Cybersecurity Business Models: A Dollar of Revenue Doesn't Equal a Dollar of Revenue

A practical evaluation of product and services businesses in cybersecurity through the thick glasses of Warren Buffett and Charlie Munger.
A dollar of revenue doesn't equal a dollar of revenue. Not when you're comparing different types of businesses, anyway.

Sounds like some 1984-level propaganda, right?!¹

In George Orwell's famous book, the statement "2 + 2 = 5" is a tool used by the Party to demonstrate its ability to bend reality. They wear down people's minds to a point where they are forced to believe something that is obviously false.

The narrative and influence in the cybersecurity industry isn't nearly as insidious, of course — but reality can get distorted sometimes in the frenzy of hype and competition.

I recently made an observation about Accenture's $9 billion cybersecurity services business unit having more revenue than any pure-play cybersecurity company in the public markets today. I made the comparison knowing it would create some discourse...and that it did.

Several readers rightly pointed out that comparing revenue (or any financial metrics) between product and services companies is a stretch. I agree, but not to a point of avoiding comparisons altogether.

It's still useful to understand the scale and magnitude of product and services businesses. Both business models are essential parts of the cybersecurity industry. More importantly, there are way more interdependencies between the two than many of us realize.

The part that was missing from my comparison was context. There's a lot of nuance behind how and why different business models work the way they do. Comparing revenue alone is only one dimension (among many) that drives the value of a business.

Comparisons like this need context in a way that's just not possible in the world of social media. This article is to explain the context and nuances.² We're going for beginner-to-intermediate level here — just enough to help you navigate the most common business models for cybersecurity companies.³

I'm partial to Warren Buffett and Charlie Munger's (RIP) old school ways of evaluating businesses. They're both principled, independent thinkers who are categorically immune to business world Doublethink. So, I'm going to channel these two kings and do an old school, Berkshire-style analysis.

Let's kick it off with one of their favorite topics: economic moats.

Economic moats

Buffett and Munger like businesses with predictable revenue and cash flows. Even better when the competitive advantages driving revenue are hard to replicate. Here is Munger's definition of a good business:

We have to have a business with a durable competitive advantage—because without that, you’re just fated to compete, and competitors will drive your returns down.

This, friends, is a moat.

In cybersecurity, you'd think the "predictable revenue" part would make product companies with subscription-based revenue more appealing. It's not quite that simple. Here's why.

Product companies

Most of the earlier stage cybersecurity companies that started in the cloud era have subscription-based pricing, which means recurring revenue. Public companies like CrowdStrike and SentinelOne also have nearly all of their revenue coming from recurring subscriptions.

Other companies who started on premise (like CyberArk and Varonis) have been on multi-year transitions from non-recurring licenses to recurring subscriptions. This cohort of companies is in varying stages of transition with varying degrees of success.

Subscriptions and recurring revenue sure sound wonderful. They are! But just because a company sells products or services by subscription doesn't mean it has the economic moat Buffett and Munger covet.

Most product categories in cybersecurity are brutally competitive. They often have 10+ companies who all offer solid products. In the eyes of a buyer, they're interchangeable.

Switching costs are real (especially in the enterprise customer segment), but rarely insurmountable. CrowdStrike blew up your Windows systems? No problem, you'll have SentinelOne up and running in a few weeks or less.

Most product companies don't have as strong of an economic moat as you'd think.

Services companies

Business models for services companies are more diverse. Managed services like MSSPs, Virtual CISOs, and other operations-focused services have a subscription-based model.

Traditional consulting, professional services, and systems integrators do not. They usually charge by the (very expensive) hour. A small project for firms like Accenture or PwC is $100,000 or more. Large systems integration projects for enterprise clients are seven figures.

Multi-million-dollar engagement fees might sound awesome, but they're non-recurring. Partners and Directors constantly sweat it out to win new projects. I was one of these people once upon a time, and trust me — chasing non-recurring projects over and over again is hard work.

Services companies may not have the cushy recurring revenue of product companies, but the big firms (and some savvy smaller ones) have incredible economic moats. Things like amazing brand recognition, global scale, and deep client relationships get these firms deeply embedded in the world's largest enterprises. Any experienced enterprise CISO will tell you they're very hard to get rid of.

The big services firms with cybersecurity practices are unique creatures, though. Smaller, cybersecurity-only services firms don't have the luxuries of brand or scale to enjoy the same type of moats.

Some have deep client relationships, which is enough to create a mini-moat on its own. The rest, unfortunately, are transactional with no economic moat at all — just another body shop to get the mundane work done.

