last long" is prescient. Fortinet has clearly demonstrated the ability to compete while remaining profitable as a company. With public markets placing an increased emphasis on profitability over growth (and no end in sight), Fortinet has a lot to gain from being positioned to outlast the competition.