Cybersecurity's Class Conundrum

Cybersecurity has an unspoken narrative of mixed fortunes — a storyline we all feel but rarely can articulate.

Part of me says this is normal. Public markets fluctuate, often between different extremes.

But cybersecurity's current situation feels...different, or at least more nuanced.

Companies like Palo Alto Networks were doing better than ever. They became cybersecurity's first $100 billion company (by valuation) in December 2023. (Never mind the irrational panic-selling in the 24 hours after their Q2 2024 earnings announcement.¹)

Other companies are doing worse than ever. IronNet and Cyren both filed for bankruptcy in the last six months. Auditors for several other small-cap cybersecurity companies have raised doubts about their ability to continue operations.

And then there's everyone else. A group of ~60 public cybersecurity companies is stuck in the malaise of economic uncertainty that's been going on for two-plus years. It's a group of respectable companies that can't quite seem to break through.

This divide has bothered me for a long time. A lot of us feel this way. We recognize the circumstances but haven't quite been able to explain what's happening or how.

Mike Privette was on to something when he wrote about the K-shaped recovery of the cybersecurity industry almost a year ago: the recovery of the tech industry has been unevenly distributed, and it's the same story for cybersecurity, too.

In Bigger, Faster, Stronger: The New Standard for Public Cybersecurity Companies, I talked about cybersecurity IPOs by era and the metrics behind them. I didn't quite have a handle on this whole divide at the time, though.

So...what's going on here?!

Two weeks and 5,000+ data points later, I'm confident about one thing: Cybersecurity has a class conundrum, and the gap is only getting wider.

Let me tell you about this situation using a comparison you might not expect — celebrities.

Celebrities and cybersecurity companies have a lot in common

Even if you don't follow the latest Hollywood gossip (I sure don't), everyone can name and recognize a few A-list celebrities: Tom Hanks. Julia Roberts. Rihanna. Serena Williams. LeBron James.

You probably know more B-list and C-list celebrities than you might expect, too: T.J. Miller (I loved Silicon Valley!). Mindy Kaling. Allyson Felix. MGMT (listening to them on Spotify right now). They're all accomplished artists and athletes, but you might not recognize them walking down the street.

Reducing people and companies to status lists is shallow, but it's also human nature. We are a status-oriented species. Things like celebrity status lists can be a useful model if they're not taken too literally.

For this metaphor, I'd define classes of celebrities and cybersecurity companies something like this:

It's cleaner to use a single, objective metric like year-over-year revenue growth or market cap, but this misses nuances that are better captured with some judgment involved.

A comparison to celebrity status lists probably isn't the best way to do it either, but...whatever, this isn't Gartner.

So, let's go with it. Enough suspense already — let's reveal cybersecurity's A-list companies.

Cybersecurity's A-list companies

Cybersecurity has seven "A-list" companies, including both pure and hybrid: Cloudflare, CrowdStrike, Fortinet, Okta, Palantir, Palo Alto Networks, and Zscaler.²

A-list companies have performed spectacularly well across revenue, growth, market cap, and underlying financial metrics for a long time:

Again, this isn't to say the other public companies in cybersecurity are bad — it's not that black and white. Some of my favorite companies aren't on this list.

When you look at the data, there is a clear set of companies who have financially outperformed the rest of the cybersecurity market. Let me show you what I mean, and then we'll unpack it.

There are currently 55 pure and hybrid cybersecurity companies listed on major U.S. exchanges. I added two more (Darktrace and Trend Micro) from international exchanges because of their market cap to make 57 companies in total.³

Cybersecurity's seven A-list companies currently have a higher market cap than the remaining 50 companies combined:

This inflection point just happened in 2023. No wonder it's not being talked about very much.

Today's A-list companies were almost non-existent a decade ago. Only Fortinet and Palo Alto Networks were public in 2014. Now, the seven A-list companies are worth more than every other public company in the industry.

...uhhh, what happened?!?!

Let's rewind to 2011 and quickly step through the progression that got us to the class conundrum we're seeing today.

Remember the world in 2011?

Yeah, I needed a reminder. Here are a few highlights: Bridesmaids was a popular movie, the first season of Game of Thrones aired, and Aaron Rodgers won the Super Bowl with the Green Bay Packers. The Social Network won an Oscar, which is a funny coincidence. All of this feels like forever ago.

