Security is an area of IT spending that has been getting a lot of visibility over the past couple of years. This has been primarily driven by headlines associated with successful hacks and data breaches. In response to this opportunity, many new companies have been entering the space, several of which have fetched high valuations (ZS, CRWD as examples). However, I will not invest in security stocks for a more fundamental reason. At the end of the day, dollars allocated by a company to security protection represents spending they would prefer not to make.
Companies providing security solutions have been around since the dawn of personal computers. We all remember virus protection products from Symantec and McAfee. At that point in IT history, security protection was fairly limited in scope. We had a finite set of devices, the personal computers, and an even smaller set of entry points into company networks. Most companies didn’t offer VPN and enterprise applications were only available to computers on the company’s physical LAN.
Several new trends over the past 5-10 years emerged that have dramatically expanded the IT footprint and, hence, the threat landscape. Included in these are the proliferation of mobile devices and their apps, enterprise applications moving to the cloud (SaaS), expansion of company service offerings distributed over the internet and an explosion of data collected about employees and customers. To protect these touchpoints, companies now need to consider solutions to protect a large number of threat vectors:
- External access to networks and data centers (PANW, JNPR, etc.)
- Email accounts (PFPT)
- Privileged accounts (CYBR)
- Cloud application access (ZS)
- APIs and other endpoints (CRWD)
- Devices (FSCT)
- DDOS (Akamai, Cloudflare)
I won’t delve into the pros and cons of these solutions, nor will I try to predict how threat vectors will change over time or what new ones will emerge. From an IT point of view, this represents an exciting and complex space. However, from an investing point of view I won’t consider security companies.
The reason I am not interested in security companies for investment is that the customer spend associated with their offerings does not drive business growth. The CIO or CTO at the customer company who is responsible for allocating this budget towards security would prefer not to spend it at all. They would rather invest IT dollars in initiatives that either grow revenue for their company or increase their employee’s productivity.
CIOs and CTOs are being increasingly encouraged to demonstrate ROI for all their IT investments. It is easier to calculate ROI for investments in things like better customer service tools, new online features or improved employee collaboration. Calculating the ROI for security spend is much harder, because the investment is being made to prevent something bad from happening. I acknowledge that the cost of a public data breach is huge and that adequate security for a company’s information systems is a must. However, at the end of the day, a company would rather reduce this expense. This is probably why I don’t hear security companies referencing their Dollar Based Net Expansion Rate (DBNER) in earnings reports.
When I was a CTO, I was excited to allocate my budget towards growth drivers – hiring new developers, efficiency tools or third-party services. These investments were easy, because I could demonstrate the increase in customer spend or productivity. On the other hand, investing in security solutions was defensive. I think this inherent bias will always limit the growth of the total addressable market for security solutions, because that market represents money that companies would prefer not to spend.