Reinforcing economic moats

A small irony here is that the economic moats of cybersecurity product and services companies reinforce each other.

Services companies need products to generate a large portion of their revenue. Product companies need services to help sell, implement, and operate the products. There's a reason why an estimated 90% of cybersecurity product sales go through channel partners.

Interdependencies manifest themselves differently across customer segments, but they're always a factor. Enterprise environments are complex, and so are the products they implement. Mid-market and SMB customers are less complex, but many of them rely on MSPs and MSSPs to partially or fully operate their cybersecurity functions.

Economic moats are the starting point for Buffett and Munger, but there's a lot more to a good business. Next, let's talk about predictability.

Business predictability

In the old school, long-term world of Buffett and Munger, "predictability" and "recurring" are not the same thing.

Their version of predictability is measured in decades — a demonstrated history of consistent, stable cash flows year in and year out. In Buffett's words:

The best business is one that, after you buy it, you can leave it alone for ten years, and it’s still going to generate cash flow.

This hasn't happened yet in cybersecurity. It doesn't even seem within reach.

Ten years feels like ten lifetimes in our industry. Broadcom and some of the private equity buyers might give this strategy a shot, but heavy reinvestment has been the only way to remain competitive so far.

Here's why we're so unpredictable.

Product companies

Revenue for cybersecurity's product companies is relatively predictable on a near-term basis — our market leaders don't just disappear overnight, and they all have above average retention metrics. Even in cases like Okta's security incidents or CrowdStrike's global outage, market cap gets wiped out but revenue doesn't.

We don't have the kind of long-term predictability Buffett and Munger cherish, though. Not yet, anyway.

Cybersecurity is a relatively young industry on the time horizon of the industrial era. We don't have many businesses of any kind with demonstrated market leadership over decades. Companies who have reached the top haven't sustained it for long, either. Look no further than Symantec.

Pure-play cybersecurity companies like Fortinet and Check Point might be starting to reach the territory of long-term predictability. They were founded in 1993 and 2000, respectively. 30-ish years is just scratching the surface of durability.

Sprinkle in the 10+ private equity take-privates of cybersecurity-related companies in public markets since 2020, ~70 billion-dollar acquisitions (and approaching 10 just this year), and ~250 total acquisitions per year, and you get the picture about why they consider industries like ours "unpredictable."

Services companies

Services companies are a bit more boring and predictable, especially the larger ones. Deloitte (179 years), PwC (175 years), EY (175 years), and KPMG (140 years) were all founded in the 1800s (!!!).

Accenture is barely younger than me (who is also starting to get old) at 35 years. Their ill-fated parent company, Arthur Andersen, was 89 years old when it suddenly burst into flames in 2002.

Put differently, the total combined age of the public cybersecurity companies with $1B+ revenue (Palo Alto Networks, Fortinet, Gen Digital, CrowdStrike, Check Point, Okta, Zscaler, and Trend Micro) is 197 years. These newfangled product companies are infants compared to the giant ol' services firms.

They haven't had cybersecurity consulting practices since the 1800s, of course — but they're far more predictable than the raucous product side of our cybersecurity industry house. Right or wrong, the top cybersecurity services firms basically are the top firms year in and year out.

With big services firms, we're talking about incredibly resilient and reliably profitable businesses that have steadily grown and produced cash flows for literally generations. Their revenue growth might only be single digits, give or take, but it rarely goes down.

Mileage varies with predictability for smaller cybersecurity services firms. Without the scale and economic moats the larger firms have, revenue and cash flow can be a lot more unpredictable. For a consulting firm, all it takes is the loss of a big client, slowing momentum in a key partnership, or something wild like a global pandemic to put the business in a bad spot.

Outsourcing and managed services firms like MSSPs and MDR companies have more predictability than consulting firms, even on a smaller scale. They operate in long-term contracts for repeatable, non-project based operational services. Once a managed service provider learns a customer's environment, the switching costs become high. Most companies don't burn through MSSPs year after year, even if the level of service is mediocre.

Generally speaking, cybersecurity services companies are more predictable at any scale (by the Buffett/Munger definition) than product companies. Most of them don't grow to the billion-dollar scale of Accenture, Deloitte, or PwC — but it's rare to see a services firm completely strike out on projects and revenue.

Product companies need predictability

The relative predictability of cybersecurity services companies is a good thing for product companies. It's one of the things that makes channel partnerships valuable.