The cybersecurity industry of 2011 feels pretty unfamiliar, too.⁴ Breaches of Epsilon, RSA, and the Sony PlayStation Network were the major events of the year. Back then, we had 26 public companies with a total market cap of $68.2 billion:

Symantec (now Gen Digital) was on top of the world at the time, clocking an $11.5 billion market cap on $6.7 billion of annual revenue.⁵ Fortinet was just getting started as a public company.

Palo Alto Networks and several of the other A-list companies were founded, but they weren't child stars destined for greatness. They were promising private companies, but far from the superstars they are today.

Cybersecurity's rise to stardom from 2012 through 2018 set us up for the divide we're seeing today. Let me show you why.

2012 through 2019: Cybersecurity's A-list walks down the red carpet

This era is the Oscars, otherwise known as the "High Burn/High Growth" era in software industry terms.

A total of 31 pure and hybrid cybersecurity companies walked down the red carpet and went public from 2012 through 2019. The guest list included A-list companies like Palo Alto Networks (2012), Okta (2017), Zscaler (2018), CrowdStrike (2019), and Cloudflare (2019).

The industry's total market cap more than quadrupled, going from $68.2 billion to $308.6 billion in under a decade:

Everything was going right. Take-privates were hard to find. Blue Coat (2012), Infoblox (2016), Gigamon (2017), and KeyW (2019) were the only subtractions from our overflowing club of public companies.

You thought that was wild? Think again. Let's crank the volume up to 11.

2020 through 2021: The after-party

If the High Burn/High Growth era was the Oscars, 2020-2021 was the after-party. We were all having the time of our lives.

Twenty more pure and hybrid cybersecurity companies went public on top of the companies we already had.

The industry's market cap doubled over a two-year period, going from $308.6 billion at the end of 2019 to $698.2 billion by the end of 2021:

Unfortunately, this was the "High Burn/Slowing Growth" era. The whole software industry got upside down from overspending on growth. And then the D-list companies (SPACs and reverse mergers) started showing up.

It's getting late — time to go home.

2022 onward: Our growing class conundrum

The free-for-all is over. Investors are taking sides now, and it's fueling the growing divide between cybersecurity's A-list companies and everyone else.

After a market-wide blip in 2022, cybersecurity's total market cap is back to levels higher than ever in 2024:

...but remember our chart from the beginning of the article where we hit an inflection point in 2023? That's the conundrum — our seven (S-E-V-E-N!) A-list companies are driving over 80% of the industry's valuation growth this time:

You could argue the divide is because 13 cybersecurity companies have been taken private since 2022. It's definitely a factor. But look at this trend of average valuations broken down by class:

The rising stardom of cybersecurity's A-list companies started in 2019 and shows no signs of coming back to earth, even with a decline in 2022.

The A-list companies took off and soared above $10 billion average valuations. Everyone else remained flat, stuck at the sub-$10 billion valuations they've known for years.

Using market cap to measure the success of a company is like using fame to measure the success of a celebrity. Valuations and fame are fickle, but revenue doesn’t lie:⁶

Revenue growth for our A-list companies has been a hit machine, outperforming the rest of the industry for more than a decade.

Enough with the numbers — you get the idea. Cybersecurity in 2024 is fundamentally different and more polarized than ever.

I still don't know if this is just a phase or a new long-term reality we all need to operate in.

One thing I do know: the implications of our growing class conundrum are more impactful than anything we've experienced yet as an industry.


Footnotes

¹I spent an hour and a half live with Francis Odum talking about this recently.

²I'm including Okta as an A-list company based on their way-above-average performance since IPO. I get the argument they're not an A-list company right now — that's fair. The time horizon for this analysis is intentionally longer. I also have doubts Okta is going to remain down forever.

³The data also includes Splunk and ZeroFox. Both companies have pending acquisitions that have not yet closed, so they're technically still listed for now.

⁴This probably depends on how experienced you are. I was barely out of college and working with Oracle identity products (rough, I know – amazing I'm still in security). I still had a lot to learn about the industry at the time.

⁵How's that for a valuation multiple?!

⁶Okay, okay — sometimes revenue does lie. Or people lie about revenue. I get it, I worked at PwC. I remember Enron. Those are edge cases, especially post-SOX.