Successful cybersecurity services firms have (predictably) strong customer relationships. They serve fewer clients than product companies, so it's natural to have deeper relationships than product companies — no matter how slick your AE is.

Anecdotally, services companies pull product companies through into new customer opportunities more than the other way around. The ratio isn't completely imbalanced, but deep customer relationships matter. Sequence matters, too: potential buyers often look to services firms for recommendations and evaluations of cybersecurity products.

From a customer's point of view, the predictability of relationships matters. Products come and go. I saw this myself with identity products during a decade at PwC. First it was Sun Microsystems, then Oracle, then SailPoint, then ForgeRock, now Okta. The churn isn't quite that sequential, but the momentum of product companies as partners definitely comes and goes.

Incentives between product and services companies are aligned a decent amount of the time, though. Services companies need products to implement and operate, and they want to partner with product companies customers want to buy. Product companies want to leverage service provider relationships and increase their odds of winning. This interdependency works — at least for market leaders and up and coming products that service providers want to partner with.

Next, let's discuss another hallmark of the Berkshire investment philosophy: capital efficiency.

Capital efficiency

One of the core investment criteria for Buffett and Munger is capital efficiency and the ability for a company to generate high returns on invested capital. Charlie Munger, as always, is good for an epic quip:

A great business is like a great athlete — it has low body fat and lots of muscle. It doesn’t need to spend too much capital to stay competitive.

Most cybersecurity product and services companies are more like couch potatoes — or, more generously, up-and-coming athletes in the low minor leagues. They lack capital efficiency, but it happens for different reasons.

Let's talk about why Warren and Charlie are disappointed in us.

Product companies

Cybersecurity's publicly traded product companies all have respectable gross margins, emphasis gross. Their operating margins are low — more like negative (on average) until a recent emphasis on demonstrating profitability. The operating margins part is what makes them struggle with capital efficiency.

We're going to have to get a little accounting-ish here to explain why the nuances between Cost of Goods Sold (COGS), gross margins, and operating margins matter for product businesses, but it's worth getting into.

SaaS and subscription-based products (so, most of our cybersecurity products today) have very low COGS. The accounting definition has some minor variances, but in general, COGS for product companies includes hosting and infrastructure, third-party licenses or APIs, and sometimes things like customer support and capitalized software development costs.

The punch line is that all of these costs are low for product companies, especially at scale. For example, it barely costs CrowdStrike anything to sell another instance of the Falcon platform. They've already built it, and the marginal cost of replication is essentially zero.

Gross margins are where the good news about capital efficiency for most product companies ends. Operating expenses are a wildly different story.

People like Buffett, Munger, and the accountants aren't letting these fancy software companies off the hook so easily.

COGS is only one part of the equation for expenses. There are tons of other operating expenses. We call them Research and Development (R&D), Sales and Marketing (S&M), and General and Administrative (G&A) in financial reporting, but these are only high level classifications.

A few practical examples of each include:

  • R&D: Building and improving software (you know, like the main function of a product company) mostly avoids COGS and goes into R&D, an operating expense.

  • S&M: Expensive steak dinnahs with salespeople, booths at RSA Conference (or drone shows instead) all add up.

  • G&A: Cool perks like swanky SOMA offices, ping pong tables, and less fun overhead like finance and HR are all expenses in this bucket.

When you look at a more complete picture of the business and factor in operating expenses, you start to see why capital efficiency is a struggle in the ultra-competitive world of cybersecurity products.

High margins and capital efficiency are two core economic promises of software companies, including ours in cybersecurity. Because the marginal costs of replication are low, a product company's economics get better and better as it scales. Operating expenses continuously become a lower percentage of overall revenue, and they become more and more capital efficient (read: rake money).

It's not an empty promise. This does happen, at least in the broader tech world. The "Magnificent Seven" public tech companies are all good examples, especially the ones who sell purely software. Operating margins for these seven companies are ~20%, way above the S&P 500 average of ~13.5% (today).

Cybersecurity doesn't have any companies who have reached this level of scale yet. Most of our companies have high gross margins and negative operating margins. When expenses like R&D, S&M, and G&A enter the picture, the level of investment required to keep up with the Joneses is gnarly. It's no wonder most of our public and private companies are unprofitable, even if it's technically voluntary.

Will trends like consolidation, platformization, aggregation, or plain old expense management ever get us over the high bar people like Buffett and Munger have for capital efficiency? Eventually, yes — for some companies. But it's going to take a while.

Services companies

Cost structures have a major influence on a company's capital efficiency. Basically all cybersecurity services firms have this working against them by default. People cost a lot of money to employ, and they're necessary because services are labor-intensive.

Cybersecurity people are also expensive because they're smart and specialized. You won't find seasoned cybersecurity practitioners just walking down the street. They either have to be paid a small fortune or be trained from junior, usually fresh out of college levels.

Firms like Accenture, Deloitte, and others do both. PwC trained me fresh out of college, then paid a small fortune to retain me as I became more senior. It's a vicious and necessary cycle.

All this expensive labor adds up to a bad combination for capital efficiency.

The part our services firms have going for them is the reinvestment of capital side of the equation. It costs a ton to employ dozens (or thousands) of people, but firms don't have to reinvest much capital in service offerings, sales, or marketing. Their gross margins are bad compared to product companies, but their operating margins can be decent.

Big services firms reinvest in the business like any healthy business does, but cash flows are still high and owners (partners, usually) get nice distributions every year. Accenture's operating margins hover around ~14-15%, which is respectable for any company and borderline incredible for a services company.

From an employee's standpoint, the downside of being both salaried and junior is you can get squeezed for extra time to "reinvest" in the firm. You might get a bigger bonus at the end of the year, but you're not getting paid extra for the overtime hours you work.

Sales and marketing are generally handled by senior client service people, too. They have relationships with CISOs and other senior client people, so it's weird to put an extra sales person in the mix. Directors and Partners get paid a lot, but the firm doesn't have to pay double for its sales counterparts.

Marketing happens, but it's rare. They'll sponsor Phil Mickelson or Tiger Woods once in a while, but flashy marketing campaigns are about as rare as a hole-in-one. Marketing dollars get spent on conferences, thought leadership™, and other fancy things consultants do, but it's not a huge drag on overall capital efficiency.

What cybersecurity services businesses lack in gross margins gets made up in operating margins. They don't have the promise or upside a privileged few product companies achieve at scale, but they're rarely unprofitable.

Services partners keep the product cost structures clean

One of the main interdependencies between cybersecurity's product and services companies is delivery — strategy, implementation, and operations. Building a good product is hard, but so is getting (and keeping) it up and running in a customer's environment.

Most cybersecurity product companies work with channel partners (services firms) to implement, upgrade, and operate their products. This means product companies don't have to operate a massive services business unit in-house — they just farm out the work to partners and let them take care of it.

From a financial standpoint, partnerships with services companies are a nice boost in capital efficiency for product companies. Most public cybersecurity companies offer services, but it's a single-digit percentage of overall revenue. They're not trying to compete with channel partners, and especially not large cybersecurity services practices like Accenture and PwC.

In a hypothetical world where cybersecurity services firms didn't exist, product companies would be forced to have much larger services business units. They're capable, but their capital efficiency would take a hit because of the people-intensive cost structure of services.

Services are also a different core competency than building products. It's a massive strategic distraction most of the time. Their focus is better spent on building, selling, and supporting core products.

Everything we've talked about so far culminates in one area: scalability, growth, and valuation. Welcome to the main event.

Scalability, growth, and valuation

If services companies are so essential to the cybersecurity ecosystem, why do people constantly bag on them? And why are their valuations so much lower than product companies?

Two of the biggest reasons are scalability and growth. Warren Buffett nailed the dilemma:

The problem with a consulting firm is that you can’t scale it in the same way you can scale a product company. You need more people to sell more services, and that’s hard to scale without losing control of quality.

Let's talk about why this is and how it drives valuations for both types of companies.

Product companies

Like we discussed in the last section on capital efficiency, the appeal of product companies is building a product once and selling it N times. This is pure, unadulterated scalability in business.

With a cybersecurity software product, you get high scalability and low incremental costs. This means growth can happen very, very quickly. Every venture capital investor's dream is to invest early in a flashy new cybersecurity company, have it hit product-market fit, and grow quickly into a massive exit.

You can't grow or scale like this with cybersecurity services companies — we'll get into that in a second.

The implication of these differences in scalability and growth rate is one of the main reasons why both public and private market investors value cybersecurity product companies at higher revenue multiples than services companies. You might get a nice return out of a services company, but the big winners in cybersecurity are product companies.

There's the catch: the big winners.

Product companies are significantly more likely to have (relatively) modest exits, get acqui-hired, or fail completely.

But when a cybersecurity company gets the formula right, they grow quickly. The average compound growth rate of our public pure-play cybersecurity companies is 19%, well above the software industry average of 14%. CrowdStrike, SentinelOne, and Zscaler are all growing over 30%, which is among the best of all public software companies.

And then there's Wiz, the fastest-growing software company ever.

Investors have noticed how well cybersecurity-related companies perform, and valuations have skyrocketed. As of this week, six of the top ten companies with the highest valuation multiples have a cybersecurity component (Palantir, CrowdStrike, Cloudflare, ServiceNow, Datadog, and CyberArk).

Valuations, both public and private, are a fickle and inexact science, of course — but ambitious investors are going to bet on our product companies over and over again.

Services companies

Buffett's quote about services businesses is spot on, but I would also add: you need more people to deliver more services, not just sell them.

Delivering quality cybersecurity services at scale is incredibly hard. Delivering quality services at all, no matter what the scale, is incredibly hard. The nature of cybersecurity makes delivery exponentially harder, especially when the business driver for a project is regulatory requirements or a security incident.

Every seasoned enterprise CISO has their own horror stories about projects that went sideways with services firm X, Y, or Z. I've seen this movie dozens of times now. The CISO gets mad, kicks out the team, swears off working with them ever again, and brings in another firm. Maybe their luck is better this time, or maybe it isn't. And the process repeats itself to infinity.

Quality is part of the reason why scaling and growing a cybersecurity services firm is so hard. Marginal cost of replication is not a thing when you're talking about people and time.

If a cybersecurity services firm wins a new project, they can't just clone a team they already have and deploy them the next day. They either have to maintain a bench of people (which is bad because unutilized people cost money without bringing in revenue) or hire more of them. Hiring takes time, and who knows about quality. Scaling is a messy process.

There's a reason why only five pure-play cybersecurity services companies are publicly traded, and only two have valuations over $100 million. Investors have a hard time with limitations in growth and scalability. It feels a lot more appealing to put their money into software businesses.

Big cybersecurity services firms drive growth

Cybersecurity product companies can grow quickly, but they usually don't do it on their own. It's a top-down, procurement-led world where channel partners drive a lot of sales.

Large services firms like Accenture, PwC, and Deloitte are kingmakers. Many of our current or former public companies — ones like SailPoint, CyberArk, and ForgeRock — all had their growth heavily driven by global systems integrator partnerships.

The interdependence also works the other way. Building service offerings around emerging cybersecurity products and use cases is a driver of growth for services firms. The strategic rationale for a lot of cybersecurity services M&A is picking up smaller firms who have expertise with emerging products. One example is PwC's acquisition of EagleDream, which added cloud security services for AWS.

There are multiple ways for both types of companies to grow, but channel partnerships and joint GTM efforts are big ones in cybersecurity.

We've covered a lot of mechanics and practical examples here. Let's finish by talking about what it all means.

Not better or worse, just different

If you take one thing away from the article, I hope it's this: cybersecurity's product and services companies aren't better or worse businesses. They're just different.

Sure, they have different financial and operational characteristics you might classify as "better" or "worse" based on your own view of the world. Other people may have a different view.

Some of us care about investing in or working for a company with high growth potential. Others want consistent returns and long-term stability.

Warren Buffett and Charlie Munger have their view, which is investing in "wonderful business at fair prices." (They've never invested in a cybersecurity company.)⁴

When I decided to work at PwC, I cared about a balance of economic growth, stability, and professional development. I wanted access to learn about the largest companies in the world. I also kept my job during the global financial crisis in 2007-2008. I got exactly what I wanted, which is incredibly valuable to me.

That's exactly the point. Value is derived in so many different ways and depends on so many different things.

Economic value is an important way, for sure. It's not the only way. And it's certainly not something cybersecurity product or services companies can create on their own.

Acknowledgements

Thank you to Prem Iyer at Palo Alto Networks for teaching me the phrase "a dollar of revenue doesn't equal a dollar of revenue," and for the spirited and respectful LinkedIn discussions on this topic.

Footnotes

¹To be explicitly clear, I'm not saying any of the positioning or investor relations that companies in our industry do is as evil or serious as totalitarian political regimes or psychological warfare.

²I don't have an accounting degree, but I've taken masters-level accounting classes and spent enough time working on financial audits at a public accounting firm to have a decent grasp of this.

³If you're an equity analyst or investment banker, you can probably skip this one. My goal is to share a practical explanation of the differences in business models for people who want to understand the industry but don't work in capital markets every day.

⁴Unless you count investments in large insurance firms who issue cybersecurity insurance as a small subset of their overall coverage. Buffett doesn't like it, either.
